Christian Posta, profile picture
Uploaded byChristian Posta
PPTX, PDF1,431 views

Multicluster Kubernetes and Service Mesh Patterns

This document discusses multi-cluster Kubernetes and service mesh patterns, emphasizing challenges such as team velocity, decentralization, security, and compliance. It details the benefits of using smaller clusters, cluster federation, and the Envoy proxy for communication and traffic management. Additionally, it explores various patterns for network communication and considerations for implementing service meshes across clusters.

Downloaded 45 times
Multi-Cluster Kubernetes and Service Mesh Patterns Christian Posta Field CTO – Solo.io
2 | Copyright © 2020 CHRISTIAN POSTA Global Field CTO, Solo.io @christianposta christian@solo.io https://blog.christianposta.com https://slideshare.net/ceposta
3 | Copyright © 2020 Challenges • Improve velocity of teams building and delivering code • Decentralized implementations vs centralized operations • Connect and include existing systems and investments • Improve security posture • Stay within regulations and compliance
4 | Copyright © 2020 More, smaller clusters • High availability • Compliance • Isolation / Autonomy • Scale • Data locality, cost • Public/DMZ/Private networks
5 | Copyright © 2020 Multiple clusters • Exact replicas of each other, same fleet? • Separate, non-uniform deployments? • Single operational/administrative control • Segmented by network? Segmented by team? • Independent administration?
6 | Copyright © 2020 Cluster federation • Autonomous clusters • Different organizational/network/administrative boundaries • Share pieces of configuration • For those shared pieces, treat union as a single unit • Uses an orchestrator to stitch together policies for federation
7 | Copyright © 2020 Example: Kubefed Cluster 1 Cluster 2 Cluster 0 Kubefed CP Federated Resources watches Federate to clusters https://github.com/kubernetes-sigs/kubefed
8 | Copyright © 2020 Example: Kubefed apiVersion: types.kubefed.io/v1beta1 kind: FederatedService metadata: name: echo-server spec: placement: clusterSelector: matchLabels: {} template: metadata: labels: app: echo-server spec: ports: - name: http port: 8080 selector: app: echo-server
9 | Copyright © 20209 | Copyright © 2020 Demo Simple Kubernetes federation
10 | Copyright © 2020 Services need to communicate with each other
11 | Copyright © 2020 Pattern: flat network across pods Account User Products Cluster 1 Cluster 2 History
12 | Copyright © 2020 Pattern: Different network, expose all services Account User Products Cluster 1 Cluster 2 History
13 | Copyright © 2020 Pattern: Different network, controlled gateway Account User Products Cluster 1 Cluster 2 History
14 | Copyright © 2020 Forces to balance • Security (authz/authn/encryption/identity) • Service discovery • Failover / traffic shifting / transparent routing • Observability • Separate networks • Well-defined fault domains • Building for scale
15 | Copyright © 2020 Could you build these patterns just using Kubernetes?
16 | Copyright © 2020 Service Mesh can help
17 | Copyright © 2020 Envoy is the magic behind service mesh http://envoyproxy.io
18 | Copyright © 2020 Envoy implements: • zone aware, priority/locality load balancing • circuit breaking, outlier detection • timeouts, retries, retry budgets • traffic shadowing • request racing • rate limiting • RBAC, TLS origination/termination • access logging, statistics collection
19 | Copyright © 2020 Envoy to do application networking heavy lifting Account work load work load work load mTLS • Transparent client-side routing decisions • TLS orig/termination • Circuit breaking • Stats collection
20 | Copyright © 2020 Envoy as backbone for multi-cluster communication federation Account User Cluster 1 Cluster 2 Products History User
21 | Copyright © 2020 Other key Envoy proxying features • Request hedging • Retry Budgets • Load balancing priorities • Locality weighted load balancing • Zone aware routing • Degraded endpoints (fallback) • Aggregated clusters
22 | Copyright © 2020 Exploring Envoy failover routing capabilities: Request racing Account work load work load work load Calls http://products.service/ work load work load us-west-1 us-west-2 Timeout Race request First to return is the response to the caller
23 | Copyright © 2020 Exploring Envoy failover routing capabilities: Zone aware routing (Envoy decides) Account work load work load work load Calls http://products.service/ work load work load us-west-1 us-west-2 Not enough healthy hosts in same zone Spill over to another zone
24 | Copyright © 2020 Exploring Envoy failover routing capabilities: Locality aware (Control plane decides) Account work load work load work load Calls http://products.service/ work load work load us-west-1 us-west-2 Not enough healthy hosts in same zone Spill over to another zone W=1 W=1 W=1 W=5 W=5
25 | Copyright © 2020 Exploring Envoy failover routing capabilities: Aggregate Cluster (for routing to gateways) Account work load work load work load Calls http://products.service/ Edge gw us-west-1 us-west-2 EDS Strict DNS
26 | Copyright © 202026 | Copyright © 2020 Multi-cluster examples Service mesh examples using Envoy Proxy
27 | Copyright © 2020 Istio shared control plane, flat network Account User Cluster 1 Cluster 2 Products History User Istiod
28 | Copyright © 2020 Thoughts about shared control plane/flat network • Simplest set up for Istio multi-cluster • No special Envoy routing (though may use zone-aware) • Shared control plane increases the failure domain to multiple clusters • Use flat networking if possible (simpler) but may not have/want that option • No special considerations for identity (identity domain is shared) • Still need to federate telemetry collection
29 | Copyright © 2020 Account User Cluster 1 Cluster 2 Products History User Istiod Istio shared control plane, separate networks
30 | Copyright © 2020 Thoughts about shared control plane/separate network • Uses a gateway to allow communication between networks • Uses Envoy Locality Weighted LB (for the gateway endpoints). Istio calls this “split horizon EDS”. • Shares same failure domain across all clusters • Use the gateways to facilitate communication AND control plane • Slight increase in burden on operator to label networks and gateway endpoints correctly so Istio has that information
31 | Copyright © 2020 Account User Cluster 1 Cluster 2 Products History User Istiod Istio separate control planes, separate networks Istiod
32 | Copyright © 2020 Thoughts about separate control plane/separate network • Uses a gateway to allow communication between networks • Uses Istio’s ServiceEntry mechanism to enable cross-network discovery • Independent control planes • Separate, independent failure domains • Doesn’t solve where trust domains MUST be separate (with federation at the boundaries) • Increase burden on operator to maintain service discovery, identity federation, and multi-cluster configuration across meshes
33 | Copyright © 2020 Account Cluster 1 Cluster 2 User User Istiod Example multi-cluster routing with ServiceEntry Istiod http://users.default.svc.cluster.local http://users.default.cluster-2 ServiceEntry users.default.cluster-2
34 | Copyright © 2020 ServiceEntry for service discovery apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: users-cluster2 spec: hosts: - users.default.cluster2 location: MESH_INTERNAL ports: - name: http1 number: 8000 protocol: http resolution: DNS addresses: - 240.0.0.2 endpoints: - address: 10.0.2.5 ports: http1: 15443
35 | Copyright © 2020 Forces to balance • Security (authz/authn/encryption/identity) • Service discovery • Failover / traffic shifting / transparent routing • Observability • Separate networks • Well-defined fault domains • Building for scale
36 | Copyright © 2020 What to do about the added burden for the operator?
37 | Copyright © 2020 @christianposta Cluster 1 Cluster 2 Istiod work load Ingress Gateway Istiod work load work load work load work load work load Service Mesh Hub Ingress Gateway Management Plane
38 | Copyright © 202038 | Copyright © 2020 Demo Service Mesh Hub
39 | Copyright © 2020 @christianposta Istiod work load Ingress Gateway Istiod work load work load work load work load work load Service Mesh Hub Ingress Gateway Management Plane Remote Cluster
40 | Copyright © 2020 @christianposta Istiod work load Ingress Gateway Istiod work load work load work load work load work load Service Mesh Hub CSR agent CSR agent Create cert/key and CSR Sign cert w/ shared root Shared root Ingress Gateway Management Plane Remote Cluster
41 | Copyright © 2020 @christianposta Istiod work load Ingress Gateway Istiod work load work load work load work load work load Service Mesh Hub CSR agent CSR agent Shared root Ingress Gateway Chain with same root Management Plane Remote Cluster
42 | Copyright © 2020 @christianposta THANK YOU FOR ATTENDING! @christianposta christian@solo.io https://blog.christianposta.com https://slideshare.net/ceposta
43 | Copyright © 2020 • https://solo.io • https://slack.solo.io • https://gloo.solo.io • https://envoyproxy.io • https://istio.io • https://webassemblyhub.io • https://servicemeshhub.io • https://blog.christianposta.com

