SlideShare a Scribd company logo

Advanced Observability & Security

F
Fabian Hardt

In distributed system architectures, a service mesh can help to make service communication more secure, reliable, and traceable. Along with the service mesh concept we may often think of concepts like microservices, containers or Kubernetes. Moreover, a modern service mesh also offers to integrate legacy workloads, for example on VMs. Even more so, it is possible to define a service mesh in such a way that it spans across multiple clusters or networks, e.g. in a multi-cloud setup, or in a mix of on-premises and cloud. A service mesh, however, possesses even more capabilities such as observability and security. This session will focus on these areas and how in today's heterogeneous world a service mesh can help to address complex challenges here. Scenarios from real-world projects will be presented and individual aspects will be highlighted in a demo.

Technology
1 of 29
© OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 1 Brühl, 2023-06-20 Fabian Hardt ADVANCED OBSERVABILITY & SECURITY FOR YOUR KUBERNETES WITH A MODERN SERVICE MESH
© OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 2 WHY SERVICE MESH? 01 KUMA 02 CONCLUSION 04 DEMO 03
© OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 6 WHY SERVICE MESH? 01
© OPITZ CONSULTING 2023 / Öffentlich TREND TOWARDS DISTRIBUTED APPLICATION ARCHITECTURES Advanced Observability & Security for your Kubernetes with a modern Service Mesh 7 Centralized STATIC ON-PREM MONOLITH VIRTUAL MACHINES MANUAL CHANGE PROCESS Decentralized DYNAMIC CLOUD / MULTI-CLOUD MICROSERVICES / SERVERLESS CONTAINERS, KUBERNETES AUTOMATED CI/CD TOOL CHAIN # Services & APIs CONTROL AND VISIBILITY
© OPITZ CONSULTING 2023 / Öffentlich INCREASED COMPLEXITY AND COGNITIVE LOAD ON DEVS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 8 Security Security Logging Logging Security Tracing Metrics Routing Metrics Tracing Application AuthN/ Z Rate-Limiting Routing Caching Organization Application AuthN/ Z Versioning Versioning Rate-Limiting
© OPITZ CONSULTING 2023 / Öffentlich WHAT’S A SERVICE MESH? Advanced Observability & Security for your Kubernetes with a modern Service Mesh 10  Efficient implementation of cross-cutting concerns with respect to service integration challenges  Everything is a service!  Cloud-native apps deployed to Kubernetes  Non Cloud-native workloads  Should be independent of  Architecture (e.g. Monolithic or µService)  Platform (e.g. VMs, Containers, Kubernetes) Dedicated infrastructure layer that makes service-to-service communication more reliable, secure and observable
© OPITZ CONSULTING 2023 / Öffentlich E2E SERVICE CONNECTIVITY WITH GATEWAY AND MESH Advanced Observability & Security for your Kubernetes with a modern Service Mesh 12  Increased Developer experience  Consistent security  Seamless observability  Reliable connectivity  Resilience  Flexibility GW DP CLIENT PUBLIC TRAFFIC GW DP MESH CP MESH 1 MESH 2
© OPITZ CONSULTING 2023 / Öffentlich SERVICE-MESH IMPLEMENTATIONS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 13  Kuma  Istio  Consul  Linkerd  GlooMesh
© OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 14 KUMA 02
© OPITZ CONSULTING 2023 / Öffentlich KUMA INTRODUCTION Advanced Observability & Security for your Kubernetes with a modern Service Mesh 15  Initially invented by Kong and donated to CNCF in 2020  Provides a modern distributed Control Plane  Completely Envoy-based Data Plane proxies  Platform agnostic open-source control plane for Service Mesh  Hence Kuma is  Universal  Simple  Scalable  Flexible deployment options  Standalone deployment  Multi-Zone deployment Source: https://tinyurl.com/xb57bhx5
© OPITZ CONSULTING 2023 / Öffentlich KUMA STANDALONE ARCHITECTURE Advanced Observability & Security for your Kubernetes with a modern Service Mesh 16
© OPITZ CONSULTING 2023 / Öffentlich KUMA MULTI-CLUSTER ARCHITECTURE Advanced Observability & Security for your Kubernetes with a modern Service Mesh 17  One mesh can be deployed over multiple clusters (=> Zone)  All traffic enters cluster over zone ingress  One Remote (Zone) Control Plane in each cluster
© OPITZ CONSULTING 2023 / Öffentlich KUMA NETWORKING / INIT-CONTAINER Advanced Observability & Security for your Kubernetes with a modern Service Mesh 18  Injected to Pod and started individually before Data Plane  Configures iptables / network routing
