Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Dr. David Meder-Marouelli, Stephan Fudeus
SERVICE MESH❤️ LEGACYBenefits of a service mesh when integrating Kubernetes with legacy services
11.06.20192 1&1 Mail & Media Development & Technology GmbH
Stephan Fudeus
▪ Expert for Container Platforms
▪ 16 years of distributed systems
▪ Since 2017 with 1&1 Mail & Media
Dr. David Meder-Marouelli
▪ Architect for Automation
▪ 15 years of IT experience
▪ Since 2015 with 1&1 Mail & Media
United Internet / 1&1 Mail & Media
11.06.20193 1&1 Mail & Media Development & Technology GmbH
United Internet
▪ Leading European internet specialist
▪ > 9000 employees
▪ > 90.000 servers in 10 data centers worldwide
▪ Access and Applications
1&1 Mail & Media
▪ Several free basic services and professional fee-
based e-mail solutions
▪ One of the most powerful online marketing platforms
▪ > 33 million active users / month
▪ Multiple brands
Product Overview
Cloud-Storage
for photos, videos,
music and documents
Online Office
documents,
spreadsheets,
presentations
De-Mail
Legally compliant
communication and
identity management
Communication
and Organisation
E-Mail, Calendar,
Contacts, SMS, Fax
11.06.20194 1&1 Mail & Media Development & Technology GmbH
Ideal Software Lifecycle
11.06.20195 1&1 Mail & Media Development & Technology GmbH
Java YAMLAPP
LIBS
Product Idea
Container Strategy
11.06.20196 1&1 Mail & Media Development & Technology GmbH
▪ Kubernetes as centrally provided orchestration platform
▪ Fast deployment cycles
▪ Focus on soft multi-tenancy
• Friendly users, but with security in mind
▪ Focus on microservices
▪ Multiple clusters decoupled on network dimensions
▪ fe/be/infrastructure, data center, live/non-live
▪ bare-metal on-premise
▪ non-routable podCIDR and serviceCIDR (RFC 6598 / CGNAT / 100.64.0.0/10)
Legacy Gap
11.06.20197 1&1 Mail & Media Development & Technology GmbH
▪ Ca. 1000 existing services
▪ 90% on VMs and bare metal
▪ 10% on Kubernetes
▪ Complex dependencies
▪ Not cloud (native) ready
▪ Not stateless
▪ IP based ACLs
▪ … some never can/will be
▪ Both worlds need to interact https://www.reddit.com/r/cablegore
▪ Mostly Java SpringBoot
▪ Several PHP
▪ Few Node.js SPA
Typical Application Stack
11.06.20198 1&1 Mail & Media Development & Technology GmbH
Service 1
Actual service
Ribbon
Hystrix
Metrics
Tracing
Service 2
Actual service
Ribbon
Hystrix
Metrics
Tracing
Service 3
Actual service
Ribbon
Hystrix
Metrics
Tracing
Cross cutting concerns @ infrastructure level
11.06.20199 1&1 Mail & Media Development & Technology GmbH
Pod 1 Pod 2Service
AService B
Proxy Proxy
Pod 3
Service C
Proxy
Benefits of using a Service Mesh
11.06.201910 1&1 Mail & Media Development & Technology GmbH
▪ Deal with the service mess of microservices
▪ Externalize required standard functionality
▪ Telemetry
▪ Request routing
▪ Circuit breaking
▪ Rate limiting
▪ TLS/Authn/Authz
▪ …
▪ Declaratively configured
▪ Centrally maintained
▪ Language agnostic
Mesh
Pod 1Pod 1Pod 1
General connectivity – in-mesh
11.06.201911 1&1 Mail & Media Development & Technology GmbH
Pod 1 Pod 2
Service A Service B
Proxy Proxy
Pod 3
Service C
Proxy
Client
Proxy
Destination
Proxy
Mesh
Pod 1Pod 1Pod 1
General connectivity – out-of-mesh
11.06.201912 1&1 Mail & Media Development & Technology GmbH
Pod 1 Pod 2
Service A Service B
Proxy Proxy
Pod 3
Service C
Proxy
Ingress-GW
Proxy
Egress-GW
Proxy
Client Destination
Configuration Objects