More Related Content

PDF
VMware Tanzu Introduction
byVMware Tanzu
 
PPTX
vSphere with Tanzu Tech Overview 7.0 U1 (1).pptx
byhokismen
 
PPTX
NTP Server - How it works?
byDavoud Teimouri
 
PPTX
kafka
byAmikam Snir
 
PDF
Hacking apache cloud stack
byMurali Reddy
 
PDF
Ironic
byHaomeng Wang
 
PPTX
Kafka 101
byAparna Pillai
 
PPTX
IBM Spectrum Scale Authentication for Protocols
bySandeep Patil
 
VMware Tanzu Introduction
byVMware Tanzu
 
vSphere with Tanzu Tech Overview 7.0 U1 (1).pptx
byhokismen
 
NTP Server - How it works?
byDavoud Teimouri
 
kafka
byAmikam Snir
 
Hacking apache cloud stack
byMurali Reddy
 
Ironic
byHaomeng Wang
 
Kafka 101
byAparna Pillai
 
IBM Spectrum Scale Authentication for Protocols
bySandeep Patil
 

What's hot

PDF
Introduction to IBM Spectrum Scale and Its Use in Life Science
bySandeep Patil
 
PPTX
Azure governance
bygirish goudar
 
PDF
Disaster Recovery and High Availability with Kafka, SRM and MM2
byAbdelkrim Hadjidj
 
PDF
[오픈소스컨설팅] OpenInfra Asia 2024_OpenStack & K8S로 혁신하는 기상청
byOpen Source Consulting
 
PPTX
AWS Lambda
byJulian Kleinhans
 
PDF
Apache Kafka
byDiego Pacheco
 
PPTX
Disaster Recovery using Spectrum Scale Active File Management
byTrishali Nayar
 
PPT
Hadoop Security Architecture
byOwen O'Malley
 
PPTX
AWS network services
byNagesh Ramamoorthy
 
PDF
Large scale overlay networks with ovn: problems and solutions
byHan Zhou
 
PDF
What to do if Your Kafka Streams App Gets OOMKilled? with Andrey Serebryanskiy
byHostedbyConfluent
 
PDF
OpenStack Tutorial
byBret Piatt
 
PPTX
Veeam Solutions for SMB_2022.pptx
byPrince Joseph
 
PDF
KB국민카드 - 클라우드 기반 분석 플랫폼 혁신 여정 - 발표자: 박창용 과장, 데이터전략본부, AI혁신부, KB카드│강병억, Soluti...
byAmazon Web Services Korea
 
PDF
Microsoft Azure Overview | Cloud Computing Tutorial with Azure | Azure Traini...
byEdureka!
 
PPTX
Service mesh
byArnab Mitra
 
PPTX
Introduction to AWS KMS
byAkesh Patil
 
PPTX
Issues of OpenStack multi-region mode
byJoe Huang
 
PPTX
Connecting mq&kafka
byMatt Leming
 
PPTX
Hashicorp Vault Open Source vs Enterprise
byStenio Ferreira
 
Introduction to IBM Spectrum Scale and Its Use in Life Science
bySandeep Patil
 
Azure governance
bygirish goudar
 
Disaster Recovery and High Availability with Kafka, SRM and MM2
byAbdelkrim Hadjidj
 
[오픈소스컨설팅] OpenInfra Asia 2024_OpenStack & K8S로 혁신하는 기상청
byOpen Source Consulting
 
AWS Lambda
byJulian Kleinhans
 
Apache Kafka
byDiego Pacheco
 
Disaster Recovery using Spectrum Scale Active File Management
byTrishali Nayar
 
Hadoop Security Architecture
byOwen O'Malley
 
AWS network services
byNagesh Ramamoorthy
 
Large scale overlay networks with ovn: problems and solutions
byHan Zhou
 
What to do if Your Kafka Streams App Gets OOMKilled? with Andrey Serebryanskiy
byHostedbyConfluent
 
OpenStack Tutorial
byBret Piatt
 
Veeam Solutions for SMB_2022.pptx
byPrince Joseph
 
KB국민카드 - 클라우드 기반 분석 플랫폼 혁신 여정 - 발표자: 박창용 과장, 데이터전략본부, AI혁신부, KB카드│강병억, Soluti...
byAmazon Web Services Korea
 
Microsoft Azure Overview | Cloud Computing Tutorial with Azure | Azure Traini...
byEdureka!
 
Service mesh
byArnab Mitra
 
Introduction to AWS KMS
byAkesh Patil
 
Issues of OpenStack multi-region mode
byJoe Huang
 
Connecting mq&kafka
byMatt Leming
 
Hashicorp Vault Open Source vs Enterprise
byStenio Ferreira
 

Similar to Multicluster Kubernetes and Service Mesh Patterns

PPT
Multi-cluster service mesh with GlooMesh
byChristian Posta
 
PDF
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
bySanjeev Rampal
 
PDF
Service Mesh For Beginner
byMien Dinh
 
PPTX
Kubernetes Ingress to Service Mesh (and beyond!)
byChristian Posta
 
PDF
Service mesh in Microservice World to Manage end to end service communications
bySatya Syam
 