© OPITZ CONSULTING 2023 / Öffentlich KUMA NETWORKING / CNI Advanced Observability & Security for your Kubernetes with a modern Service Mesh 19  Installed as DaemonSet on all Nodes  Injects label on Pods - k8s.v1.cni.cncf.io/networks: kuma-cni  CNI enables Transparent Proxying – redirects all traffic through Data Plane
© OPITZ CONSULTING 2023 / Öffentlich SERVICE MESH DNS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 20  Local DNS resolution directly in Data Plane (Envoy)  Names are not resolvable in complete cluster, just inside service mesh (Envoy)  Resolves “.mesh“ address to pre-defined service mesh IP address  IP in other zone / cluster is routed over Kuma Zone Ingress
© OPITZ CONSULTING 2023 / Öffentlich ZONE EGRESS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 21  Special Data Plane instance – like Zone Ingress  All outgoing traffic is routed through this instance  Usage of External Services just possible with deployed Zone Egress in the future
© OPITZ CONSULTING 2023 / Öffentlich INTEGRATION OF LEGACY WORKLOAD Advanced Observability & Security for your Kubernetes with a modern Service Mesh 22  Integration of vm and bare metal workload  Local Data Plane instance connecting to Control Plane  Seamless and secure commuication between vm and Kubernetes workload
© OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 23 DEMO 03
© OPITZ CONSULTING 2023 / Öffentlich ARCHITECTURE OVERVIEW Advanced Observability & Security for your Kubernetes with a modern Service Mesh 24
© OPITZ CONSULTING 2023 / Öffentlich ANALYZING AND MONITORING THE DATA Advanced Observability & Security for your Kubernetes with a modern Service Mesh  Using Grafana Stack to create a 360-degree view  Component usage:  Visualization: Grafana  Logging: Loki (Log Shipping: FluentD / FluentBit / Promtail)  Metrics: Prometheus  Tracing: Jaeger or Tempo  Alerting: Prometheus Alert Manager  Operating models  Self-managed (e.g. on-prem)  Grafana SaaS offering 25
© OPITZ CONSULTING 2023 / Öffentlich ARCHITECTURE OBSERVABILITY Advanced Observability & Security for your Kubernetes with a modern Service Mesh 26
© OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 27 DEMO
© OPITZ CONSULTING 2023 / Öffentlich ASPECTS COVERED Advanced Observability & Security for your Kubernetes with a modern Service Mesh 28  Mesh Management (Kuma UI)  Managing Apps within the Mesh  Locality Awareness  Advanced Routing  Security  Mesh observability  Metrics  Logs  Traces
© OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 29 CONCLUSION 04
© OPITZ CONSULTING 2023 / Öffentlich SERVICE MESH BENEFITS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 30  Zero-trust security  mTLS, Traffic Permissions  Increased Developers productivity  Crosscutting concerns (AuthN & AuthZ, …)  Self-service network management  Multi-Tenancy over multiple clouds  Reliable connectivity  Circuit Breaker, Traffic Routes, …  Observability  Metrics, Tracing, Logs
© OPITZ CONSULTING 2023 / Öffentlich KEY TAKEAWAYS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 31  Service Mesh is essential to build and managing multi-cloud apps efficiently  Kuma as mesh implementation provides  Agnostic approach (independent of architecture or platform)  Modern, flexible architecture supporting hybrid, multi-cloud scenarios  Multi-zone  Multi-cluster  Multi-mesh  Seamless CI / CD integration (GitOps)  Intuitive design  Spanning a mesh over multiple clusters and clouds can be done easily
© OPITZ CONSULTING 2023 / Öffentlich MATERIALS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 32  Demo Source: https://github.com/KongChampions/kuma-multi-zone-mesh  Kuma docs: https://kuma.io/docs/2.2.x/  Kuma Counter Demo: https://github.com/kumahq/kuma-counter-demo  Kuma introduction – Meetup recording “Service integration made easy with OpenSource Kuma”: https://www.youtube.com/watch?v=f3GeuKzYrsA&t=1s  Demo “Service integration made easy with OpenSource Kuma”: https://github.com/svenbernhardt/service-integration-made-easy  Kong / Kuma and friends (k3d)– https://github.com/FabianHardt/k3d-bootstrap-cluster
© OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 33 Q & A https://opitzcloud.canto.global/b/H0EMG
© OPITZ CONSULTING 2023 / Öffentlich KONTAKT Modern Data Stack - Einführung - TDWI Community Talk 34 Fabian Hardt Solution Architect Fabian.Hardt@opitz-consulting.com https://twitter.com/fabian_hardt https://www.xing.com/profile/Fabian_Hardt https://www.linkedin.com/in/fabian-hardt

