►
From YouTube: 2020-10-29 Istio Community Meeting
Description
On October 29, 2020 the Istio community hosted a meetup featuring a demo by Denis Jannot, Director, Field Engineering at Solo.io entitled, “Multi-cluster Kubernetes and Service Mesh Patterns."
B
C
A
C
A
Denisendo,
I'm
director
of
field
engineering
at
emea,
in
emea,
for
solo.I,
o
and
I'm
going
to
you
know,
speak
about
this
multi-cluster
pattern
with
istio
in
particular,
and
I'm
going
to
really
like
focus
a
lot
on
demos,
so
I'm
I'm
using
some
slide
at
the
beginning
to
introduce
the
concepts.
But
I
will
really
like
you
know,
do
a
lot
of
different
small
demos
there
so
that
it's
more
interactive
and
feel
free
to
interrupt
me.
If
you
have
any
questions,
if
anything
is
not
clear,
I'll,
be
happy
to
to
clarify
that.
A
So
let
me
just
like
go
and
present
our
mods,
and
now
I
will
jump
directly.
So
basically,
what
I'm
going
to
do
is
I'm
going
to
do
a
lot
of
demo
that
we
have
in
a
workshop
and
we
are
going
to
run
this
workshop
again
in
the
near
future.
So
if
you
are
interested,
you'll
you'll
be
able
to
join,
but
the
idea,
I
will
jump
directly
in
this
part
here,
where
I'm
going
to
speak
about
the
different.
Your
way
you
can
deploy
istio
on
you
know
multi-cluster.
A
So
obviously,
one
way
is
what
we
call
the
the
shared
cluster
or
short
control
plane.
Sorry,
where
you
have
just
one
control
plane
and
you
have
like
two
cubans
clusters
and
you
have
pods
running
on
on
the
two
clusters.
This
model.
We
don't
see
it
used
quite
often
because,
first
of
all,
you
need
a
flat
network
and
also,
if
you
have
an
outage
on
this
cluster,
then
you
lose
your
control
plane
and
the
other
services
will
not
work
correctly
anymore,
and
so
the
most
popular
ways
for
multi-cluster
is
really
using.
A
It
can
be
two
three
four
or
more
clusters
and
then
the
advantage
is
obviously
you
don't
need
a
flat
network
if
you
have
an
outage
on
one
cluster,
I
just
impact
this
specific
cluster,
but
on
the
other
side,
it's
a
lot
more
complex
to
implement
and
I
will
cover
I
will
go
through.
You
know
what
are
the
common
challenges
there
and
and
the
way
we
can,
we
can
handle
them.
A
So
the
most
common
challenges-
and
there
are
a
few
more-
are
like
about
federate.
You
know
federated
the
trust
and
identity
and
I'll
go
through
that
deeper
in
in
the
next
slides,
and
also
how
you
allow
the
communication
between
the
clusters,
how
you
can
also
like
manage
access
control
globally,
how
you
can
manage
failover
this
kind
of
things.
So
that's
the
topic
I
will
cover
and
I'll
try
to
do.
A
A
A
For
I
mean
each
body
is
using
and
the
the
beauty
of
istio
is
that
you
can
quite
easily
have
encryption
between
the
services
using
mutual
tls
and
istio
is
like
handling
the
complexity
rotating
the
certificate,
which
is
something
that
is
really
not
straightforward
to
do.
If
you
don't
have
sto
and
when
two
services
need
to
communicate
together,
they
come
with
their
own
identity,
like
I
described
based
on
the
service
account,
but
it's
quite
important
to
understand
how
it
works.
A
So
each
each
pod
has
like
its
identity
in
the
form
of
a
spiffy
id.
So
this
spiffy
is
like
a
standard
that
mean
secure
production,
identity
framework
for
everyone
that
is
used
in
in
istio
and
a
spf
id
is
in
this
kind
of
format
like
spf
trust,
domain
and
workload
identifier
and
in
in
istio.