PDF
Introduction to Istio Service Mesh
byGeorgios Andrianakis
 
PPTX
Kubernetes And Istio and Azure AKS DevOps
byOfir Makmal
 
PDF
Introduction-to-Service-Mesh-with-Istio-and-Kiali-OSS-Japan-July-2019.pdf
byALVAROEMMANUELSOCOPP
 
PDF
Introduction-to-Service-Mesh-with-Istio-and-Kiali-OSS-Japan-July-2019.pdf
byTinaCondrache1
 
PPTX
Service Mesh in the Real World [Raleigh NC Meetup]
bySolo.io
 
PDF
The Future of Service Mesh
byAll Things Open
 
PDF
Istio Up Running Using a Service Mesh to Connect Secure Control and Observe 1...
bykecketatyz
 
PDF
Bringing it all together
byMelissaMcKay15
 
PPTX
The Hardest Part of Microservices: Calling Your Services
byChristian Posta
 
PDF
Managing Microservices With The Istio Service Mesh on Kubernetes
byIftach Schonbaum
 
PDF
Docker microservices and the service mesh
byDocker, Inc.
 
PDF
Introduction to Istio on Kubernetes
byJonh Wendell
 
PDF
Istio presentation jhug
byGeorgios Andrianakis
 
PPTX
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
byapidays
 
PPTX
Navigating the service mesh landscape with Istio, Consul Connect, and Linkerd
byChristian Posta
 
Multi-cluster service mesh with GlooMesh
byChristian Posta
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
bySanjeev Rampal
 
Service Mesh For Beginner
byMien Dinh
 
Kubernetes Ingress to Service Mesh (and beyond!)
byChristian Posta
 
Service mesh in Microservice World to Manage end to end service communications
bySatya Syam
 
Introduction to Istio Service Mesh
byGeorgios Andrianakis
 
Kubernetes And Istio and Azure AKS DevOps
byOfir Makmal
 
Introduction-to-Service-Mesh-with-Istio-and-Kiali-OSS-Japan-July-2019.pdf
byALVAROEMMANUELSOCOPP
 
Introduction-to-Service-Mesh-with-Istio-and-Kiali-OSS-Japan-July-2019.pdf
byTinaCondrache1
 
Service Mesh in the Real World [Raleigh NC Meetup]
bySolo.io
 
The Future of Service Mesh
byAll Things Open
 
Istio Up Running Using a Service Mesh to Connect Secure Control and Observe 1...
bykecketatyz
 
Bringing it all together
byMelissaMcKay15
 
The Hardest Part of Microservices: Calling Your Services
byChristian Posta
 
Managing Microservices With The Istio Service Mesh on Kubernetes
byIftach Schonbaum
 
Docker microservices and the service mesh
byDocker, Inc.
 
Introduction to Istio on Kubernetes
byJonh Wendell
 
Istio presentation jhug
byGeorgios Andrianakis
 
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
byapidays
 
Navigating the service mesh landscape with Istio, Consul Connect, and Linkerd
byChristian Posta
 

More from Christian Posta

PDF
What Istio Got Wrong: Learnings from the last seven years of service mesh
byChristian Posta
 
PDF
Move Auth, Policy, and Resilience to the Platform
byChristian Posta
 
PDF
Comparing Sidecar-less Service Mesh from Cilium and Istio
byChristian Posta
 
PDF
Understanding Wireguard, TLS and Workload Identity
byChristian Posta
 
PDF
Compliance and Zero Trust Ambient Mesh
byChristian Posta
 
PDF
Cilium + Istio with Gloo Mesh
byChristian Posta
 
PPTX
Cloud-Native Application Debugging with Envoy and Service Mesh
byChristian Posta
 
PPTX
The Truth About the Service Mesh Data Plane
byChristian Posta
 
PPTX
Deep Dive: Building external auth plugins for Gloo Enterprise
byChristian Posta
 
PPTX
Role of edge gateways in relation to service mesh adoption
byChristian Posta
 
PPTX
Chaos Debugging for Microservices
byChristian Posta
 
PPTX
Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...
byChristian Posta
 
PPTX
Service-mesh options with Linkerd, Consul, Istio and AWS AppMesh
byChristian Posta
 
PPTX
Intro Istio and what's new Istio 1.1
byChristian Posta
 
PPTX
API Gateways are going through an identity crisis
byChristian Posta
 
PPTX
KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...
byChristian Posta
 
PPTX
PHX DevOps Days: Service Mesh Landscape
byChristian Posta
 
PPTX
Intro to Knative
byChristian Posta
 
PPTX
API World: The service-mesh landscape
byChristian Posta
 
PPTX
Making sense of microservices, service mesh, and serverless
byChristian Posta
 
What Istio Got Wrong: Learnings from the last seven years of service mesh
byChristian Posta
 