Recommended

Advanced Observability & Security
Advanced Observability & SecurityAdvanced Observability & Security
Advanced Observability & Security
Fabian Hardt
 
Build and Manage Multi-Cloud Applications Using Kuma
Build and Manage Multi-Cloud Applications Using KumaBuild and Manage Multi-Cloud Applications Using Kuma
Build and Manage Multi-Cloud Applications Using Kuma
Sven Bernhardt
 
Service Mesh Advanced Use Cases
Service Mesh Advanced Use CasesService Mesh Advanced Use Cases
Service Mesh Advanced Use Cases
Sven Bernhardt
 
Service integration made easy with Open Source Kuma
Service integration made easy with Open Source KumaService integration made easy with Open Source Kuma
Service integration made easy with Open Source Kuma
Sven Bernhardt
 
Service Mesh Advanced Use Cases
Service Mesh Advanced Use CasesService Mesh Advanced Use Cases
Service Mesh Advanced Use Cases
Fabian Hardt
 
Architecture Room Stuttgart - "Cloud-native ist nur ein Teil des Spiels!"
Architecture Room Stuttgart - "Cloud-native ist nur ein Teil des Spiels!"Architecture Room Stuttgart - "Cloud-native ist nur ein Teil des Spiels!"
Architecture Room Stuttgart - "Cloud-native ist nur ein Teil des Spiels!"
OPITZ CONSULTING Deutschland
 
Build and Manage Multi-Cloud Applications Using Kuma
Build and Manage Multi-Cloud Applications Using KumaBuild and Manage Multi-Cloud Applications Using Kuma
Build and Manage Multi-Cloud Applications Using Kuma
Sven Bernhardt
 
Presentation data center virtualization –setting the foundation
Presentation data center virtualization –setting the foundationPresentation data center virtualization –setting the foundation
Presentation data center virtualization –setting the foundation
xKinAnx
 

Recommended

Advanced Observability & Security
Advanced Observability & SecurityAdvanced Observability & Security
Advanced Observability & Security
Fabian Hardt
 
Build and Manage Multi-Cloud Applications Using Kuma
Build and Manage Multi-Cloud Applications Using KumaBuild and Manage Multi-Cloud Applications Using Kuma
Build and Manage Multi-Cloud Applications Using Kuma
Sven Bernhardt
 
Service Mesh Advanced Use Cases
Service Mesh Advanced Use CasesService Mesh Advanced Use Cases
Service Mesh Advanced Use Cases
Sven Bernhardt
 
Service integration made easy with Open Source Kuma
Service integration made easy with Open Source KumaService integration made easy with Open Source Kuma
Service integration made easy with Open Source Kuma
Sven Bernhardt
 
Service Mesh Advanced Use Cases
Service Mesh Advanced Use CasesService Mesh Advanced Use Cases
Service Mesh Advanced Use Cases
Fabian Hardt
 