A
spiffy
id
is
like
spiffy
the
trust
domain
that
you
use
when
you
deploy
your
istio
cluster
ns,
the
namespace
of
the
service
account
used
by
the
pods
sa
and
the
service
account
name.
A
So
when
it
comes
to
multi-cluster
sto,
then
that
can
become
very
challenging,
because
if
you
have
multiple
clusters-
and
let's
say
you
have
like
pods
on
these
different
clusters-
that
use
the
same
service
account
name
in
the
same
name
space,
then
there
is
no
way
to
differentiate
these
two
pods.
So
when
you
want
to
tackle
this
multi-cluster
is
your
problem
or
the
you
want
to
to
deploy
stu
and
multi-cluster
in
the
right
way.
A
Now
they
have
their
unique
identity,
but
they
are
not
able
to
validate
that
identity
because,
as
I
said
before,
the
certificate
used
by
this
pod
has
been
signed
by
the
control
plane
here.
While
this,
the
certificate
used
by
this
pod
has
been
signed
by
another
control
plane
and
each
control
plane
has
its
own
ca
certificate.
A
It
will
sign
this
intermediate
certificate
with
a
common
root
cert,
and
then
this
intermediate
certificate
on
each
cluster
will
be
replacing
the
the
css
that
is
used
by
istio
in
each
cluster.
So
at
the
end,
you
will
have
a
certificate
chain
that
looks
like
the
certificate
of
the
the
pods,
the
intermediate
certificate,
which
is
unique
on
each
cluster
and
a
common
root
cert,
and
because
we
have
a
common
root
cert
now
it
will
allow
one
service
on
one
cluster
to
to
be
able
to
validate
the
identity
of
a
pod
in
another
cluster.
A
So
that's
what
you
get
like
when
you,
when
you
you
create
this
virtual
mesh.
I
already
created
the
virtual
mesh
in
the
in
the
environment.
We
will
use
for
the
demo,
so
I'm
not
going
to
focus
there
and
I'm
going
to
go
back
to
access
control
a
little
bit
later
as
well.
So
I,
the
first
thing
I'm
going
to
do
here-
is
really
to
do
a
quick
demo
about
how
I
can
now
have
this
cross
cluster
communication,
and
for
that
I
I
deployed
like
two
clusters.
A
Basically,
in
fact,
I
have
three
clusters,
because
I
have
one
cluster
where
I
have
still
running
here
on
the
left,
which
is
called
cluster
one
another
one
here
called
cluster
two,
where
I
also
have
this
tio
and
another
one.
That's
called
management
where
I
have
service
mesh
up,
but
this
could
run
also
on
one
of
these
clusters.
A
I
just
put
that
in
a
separate
cluster
so
that
you
see
it's
not
mandatory
and,
as
you
can
see,
I
I
deployed
the
book
info
demo
application
on
both
sides
on
both
clusters.
The
only
difference
is
that
the
review
service
has
only
v1
and
v2
in
this
cluster,
while
it
has
v1,
v2
and
v3
on
this
cluster.
So,
as
you
probably
know
you
I'm
sure,
you're
already
familiar
with
the
booking
for
application,
so
yeah.
A
If
I
refresh
this
page,
you
see
I
just
get
like
no
stars
or
black
stars,
because
obviously
I
sent
the
request
locally
and
I
didn't
configure
any
cross
cluster
communication.
Now.
If
I
want
to
upload
this
cross,
cluster
communication
service
mesh
hub
makes
that
easy,
with
this
abstraction
called
traffic
policy.
So
in
the
traffic
policy.
A
What
I
will
say
that
when
I
send
when
there
is
a
request
sent
to
the
review
service
on
cluster
one,
I
want
a
traffic
shift
to
happen
where
I
send
75
percent
of
the
request
to
the
v3
service
on
cluster
2
15
of
those
of
the
request
in
cluster
1
on
v1
and
10
cluster
1
and
v2.
So
you
see
it's
very
simple
way
to
define
this
cross
cluster
communication.