11.06.201913 1&1 Mail & Media Development & Technology GmbH
VirtualService DestinationRuleClient PodDestination
Pod
Connecting to the „Old World“
11.06.201914 1&1 Mail & Media Development & Technology GmbH
▪ „Mesh expansion“ (based on Istio 1.0.x)
▪ Install Envoy on hosts and connect to Istio control plane
▪ mTLS: Universal transport encryption and authentication
▪ Uniformly configured with Kubernetes resources
▪ Central observability by Istio telemetry
Mesh Expansion: Example
11.06.201915 1&1 Mail & Media Development & Technology GmbH
Cluster A
Host A
Host B
Pod 1
Service A
App A
App A
Istio Control Plane
Problems with Operating Istio
11.06.201916 1&1 Mail & Media Development & Technology GmbH
▪ Security concerns
▪ High privileges for control plane components
• run as root
• writable root filesystem
▪ High privileges for admins and serviceaccount
• net_admin capabilities
• run as root
▪ Same problem with bookinfo sample application
▪ Sidecar injection
▪ Problematic order of automatic sidecar injection vs. PSP
evaluation
Problems with Mesh Expansion
11.06.201917 1&1 Mail & Media Development & Technology GmbH
▪ Connectivity to control plane▪ Manual DNS tweaks via dnsmasq
▪ Exposure of K8s-DNS required
▪ Telemetry / Policy▪ Mixer connections only to pod IP address
▪ Additional tweaks to iptables required for PoC
▪ Inbound (in-mesh) calls▪ Would proxy to pod IP addresses, which are not routable
▪ mTLS setup
Result for Istio 1.0
11.06.201918 1&1 Mail & Media Development & Technology GmbH
▪ Not suitable for production in our setup
▪ Too many unstable tweaks necessary
▪ Too much interference on expansion nodes
▪ Blocked migration of services to Kubernetes
▪ Need for intermediate short term solution
Kubernetes
„Service Mesh Light“
11.06.201919 1&1 Mail & Media Development & Technology GmbH
▪ Mimic mTLS with custom proxy setup and static certificates
▪ Automatic sidecar injection as part of deployment pipeline
Pod 1Service
A
Host
Service B
Squid Apache
Cert Cert
Istio 1.1 to the Rescue?
11.06.201920 1&1 Mail & Media Development & Technology GmbH
▪ Control plane connection ✓
▪ Outbound expansion ✓
▪ mTLS setup ✓
▪ Istio-CNI / Security concerns ✓
But:
▪ Inbound expansion ✕
▪ Automatic sidecar injection ✕
▪ Documentation complex
▪ Documentation partially inconsistent
▪ Multi-tenancy unclear
What‘s up next?
11.06.201921 1&1 Mail & Media Development & Technology GmbH
▪ Solving the remaining issues
▪ Inbound mesh expansion
▪ Large scale evaluation
▪ Production readiness
• Redundancy
• Permissions
• Scalability
▪ Multi-tenancy questions
• Responsibilities
▪ Performance and overhead
• Costs
• Runtime Overhead
What‘s up next?
11.06.201922 1&1 Mail & Media Development & Technology GmbH
▪ More benefits to be leveraged
▪ Multi-cluster connectivity
▪ SPIFFE interoperability
▪ Locality based routing
▪ Error scenarios
▪ Authorization (request-based with JWT)
▪ Evaluate alternatives (e.g. Linkerd2)
▪ Provide upstream patches
Summary
11.06.201923 1&1 Mail & Media Development & Technology GmbH
▪ Istio (>= 1.1) fits our needs
▪ Feature set and K8s integration look fine
▪ Not yet fully covering our requirements
▪ Hard to set up the right way
▪ Organisational questions need to be solved
▪ Direction of development is promising
11.06.201924 1&1 Mail & Media Development & Technology GmbH
Bitte geben Sie uns jetzt Ihr Feedback!ServiceMesh auf Kubernetes und die Integration in die BestandsinfrastrukturDavid Meder-Marouelli, Stephan Fudeus