Architecture Room Stuttgart - "Cloud-native ist nur ein Teil des Spiels!"
Architecture Room Stuttgart - "Cloud-native ist nur ein Teil des Spiels!"Architecture Room Stuttgart - "Cloud-native ist nur ein Teil des Spiels!"
Architecture Room Stuttgart - "Cloud-native ist nur ein Teil des Spiels!"
OPITZ CONSULTING Deutschland
 
Build and Manage Multi-Cloud Applications Using Kuma
Build and Manage Multi-Cloud Applications Using KumaBuild and Manage Multi-Cloud Applications Using Kuma
Build and Manage Multi-Cloud Applications Using Kuma
Sven Bernhardt
 
Presentation data center virtualization –setting the foundation
Presentation data center virtualization –setting the foundationPresentation data center virtualization –setting the foundation
Presentation data center virtualization –setting the foundation
xKinAnx
 
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
NETSCOUT
 
Innovate everywhere - SUSE edge
Innovate everywhere - SUSE edgeInnovate everywhere - SUSE edge
Innovate everywhere - SUSE edge
SUSE
 
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:
Cisco Canada
 
Designing IBM MQ deployments for the cloud generation
Designing IBM MQ deployments for the cloud generationDesigning IBM MQ deployments for the cloud generation
Designing IBM MQ deployments for the cloud generation
David Ware
 
Declarative observability management for Microservice architectures
Declarative observability management for Microservice architecturesDeclarative observability management for Microservice architectures
Declarative observability management for Microservice architectures
Sven Bernhardt
 
Multiple ways of building hybrid clouds on Kubernetes
Multiple ways of building hybrid clouds on KubernetesMultiple ways of building hybrid clouds on Kubernetes
Multiple ways of building hybrid clouds on Kubernetes
Janos Matyas
 
Modernizing Application Deployments with HashiCorp Consul on Microsoft Azure
Modernizing Application Deployments with HashiCorp Consul on Microsoft AzureModernizing Application Deployments with HashiCorp Consul on Microsoft Azure
Modernizing Application Deployments with HashiCorp Consul on Microsoft Azure
Mitchell Pronschinske
 
Towards secure vehicular clouds
Towards secure vehicular cloudsTowards secure vehicular clouds
Towards secure vehicular clouds
durgeshkumarshukla
 
Edge Computing: A Unified Infrastructure for all the Different Pieces
Edge Computing: A Unified Infrastructure for all the Different PiecesEdge Computing: A Unified Infrastructure for all the Different Pieces
Edge Computing: A Unified Infrastructure for all the Different Pieces
Cloudify Community
 
Deploying Elastic Self-Service Load Balancing
Deploying Elastic Self-Service Load BalancingDeploying Elastic Self-Service Load Balancing
Deploying Elastic Self-Service Load Balancing
Avi Networks
 
Integration architectures based on Microservices, APIs and events
Integration architectures based on Microservices, APIs and eventsIntegration architectures based on Microservices, APIs and events
Integration architectures based on Microservices, APIs and events
Sven Bernhardt
 
Acronym Soup – NFV, SDN, OVN and VNF
Acronym Soup – NFV, SDN, OVN and VNFAcronym Soup – NFV, SDN, OVN and VNF
Acronym Soup – NFV, SDN, OVN and VNF
Emulex Corporation
 
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannotapidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays
 
Kong Mesh入門編
Kong Mesh入門編Kong Mesh入門編
Kong Mesh入門編
WenhanShi1
 
Necos keynote ii_mobislice
Necos keynote ii_mobisliceNecos keynote ii_mobislice
Necos keynote ii_mobislice
Augusto Neto
 
What's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OSWhat's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OS
Matt Leming
 
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
NETSCOUT
 
Speed5G Workshop London presentation of 5G Monarch
Speed5G Workshop London presentation of 5G MonarchSpeed5G Workshop London presentation of 5G Monarch
Speed5G Workshop London presentation of 5G Monarch
Klaus Moessner
 
Mobile Edge Computing
Mobile Edge ComputingMobile Edge Computing
Mobile Edge Computing
M2M Alliance e.V.
 