Move Auth, Policy, and Resilience to the Platform
byChristian Posta
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
byChristian Posta
 
Understanding Wireguard, TLS and Workload Identity
byChristian Posta
 
Compliance and Zero Trust Ambient Mesh
byChristian Posta
 
Cilium + Istio with Gloo Mesh
byChristian Posta
 
Cloud-Native Application Debugging with Envoy and Service Mesh
byChristian Posta
 
The Truth About the Service Mesh Data Plane
byChristian Posta
 
Deep Dive: Building external auth plugins for Gloo Enterprise
byChristian Posta
 
Role of edge gateways in relation to service mesh adoption
byChristian Posta
 
Chaos Debugging for Microservices
byChristian Posta
 
Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...
byChristian Posta
 
Service-mesh options with Linkerd, Consul, Istio and AWS AppMesh
byChristian Posta
 
Intro Istio and what's new Istio 1.1
byChristian Posta
 
API Gateways are going through an identity crisis
byChristian Posta
 
KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...
byChristian Posta
 
PHX DevOps Days: Service Mesh Landscape
byChristian Posta
 
Intro to Knative
byChristian Posta
 
API World: The service-mesh landscape
byChristian Posta
 
Making sense of microservices, service mesh, and serverless
byChristian Posta
 

Recently uploaded

PPTX
The Impact of GST on Medicine and the Healthcare Sector
byMarg Books
 
PPTX
Meridian 2025 - The Intent-Driven Future With NEAR Intents
byDejan Radic
 
PDF
Transform Salesforce Workflows: The Basics You Must Know to Deploy AI Agents
byCymetrix Software
 
PDF
Delegating Behaviors in C++: A Practical Tour of the Available Mechanisms
byDaniele Pallastrelli
 
PPTX
Soft(ware) Stories: Tecnologia, Identità e Giustizia di genere nel mondo digi...
byLetizia Jaccheri
 
PDF
End-to-End Payroll Processing Checklist for Growing Businesses.pdf
byCRMLeaf
 
PDF
The journey from (not)REST to GraphQL at scale - The Deezer experience
byLoïc Doubinine
 
PPTX
Curated Help for T-Tests in IBM SPSS Statistics
byVersion 1 Analytics
 
PDF
ICTlecture1 for 1st Semester Students of BS(CS)
bySirRafiLectures
 
PDF
Alluxio Webinar | Alluxio + S3 A Tiered Architecture for Latency-Critical, Se...
byAlluxio, Inc.
 
PDF
Building with AI using Local & Cloud-based AI IDE: Evaluation-Driven Developm...
byKunal Suri
 
PPTX
What is the Best BI Tool for Real-Time Data Exploration Beyond Tableau.pptx
byVarsha Nayak
 
PDF
HTML_Final notes_with_header_and_footer.pdf
byJaydeep Kale
 
PDF
[GBGCPP] MISRA C++: Safer C++17 for critical systems
byDimitris Platis
 
PPTX
LangSmith_and_LLM_Evaluation_Session 1.pptx
bymdqansari1
 
PDF
Evolution and Examples of Java Features, from Java 1.7 to Java 25
byYann-Gaël Guéhéneuc
 
PPTX
Building smarter with AI - From Idea to Market at Warp Speed
byLuca Grulla
 
PDF
Improving Customer Experience with Einstein AI and Salesforce Data Cloud
byMinuscule Technologies
 
PDF
How to Find an App Developer in Phoenix.pdf
byNet-Craft.com
 
PPTX
Foundations of Marketo Engage - Professional Exam Preparation - October 2025
bybbedford2
 
The Impact of GST on Medicine and the Healthcare Sector
byMarg Books
 
Meridian 2025 - The Intent-Driven Future With NEAR Intents
byDejan Radic
 
Transform Salesforce Workflows: The Basics You Must Know to Deploy AI Agents
byCymetrix Software
 
Delegating Behaviors in C++: A Practical Tour of the Available Mechanisms
byDaniele Pallastrelli
 
Soft(ware) Stories: Tecnologia, Identità e Giustizia di genere nel mondo digi...
byLetizia Jaccheri
 
End-to-End Payroll Processing Checklist for Growing Businesses.pdf
byCRMLeaf
 
The journey from (not)REST to GraphQL at scale - The Deezer experience
byLoïc Doubinine
 
Curated Help for T-Tests in IBM SPSS Statistics
byVersion 1 Analytics
 
ICTlecture1 for 1st Semester Students of BS(CS)
bySirRafiLectures
 
Alluxio Webinar | Alluxio + S3 A Tiered Architecture for Latency-Critical, Se...
byAlluxio, Inc.
 
