1. © OPITZ CONSULTING 2023 / Public
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 1
Brühl, 2023-06-20
Fabian Hardt
ADVANCED OBSERVABILITY & SECURITY
FOR YOUR KUBERNETES WITH A MODERN SERVICE MESH
2.
01 WHY SERVICE MESH?
02 KUMA
03 DEMO
04 CONCLUSION
3. 01 WHY SERVICE MESH?
4. TREND TOWARDS DISTRIBUTED APPLICATION ARCHITECTURES
Centralized: STATIC; ON-PREM; MONOLITH; VIRTUAL MACHINES; MANUAL CHANGE PROCESS
Decentralized: DYNAMIC; CLOUD / MULTI-CLOUD; MICROSERVICES / SERVERLESS; CONTAINERS, KUBERNETES; AUTOMATED CI/CD TOOL CHAIN
Chart axes: # Services & APIs vs. CONTROL AND VISIBILITY
5. INCREASED COMPLEXITY AND COGNITIVE LOAD ON DEVS
Figure labels: Organization; Application (repeated); per application: Security, Logging, Tracing, Metrics, Routing, AuthN/Z, Rate-Limiting, Caching, Versioning
6. WHAT’S A SERVICE MESH?
Efficient implementation of cross-cutting concerns with respect to service integration challenges
Everything is a service!
  Cloud-native apps deployed to Kubernetes
  Non cloud-native workloads
Should be independent of
  Architecture (e.g. monolithic or µService)
  Platform (e.g. VMs, containers, Kubernetes)
Dedicated infrastructure layer that makes service-to-service communication more reliable, secure and observable
7. E2E SERVICE CONNECTIVITY WITH GATEWAY AND MESH
Increased developer experience
Consistent security
Seamless observability
Reliable connectivity
Resilience
Flexibility
Diagram labels: CLIENT, PUBLIC TRAFFIC, GW DP (gateway data plane), MESH CP (mesh control plane), MESH 1, MESH 2
8. SERVICE-MESH IMPLEMENTATIONS
Kuma
Istio
Consul
Linkerd
GlooMesh
9. 02 KUMA
10. KUMA INTRODUCTION
Initially developed by Kong and donated to the CNCF in 2020
Provides a modern distributed Control Plane
Completely Envoy-based Data Plane proxies
Platform-agnostic open-source control plane for Service Mesh
Hence Kuma is
  Universal
  Simple
  Scalable
Flexible deployment options
  Standalone deployment
  Multi-Zone deployment
Source: https://tinyurl.com/xb57bhx5
11. KUMA STANDALONE ARCHITECTURE
12. KUMA MULTI-CLUSTER ARCHITECTURE
One mesh can span multiple clusters (each cluster is a zone)
All traffic from other zones enters a cluster via the zone ingress
One Remote (Zone) Control Plane in each cluster
13. KUMA NETWORKING / INIT-CONTAINER
Injected into the Pod and run before the Data Plane starts
Configures iptables / network routing
14. KUMA NETWORKING / CNI
Installed as a DaemonSet on all Nodes
Injects label on Pods: k8s.v1.cni.cncf.io/networks: kuma-cni
CNI enables transparent proxying: redirects all Pod traffic through the Data Plane
15. SERVICE MESH DNS
Local DNS resolution directly in the Data Plane (Envoy)
Names are not resolvable cluster-wide, only inside the service mesh (Envoy)
Resolves “.mesh” names to a pre-defined service mesh IP address
An IP in another zone / cluster is routed via the Kuma Zone Ingress
16. ZONE EGRESS
Special Data Plane instance, like the Zone Ingress
All outgoing traffic is routed through this instance
In the future, External Services will only be usable with a deployed Zone Egress
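The Zone Egress and Service Mesh DNS slides as a concrete configuration, added here as an example and not taken from the deck or the demo repositories: a Mesh that enables mTLS, disables passthrough so traffic to unknown destinations is dropped, and routes traffic to external destinations via the Zone Egress, plus an ExternalService that becomes reachable inside the mesh as httpbin.mesh. It assumes a zone control plane installed with a ZoneEgress deployed; the destination httpbin.org:80 is a constructed placeholder.

```yaml
# Added example, not from the deck: lock down outbound traffic of the default
# mesh and declare the one external destination workloads may reach.
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
      - name: ca-1
        type: builtin        # Kuma-managed CA, certificates rotated automatically
  networking:
    outbound:
      passthrough: false     # destinations not known to the mesh are dropped
  routing:
    zoneEgress: true         # external and cross-zone traffic leaves via ZoneEgress
---
apiVersion: kuma.io/v1alpha1
kind: ExternalService
mesh: default
metadata:
  name: httpbin
spec:
  tags:
    kuma.io/service: httpbin   # resolved by mesh DNS as httpbin.mesh
    kuma.io/protocol: http
  networking:
    address: httpbin.org:80    # constructed placeholder destination
```

With passthrough disabled, a sidecar that tries to reach any host without a matching ExternalService gets no route, so the egress instance is the single point where outbound connections can be observed and policed.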
17. INTEGRATION OF LEGACY WORKLOAD
Integration of VM and bare-metal workloads
Local Data Plane instance connecting to the Control Plane
Seamless and secure communication between VM and Kubernetes workloads
18. 03 DEMO
19. ARCHITECTURE OVERVIEW
20. ANALYZING AND MONITORING THE DATA
Using the Grafana stack to create a 360-degree view
Component usage:
  Visualization: Grafana
  Logging: Loki (log shipping: FluentD / FluentBit / Promtail)
  Metrics: Prometheus
  Tracing: Jaeger or Tempo
  Alerting: Prometheus Alertmanager
Operating models
  Self-managed (e.g. on-prem)
  Grafana SaaS offering
21. ARCHITECTURE OBSERVABILITY
22. DEMO
23. ASPECTS COVERED
Mesh Management (Kuma UI)
Managing Apps within the Mesh
  Locality Awareness
  Advanced Routing
  Security
Mesh observability
  Metrics
  Logs
  Traces
24. 04 CONCLUSION
25. SERVICE MESH BENEFITS
Zero-trust security
  mTLS, Traffic Permissions
Increased developer productivity
  Cross-cutting concerns (AuthN & AuthZ, …)
Self-service network management
  Multi-tenancy over multiple clouds
Reliable connectivity
  Circuit Breaker, Traffic Routes, …
Observability
  Metrics, Tracing, Logs
26. KEY TAKEAWAYS
A Service Mesh is essential for building and managing multi-cloud apps efficiently
Kuma as mesh implementation provides
  An agnostic approach (independent of architecture or platform)
  A modern, flexible architecture supporting hybrid, multi-cloud scenarios
    Multi-zone
    Multi-cluster
    Multi-mesh
  Seamless CI / CD integration (GitOps)
  Intuitive design
Spanning a mesh over multiple clusters and clouds can be done easily
27. MATERIALS
Demo source: https://github.com/KongChampions/kuma-multi-zone-mesh
Kuma docs: https://kuma.io/docs/2.2.x/
Kuma Counter Demo: https://github.com/kumahq/kuma-counter-demo
Kuma introduction, Meetup recording “Service integration made easy with OpenSource Kuma”: https://www.youtube.com/watch?v=f3GeuKzYrsA&t=1s
Demo “Service integration made easy with OpenSource Kuma”: https://github.com/svenbernhardt/service-integration-made-easy
Kong / Kuma and friends (k3d): https://github.com/FabianHardt/k3d-bootstrap-cluster
28. Q & A
https://opitzcloud.canto.global/b/H0EMG
29. CONTACT
Fabian Hardt
Solution Architect
Fabian.Hardt@opitz-consulting.com
https://twitter.com/fabian_hardt
https://www.xing.com/profile/Fabian_Hardt
https://www.linkedin.com/in/fabian-hardt
Editor's Notes
Attention: the speaker text must go here, because this is where our offer is formulated.
Arrows: Global Control Plane (AKS, Fabian)
Zone 1: OKE (Sven with Data API)
Zone 2: AKS (Fabian)
Reliable connectivity
  No longer the developer's responsibility
  Consistent, declarative management at infrastructure level
Self-service network management
  Developer defines communication rules (traffic permissions)
  No longer need to also involve network teams (firewall rules)
Zero-trust security
  Secure communication via mTLS
  Automated certificate management
Service Discovery
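The zero-trust points from the SERVICE MESH BENEFITS slide (mTLS, Traffic Permissions) and from the notes above (developers define communication rules instead of firewall rules) as a concrete Kuma policy pair, added here as an example and not part of the deck or its demo code. It assumes the default mesh already has mTLS enabled, since MeshTrafficPermission identifies callers by their mesh certificate, and uses the constructed service names frontend_kuma-demo_svc_8080 and backend_kuma-demo_svc_3001.

```yaml
# Added example, not from the deck: deny everything by default, then allow
# exactly one caller. Assumes Mesh "default" has mTLS enabled; service names
# are constructed (Kuma derives them as <name>_<namespace>_svc_<port>).
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: deny-all
  namespace: kuma-system            # Kuma 2.x policies live in the system namespace
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh                      # applies to every data plane in the mesh
  from:
    - targetRef:
        kind: Mesh                  # ...for traffic from any mesh identity
      default:
        action: Deny                # no service may call another until allowed
---
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: allow-frontend-to-backend
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: MeshService
    name: backend_kuma-demo_svc_3001      # destination, by kuma.io/service tag
  from:
    - targetRef:
        kind: MeshService
        name: frontend_kuma-demo_svc_8080 # caller, proven by its mTLS certificate
      default:
        action: Allow               # the more specific targetRef overrides deny-all
```

A denied HTTP request is rejected by the destination sidecar with a 403, so the effect of the rule is visible in the sidecar metrics and logs without touching any cluster firewall.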