Presentation cloud, the whole offer
Presentation cloud, the whole offerPresentation cloud, the whole offer
Presentation cloud, the whole offer
xKinAnx
 
Mit APIs auf der Überholspur zur produktorientierten Organisation
Mit APIs auf der Überholspur zur produktorientierten OrganisationMit APIs auf der Überholspur zur produktorientierten Organisation
Mit APIs auf der Überholspur zur produktorientierten Organisation
Fabian Hardt
 
Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...
Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...
Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...
Fabian Hardt
 

More Related Content

Similar to Advanced Observability & Security

End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
NETSCOUT
 
Declarative observability management for Microservice architectures
Declarative observability management for Microservice architecturesDeclarative observability management for Microservice architectures
Declarative observability management for Microservice architectures
Sven Bernhardt
 
Edge Computing: A Unified Infrastructure for all the Different Pieces
Edge Computing: A Unified Infrastructure for all the Different PiecesEdge Computing: A Unified Infrastructure for all the Different Pieces
Edge Computing: A Unified Infrastructure for all the Different Pieces
Cloudify Community
 
Deploying Elastic Self-Service Load Balancing
Deploying Elastic Self-Service Load BalancingDeploying Elastic Self-Service Load Balancing
Deploying Elastic Self-Service Load Balancing
Avi Networks
 
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
NETSCOUT
 

Similar to Advanced Observability & Security (20)

End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
 
Innovate everywhere - SUSE edge
Innovate everywhere - SUSE edgeInnovate everywhere - SUSE edge
Innovate everywhere - SUSE edge
 
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:
 
Designing IBM MQ deployments for the cloud generation
Designing IBM MQ deployments for the cloud generationDesigning IBM MQ deployments for the cloud generation
Designing IBM MQ deployments for the cloud generation
 
Declarative observability management for Microservice architectures
Declarative observability management for Microservice architecturesDeclarative observability management for Microservice architectures
Declarative observability management for Microservice architectures
 
Multiple ways of building hybrid clouds on Kubernetes
Multiple ways of building hybrid clouds on KubernetesMultiple ways of building hybrid clouds on Kubernetes
Multiple ways of building hybrid clouds on Kubernetes
 
Modernizing Application Deployments with HashiCorp Consul on Microsoft Azure
Modernizing Application Deployments with HashiCorp Consul on Microsoft AzureModernizing Application Deployments with HashiCorp Consul on Microsoft Azure
Modernizing Application Deployments with HashiCorp Consul on Microsoft Azure
 
Towards secure vehicular clouds
Towards secure vehicular cloudsTowards secure vehicular clouds
Towards secure vehicular clouds
 
Edge Computing: A Unified Infrastructure for all the Different Pieces
Edge Computing: A Unified Infrastructure for all the Different PiecesEdge Computing: A Unified Infrastructure for all the Different Pieces
Edge Computing: A Unified Infrastructure for all the Different Pieces
 
Deploying Elastic Self-Service Load Balancing
Deploying Elastic Self-Service Load BalancingDeploying Elastic Self-Service Load Balancing
Deploying Elastic Self-Service Load Balancing
 
Integration architectures based on Microservices, APIs and events
Integration architectures based on Microservices, APIs and eventsIntegration architectures based on Microservices, APIs and events
Integration architectures based on Microservices, APIs and events
 
Acronym Soup – NFV, SDN, OVN and VNF
Acronym Soup – NFV, SDN, OVN and VNFAcronym Soup – NFV, SDN, OVN and VNF
Acronym Soup – NFV, SDN, OVN and VNF
 
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannotapidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
 
Kong Mesh入門編
Kong Mesh入門編Kong Mesh入門編
Kong Mesh入門編
 
Necos keynote ii_mobislice
Necos keynote ii_mobisliceNecos keynote ii_mobislice
Necos keynote ii_mobislice
 
What's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OSWhat's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OS
 
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
 
Speed5G Workshop London presentation of 5G Monarch
Speed5G Workshop London presentation of 5G MonarchSpeed5G Workshop London presentation of 5G Monarch
Speed5G Workshop London presentation of 5G Monarch
 