Building with AI using Local & Cloud-based AI IDE: Evaluation-Driven Developm...
byKunal Suri
 
What is the Best BI Tool for Real-Time Data Exploration Beyond Tableau.pptx
byVarsha Nayak
 
HTML_Final notes_with_header_and_footer.pdf
byJaydeep Kale
 
[GBGCPP] MISRA C++: Safer C++17 for critical systems
byDimitris Platis
 
LangSmith_and_LLM_Evaluation_Session 1.pptx
bymdqansari1
 
Evolution and Examples of Java Features, from Java 1.7 to Java 25
byYann-Gaël Guéhéneuc
 
Building smarter with AI - From Idea to Market at Warp Speed
byLuca Grulla
 
Improving Customer Experience with Einstein AI and Salesforce Data Cloud
byMinuscule Technologies
 
How to Find an App Developer in Phoenix.pdf
byNet-Craft.com
 
Foundations of Marketo Engage - Professional Exam Preparation - October 2025
bybbedford2
 
In this document
Powered by AI

Introduction to multi-cluster Kubernetes management and service mesh patterns by Christian Posta.

Key challenges include improving code delivery velocity, managing decentralized operations, integrating existing systems, enhancing security, and ensuring compliance.

Discussion on smaller clusters for high availability, compliance, and autonomy. Introduction to cluster federation for managing autonomous clusters.

Overview of Kubefed for federation of Kubernetes clusters, showcasing configuration management through federated resources.

Various patterns for service communication across clusters, including flat networks and controlled gateways.

Essential balances include security measures, service discovery, failover techniques, observability, and defined fault domains.

Introduction to the role of service meshes in Kubernetes, highlighting improvements in communication and management.

Envoy's functionalities such as load balancing, circuit breaking, traffic shadowing, and mTLS essential for efficient service mesh architecture.

Examples of Istio configurations for service mesh over multiple clusters featuring shared and independent control planes.

Implementation of ServiceEntry for service discovery across clusters, ensuring proper network management.

Discussions on operator burdens due to added complexities in managing the service mesh and strategies to alleviate them.

Demonstration of Service Mesh Hub, including management of gateways and certificate authority processes for remote clusters.End of presentation with additional resources and contact information for further engagement.