A
A
So
what's
interesting
is
that
it
was
very
easy
to
set
up,
but
behind
the
scene,
service
mesh
herb
has
created
a
lot
of
different
studio
objects
that
are
needed
for
this
communication
to
happen.
So
you
have
obviously
a
virtual
service
that
looks
very
similar
to
the
traffic
policy.
I
def,
I
defined
you
where
you
see
the
different
weights,
but
here
you
see
the
destination
is
like
there
is.
No
notion
of
this
is
the
cluster,
because
istio
is
not
aware.
A
A
Then
you
need
to
have
a
service
entry
that
tells
esteo
how
to
reach
this
service
in
the
other
site.
And
obviously
here
the
address
is
the
address
of
this.
Your
ingress
gateway
on
the
second
side,
then,
on
the
second
site,
it
creates
an
android
filter
that
basically
will
track
all
the
communication
coming
with
clustered
blue.global
and
will
replace
this
suffix
by
cluster.local.
So
that's
the
communication
seems
like
a
local
communication,
so
everything
then
can
happen
normally
with
the
local
destination
rule
and
so
on.
A
Pods
to
talk
to
the
rating
pods
and
you
see,
I
defined
different
traffic
targets,
and
I
can
show
you
that
in
fact
here,
so
I
already
created
that
before
the
demo.
But
you
see
you
create,
you
have
the
traffic
policy
like
I
described
before,
but
we
have
also
another
abstraction,
which
is
called
access
policy,
which
is
a
kind
of
cluster
aware
authorization
policy
if
you
want,
but
here
instead
of
just
you
know,
using
traditional
service
account
sector
and
stuff,
like
that,
you
can
also
use
set
up
some
different
clusters.
A
You
know
authorization,
policies
and
service
entries
and
destination
awards
and
so
on,
but
that
just
makes
it
easier
with
this
higher
abstraction
that
are
cluster
aware.
So
this
example
was
really
about
showing
you
how
you
can
do
like
cross-cluster
communication
and
another
use
case,
for
that
is
if
I
want
to
manage
failover.
So
let's
say
I
want
if
I
am
not
able
to
reach
the
local
review
service,
I
now
want
to
reach
the
review
service
on
the
other
side.
A
And
then
I'm
going
to
create
a
few
objects,
so
one
is
a
traffic
policy
that
will
define
outlier
detection.
So
I
will
be
able
to
tell
that
I
want
basically
to
have
this
outlier
detection.
If
I
have
like
more
than
one
er
in
10
seconds,
then
I
want
to
eject
the
the
target
for
like
two
minutes,
and
so
I'm
going
to
apply
that
here
and
basically
it
will
be
translated
when
I
do
that,
it's
translated
in
two
different
in
one
in
two
different
sorry
stu
objects.
A
So
let
me
just
try
to
you,
know,
copy
and
paste
that
and
again,
when
I
do
that.
Basically,
what
service
mesh
up
does
is
that
it
will
create
an
envoy
filter
so
that
it
will
replace
the
the
the
dns
name
is
specified
here
by
the
local
under
remote
cluster,
and
it
will
also
create
a
service
entry
for
this
new
host
name
so
that
it's
known
by
the
mesh.
A
So
I
could
just
stop
there
and
I
could
say:
okay
now,
if
I
want
to
access
this,
then
I
would
go
to
the
product
page
service
and
I
will
modify
my
micro
service
here.
I
will
modify
my
application
and
instead
of
sending
my
request
to
reviews,
I
would
send
the
request
to
reviews
failover
and
basically
the
application
will
be
aware
that
it's
now
targeting
like
an
highly
available
service,
but
I
can
even
make
it
transparent
so
that
here
I
don't.
I
don't
want
to
modify
my
product
page
service.
I
wanted.
A
I
just
need
to
configure
another
traffic
policy
where,
basically,
what
I
say
is
that,
when
a
request
targets
the
review
service,
I
send
it
to
the
reviews
failover
so
that
it's
it
becomes
transparent,
and
so
I'm
going
to
just
create
that
and
again,
if
you
think
about
what
it
does
in
terms
of
istio,
it's
just
like
create
a
virtual
service,
and
the
virtual
service
is
just
like
request
going
to.