Mobile Edge Computing
Mobile Edge ComputingMobile Edge Computing
Mobile Edge Computing
 
Presentation cloud, the whole offer
Presentation cloud, the whole offerPresentation cloud, the whole offer
Presentation cloud, the whole offer
 

More from Fabian Hardt

Mit APIs auf der Überholspur zur produktorientierten Organisation
Mit APIs auf der Überholspur zur produktorientierten OrganisationMit APIs auf der Überholspur zur produktorientierten Organisation
Mit APIs auf der Überholspur zur produktorientierten Organisation
Fabian Hardt
 
Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...
Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...
Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...
Fabian Hardt
 
How Service Mesh Fits into the Modern Data Stack
How Service Mesh Fits into the Modern Data StackHow Service Mesh Fits into the Modern Data Stack
How Service Mesh Fits into the Modern Data Stack
Fabian Hardt
 

More from Fabian Hardt (8)

Mit APIs auf der Überholspur zur produktorientierten Organisation
Mit APIs auf der Überholspur zur produktorientierten OrganisationMit APIs auf der Überholspur zur produktorientierten Organisation
Mit APIs auf der Überholspur zur produktorientierten Organisation
 
Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...
Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...
Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...
 
Analytics meets Integration – Modern Development mit Data APIs
Analytics meets Integration – Modern Development mit Data APIsAnalytics meets Integration – Modern Development mit Data APIs
Analytics meets Integration – Modern Development mit Data APIs
 
How Service Mesh Fits into the Modern Data Stack
How Service Mesh Fits into the Modern Data StackHow Service Mesh Fits into the Modern Data Stack
How Service Mesh Fits into the Modern Data Stack
 
Modern Data Stack – Buzzword oder echter Game-Changer?
Modern Data Stack – Buzzword oder echter Game-Changer?Modern Data Stack – Buzzword oder echter Game-Changer?
Modern Data Stack – Buzzword oder echter Game-Changer?
 
Persönliche Filmtipps mittels Recommender System und Chatbot
Persönliche Filmtipps mittels Recommender System und ChatbotPersönliche Filmtipps mittels Recommender System und Chatbot
Persönliche Filmtipps mittels Recommender System und Chatbot
 
Automatisierte Provisionierung einer Data Lab Umgebung für Data Scientists
Automatisierte Provisionierung einer Data Lab Umgebung für Data ScientistsAutomatisierte Provisionierung einer Data Lab Umgebung für Data Scientists
Automatisierte Provisionierung einer Data Lab Umgebung für Data Scientists
 
Augmented Analytics mit Amazon Alexa
Augmented Analytics mit Amazon AlexaAugmented Analytics mit Amazon Alexa
Augmented Analytics mit Amazon Alexa
 

Recently uploaded

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Recently uploaded (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Advanced Observability & Security

