►
From YouTube: Deep Dive: Linkerd - Zahari Dichev, Buoyant
Description
Don’t miss out! Join us at our upcoming events: EnvoyCon Virtual on October 15 and KubeCon + CloudNativeCon North America 2020 Virtual from November 17-20. Learn more at https://kubecon.io. The conferences feature presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Deep Dive: Linkerd - Zahari Dichev, Buoyant
In this session, Zahari Dichev, will focus on lessons learned, how to's, and what the future of Linkerd holds.
https://sched.co/Zexn
A
A
So
the
agenda
for
today
is
the
following:
we're
going
to
do
a
quick
overview
of
what
service
meshes,
why
you
might
need
one
and
how
linkery
works
internally,
we're
going
to
cover
the
multi-cluster
concepts
that
govern
the
implementation
of
this
feature,
we're
going
to
look
at
the
architecture
and
how
we
designed
it.
And
of
course
we
are
also
going
to
jump
into
the
terminal.
A
And
so
I
can
show
you
how
using
this
feature
feels
like
and
then
we
are
going
to
dive
even
deeper
to
track
the
life
of
a
request
across
clusters,
and
I
think
that's
going
to
be
particularly
interesting,
because
it's
going
to
give
you
it's
going
to
give
you
a
a
bit.
It's
going
to
give
a
bit
more
a
deep
knowledge
into
how
the
whole
the
whole
system
has
been
put
together.
A
A
A
A
A
A
A
It
provides
latency,
aware
layer,
7,
load,
balancing
and
automatic
tls
out
of
the
box,
and
what
is
a
particular
feature?
That's
actually
that
I
think
is
is
pretty
cool
is
that
it
exposes
an
on-demand
diagnostic
tap
api.
So
you
can
use
a
cli
to
to
tap
into
any
proxy
and
see
the
live
requests
that
are
going
through
the
proxy
in
real
time.
A
Well,
that's
happening
through
a
process
that
we
call
injection,
so
it's
usually
accomplished
by
the
proxy
injector
component,
which
is
part
of
the
control
plane,
but
can
be
done
manually
as
well,
and
the
essence
of
it
is
that
your
pots
are
modified
to
include
an
init
container
which
is
responsible
for
setting
up
the
ip
tables
rules
for
the
pot.
So
all
the
traffic
can
go
through
the
proxy
and
then
there
is
the
psychiatric
side
car
container,
that
runs
the
proxy
itself,
intercepting
this
all
the
traffic.
A
So
if
you
have
to
draw
that
the
injection
sort
of
looks
like
this,
you
have
your
pot
running
with
the
application
container
in
there
and
then
there
is
an
init
container
at
it,
setting
up
the
rules
and
then
there
is
the
proxy
as
a
side,
car
or
sidecar
container.
So
now
your
traffic,
your
incoming
traffic,
gets
shifted,
so
it
first
hits
the
proxy
and
then
goes
to
the
application
container.
A
So
when
we
were,
we
wanted
to
we
kind
of
thought
about
all
of
this
and
we
wanted
to
bring
these
guarantees
and
these
core
concepts
to
the
multi-cluster
support
as
well.
So
you
get
all
of
that
not
only
within
your
cluster
but
within
your
whole
ensemble
of
clusters.
So
to
speak,
so
this
kind
of
brings
the
question
as
to
why
why
why
multiple
clusters?
A
A
Cluster,
for
example,
as
well
as
also
people
want
to
do
failover
so
kind
of
shifting
traffic
from
one
cluster
to
another
when,
when
a
certain
cluster
fails
or
needs
some
kind
of
maintenance,
so
we
kind
of
thought
about
all
of
that
and
we
decided
to
have
some
core
concepts
across
across
multi-cluster.
The
multi-cluster
feature
that
kind
of
build
upon
the
linker
d
score
concepts,
and
so
our
solution
is
secure
and
much
like
with
link
rd.
A
A
Then
we
have
the
solution:
big
kubernetes,
first
so
remote
services,
they
appear
as
normal
kubernetes
services,
so
any
service
that's
exported
and
available
in
your
local
cluster.
But
it's
a
remote
service.
It's
just
a
normal
service.
It's
not
some
kind
of
special
special
kind
of
service
and
there
is
no
single
point
of
failure.
So
no
single
cluster
is
blessed
or
magical.
Each
cluster
is
running
its
own
linker
d,
installation
with
the
control
plane.
A
So
if
a
cluster
fails
that
doesn't
bring
the
whole
system
down,
the
solution
is
also
transparent,
so
applications
don't
need
to
know
whether
service
is
remote
or
local
and
the
solution
is
also
network
independent.
So
the
only
requirement
is
that
there
is
gateway
connectivity
between
clusters,
but
the
underlying
the
underlying
network,
infrastructure
or
network
hierarchy
doesn't
matter
at
all.
A
So
if
we
have
to
draw
kind
of
a
diagrammatic
kind
of
a
diagrammatic
representation
of
what
our
multicultural
solution
looks
like
it
kind
of
looks
like
this.
So
imagine
you
have
cluster
east
and
west
that
you're
going
to
see
in
the
demo
in
a
bit.
So
these
both
are
running
lingerie
and
it's
important
that
linkard
for
both
of
these
clusters
is
installed
with
with
truss
roots.
That's
that
so
the
certificates
share
the
same
trust
root
in
order
to
enable
the
mtls
across
clusters.
A
A
So
the
service
mirror
is
responsible
for
monitoring
the
exported
state
of
the
target
cluster
and
replicating
it.