Multicluster Kubernetes and Service Mesh Patterns

  • 1.
    Multi-Cluster Kubernetes and ServiceMesh Patterns Christian Posta Field CTO – Solo.io
  • 2.
    2 | Copyright© 2020 CHRISTIAN POSTA Global Field CTO, Solo.io @christianposta christian@solo.io https://blog.christianposta.com https://slideshare.net/ceposta
  • 3.
    3 | Copyright© 2020 Challenges • Improve velocity of teams building and delivering code • Decentralized implementations vs centralized operations • Connect and include existing systems and investments • Improve security posture • Stay within regulations and compliance
  • 4.
    4 | Copyright© 2020 More, smaller clusters • High availability • Compliance • Isolation / Autonomy • Scale • Data locality, cost • Public/DMZ/Private networks
  • 5.
    5 | Copyright© 2020 Multiple clusters • Exact replicas of each other, same fleet? • Separate, non-uniform deployments? • Single operational/administrative control • Segmented by network? Segmented by team? • Independent administration?
  • 6.
    6 | Copyright© 2020 Cluster federation • Autonomous clusters • Different organizational/network/administrative boundaries • Share pieces of configuration • For those shared pieces, treat union as a single unit • Uses an orchestrator to stitch together policies for federation
  • 7.
    7 | Copyright© 2020 Example: Kubefed Cluster 1 Cluster 2 Cluster 0 Kubefed CP Federated Resources watches Federate to clusters https://github.com/kubernetes-sigs/kubefed
  • 8.
    8 | Copyright© 2020 Example: Kubefed apiVersion: types.kubefed.io/v1beta1 kind: FederatedService metadata: name: echo-server spec: placement: clusterSelector: matchLabels: {} template: metadata: labels: app: echo-server spec: ports: - name: http port: 8080 selector: app: echo-server
  • 9.
    9 | Copyright© 20209 | Copyright © 2020 Demo Simple Kubernetes federation
  • 10.
    10 | Copyright© 2020 Services need to communicate with each other
  • 11.
    11 | Copyright© 2020 Pattern: flat network across pods Account User Products Cluster 1 Cluster 2 History
  • 12.
    12 | Copyright© 2020 Pattern: Different network, expose all services Account User Products Cluster 1 Cluster 2 History
  • 13.
    13 | Copyright© 2020 Pattern: Different network, controlled gateway Account User Products Cluster 1 Cluster 2 History
  • 14.
    14 | Copyright© 2020 Forces to balance • Security (authz/authn/encryption/identity) • Service discovery • Failover / traffic shifting / transparent routing • Observability • Separate networks • Well-defined fault domains • Building for scale
  • 15.
    15 | Copyright© 2020 Could you build these patterns just using Kubernetes?
  • 16.
    16 | Copyright© 2020 Service Mesh can help
  • 17.
    17 | Copyright© 2020 Envoy is the magic behind service mesh http://envoyproxy.io
  • 18.
    18 | Copyright© 2020 Envoy implements: • zone aware, priority/locality load balancing • circuit breaking, outlier detection • timeouts, retries, retry budgets • traffic shadowing • request racing • rate limiting • RBAC, TLS origination/termination • access logging, statistics collection
  • 19.
    19 | Copyright© 2020 Envoy to do application networking heavy lifting Account work load work load work load mTLS • Transparent client-side routing decisions • TLS orig/termination • Circuit breaking • Stats collection
  • 20.
    20 | Copyright© 2020 Envoy as backbone for multi-cluster communication federation Account User Cluster 1 Cluster 2 Products History User
  • 21.
    21 | Copyright© 2020 Other key Envoy proxying features • Request hedging • Retry Budgets • Load balancing priorities • Locality weighted load balancing • Zone aware routing • Degraded endpoints (fallback) • Aggregated clusters
  • 22.
    22 | Copyright© 2020 Exploring Envoy failover routing capabilities: Request racing Account work load work load work load Calls http://products.service/ work load work load us-west-1 us-west-2 Timeout Race request First to return is the response to the caller
  • 23.
    23 | Copyright© 2020 Exploring Envoy failover routing capabilities: Zone aware routing (Envoy decides) Account work load work load work load Calls http://products.service/ work load work load us-west-1 us-west-2 Not enough healthy hosts in same zone Spill over to another zone
  • 24.
    24 | Copyright© 2020 Exploring Envoy failover routing capabilities: Locality aware (Control plane decides) Account work load work load work load Calls http://products.service/ work load work load us-west-1 us-west-2 Not enough healthy hosts in same zone Spill over to another zone W=1 W=1 W=1 W=5 W=5