  • 1. © OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 1 Brühl, 2023-06-20 Fabian Hardt ADVANCED OBSERVABILITY & SECURITY FOR YOUR KUBERNETES WITH A MODERN SERVICE MESH
  • 2. © OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 2 WHY SERVICE MESH? 01 KUMA 02 CONCLUSION 04 DEMO 03
  • 3. © OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 6 WHY SERVICE MESH? 01
  • 4. © OPITZ CONSULTING 2023 / Öffentlich TREND TOWARDS DISTRIBUTED APPLICATION ARCHITECTURES Advanced Observability & Security for your Kubernetes with a modern Service Mesh 7 Centralized STATIC ON-PREM MONOLITH VIRTUAL MACHINES MANUAL CHANGE PROCESS Decentralized DYNAMIC CLOUD / MULTI-CLOUD MICROSERVICES / SERVERLESS CONTAINERS, KUBERNETES AUTOMATED CI/CD TOOL CHAIN # Services & APIs CONTROL AND VISIBILITY
  • 5. © OPITZ CONSULTING 2023 / Öffentlich INCREASED COMPLEXITY AND COGNITIVE LOAD ON DEVS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 8 Security Security Logging Logging Security Tracing Metrics Routing Metrics Tracing Application AuthN/ Z Rate-Limiting Routing Caching Organization Application AuthN/ Z Versioning Versioning Rate-Limiting
  • 6. © OPITZ CONSULTING 2023 / Öffentlich WHAT’S A SERVICE MESH? Advanced Observability & Security for your Kubernetes with a modern Service Mesh 10  Efficient implementation of cross-cutting concerns with respect to service integration challenges  Everything is a service!  Cloud-native apps deployed to Kubernetes  Non Cloud-native workloads  Should be independent of  Architecture (e.g. Monolithic or µService)  Platform (e.g. VMs, Containers, Kubernetes) Dedicated infrastructure layer that makes service-to-service communication more reliable, secure and observable
  • 7. © OPITZ CONSULTING 2023 / Öffentlich E2E SERVICE CONNECTIVITY WITH GATEWAY AND MESH Advanced Observability & Security for your Kubernetes with a modern Service Mesh 12  Increased Developer experience  Consistent security  Seamless observability  Reliable connectivity  Resilience  Flexibility GW DP CLIENT PUBLIC TRAFFIC GW DP MESH CP MESH 1 MESH 2
  • 8. © OPITZ CONSULTING 2023 / Öffentlich SERVICE-MESH IMPLEMENTATIONS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 13  Kuma  Istio  Consul  Linkerd  GlooMesh
  • 9. © OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 14 KUMA 02
  • 10. © OPITZ CONSULTING 2023 / Öffentlich KUMA INTRODUCTION Advanced Observability & Security for your Kubernetes with a modern Service Mesh 15  Initially invented by Kong and donated to CNCF in 2020  Provides a modern distributed Control Plane  Completely Envoy-based Data Plane proxies  Platform agnostic open-source control plane for Service Mesh  Hence Kuma is  Universal  Simple  Scalable  Flexible deployment options  Standalone deployment  Multi-Zone deployment Source: https://tinyurl.com/xb57bhx5
  • 11. © OPITZ CONSULTING 2023 / Öffentlich KUMA STANDALONE ARCHITECTURE Advanced Observability & Security for your Kubernetes with a modern Service Mesh 16
  • 12. © OPITZ CONSULTING 2023 / Öffentlich KUMA MULTI-CLUSTER ARCHITECTURE Advanced Observability & Security for your Kubernetes with a modern Service Mesh 17  One mesh can be deployed over multiple clusters (=> Zone)  All traffic enters cluster over zone ingress  One Remote (Zone) Control Plane in each cluster
  • 13. © OPITZ CONSULTING 2023 / Öffentlich KUMA NETWORKING / INIT-CONTAINER Advanced Observability & Security for your Kubernetes with a modern Service Mesh 18  Injected to Pod and started individually before Data Plane  Configures iptables / network routing
  • 14. © OPITZ CONSULTING 2023 / Öffentlich KUMA NETWORKING / CNI Advanced Observability & Security for your Kubernetes with a modern Service Mesh 19  Installed as DaemonSet on all Nodes  Injects label on Pods - k8s.v1.cni.cncf.io/networks: kuma-cni  CNI enables Transparent Proxying – redirects all traffic through Data Plane
  • 15. © OPITZ CONSULTING 2023 / Öffentlich SERVICE MESH DNS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 20  Local DNS resolution directly in Data Plane (Envoy)  Names are not resolvable in complete cluster, just inside service mesh (Envoy)  Resolves “.mesh“ address to pre-defined service mesh IP address  IP in other zone / cluster is routed over Kuma Zone Ingress