So
it
would
use
kubernetes
informers
and
the
go
api
clients
to
to
continuously
monitor
the
set
of
services
that
are
exported
on
a
target
cluster
and
create
proxy
services
locally,
and
then
there
is
the
gateway
which
is
responsible
for
routing
incoming
traffic
to
the
services
to
the
appropriate
services
on
the
on
the
target
cluster.
A
A
A
A
A
A
A
A
A
So
now
we
can
use
the
gateways
command
in
order
to
see
that
on
cluster
east
cluster
east
knows
about
a
gateway
on
cluster
west.
That's
has
that's
exhibiting
a
bunch
of
traffic
characteristics,
so
this
is
the
latency
to
this
gateway
and
it's
alive.
So
there
is
a
probe
internally
that
that
probes,
this
gateway
and
informs
us
whether
that
gateway
is
alive
at
the
moment
or
not.
Currently,
however,
there
is
there
is
no
services
being
mirrored.
A
A
A
So
now
we
can
step
back
a
bit
and
think
about
what
we
can
do.
So
we
can
define
a
traffic
split
here
that
splits
all
the
traffic
going
to
back-end
service
in
half,
so
half
of
the
request
will
go
to
back-end
service,
which
is
the
local
service
and
half
of
the
request
will
go
to
the
service,
that's
located
on
cluster
west.
A
A
A
A
A
So
that
dashboard
command
gives
us
the
dashboard
here
we
can
look
at
our
traffic
splits
and
gets
a
visual
representation
of
that
and
again
you're
gonna
see
the
characteristics
here.
So
half
of
the
traffic
goes
to
the
local
service.
Half
of
the
traffic
goes
to
the
service
on
cluster
west.
Also,
what's
also
interesting
to
observe
is
that
we
can
go
into
grafana
and
there
is
a
multi-cluster
dashboard
here.
A
That
shows
you
a
bunch
of
traffic
statistics
about
your
about
the
traffic
that's
going
to
remote
services,
so
you
can
see
here
that
there
is
a
request
rate
for
the
linker
b
gateway,
so
this
is
for
all
the
traffic.
That's
going
to
this
gateway,
no
matter
the
service.
But
then
there
is,
you
know
a
breakdown
here,
that's
that's
by
services,
and
that
would
be
a
bit
more
interesting
if
we
have
more
services,
but
we
can
see
that
all
the
traffic
is
going
to
back
in
service
at
the
moment
at
cluster
west.
A
So
this
is
all
quite
interesting,
and
you
know
you
might
ask
yourself
well
how
does
this?
How
does
this
actually
work?
Well,
the
way
it's
been
designed
is
is
the
following.
So
imagine
you
have
your
clan
pods,
that's
located
on
cluster
east
right!
Well,
the
moment
you
fire
get
requests
through
curl
to
back-end
service.
A
A
A
So
it's
going
to
return
the
expected
identity
of
the
gateway
on
the
other
side,
so
it
can
enable
mtls,
and
it's
also
going
to
return
the
fully
qualified
domain
name
of
the
target
service
on
to
the
other
cluster
and
that's
important,
because
this
other
cluster
might
very
well
have
a
different
cluster
domain
and
it
also
is
not
suffixed
with
the
west
right.
The
the
name
on
the
other
side
is
back-end
service,
not
back
in
service
west.
A
So
when
all
of
that
happens,
this
request,
the
uri
authority
is
rewritten,
the
proper
tls
identity
is
set,
and
this
request
flies
off
to
cluster
west.
So
once
it
hits
this
ip
on
this
port,
it's
intercepted
by
this.
This
request
is
intercepted
by
the
proxy
and
the
proxy
will
and
and
this
gateway
gateway
will
route
it
to
the
correct
back-end
service.
A
So
and
because
all
of
that,
because
there
is
the
correct
destination
encoded
in
the
request,
it
knows
onto
where
to
send
it
on
which
port?
So
you
know
you
might
be
hitting
the
proxy
service
onto
different
ports
and
all
of
that
traffic
will
go
to
one
single
port
on
the
gateway,
but
because
we
carry
metadata
indicating
which
port
was
actually
the
original
port,
we
can
route
it
to
the
correct
service.
A
So
that
being
said
this
this,
this
was
sort
of
the
first
iteration
of
the
multi-cluster
support
that
we
designed
and
it
works
quite
well.
However,
there
are
a
few
improvements
that
we
have
in
mind
and
we
are
actively
working
on
at
the
moment.
So,
first
of
all,
now
there
is
a
service
we
want
to
be,
and
now
there
is
a
single
service,
mirror
controller
running
and
it's
responsible
for
pretty
much
all
the
all
the
linked
clusters.
A
We
want
to
split
that
up
and
have
a
service
mirror
controller
per
target
cluster,
and
I
think
that's
going
to
simplify
things
greatly
and
make
the
kind
of
the
cognitive
luggage
lighter,
and
it's
going
to
be
much
easier
to
debug
whenever
problems
occur,
we
also
want
to
introduce
a
crd
to
better
represent
the
target
cluster
information.
So
now
a
bunch
of
that
information
is
encoded
in
a
secret
other
bits
of
the
of
that
information
is
encoded
in
arbitrary
annotations
on
the
services
that
are
mirrored
and
whatnot.
A
We
want
to
consolidate
all
that
into
a
crd
that
represents
this
information.
So
it's
all
in
one
place.
We
want
to
support
traffic
policy
and
much
finer
green
permissions
control
as
to
what
traffic
can
go
where
and
of
course
we
want
to
support
plain
tcp
traffic,
so
this
is
something
we
so
currently
it's
all
http.