Istio Service Mesh Course Deck 1

Uploaded by lonka

Service Mesh with

Istio
Sevi Karakose
Instructor
Course Format

Course videos and labs


Objectives

Monoliths & Microservices
Service Mesh
Install Istio
Visualizing Istio with Kiali

Objectives

Gateways
Virtual Services
Destination Rules
Subsets
Timeouts
Retries
Circuit Breaking
Fault Injection
Request Routing
A/B Testing

Objectives

Authentication
Authorization
Certificate Management

Objectives

Viewing and Collecting Metrics
Kiali in Detail
Distributed Tracing
PRE-REQUISITES
Pre-Requisites

Kubernetes Services
Sidecars
Envoy Proxy
KUBERNETES SERVICES
Kubernetes Services

(Diagram: inside a KUBERNETES CLUSTER, the pods of a Frontend Deployment (pod addresses in 10.244.0.x) call a Backend Service at ClusterIP 10.96.0.12 instead of any single pod; the Service forwards to the pods of the Backend Deployment, POD-1 ... POD-10, so the frontend never needs to know which backend pod answers.)

Kubernetes Services

Service types: ClusterIP, NodePort, LoadBalancer

KUBERNETES ON YOUR LOCAL MACHINES
Two Popular Kubernetes Tools

kind
minikube (Hyperkit driver on macOS)

How to Install Minikube
Setting up Kubernetes Cluster with MiniKube

$ minikube start
😄 minikube v1.16.0 on Darwin 10.15.5
🎉 minikube 1.19.0 is available! Download it: https://github.com/kubernetes/minikube/releases/tag/v1.19.0
💡 To disable this notice, run: 'minikube config set WantUpdateNotification false'
✨ Automatically selected the docker driver
👍 Starting control plane node minikube in cluster minikube
🚜 Pulling base image ...
🔥 Creating docker container (CPUs=2, Memory=4000MB) ...
❗ This container is having trouble accessing https://k8s.gcr.io
💡 To pull new external images, you may need to configure a proxy: https://minikube.sigs.k8s.io/docs/reference/networking/proxy/
🐳 Preparing Kubernetes v1.20.0 on Docker 20.10.0 ...
▪ Generating certificates and keys ...
▪ Booting up control plane ...
▪ Configuring RBAC rules ...
🔎 Verifying Kubernetes components...
🌟 Enabled addons: storage-provisioner, default-storageclass
🏄 Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

Setting up Kubernetes Cluster with MiniKube

$ minikube addons enable ingress
Exiting due to MK_USAGE: Due to networking limitations of driver docker on darwin, ingress addon is not supported.
Alternatively to use this addon you can use a vm-based driver:

'minikube start --vm=true'

To track the update on this work in progress feature please check:
https://github.com/kubernetes/minikube/issues/7332

Setting up Kubernetes Cluster with MiniKube

$ minikube start --vm=true
😄 minikube v1.16.0 on Darwin 10.15.7
✨ Automatically selected the hyperkit driver
👍 Starting control plane node minikube in cluster minikube
🔥 Creating hyperkit VM (CPUs=2, Memory=4000MB, Disk=20000MB) ...
🐳 Preparing Kubernetes v1.20.0 on Docker 20.10.0 ...
▪ Generating certificates and keys ...
▪ Booting up control plane ...
▪ Configuring RBAC rules ...
🔎 Verifying Kubernetes components...
🌟 Enabled addons: storage-provisioner, default-storageclass
▪ Want kubectl v1.20.0? Try 'minikube kubectl -- get pods -A'
🏄 Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

$ minikube addons enable ingress
🔎 Verifying ingress addon...
🌟 The 'ingress' addon is enabled
SIDECARS
Sidecars

(Diagram: a POD holding a MAIN CONTAINER and a SIDECAR CONTAINER that share the pod's Storage and Network. Typical sidecar jobs shown: log shipping, file loading, monitoring.)

Sidecars

pod.yaml
apiVersion: v1          # header, metadata and volumes are assumed; the slide showed only the containers block
kind: Pod
metadata:
  name: nginx-with-log-sidecar
spec:
  containers:
  - name: nginx-container
    image: nginx
    volumeMounts:
    - name: shared-data
      mountPath: /usr/share/nginx/html
  - name: sidecar-container
    image: fluent/fluentd
    volumeMounts:
    - name: shared-data
      mountPath: /pod-data
  volumes:
  - name: shared-data   # the shared volume both containers mount
    emptyDir: {}
ENVOY

(Diagram: an Envoy Proxy placed beside the Application. The Application keeps the Business Logic; TLS, Auth and RETRY are drawn on the PROXY side. In pod terms this is the MAIN CONTAINER plus an ENVOY SIDECAR CONTAINER in the same POD.)
SECTION INTRODUCTION
Objectives

Monoliths & Microservices
What is a Service Mesh?
Installing Istioctl
Installing Istio on Your Cluster
Deploying Our First App with Istio
Visualizing Service Mesh with Kiali
Installing Kiali
Create Traffic Into Your Mesh
MONOLITHS & MICROSERVICES
Software Development until the 2000s
Agile Manifesto

"We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:"

Individuals & Interactions over Processes and Tools
Working Software over Comprehensive Documentation
Customer Collaboration over Contract Negotiation
Responding to Change over Following a plan

"That is, while there is value in the items on the right, we value the items on the left more."

Agile Practices
Monolithic Applications

(Diagram: Module 1, Module 2, Module 3 and Module 4 packaged as one deployable unit over a single DB.)

A Monolithic Book Info App

(Diagram: Product Page, Details, Reviews and Ratings as modules of one application over a single DB.)

A Monolithic Book Info App

(Diagram: the same application after growth: Reviews and a Reviews v2, Details, Ratings, Product Page and a new Campaign module, plus cross-cutting code for Authentication, Authorization, Networking, Logging, Monitoring and Tracing, all in one deployable over one DB.)

A Big Ball of Mud

(Diagram: the same overgrown monolith, now labelled "a big ball of mud".)

A Microservices Book Info App

(Diagram: Product Page, Details, Reviews and Ratings split into separate services.)

A Microservices Book Info App

(Diagram: Product Page with Details, Ratings and three versions of the reviews service, Reviews v1, Reviews v2 and Reviews v3, running side by side.)
Pros of Microservices

Scalability
Faster, smaller releases
Technology- and language-agnostic development lifecycle
Independent and easy-to-understand services
System resiliency and isolation
A Monolithic Book Info App

(Diagram: Details, Reviews, Ratings and Product Page with Authentication, Authorization, Networking, Logging, Monitoring and Tracing implemented once, inside the monolith, over one DB.)

A Microservices Book Info App

(Diagram: Product Page, Details, Reviews (three versions) and Ratings as separate services; Authentication, Authorization, Networking, Logging, Monitoring and Tracing now have to be provided for each of them.)

A Problem: Fat Microservices

(Diagram: each of Product Page, Details, Reviews and Ratings re-implements Authentication, Authorization, Networking, Logging, Monitoring and Tracing itself, so the same cross-cutting code is duplicated four times.)

Cons of Microservices

Complex Service Networking
Security
Observability
Overload for Traditional Operation Models
SERVICE MESH

(Diagram: the fat-microservices picture again: Authentication, Authorization, Networking, Logging, Monitoring and Tracing duplicated inside Product Page, Details, Reviews and Ratings.)

(Diagram: the same concerns moved out of each service into a Proxy that sits beside each of Product Page, Details, Reviews and Ratings. The proxies together form the Data Plane; a Control Plane above them configures the proxies.)
What is Service Mesh?

A service mesh is a dedicated, configurable infrastructure layer that handles the communication between services in a microservice architecture without requiring changes to the services' code.
What is Service Mesh Responsible For?

Traffic Management
Security
Observability
Service Discovery
• Discovery
• Health Check
• Load Balancing

(Diagram: the Proxy beside each of Product Page, Details, Reviews and Ratings carries Authentication, Authorization, Networking, Monitoring, Logging and Tracing.)
ISTIO

(Diagram: in Istio the per-service Proxy is ENVOY. An Envoy beside each of Product Page, Details, Reviews and Ratings carries Authentication, Authorization, Networking, Monitoring, Logging and Tracing; the Envoys are the Data Plane, configured by the Istio Control Plane.)

Control Plane: Istiod (Citadel, Pilot, Galley)
Data Plane: an Istio Agent and an ENVOY proxy in every workload pod

(Diagram: Istio Agent + ENVOY beside each of Product Page, Details, Reviews and Ratings.)
INSTALLING ISTIOCTL
Installing istioctl

$ curl -L https://istio.io/downloadIstio | sh -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   102  100   102    0     0    123      0 --:--:-- --:--:-- --:--:--   123
100  4573  100  4573    0     0   3606      0  0:00:01  0:00:01 --:--:--  3606

Downloading istio-1.9.4 from https://github.com/istio/istio/releases/download/1.9.4/istio-1.9.4-osx.tar.gz ...
Istio 1.9.4 Download Complete!

Istio has been successfully downloaded into the istio-1.9.4 folder on your system.

Next Steps:
See https://istio.io/latest/docs/setup/install/ to add Istio to your Kubernetes cluster.

To configure the istioctl client tool for your workstation,
add the /Users/sevikarakose/Downloads/istio-1.9.4/bin directory to your environment path variable with:
export PATH="$PATH:/Users/sevikarakose/Downloads/istio-1.9.4/bin"

Begin the Istio pre-installation check by running:
istioctl x precheck

Need more information? Visit https://istio.io/latest/docs/setup/install/

Installing istioctl

$ cd istio-1.10.0
$ ls
LICENSE  README.md  bin  manifest.yaml  manifests  samples  tools

$ export PATH=$PWD/bin:$PATH

$ istioctl verify-install
0 Istio control planes detected, checking --revision "default" only
0 Istio injectors detected
Error: could not load IstioOperator from cluster: the server could not find the requested resource. Use --filename
INSTALLING ISTIO ON YOUR CLUSTER

Install with Istio Operator
Install with Istioctl
Install with Helm

Install with Istioctl

$ istioctl install --set profile=demo -y
Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/v1.9/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Installation complete

(Diagram: the istio-system namespace now contains istio-ingressgateway, Istiod and istio-egressgateway.)

$ istioctl verify-install
1 Istio control planes detected, checking --revision "default" only
✔ Deployment: istio-ingressgateway.istio-system checked successfully
✔ PodDisruptionBudget: istio-ingressgateway.istio-system checked successfully
✔ Role: istio-ingressgateway-sds.istio-system checked successfully
✔ RoleBinding: istio-ingressgateway-sds.istio-system checked successfully
✔ Service: istio-ingressgateway.istio-system checked successfully
✔ ServiceAccount: istio-ingressgateway-service-account.istio-system checked successfully
✔ Deployment: istio-egressgateway.istio-system checked successfully
✔ PodDisruptionBudget: istio-egressgateway.istio-system checked successfully
✔ Role: istio-egressgateway-sds.istio-system checked successfully
✔ RoleBinding: istio-egressgateway-sds.istio-system checked successfully
✔ Service: istio-egressgateway.istio-system checked successfully
✔ ServiceAccount: istio-egressgateway-service-account.istio-system checked successfully
✔ ClusterRole: istiod-istio-system.istio-system checked successfully
...
✔ EnvoyFilter: tcp-stats-filter-1.9.istio-system checked successfully
Checked 12 custom resource definitions
Checked 3 Istio Deployments
✔ Istio is installed and verified successfully
DEPLOYING OUR FIRST APPLICATION WITH ISTIO

$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
deployment.apps/details-v1 created
deployment.apps/ratings-v1 created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
deployment.apps/productpage-v1 created
...

(Diagram: Product Page, Details, Reviews v1, Reviews v2, Reviews v3 and Ratings deployed in the default namespace.)

$ kubectl get pods -A
NAMESPACE   NAME                               READY   STATUS    RESTARTS   AGE
default     details-v1-66b6955995-zgrd8        1/1     Running   0          6m57s
default     productpage-v1-5d9b4c9849-dckrt    1/1     Running   0          6m57s
default     ratings-v1-fd78f799f-s94cc         1/1     Running   0          6m58s
default     reviews-v1-6549ddccc5-bxv4n        1/1     Running   0          6m58s
default     reviews-v2-76c4865449-2qmhj        1/1     Running   0          6m58s
default     reviews-v3-6b554c875-vbf8v         1/1     Running   0          6m58s

(Diagram: every pod is READY 1/1, so there is no sidecar yet; each of Product Page, Details, Reviews v1/v2/v3 and Ratings is drawn with a "Proxy ?" placeholder.)

$ istioctl analyze
Info [IST0102] (Namespace default) The namespace is not enabled for Istio injection. Run 'kubectl label namespace default istio-injection=enabled' to enable it, or 'kubectl label namespace default istio-injection=disabled' to explicitly mark it as not needing injection.

(Diagram: namespaces in the cluster: kube-system, default, hr, payroll. Book Info lives in default.)

$ kubectl delete -f samples/bookinfo/platform/kube/bookinfo.yaml
service "details" deleted
serviceaccount "bookinfo-details" deleted
service "ratings" deleted
serviceaccount "bookinfo-ratings" deleted
serviceaccount "bookinfo-reviews" deleted
service "productpage" deleted
serviceaccount "bookinfo-productpage" deleted

$ kubectl label namespace default istio-injection=enabled
namespace/default labeled

(Diagram: the default namespace now carries the label istio-injection=enabled.)

$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
deployment.apps/details-v1 created
deployment.apps/ratings-v1 created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
deployment.apps/productpage-v1 created
...

$ istioctl analyze
✔ No validation issues found when analyzing namespace: default.

$ kubectl get pods
NAME                               READY   STATUS    RESTARTS   AGE
details-v1-5f449bdbb9-vrgzh        2/2     Running   0          26s
productpage-v1-6f9df695b7-cx259    2/2     Running   0          26s
ratings-v1-857bb87c57-hmpfd        2/2     Running   0          26s
reviews-v1-68f9c47f69-cbj7c        2/2     Running   0          26s
reviews-v2-5d56c488f5-wb4v7        2/2     Running   0          26s
reviews-v3-869ff44845-h5fpf        2/2     Running   0          26s

(Diagram: every pod is now READY 2/2: each of Product Page, Details, Reviews v1/v2/v3 and Ratings in the istio-injection=enabled default namespace has a Proxy sidecar.)
VISUALIZING SERVICE MESH WITH KIALI

Define, Validate, Observe

INSTALLING KIALI

$ kubectl apply -f samples/addons
$ kubectl rollout status deployment/kiali -n istio-system
monitoringdashboard.monitoring.kiali.io/springboot-jvm created
monitoringdashboard.monitoring.kiali.io/springboot-tomcat created
monitoringdashboard.monitoring.kiali.io/thorntail created
monitoringdashboard.monitoring.kiali.io/tomcat created
monitoringdashboard.monitoring.kiali.io/vertx-client created
monitoringdashboard.monitoring.kiali.io/vertx-eventbus created
monitoringdashboard.monitoring.kiali.io/vertx-jvm created
monitoringdashboard.monitoring.kiali.io/vertx-pool created
monitoringdashboard.monitoring.kiali.io/vertx-server created
serviceaccount/prometheus created
configmap/prometheus created
clusterrole.rbac.authorization.k8s.io/prometheus created
clusterrolebinding.rbac.authorization.k8s.io/prometheus created
service/prometheus created
deployment.apps/prometheus created
Waiting for deployment "kiali" rollout to finish: 0 of 1 updated replicas are available...
deployment "kiali" successfully rolled out

$ kubectl -n istio-system get svc kiali
NAME    TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)              AGE
kiali   ClusterIP   10.96.6.123   <none>        20001/TCP,9090/TCP   3m42s

$ istioctl dashboard kiali
http://localhost:20001/kiali
CREATE TRAFFIC INTO YOUR MESH

$ istioctl analyze
✔ No validation issues found when analyzing namespace: default.

$ minikube ip
192.168.64.6

$ export INGRESS_HOST=$(minikube ip)

$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
$ export TCP_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="tcp")].nodePort}')

$ curl "http://$INGRESS_HOST:$INGRESS_PORT/productpage"
<!DOCTYPE html>
<html>
<head>
<title>Simple Bookstore App</title>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">

<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="static/bootstrap/css/bootstrap.min.css">

<!-- Optional theme -->
<link rel="stylesheet" href="static/bootstrap/css/bootstrap-theme.min.css">

</head>
<body>

$ while sleep 0.01; do curl -sS 'http://'"$INGRESS_HOST"':'"$INGRESS_PORT"'/productpage' &> /dev/null; done

$ kubectl delete deployments/productpage-v1
deployment.apps "productpage-v1" deleted
TRAFFIC MANAGEMENT
Traffic Management

Gateways
Virtual Services
Destination Rules
Subsets
Timeouts
Retries
Circuit Breaking
Fault Injection
Request Routing
A/B Testing
GATEWAYS
Kubernetes Ingress

(Diagram: a request for http://bookinfo.app enters through a Kubernetes ingress and reaches Product Page, with Details, Reviews v1/v2/v3 and Ratings behind it.)

Kubernetes Ingress

bookinfo-ingress.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress
spec:
  rules:
  - host: bookinfo.app
    http:
      paths:
      - path: /
        backend:
          serviceName: productpage
          servicePort: 8000
Istio Gateway

(Diagram: the same Book Info services, now behind an istio ingress gateway instead of the Kubernetes ingress.)

Istio Gateway

(Diagram: the istio-system namespace with istio-ingressgateway, Istiod and istio-egressgateway.)

Istio Gateway

(Diagram: several gateway controllers can run side by side: the default istio-ingress gateway (controller), a custom-ingress gateway (controller), a custom-2-ingress gateway (controller) and the istio-egress gateway (controller), all around the Book Info services.)

Istio Gateway

bookinfo-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "bookinfo.app"

(Diagram: the selector istio: ingressgateway binds bookinfo-gateway to the istio-ingress gateway (controller), not to custom-ingress or custom-2-ingress.)

$ kubectl apply -f bookinfo-gateway.yaml
gateway.networking.istio.io/bookinfo-gateway created

Istio Gateway

$ kubectl get gateway
NAME               AGE
bookinfo-gateway   9d

$ kubectl describe gateway bookinfo-gateway
Name:         bookinfo-gateway
Namespace:    default
Labels:       <none>
Annotations:
API Version:  networking.istio.io/v1beta1
Kind:         Gateway
...
Spec:
  Selector:
    Istio:  ingressgateway
  Servers:
    Hosts:
      *
    Port:
      Name:      http
      Number:    80
      Protocol:  HTTP
Events:  <none>
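The gateway above only exposes port 80 in cleartext. As an added example (not one of the course deck's files), here is the same bookinfo-gateway extended so that the ingress gateway terminates TLS and redirects plain HTTP. It assumes a Kubernetes TLS secret named bookinfo-credential has been created in istio-system; the secret name is an assumption.

```yaml
# Added example, not from the course deck: bookinfo-gateway with TLS termination.
# Assumes: kubectl create -n istio-system secret tls bookinfo-credential \
#            --key=<key file> --cert=<cert file>   (secret name is an assumption)
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway          # bind to the default istio-ingress gateway controller
  servers:
  # Port 80 stays open only to redirect: httpsRedirect makes Envoy answer
  # 301 for plain-HTTP requests instead of serving the application in cleartext.
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "bookinfo.app"
    tls:
      httpsRedirect: true
  # Port 443 terminates TLS at the gateway; the gateway's SDS agent reads the
  # certificate and key from the named secret, nothing is mounted into the pod.
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "bookinfo.app"               # explicit host: a "*" here would accept any SNI/Host value
    tls:
      mode: SIMPLE
      credentialName: bookinfo-credential
```

The bookinfo VirtualService on the following slides binds to this gateway unchanged through gateways: [bookinfo-gateway]; after applying it, the $SECURE_INGRESS_PORT exported earlier in the deck is the port to test against, and a request to $INGRESS_PORT should come back as a 301 to the https URL.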
VIRTUAL SERVICES
Istio Virtual Services

(Diagram: the URLs http://bookinfo.app/productpage, http://bookinfo.app/static/*, http://bookinfo.app/login, http://bookinfo.app/logout and http://bookinfo.app/api/v1/products arrive at the istio-ingress gateway (controller) through bookinfo-gateway; a Virtual Service sends them to Product Page, with Details, Reviews v1/v2/v3 and Ratings behind it.)

Istio Virtual Services

virtual-service1.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "bookinfo.app"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080

(Diagram: the five matched paths all route to Product Page through the Virtual Service bound to bookinfo-gateway.)
(Diagram: Product Page calls the reviews Service, which spreads requests over Reviews v1, Reviews v2 and Reviews v3.)

review-v1-deployment.yaml / review-v2-deployment.yaml / review-v3-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: reviews-v1          # reviews-v2 and reviews-v3 in the other two files
spec:
  replicas: 1
  <...>
  template:
    metadata:
      labels:
        app: reviews
        version: v1         # v2 and v3 in the other two files

review-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: reviews
spec:
  ports:
  - port: 9080
    name: http
  selector:
    app: reviews

(Diagram: the reviews Service selects every pod labelled app: reviews, whatever its version, so the share each version receives follows the replica count. The slides show the shares 100%, 75%, 60%, 50%, 42%, 25%, 20% and 16% as the counts change.)

$ kubectl scale deployment reviews-v3 --replicas=3
deployment.apps/reviews-v3 scaled

(Diagram: with three v3 replicas against one each of v1 and v2, roughly 60% of traffic reaches Reviews v3 and 20% each reaches Reviews v1 and Reviews v2.)

$ kubectl scale deployment reviews-v2 --replicas=0
deployment.apps/reviews-v2 scaled
$ kubectl scale deployment reviews-v1 --replicas=0
deployment.apps/reviews-v1 scaled

(Diagram: with v1 and v2 scaled to zero, 100% of reviews traffic reaches Reviews v3. A plain Kubernetes Service cannot express a split such as 99% to v1 and 1% to v2; that needs a Virtual Service in front of the reviews Service.)

review-service.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 99
    - destination:
        host: reviews
        subset: v2
      weight: 1

(Diagram: Product Page sends requests to the reviews Virtual Service, which routes 99% to subset v1 (Reviews v1) and 1% to subset v2 (Reviews v2); Reviews v3 receives nothing.)
DESTINATION RULES

review-destination.yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews-destination
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2

review-service.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 99
    - destination:
        host: reviews
        subset: v2
      weight: 1

review-v1-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: reviews-v1
spec:
  replicas: 3
  <...>
  template:
    metadata:
      labels:
        app: reviews
        version: v1

(Diagram: the subsets v1 and v2 in the DestinationRule resolve to the pods labelled version: v1 and version: v2, so the Virtual Service's 99/1 split lands on Reviews v1 and Reviews v2 regardless of how many replicas each has.)

review-destination.yaml (load balancing)
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews-destination
spec:
  host: reviews
  trafficPolicy:
    loadBalancer:
      simple: PASSTHROUGH
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
    trafficPolicy:
      loadBalancer:
        simple: RANDOM

Simple Algorithms: ROUND_ROBIN, LEAST_CONN, RANDOM, PASSTHROUGH

(Diagram: the same 99/1 Virtual Service in front of Reviews v1 and Reviews v2; the subset-level trafficPolicy on v2 overrides the host-level one.)

review-destination.yaml (TLS)
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews-destination
spec:
  host: reviews.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: SIMPLE

alternatively, client-authenticated TLS with certificates from files:
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /myclientcert.pem
      privateKey: /client_private_key.pem
      caCertificates: /rootcacerts.pem

(Diagram: the same 99/1 Virtual Service in front of Reviews v1 and Reviews v2, now with the connection to reviews.default.svc.cluster.local upgraded to TLS by the DestinationRule.)
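The TLS DestinationRule above uses SIMPLE (server-authenticated) TLS or MUTUAL with certificate files that have to be mounted into the sidecar. As an added example, not one of the deck's files, the same rule with mode ISTIO_MUTUAL, which makes the sidecar use the workload certificate Istiod issues for the pod's service account, so no key material is mounted by hand. The namespace default is assumed from where the deck deployed Book Info.

```yaml
# Added example, not from the course deck: reviews DestinationRule with Istio-managed mTLS.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews-destination
  namespace: default         # assumed: the deck deploys Book Info into default
spec:
  host: reviews.default.svc.cluster.local
  trafficPolicy:
    tls:
      # ISTIO_MUTUAL: the client sidecar presents the SPIFFE certificate issued by
      # Istiod for its service account and verifies the server against the mesh
      # root CA. No clientCertificate/privateKey/caCertificates paths, so there is
      # nothing to rotate on disk and no cert to leak through a volume mount.
      mode: ISTIO_MUTUAL
    loadBalancer:
      simple: LEAST_CONN
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
```

The deck's 99/1 Virtual Service keeps working unchanged against these subsets. The origin-side setting pairs with a PeerAuthentication policy on the server side, covered in the Security section: ISTIO_MUTUAL here decides what the client offers, PeerAuthentication decides what the server accepts.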
An Example With Fully Qualified Domain Names

virtual-service.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: productpage
  namespace: default
spec:
  hosts:
  - productpage.prod.svc.cluster.local
  http:
  - timeout: 5s
    route:
    - destination:
        host: productpage.prod.svc.cluster.local
FAULT INJECTION
Istio Virtual Services

(Diagram: a second Virtual Service, reviews, sits between Product Page and Reviews v1/v2/v3, downstream of the istio-ingress gateway (controller), bookinfo-gateway and the bookinfo Virtual Service; Details and Ratings are unchanged.)

fault-injection.yaml (delay)
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
  - my-service
  http:
  - fault:
      delay:
        percentage:
          value: 0.1
        fixedDelay: 5s
    route:
    - destination:
        host: my-service
        subset: v1

fault-injection.yaml (abort)
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
  - my-service
  http:
  - fault:
      abort:
        percentage:
          value: 0.1
        httpStatus: 400
    route:
    - destination:
        host: my-service
        subset: v1
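Both faults above apply to a share of all traffic to the host. As an added example (not from the deck), here is the delay scoped to requests that carry an opt-in header, so a resilience test never slows down ordinary users, combined with the deck's 99/1 reviews routing for everything else. The header name x-chaos-test is an assumption.

```yaml
# Added example, not from the course deck: header-scoped fault injection on reviews.
# Header name "x-chaos-test" is an assumption.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  # Rule 1: Istio evaluates rules top to bottom; only requests carrying the
  # test header reach this rule's fault. Nothing else is delayed.
  - match:
    - headers:
        x-chaos-test:
          exact: "true"
    fault:
      delay:
        percentage:
          value: 100.0        # percentage.value ranges 0.0-100.0: the deck's 0.1 means
        fixedDelay: 7s        # 0.1% of requests, not 10%; 100.0 delays every matched request
    route:
    - destination:
        host: reviews
        subset: v2
  # Rule 2: the deck's normal 99/1 split for all other traffic, untouched.
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 99
    - destination:
        host: reviews
        subset: v2
      weight: 1
```

Sending a request with and without the header through Product Page (curl -H 'x-chaos-test: true' against the ingress URL from earlier in the deck) shows the 7 s delay only on the tagged request; the fault is visible in Kiali as the reviews response time for that call.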
TIMEOUTS

(Diagram: Book Info behind the istio-ingress gateway (controller), bookinfo-gateway and the bookinfo Virtual Service, with a second Virtual Service in front of Reviews v1/v2/v3, Details and Ratings.)

Timeouts

(Diagram: the same topology; the timeout is set on the bookinfo Virtual Service while a delay is injected on the details Virtual Service.)

book-info.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "bookinfo.app"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    <code hidden>
    route:
    - destination:
        host: productpage
        port:
          number: 9080
    timeout: 3s

details-service.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: details
spec:
  hosts:
  - details
  http:
  - route:
    - destination:
        host: details
        subset: v1
    fault:
      delay:
        fixedDelay: 5s
        percent: 50
RETRIES
Istio Virtual Services

(Diagram: Product Page calls Reviews v1/v2/v3 through the reviews Virtual Service; one attempt comes back 500, the retried attempt comes back 200.)

Virtual-service-timeout.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
  - my-service
  http:
  - route:
    - destination:
        host: my-service
        subset: v1
    retries:
      attempts: 3
      perTryTimeout: 2s

ISTIO DEFAULTS
2 retries before returning an error
25ms+ intervals after 1st fail
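The Timeouts and Retries slides each show one knob in isolation. As an added example (not from the deck), here they are on one route for the ratings service, with the retry conditions narrowed so that only failures that are safe to repeat are retried, and with the overall timeout sized to the retry budget.

```yaml
# Added example, not from the course deck: timeout and retries on one route.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ratings
spec:
  hosts:
  - ratings
  http:
  - route:
    - destination:
        host: ratings
        subset: v1
    # Budget for the whole request including retries. attempts: 2 means up to
    # 3 tries of at most 2s each, so 6s is the longest the caller can wait;
    # a shorter timeout would cut the last retry off.
    timeout: 6s
    retries:
      attempts: 2
      perTryTimeout: 2s
      # Retry only when the request provably never reached the application
      # (connection refused/reset, stream refused) or the upstream said it was
      # overloaded (503). A bare "5xx" would also retry a request that the
      # upstream may already have processed, which matters for non-idempotent calls.
      retryOn: connect-failure,refused-stream,reset,503
```

With the deck's fault-injection abort set to httpStatus: 500 on ratings, this route does not retry (500 is not in retryOn), which is the point: the retry policy is a deliberate allow-list, not a blanket "try again".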
CIRCUIT BREAKING
Istio Circuit Breaking

(Diagram: Book Info behind the istio-ingress gateway (controller), bookinfo-gateway and the bookinfo Virtual Service, with the reviews Virtual Service in front of Reviews v1/v2/v3.)

Circuit Breaking

circuit-breaking.yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: productpage
spec:
  host: productpage
  subsets:
  - name: v1
    labels:
      version: v1
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 3
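The deck's rule caps TCP connections only. As an added example (not one of the deck's files), here is the same productpage DestinationRule with the HTTP-level limits that make the breaker trip under load and with outlier detection, which is the other half of circuit breaking: a pod that keeps returning 5xx is taken out of the load-balancing set for a while.

```yaml
# Added example, not from the course deck: connection limits plus outlier detection.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: productpage
spec:
  host: productpage
  subsets:
  - name: v1
    labels:
      version: v1
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 3             # the deck's setting
      http:
        http1MaxPendingRequests: 1    # requests queued beyond this get an immediate 503
        maxRequestsPerConnection: 1   # no keep-alive reuse, so the limits apply per request
    outlierDetection:
      consecutive5xxErrors: 5         # eject a pod after 5 consecutive 5xx responses
      interval: 10s                   # how often Envoy sweeps for outliers
      baseEjectionTime: 30s           # first ejection lasts 30s, longer on repeat offences
      maxEjectionPercent: 50          # never eject more than half the pods at once
```

A 503 from the sidecar with the response flag UO (upstream overflow) in the Envoy access log is the breaker tripping on the connection pool; ejections show up in the pilot/Envoy cluster stats as outlier_detection.ejections_active, and Kiali marks the affected workload with a circuit-breaker icon.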
REQUEST ROUTING
Request Routing

(Diagram, ISTIO SERVICE MESH: the Istio Ingress Gateway feeds a Virtual Service for Product Page; further Virtual Services sit in front of Reviews (v1, v2, v3), Details and Ratings.)

Request Routing

request-routing.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1

(The same request-routing.yaml is shown on three consecutive slides, pinning all reviews traffic to subset v1.)
A/B TESTING

(Diagram: the weighted reviews Virtual Service used for A/B testing: Product Page's requests go 99% to subset v1 (Reviews v1) and 1% to subset v2 (Reviews v2); Reviews v3 receives nothing.)

review-service.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 99
    - destination:
        host: reviews
        subset: v2
      weight: 1
SECTION INTRODUCTION
Security

Security in Istio
Istio Security Architecture
Authentication
Authorization
Mutual TLS
Certificate Management

SECURITY IN ISTIO

Encryption
Mutual TLS
Audit Logs

(Diagram: Book Info behind the istio-ingress gateway (controller) and bookinfo-gateway, plus an httpbin workload.)

ISTIO SECURITY ARCHITECTURE
Istio Security Architecture

(Diagram from https://istio.io/latest/docs/concepts/security/: security Configuration enters through the APIServer and is distributed by the control plane.)
AUTHENTICATION

Peer Authentication
Request Authentication

(Diagram: peer authentication covers the service-to-service calls inside the mesh, Product Page to Details, Reviews v1/v2/v3 and Ratings. Request authentication validates an end-user JWT arriving at Product Page, issued by a provider such as ORY Hydra, Keycloak, Firebase or Google.)

Peer Authentication

example-peer-authentication.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "example-peer-policy"
  namespace: "book-info"
spec:
  selector:
    matchLabels:
      app: reviews
  mtls:
    mode: STRICT

(Diagram: the policy applies only to the Reviews pods selected by app: reviews; Product Page, Details and Ratings are not affected.)

Peer Authentication

Workload-specific policy: a selector inside the policy, as above
Namespace-wide policy: the same policy without a selector, in namespace "book-info"
Mesh-wide policy: the same policy without a selector, in namespace "istio-system"
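As an added example (not one of the deck's files), the three scopes combined the way they are usually deployed: a mesh-wide STRICT policy as the baseline, plus a workload-specific exception that keeps one port PERMISSIVE during a migration. The namespace default and the app: ratings label follow the deck's Book Info deployment; the need for a plaintext port 9080 on ratings is an assumption for the example.

```yaml
# Added example, not from the course deck: mesh-wide STRICT with a narrower exception.
---
# Mesh-wide baseline: no selector, placed in the root namespace istio-system.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT            # sidecars reject any peer that does not present an Istio mTLS cert
---
# Workload-specific exception: the ratings pods still accept plaintext on 9080
# (assumed: a client outside the mesh during migration) while every other port
# stays STRICT. The most specific matching policy wins: workload over namespace
# over mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: ratings-legacy-port
  namespace: default        # assumed: where the deck deployed Book Info
spec:
  selector:
    matchLabels:
      app: ratings
  mtls:
    mode: STRICT
  portLevelMtls:
    9080:
      mode: PERMISSIVE      # accepts both mTLS and plaintext on this port only
```

The exception is the thing to watch in review: once the outside client is migrated, deleting ratings-legacy-port returns the workload to the mesh-wide STRICT baseline without touching anything else. istioctl analyze reports a policy whose selector matches no workload, which is the usual sign that such an exception has outlived its purpose.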
AUTHORIZATION
Authorization

(Diagram: requests using the HTTP methods GET, POST, PATCH and DELETE reach Book Info through the istio-ingress gateway (controller) and bookinfo-gateway.)

Authorization Actions

(Diagram: an authorization policy's action is one of ALLOW, DENY, AUDIT or CUSTOM, evaluated against the incoming GET, POST, PATCH and DELETE requests.)

auth-policy.yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authdenypolicy
  namespace: bookinfo
spec:
  action: DENY
  rules:
  - from:
    - source:
        namespaces: ["bar"]
    to:
    - operation:
        methods: ["POST"]

(Diagram: with this policy in place, POST requests originating in namespace bar are denied in front of Product Page and Details; GET and PATCH pass through.)
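The deck's policy denies one method from one namespace and leaves everything else open. As an added example (not from the deck), here is the usual deny-by-default layout: an empty ALLOW policy that rejects all traffic in the namespace, followed by explicit ALLOW policies keyed on the caller's identity. The service account names bookinfo-productpage and istio-ingressgateway-service-account appear in the deck's own kubectl output; the namespace default is where the deck deployed Book Info.

```yaml
# Added example, not from the course deck: deny-by-default plus identity-based allows.
---
# An ALLOW policy with no rules matches nothing, so every request to every
# workload in the namespace is rejected unless another ALLOW policy permits it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: default
spec: {}
---
# Product Page may only be reached from the ingress gateway's identity.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-allow-ingress
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
    to:
    - operation:
        methods: ["GET"]
---
# Only Product Page's service account may call reviews, and only with GET.
# The principal is the SPIFFE identity Istio puts in the client certificate,
# so this rule only has meaning when the peer connection is mTLS (STRICT):
# a plaintext caller has no principal and is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-allow-productpage
  namespace: default
spec:
  selector:
    matchLabels:
      app: reviews
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
    to:
    - operation:
        methods: ["GET"]
```

Details and ratings need the same treatment (an ALLOW from bookinfo-productpage and from bookinfo-reviews respectively, not shown) or they stay blocked by deny-all; the page renders with "Error fetching product details" until they are added, which is a useful confirmation that the default really is deny. Denied requests appear in the sidecar access log with response code 403 and the response flag "rbac_access_denied".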
CERTIFICATE MANAGEMENT
Certificate Management

(Diagram from https://istio.io/latest/docs/concepts/security/: the Istio agent in the workload pod sends a CSR to Istiod, which signs it and returns the cert to the agent for the Envoy proxy.)

Lab

OBSERVABILITY
Observability

Visualizing Metrics with Prometheus and Grafana
Distributed Tracing with Jaeger
Kiali in Detail

Lab
METRICS VISUALIZING WITH PROMETHEUS AND GRAFANA
Lab
DISTRIBUTED TRACING WITH JAEGER
Lab
KIALI IN DETAIL
Kiali in Detail
Overview
Graph
$ kubectl delete service/details
service "details" deleted

Graph

$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
service/details created
serviceaccount/bookinfo-details unchanged
deployment.apps/details-v1 unchanged
service/ratings unchanged
serviceaccount/bookinfo-ratings unchanged
deployment.apps/ratings-v1 unchanged
service/reviews unchanged
serviceaccount/bookinfo-reviews unchanged
deployment.apps/reviews-v1 unchanged
deployment.apps/reviews-v2 unchanged
deployment.apps/reviews-v3 unchanged
service/productpage unchanged
serviceaccount/bookinfo-productpage unchanged
deployment.apps/productpage-v1 unchanged
Graph

The App Graph
The Workload Graph
The Versioned App Graph
The Service Graph
Replay An Issue Back in Time
Applications & Workloads & Services
Istio Config
Istio Wizards

A QUICK NOTE ON SERVICE MESH INTERFACE
Service Mesh Interface

https://smi-spec.io/
https://github.com/servicemeshinterface/smi-spec

CONCLUSION
Thank You!