Service Mesh
- In microservices, an app is broken down into multiple smaller services that communicate over a network, and networks are unreliable, attackable and slow. A service mesh addresses this set of challenges by managing the traffic between services and adding reliability, observability and security features uniformly across all services
The broader category of critical functions provided by service mesh are
- security
- reliability
- observability
Service Meshes
- Linkerd
- Istio
- Consul
- AWS App Service Mesh
- Azure Service Fabric Mesh
Linkerd architecture
- Refer Here for official docs
Data Plane
- Pods that have proxies are referred to as meshed
- Meshed pods communicate exclusively through the proxies
- proxies collect critical metrics
- Four functions of Data plane
- Iptables config: Route traffic to proxy in the Pod
- Load Balancing: Balance traffic for HTTP and gRPC
- Metrics
- mTLS (Mutual TLS): Secure by default
- Iptables config
- Two ways to configure
- Init Container
- Linkerd CNI plugin
- Load Balancing:
- Request Level load Balancing
- Connection pool
- Balances based on latency
- Uses exponentially weighted moving average
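To make the latency-aware load balancing concrete, here is an added Python model (not Linkerd's own code) of request-level balancing with a peak EWMA of latency: each endpoint's cost is its latency average times its in-flight requests, a slow sample raises the average immediately, faster samples only decay it, and the balancer picks the cheaper of two randomly chosen endpoints. The endpoint names and latency samples are constructed for the illustration.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class Endpoint:
    """Per-endpoint state kept by the balancer (illustrative model)."""
    name: str
    ewma_ms: float = 0.0      # exponentially weighted moving average of latency
    last_update: float = 0.0  # time of the last latency sample (seconds)
    in_flight: int = 0        # requests currently outstanding to this endpoint
    samples: int = 0


class PeakEwmaBalancer:
    """Request-level balancer: cost = latency EWMA * (in-flight + 1).

    "Peak" EWMA: a sample slower than the current average replaces it at once,
    so a degraded endpoint is penalised immediately, while faster samples only
    pull the average down gradually (decaying over `decay_s` seconds).
    Selection is power-of-two-choices: two random endpoints, lower cost wins.
    """

    def __init__(self, endpoints, decay_s=10.0, seed=None):
        self.endpoints = {n: Endpoint(n) for n in endpoints}
        self.decay_s = decay_s
        self.rng = random.Random(seed)

    def cost(self, ep):
        if ep.samples == 0:
            return 0.0  # never-used endpoints are tried first
        return ep.ewma_ms * (ep.in_flight + 1)

    def pick(self):
        names = list(self.endpoints)
        if len(names) == 1:
            return names[0]
        a, b = self.rng.sample(names, 2)
        chosen = min(self.endpoints[a], self.endpoints[b], key=self.cost)
        chosen.in_flight += 1
        return chosen.name

    def observe(self, name, latency_ms, now):
        """Record a completed request and update the endpoint's latency estimate."""
        ep = self.endpoints[name]
        ep.in_flight = max(ep.in_flight - 1, 0)
        if ep.samples == 0 or latency_ms > ep.ewma_ms:
            ep.ewma_ms = latency_ms  # peak: slower sample wins immediately
        else:
            dt = max(now - ep.last_update, 0.0)
            w = math.exp(-dt / self.decay_s)  # weight kept by the old average
            ep.ewma_ms = w * ep.ewma_ms + (1.0 - w) * latency_ms
        ep.last_update = now
        ep.samples += 1


def simulate(picks=200):
    """Constructed latencies: pod-c is an order of magnitude slower than the others."""
    lb = PeakEwmaBalancer(["pod-a", "pod-b", "pod-c"], seed=7)
    latencies = {"pod-a": [20, 22, 19], "pod-b": [21, 25, 20], "pod-c": [300, 280, 310]}
    t = 0.0
    for i in range(3):
        for name, lat in latencies.items():
            lb.observe(name, lat[i], t)
            t += 0.1
    chosen = []
    for _ in range(picks):
        name = lb.pick()
        chosen.append(name)
        lb.observe(name, lb.endpoints[name].ewma_ms, t)  # latency assumed unchanged
        t += 0.1
    return chosen


if __name__ == "__main__":
    from collections import Counter
    print(Counter(simulate()))
```

Running it shows the slow pod-c receiving no requests once its latency has been observed, which is the behaviour the proxy's balancing gives you without any per-service configuration.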
- Metrics:
- Linkerd collects metrics from proxies
- Metrics are exposed in Prometheus format and are used to
- Determine app health
- Collect baseline metrics
- Define error budgets
- Service Level Objectives
- Mutual TLS
- Zero-trust
- mTLS between services
- Linkerd recommends bringing your own Prometheus. Refer Here
control plane
- Controller Component
- It interacts with linkerd cli and Dashboard
- Destination Service
- Identity Service
- Proxy Injector: It injects the proxy into objects carrying the annotation
linkerd.io/inject: enabled
- Linkerd Extensions:
- Viz
- Jaeger
- Multicluster
Using Linkerd
- Refer Here for setting up the cli
choco install linkerd2 -y
- Refer Here for steps
- As discussed in the class, after linkerd is installed, install the dashboard using the viz extension
- Let's install emojivoto
kubectl apply -f https://run.linkerd.io/emojivoto.yml
- Let's inject the proxy into emojivoto by annotating the namespace
kubectl annotate ns emojivoto linkerd.io/inject=enabled
- Now restart the deployment to inject the proxy
kubectl rollout restart deploy -n emojivoto
- Service Profiles in Linkerd Refer Here
- Refer Here for setting up service profiles
- Three ways to setup Service Profiles
- OpenAPI/Swagger
linkerd profile -n emojivoto --open-api <swagger file> <svc> > yaml
- Protobuf
linkerd profile -n emojivoto --proto <proto file> <svc> > yaml
- tap
linkerd viz profile <from> --tap <to> --tap-duration 10s -n <namespace> > yaml
- OpenAPI/Swagger
- Simple swagger: create a file called emojivoto.swagger with the following content
openapi: 3.0.1
version: v10
paths:
  /api/list:
    get: {}
  /api/vote:
    get: {}
- Create a service profile using the command
linkerd profile -n emojivoto --open-api .\emojivoto.swagger web-svc > web-sp.yaml
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  creationTimestamp: null
  name: web-svc.emojivoto.svc.cluster.local
  namespace: emojivoto
spec:
  routes:
  - condition:
      method: GET
      pathRegex: /api/list
    name: GET /api/list
  - condition:
      method: GET
      pathRegex: /api/vote
    name: GET /api/vote
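The following added Python example (not Linkerd's own code) shows what the profile command above is doing with the OpenAPI file: every path/method pair becomes one route whose pathRegex is the escaped path with each {param} template segment replaced by [^/]*, and the routes are wrapped in a ServiceProfile named after the service's cluster DNS name. It goes a little beyond the page by handling a parameterised path; the spec dictionary is constructed for the example, and `kubectl apply -f` accepts the JSON it prints.

```python
import json
import re

# After re.escape(), a template parameter such as {id} appears as \{id\}.
_PARAM = re.compile(r"\\\{[^}\\]*\\\}")
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def path_to_regex(path: str) -> str:
    """Turn an OpenAPI path template into a pathRegex.

    Regex metacharacters in the literal path are escaped and each {param}
    segment becomes [^/]* (exactly one path segment), e.g.
    /api/users/{id} -> /api/users/[^/]*.
    """
    return _PARAM.sub("[^/]*", re.escape(path))


def service_profile(spec: dict, service: str, namespace: str,
                    cluster_domain: str = "cluster.local") -> dict:
    """Build a ServiceProfile (linkerd.io/v1alpha2) with one route per path+method."""
    routes = []
    for path, operations in spec.get("paths", {}).items():
        for method in operations:
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level keys such as 'parameters' or 'summary'
            routes.append({
                "name": f"{method.upper()} {path}",
                "condition": {"method": method.upper(), "pathRegex": path_to_regex(path)},
            })
    return {
        "apiVersion": "linkerd.io/v1alpha2",
        "kind": "ServiceProfile",
        "metadata": {
            "name": f"{service}.{namespace}.svc.{cluster_domain}",
            "namespace": namespace,
        },
        "spec": {"routes": routes},
    }


# Constructed spec: the page's two emojivoto routes plus a parameterised path.
EMOJIVOTO_SPEC = {
    "openapi": "3.0.1",
    "paths": {
        "/api/list": {"get": {}},
        "/api/vote": {"get": {}},
        "/api/users/{id}": {"get": {}, "delete": {}, "parameters": []},
    },
}

if __name__ == "__main__":
    print(json.dumps(service_profile(EMOJIVOTO_SPEC, "web-svc", "emojivoto"), indent=2))
```

The point of the per-route split is that the proxy can then report success rate and latency per route rather than per service, which is what the baseline metrics and error budgets above are built on.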
- Refer Here for circuit breakers
- Refer Here for timeouts
- Validate mTLS. Refer Here
- Canary deployments are supported using the following. Refer Here
Istio architecture
- Refer Here for official docs