  • 25.
    25 | Copyright© 2020 Exploring Envoy failover routing capabilities: Aggregate Cluster (for routing to gateways) Account work load work load work load Calls http://products.service/ Edge gw us-west-1 us-west-2 EDS Strict DNS
  • 26.
    26 | Copyright© 202026 | Copyright © 2020 Multi-cluster examples Service mesh examples using Envoy Proxy
  • 27.
    27 | Copyright© 2020 Istio shared control plane, flat network Account User Cluster 1 Cluster 2 Products History User Istiod
  • 28.
    28 | Copyright© 2020 Thoughts about shared control plane/flat network • Simplest set up for Istio multi-cluster • No special Envoy routing (though may use zone-aware) • Shared control plane increases the failure domain to multiple clusters • Use flat networking if possible (simpler) but may not have/want that option • No special considerations for identity (identity domain is shared) • Still need to federate telemetry collection
  • 29.
    29 | Copyright© 2020 Account User Cluster 1 Cluster 2 Products History User Istiod Istio shared control plane, separate networks
  • 30.
    30 | Copyright© 2020 Thoughts about shared control plane/separate network • Uses a gateway to allow communication between networks • Uses Envoy Locality Weighted LB (for the gateway endpoints). Istio calls this “split horizon EDS”. • Shares same failure domain across all clusters • Use the gateways to facilitate communication AND control plane • Slight increase in burden on operator to label networks and gateway endpoints correctly so Istio has that information
  • 31.
    31 | Copyright© 2020 Account User Cluster 1 Cluster 2 Products History User Istiod Istio separate control planes, separate networks Istiod
  • 32.
    32 | Copyright© 2020 Thoughts about separate control plane/separate network • Uses a gateway to allow communication between networks • Uses Istio’s ServiceEntry mechanism to enable cross-network discovery • Independent control planes • Separate, independent failure domains • Doesn’t solve where trust domains MUST be separate (with federation at the boundaries) • Increase burden on operator to maintain service discovery, identity federation, and multi-cluster configuration across meshes
  • 33.
    33 | Copyright© 2020 Account Cluster 1 Cluster 2 User User Istiod Example multi-cluster routing with ServiceEntry Istiod http://users.default.svc.cluster.local http://users.default.cluster-2 ServiceEntry users.default.cluster-2
  • 34.
    34 | Copyright© 2020 ServiceEntry for service discovery apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: users-cluster2 spec: hosts: - users.default.cluster2 location: MESH_INTERNAL ports: - name: http1 number: 8000 protocol: http resolution: DNS addresses: - 240.0.0.2 endpoints: - address: 10.0.2.5 ports: http1: 15443
  • 35.
    35 | Copyright© 2020 Forces to balance • Security (authz/authn/encryption/identity) • Service discovery • Failover / traffic shifting / transparent routing • Observability • Separate networks • Well-defined fault domains • Building for scale
  • 36.
    36 | Copyright© 2020 What to do about the added burden for the operator?
  • 37.
    37 | Copyright© 2020 @christianposta Cluster 1 Cluster 2 Istiod work load Ingress Gateway Istiod work load work load work load work load work load Service Mesh Hub Ingress Gateway Management Plane
  • 38.
    38 | Copyright© 202038 | Copyright © 2020 Demo Service Mesh Hub
  • 39.
    39 | Copyright© 2020 @christianposta Istiod work load Ingress Gateway Istiod work load work load work load work load work load Service Mesh Hub Ingress Gateway Management Plane Remote Cluster
  • 40.
    40 | Copyright© 2020 @christianposta Istiod work load Ingress Gateway Istiod work load work load work load work load work load Service Mesh Hub CSR agent CSR agent Create cert/key and CSR Sign cert w/ shared root Shared root Ingress Gateway Management Plane Remote Cluster
  • 41.
    41 | Copyright© 2020 @christianposta Istiod work load Ingress Gateway Istiod work load work load work load work load work load Service Mesh Hub CSR agent CSR agent Shared root Ingress Gateway Chain with same root Management Plane Remote Cluster
  • 42.
    42 | Copyright© 2020 @christianposta THANK YOU FOR ATTENDING! @christianposta christian@solo.io https://blog.christianposta.com https://slideshare.net/ceposta
  • 43.
    43 | Copyright© 2020 • https://solo.io • https://slack.solo.io • https://gloo.solo.io • https://envoyproxy.io • https://istio.io • https://webassemblyhub.io • https://servicemeshhub.io • https://blog.christianposta.com

