GOTOpia Chicago / April 2021 Service Meshes: Istio, Linkerd - or No Mesh at All? Eberhard Wolff Hanna Prinz @ewolff @hannaprinz • Software Development • DevOps, Kubernetes, Service Mesh Hanna Prinz Consultant at INNOQ Deutschland GmbH [email protected] @hannaprinz 2 • Architecture, DevOps • Focus on business, technology & software architecture Eberhard Wolff Fellow at INNOQ Deutschland GmbH [email protected] @ewolff 3 What is a service mesh? What problems does it try to solve? Microservices are distributed Systems Retry Routing and Discovery Timeout Circuit Breaker Microservice Microservice Encryption Metrics Authentication & Authorization Logs 5 @hannaprinz @ewolff @INNOQ Service Mesh Architecture Application Microservice Microservice Data Plane Proxy Proxy Metrics Config Metrics Control Plane Control Plane Infrastructure Kubernetes API Infrastructure Services 6 @hannaprinz @ewolff @INNOQ Service Mesh Implementations Istio vs Linkerd Istio Linkerd Google, IBM & Lyft Buoyant many features, optimized for usability & highly customizable performance Envoy proxy linkerd-proxy custom concept for ingress supports any ingress traffic controller optimized for Kubernetes Kubernetes only support for other platforms 8 @hannaprinz @ewolff @INNOQ Service Mesh Implementations Open Service Mesh Istio 9 @hannaprinz @ewolff @INNOQ 10 @hannaprinz @ewolff @INNOQ Service Mesh Features Service Mesh Features Routing Resilience Security Observability 12 @hannaprinz @ewolff @INNOQ Routing Complex routing for A/B testing & Traffic mirroring canary releasing 90% Service 2A Service 2 Production Service 1 Service 1 Service 2B Service 2 10% Staging 13 @hannaprinz @ewolff @INNOQ Service Mesh Features Routing Resilience Security Observability 14 @hannaprinz @ewolff @INNOQ Resilience Features Timeout Microservice Microservice Retry 4s x Circuit Breaker Proxy Proxy 15 @hannaprinz @ewolff @INNOQ Chaos Engineering Microservice Microservice Fault Injection Delay Injection Proxy Proxy 16 @hannaprinz @ewolff @INNOQ Service Mesh Features Routing Resilience Security Observability 17 @hannaprinz @ewolff @INNOQ Authentication & Encryption Microservice 1 Microservice 2 mTLS Encryption & Authentication Proxy Proxy 18 @hannaprinz @ewolff @INNOQ Service Authorization Microservice 1 Microservice 2 ✓ Proxy Proxy X Can also be limited to HTTP methods / paths Microservice 3 Proxy 19 @hannaprinz @ewolff @INNOQ Service Mesh Features Routing Resilience Security Observability 20 @hannaprinz @ewolff @INNOQ Observability Features •Dashboard 21 @hannaprinz @ewolff @INNOQ @hannaprinz @ewolff @INNOQ @hannaprinz @ewolff @INNOQ Observability Features •Dashboard •Preconfigured Prometheus, Grafana and Jaeger •Tracing support •Access logs (or similar features such as Linkerd's "tap") 24 @hannaprinz @ewolff @INNOQ Service Mesh Challenges Configuration Complexity Example: Traffic Split Microservice 2a 90% Microservice 1 10% Microservice 2b can be one CRD (Custom Resource Definition) with 10 lines of YAML (Linkerd) ... or two CRDs with 30 lines of YAML (Istio) 26 @hannaprinz @ewolff @INNOQ Debugging Complexity Microservice Microservice Ingress Proxy Proxy Control Plane Kubernetes & Overlay Network Hardware & Cloud 27 @hannaprinz @ewolff @INNOQ Performance & Benchmarking •Additional latency: ~ 3ms (as published by Istio) •Additional CPU & memory resources •Depending on architecture, traffic and mesh implementation → Do your own benchmark! https://istio.io/latest/docs/ops/deployment/performance-and-scalability/ 28 @hannaprinz @ewolff @INNOQ Do You Need a Service Mesh? Do your services need mentioned routing, resilience, security, or observability features? Libraries Service Mesh 30 @hannaprinz @ewolff @INNOQ Can you avoid needing these features at all? ... by choosing a suitable architecture Deployment Syncronous Asyncronous Monollith 31 @hannaprinz @ewolff @INNOQ Conclusion Approaching Service Mesh 1. Is the problem somewhere else? → e.g. synchronous architecture: lots of network traffic, slow, unreliable 2. Which features do you need? → routing, resilience, security, observability? 3. Have you considered alternatives? → e.g. libraries 4. Challenges acceptable? → e.g. configuration, performance impact, additional complexity 33 @hannaprinz @ewolff @INNOQ More about Service Mesh • Service Mesh Comparison https://servicemesh.es • Blog Post: Happy without a Service Mesh https://www.innoq.com/en/blog/happy-without-a-service- mesh Linkerd Tutorial GOTO Book Club • Getting started with Service Mesh • https://www.youtube.com/watch?v=w14ge2838Vs https://linkerd.io/getting-started • Istio Tutorial https://istio.io/docs/setup/getting-started • Sample application with Istio and Linkerd Tutorial on GitHub https://github.com/ewolff/microservice-istio https://github.com/ewolff/microservice-linkerd Service Mesh Primer - 2nd Edition for free at leanpub.com/service-mesh-primer @hannaprinz @ewolff @INNOQ Thank you! Questions? www.innoq.com Hanna Prinz [email protected] @hannaprinz Eberhard Wolff [email protected] @ewolff Service Mesh Primer - 2nd Edition for free at leanpub.com/service-mesh-primer innoQ Deutschland GmbH Krischerstr. 100 Ohlauer Str. 43 Ludwigstr. 180E Kreuzstr. 16 Hermannstrasse 13 Erftstr. 15-17 Königstorgraben 11 40789 Monheim 10999 Berlin 63067 Offenbach 80331 München 20095 Hamburg 50672 Köln 90402 Nürnberg +49 2173 3366-0 .