  • 16. © OPITZ CONSULTING 2023 / Öffentlich ZONE EGRESS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 21  Special Data Plane instance – like Zone Ingress  All outgoing traffic is routed through this instance  Usage of External Services just possible with deployed Zone Egress in the future
  • 17. © OPITZ CONSULTING 2023 / Öffentlich INTEGRATION OF LEGACY WORKLOAD Advanced Observability & Security for your Kubernetes with a modern Service Mesh 22  Integration of vm and bare metal workload  Local Data Plane instance connecting to Control Plane  Seamless and secure commuication between vm and Kubernetes workload
  • 18. © OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 23 DEMO 03
  • 19. © OPITZ CONSULTING 2023 / Öffentlich ARCHITECTURE OVERVIEW Advanced Observability & Security for your Kubernetes with a modern Service Mesh 24
  • 20. © OPITZ CONSULTING 2023 / Öffentlich ANALYZING AND MONITORING THE DATA Advanced Observability & Security for your Kubernetes with a modern Service Mesh  Using Grafana Stack to create a 360-degree view  Component usage:  Visualization: Grafana  Logging: Loki (Log Shipping: FluentD / FluentBit / Promtail)  Metrics: Prometheus  Tracing: Jaeger or Tempo  Alerting: Prometheus Alert Manager  Operating models  Self-managed (e.g. on-prem)  Grafana SaaS offering 25
  • 21. © OPITZ CONSULTING 2023 / Öffentlich ARCHITECTURE OBSERVABILITY Advanced Observability & Security for your Kubernetes with a modern Service Mesh 26
  • 22. © OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 27 DEMO
  • 23. © OPITZ CONSULTING 2023 / Öffentlich ASPECTS COVERED Advanced Observability & Security for your Kubernetes with a modern Service Mesh 28  Mesh Management (Kuma UI)  Managing Apps within the Mesh  Locality Awareness  Advanced Routing  Security  Mesh observability  Metrics  Logs  Traces
  • 24. © OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 29 CONCLUSION 04
  • 25. © OPITZ CONSULTING 2023 / Öffentlich SERVICE MESH BENEFITS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 30  Zero-trust security  mTLS, Traffic Permissions  Increased Developers productivity  Crosscutting concerns (AuthN & AuthZ, …)  Self-service network management  Multi-Tenancy over multiple clouds  Reliable connectivity  Circuit Breaker, Traffic Routes, …  Observability  Metrics, Tracing, Logs
  • 26. © OPITZ CONSULTING 2023 / Öffentlich KEY TAKEAWAYS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 31  Service Mesh is essential to build and managing multi-cloud apps efficiently  Kuma as mesh implementation provides  Agnostic approach (independent of architecture or platform)  Modern, flexible architecture supporting hybrid, multi-cloud scenarios  Multi-zone  Multi-cluster  Multi-mesh  Seamless CI / CD integration (GitOps)  Intuitive design  Spanning a mesh over multiple clusters and clouds can be done easily
  • 27. © OPITZ CONSULTING 2023 / Öffentlich MATERIALS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 32  Demo Source: https://github.com/KongChampions/kuma-multi-zone-mesh  Kuma docs: https://kuma.io/docs/2.2.x/  Kuma Counter Demo: https://github.com/kumahq/kuma-counter-demo  Kuma introduction – Meetup recording “Service integration made easy with OpenSource Kuma”: https://www.youtube.com/watch?v=f3GeuKzYrsA&t=1s  Demo “Service integration made easy with OpenSource Kuma”: https://github.com/svenbernhardt/service-integration-made-easy  Kong / Kuma and friends (k3d)– https://github.com/FabianHardt/k3d-bootstrap-cluster
  • 28. © OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 33 Q & A https://opitzcloud.canto.global/b/H0EMG
  • 29. © OPITZ CONSULTING 2023 / Öffentlich KONTAKT Modern Data Stack - Einführung - TDWI Community Talk 34 Fabian Hardt Solution Architect Fabian.Hardt@opitz-consulting.com https://twitter.com/fabian_hardt https://www.xing.com/profile/Fabian_Hardt https://www.linkedin.com/in/fabian-hardt

Editor's Notes

  1. Achtung: Hier muss!!!! Der Sprechtext sitzen, weil hier unser Angebot formuliert wird.
  2. Pfeile
  3. Global Control Plane (AKS, Fabian) Zone 1: OKE (Sven mit Data API) Zone 2: AKS (Fabian)
  4. Reliable connectivity No longer Developer’s responsibility Consistent, declarative management at infrastructure level Self-service network management Developer defines communication rules (traffic permissions) No longer need to also involve network teams (firewall rules) Zero-trust security Secure communication via mTLS Automated certificate management Service Discovery