Editor's Notes

  • #3 How does Solo help do this? Help pick right tech when it’s warranted (Envoy) Hedge when market still volatile (SMH) Simplify adoption Enterprise focus (security, heterogeneous) Solve the problem everywhere regardless of technology, infrastructure, footprint On prem/public cloud/hybrid Any service mesh technology VMs, containers, et. al
  • #11 Kubernetes the defacto way to build and deploy containeriszed microservices … but not everything runs in Kubernetes, and not everything will run on premises
  • #18 Need a way to automate handling of explosive numbers of workloads (microservices) Placement of workloads AKA deployments Autoscale, health check, start/stop, rebalance, scale up/down Building applications for Kubernetes (or any cloud native platform) is fundamentally different Why Kubernetes won: * community Right level of API Extensible Declarative configuration model Foundation of DevOps and Automation model Adopting microservices to go fast!
  • #20 Need a way to automate handling of explosive numbers of workloads (microservices) Placement of workloads AKA deployments Autoscale, health check, start/stop, rebalance, scale up/down Building applications for Kubernetes (or any cloud native platform) is fundamentally different Why Kubernetes won: * community Right level of API Extensible Declarative configuration model Foundation of DevOps and Automation model Adopting microservices to go fast!
  • #23 Need a way to automate handling of explosive numbers of workloads (microservices) Placement of workloads AKA deployments Autoscale, health check, start/stop, rebalance, scale up/down Building applications for Kubernetes (or any cloud native platform) is fundamentally different Why Kubernetes won: * community Right level of API Extensible Declarative configuration model Foundation of DevOps and Automation model Adopting microservices to go fast!
  • #24 Need a way to automate handling of explosive numbers of workloads (microservices) Placement of workloads AKA deployments Autoscale, health check, start/stop, rebalance, scale up/down Building applications for Kubernetes (or any cloud native platform) is fundamentally different Why Kubernetes won: * community Right level of API Extensible Declarative configuration model Foundation of DevOps and Automation model Adopting microservices to go fast!
  • #25 Need a way to automate handling of explosive numbers of workloads (microservices) Placement of workloads AKA deployments Autoscale, health check, start/stop, rebalance, scale up/down Building applications for Kubernetes (or any cloud native platform) is fundamentally different Why Kubernetes won: * community Right level of API Extensible Declarative configuration model Foundation of DevOps and Automation model Adopting microservices to go fast!
  • #26 Need a way to automate handling of explosive numbers of workloads (microservices) Placement of workloads AKA deployments Autoscale, health check, start/stop, rebalance, scale up/down Building applications for Kubernetes (or any cloud native platform) is fundamentally different Why Kubernetes won: * community Right level of API Extensible Declarative configuration model Foundation of DevOps and Automation model Adopting microservices to go fast!