Kubernetes Tech Talk
Agenda
1 Basic Overview
2 Kubernetes native API
3 Kubernetes custom Resource
4 Helm
5 Istio
6 Prometheus
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Basic Overview and native Kubernetes API
Important Control Plane Components
• api-server -> exposes the Kubernetes API; the front end of the control plane
• etcd -> highly-available key-value store used as Kubernetes' backing store for all cluster data
• Scheduler -> watches for newly created pods and assigns them to nodes
• Controller-manager -> runs the built-in controllers, e.g. node-controller, job-controller, etc.
Important Node Components
• kubelet - agent that runs on each node in the cluster. It makes sure that the containers described in a Pod are running.
• kube-proxy - network proxy that runs on each node in your cluster, implementing part of the Kubernetes Service concept.
• Container runtime (Docker, CRI-O)
Examples of Native Resources (Kind)
• Pods (encapsulate one or more containers)
• Deployments (manage a replicated set of pods; usually shipped together with svcs, config maps, etc.)
• Services (expose pods to other pods / external traffic)
• ConfigMaps (k:v pairs to store config data)
• Secrets (store keys, passwords, certs, etc.)
Kubernetes custom resource
• Extension of the Kubernetes API that is not necessarily available in a default Kubernetes installation.
• They use CRDs / API aggregation to define the resource.
• Custom controllers manage the resource.
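As an added illustration (not from the talk), a minimal CRD that registers a namespaced RateLimit kind with schema validation, followed by one instance of it; the group demo.example.com and the field names are made up for this example. A custom controller (not shown) would watch these objects and act on them.

```yaml
# CustomResourceDefinition: teaches the api-server a new Kind and validates its spec
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ratelimits.demo.example.com      # must be <plural>.<group>
spec:
  group: demo.example.com                # hypothetical API group
  scope: Namespaced
  names:
    plural: ratelimits
    singular: ratelimit
    kind: RateLimit
    shortNames: [rl]
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              required: [requestsPerSecond]
              properties:
                requestsPerSecond:       # api-server rejects objects outside these bounds
                  type: integer
                  minimum: 1
                  maximum: 10000
                burst:
                  type: integer
                  minimum: 0
---
# An instance of the new kind; `kubectl get rl -n shop` lists it once the CRD is applied
apiVersion: demo.example.com/v1alpha1
kind: RateLimit
metadata:
  name: api-default
  namespace: shop                        # constructed namespace
spec:
  requestsPerSecond: 100
  burst: 20
```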
Examples of Custom Resources (Kind)
• Prometheus (part of Prometheus operator)
• EnvoyFilter (part of Istio)
• You can build one too :P
Helm
• Package manager for Kubernetes.
• Bundles your artifacts and allows templating using values.yaml
• Easy to manage environments and releases
• Terminology: charts (organized artifacts with metadata), releases (versioned installs of a chart)
• CLI with a bunch of commands
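To show what "templating using values.yaml" means, here is an added example chart fragment (constructed for this page, not from the talk): a values.yaml and a templates/deployment.yaml that consumes it. The chart name "orders", the registry and the port are assumed; Chart.yaml is assumed to carry an appVersion.

```yaml
# values.yaml (constructed chart "orders")
replicaCount: 2
image:
  repository: registry.example.com/orders
  tag: ""                              # empty -> falls back to Chart.AppVersion below
securityContext:
  runAsNonRoot: true
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
---
# templates/deployment.yaml: {{ ... }} expressions are rendered at `helm install`
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-orders
  labels:
    app.kubernetes.io/name: orders
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      app.kubernetes.io/name: orders
      app.kubernetes.io/instance: {{ .Release.Name }}
  template:
    metadata:
      labels:
        app.kubernetes.io/name: orders
        app.kubernetes.io/instance: {{ .Release.Name }}
    spec:
      containers:
        - name: orders
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          ports:
            - containerPort: 8080
          # whole block copied from values so every environment gets the same hardening
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
```

`helm install orders-prod ./orders --set image.tag=1.4.2` renders this with the overridden tag, and `helm upgrade` / `helm rollback` move the release between revisions without editing the manifests.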
Problems faced while designing microservices:-
• Security - Inside the cluster, services talk to each other over plain http; if an attacker gets into the cluster (RIP) :\ (need to add extra security logic to my application)
• Retry Logic - Need to embed retry logic to counter situations like network failures.
• Metrics - Again I need to add exporters and a bunch of extra configs to pull them :/
Overall developers are just managing tons of configs and not focusing on writing business logic :(
Solution - Istio (a service mesh) :)
• A bunch of Kubernetes custom resources
• Deploys a sidecar proxy into each pod to handle all networking logic
• Acts as a proxy
• Can be configured easily
• Does not interfere with your deployments, as sidecar injection etc. is handled by the control plane components.
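The "attacker inside the cluster" problem from the previous slide is what Istio's security custom resources address; the following is an added example (not from the talk) of the two resources involved. It assumes a namespace shop, a workload labelled app=orders, and a caller running under the service account checkout.

```yaml
# PeerAuthentication: every sidecar in "shop" refuses plaintext and only
# accepts mTLS from other sidecars, so plain http between services is gone
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT          # PERMISSIVE would still accept plaintext during migration
---
# AuthorizationPolicy: once any ALLOW policy selects a workload, requests that
# match no rule are denied, so "orders" is reachable only by "checkout"
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-checkout
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
    - from:
        - source:
            # SPIFFE identity carried in the caller's mTLS certificate
            principals: ["cluster.local/ns/shop/sa/checkout"]
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/orders", "/orders/*"]
```

The identity check is done on the certificate the caller's sidecar presents, not on a source IP, so it still holds when pods are rescheduled; no change to the application code is needed.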
[Figure: Global rate limiting vs. local rate limiting (Local RL)]
Istio - Features
• Traffic splitting - versioned traffic split for new releases
• Proxy component - Envoy proxy (open-source project)
• Control plane component - istiod (contains all CRs)
• Control plane handles the data plane (the group of Envoy proxies)
• VirtualService (how to route to a given destination) and DestinationRule (add policies for that destination's traffic) handle svc-to-svc comms; used by the Envoy proxies, enforced by the istiod control plane
• Envoy proxies also publish telemetry data (Prometheus metrics)
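An added example (not from the talk) of the VirtualService / DestinationRule pair described above, covering the traffic-splitting and retry points: 90/10 split between two versions of a reviews service, retries on transient failures, and subset definitions with mesh mTLS and outlier ejection. The namespace shop, host name and version labels are assumed.

```yaml
# DestinationRule: policies for traffic *to* reviews, plus the named subsets
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: shop
spec:
  host: reviews.shop.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL          # sidecar-to-sidecar mTLS using Istio-issued certs
    outlierDetection:             # eject a pod from the pool after repeated 5xx
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 60s
  subsets:
    - name: v1
      labels:
        version: v1               # pod label selecting the stable release
    - name: v2
      labels:
        version: v2               # pod label selecting the canary
---
# VirtualService: how requests for reviews are routed, with retries done by Envoy
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
  namespace: shop
spec:
  hosts:
    - reviews.shop.svc.cluster.local
  http:
    - route:
        - destination:
            host: reviews.shop.svc.cluster.local
            subset: v1
          weight: 90
        - destination:
            host: reviews.shop.svc.cluster.local
            subset: v2
          weight: 10
      retries:
        attempts: 3
        perTryTimeout: 2s
        retryOn: connect-failure,refused-stream,503   # no retry logic in the app itself
      timeout: 10s
```

Shifting the canary forward is a change to the two weight values; istiod pushes the new config to every Envoy without restarting any pod.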
[Figure: Gateway directs traffic using a virtual service; steps shown: 2. Route traffic to correct svc, 3. Apply destination rules]
Let's talk about metrics - Prometheus :)
• Istio and other cloud-native infrastructure components generate metrics which can be used for proactive alerting, monitoring and reporting
• Options available for monitoring: Prometheus, TICK stack (Telegraf, InfluxDB, Chronograf, Kapacitor)
• Why Prometheus? One-stop solution with all components built in, uses a pull model to scrape metrics, and has a very good community
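To make the pull model and the "proactive alerting" point concrete, here is an added example (constructed, not from the talk) of a Prometheus job that discovers pods and scrapes the Envoy sidecar's metrics endpoint, plus an alerting rule on the istio_requests_total metric those sidecars publish. File paths, the job name and the 5% threshold are assumptions.

```yaml
# prometheus.yml: Prometheus pulls from every istio-proxy container it discovers
global:
  scrape_interval: 15s
  evaluation_interval: 15s
rule_files:
  - /etc/prometheus/rules/istio.yml
scrape_configs:
  - job_name: envoy-stats
    metrics_path: /stats/prometheus          # Envoy's Prometheus text endpoint
    kubernetes_sd_configs:
      - role: pod                            # targets come from the Kubernetes API, no app config
    relabel_configs:
      # keep only the sidecar's stats port (named http-envoy-prom, 15090)
      - source_labels: [__meta_kubernetes_pod_container_name]
        regex: istio-proxy
        action: keep
      - source_labels: [__meta_kubernetes_pod_container_port_name]
        regex: http-envoy-prom
        action: keep
      - source_labels: [__meta_kubernetes_namespace]
        target_label: namespace
      - source_labels: [__meta_kubernetes_pod_name]
        target_label: pod
---
# /etc/prometheus/rules/istio.yml: fire when a workload's server-side 5xx ratio
# stays above 5% for 10 minutes (reporter="destination" = measured at the callee)
groups:
  - name: istio-mesh
    rules:
      - alert: IstioWorkloadHigh5xxRate
        expr: |
          sum by (destination_workload_namespace, destination_workload) (
            rate(istio_requests_total{reporter="destination", response_code=~"5.."}[5m])
          )
          /
          sum by (destination_workload_namespace, destination_workload) (
            rate(istio_requests_total{reporter="destination"}[5m])
          ) > 0.05
        for: 10m
        labels:
          severity: warning
        annotations:
          summary: "{{ $labels.destination_workload_namespace }}/{{ $labels.destination_workload }} 5xx ratio above 5%"
```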