Reviews
are
now
sent
to
the
highly
available
service
so
to
test
it
out.
A
What
I'm
I
can
do
is
I
can
just
like
make
this
review
service
on
the
local
cluster.
I
can
make
them
unavailable
by
just
like
adding
a
sleep
command,
so
if
I
do
that
here
they
are
not
now
unavailable,
but
if
I
try
to
access
my
app
here
that
should
still
work,
you
see
it
still
works.
I
still
get
like
just
the
time
to
make
it
happen.
A
A
So
again,
it
was
really
easy
to
set
up
the
failover,
and
I
am
also
able
like
it
was
the
case
before
I
can
go
here
and
I
can
see
what
policies
I
have
in
place
and
I
can
see
the
the
failover
that
I
just
configured
here
and
I
can
see
the
backing
services
for
the
different
failover
and
a
few
other
things
that
I
didn't
describe
before.
But
that
are
quite
nice
here
when
I
created
the
mesh
I
enforced
airbag
globally.
A
So
it
was
like
an
option
on
the
virtual
mesh
creation
that
I
can
show
you
here.
So
I
created
the
virtual
image
before
it
was
just
there
a
little
bit
higher.
I
think
yeah.
So
here
you
see
the
first
time
when
I
created
the
mesh
in
the
in
the
in
the
demo.
I
didn't
set
the
access
control
here
and
I
just
did
that
to
validate.
A
You
know
the
spf
id
and
all
these
things,
and
then,
when
we
do
the
access
control
part,
we
just
modify
the
virtual
mesh
so
that
we
want
our
back
to
be
enabled
globally
and
when
we
do
that.
What
service
meshup
does
is
that
it
creates
some
rules
like
that,
some
authorization
policy
with
empty
spec.
That
means
that
nothing
is
allowed.
A
A
B
D
Great
yeah,
I
had
a
question:
I'm
a
novice
at
all
about
istio,
so
I
was
looking
into
multi-cluster
stuff
and
I
was
honoring
and
there's
kyali,
which
offers
like
visualization
of
the
traffic
that's
flowing
and
also
with
traffic
policies
that
splits
percentages
of
certain
traffic
to
certain
destination.
Is
there
something
like
that
as
well
in
service
mesh
hub,
because
there
is
a
lot
of
information,
apparently
in
there
about
which
servers
that
are
backing,
which
rules
and
what's
on
the
thing,
if
that
is
available
as
well.
A
Yeah,
that's
a
that's,
a
very
good
question.
So
that's
the
next
next
item
in
the
list
of
what
we
are
tackling.
So
we
are
adding
some
new
stuff
in
in
service
mesh
hub.
One
thing
that
we're
adding
is
like
a
global
airbag
so
that
you
can
define
you
know
who
can
do
what
who
can
create
these
access
policies?
A
Who
can
create
these
traffic
policies
and
stuff
like
that?
And
the
other
thing
we
are
working
on
is
a
global.
You
know
global
telemetry
or
you
know
global
metrics
like
you
just
described,
so
that's
something
we
we
are
working
on
because
currently
you
can
have
kelly
on
your
first
cluster,
carry
on
the
second
cluster
and
you
can
use
that
to
to
visualize.
E
A
F
E
How
can
we
integrate
with
mesh
hub
when
we
have
our
own
pki
infrastructure
because
we're
not
using?
We
don't
use
citadel?
We
don't
want
to.
I
can't,
because
it's
not
technical
limitations,
more
a
policy
and
a
governance
issue
that
we're
highly
regulated
industry.
So
we
to
give
you
some
some
high-level
introduction
how
we
manage
it.
E
So
we
actually
run
the
sidecar
in
every
part
that
retrieves
the
certificates
and
then
it
puts
it
into
kubernetes
secrets
and
then
those
secrets
get
mounted
and
as
a
file
system
into
the
part
and
then
our
services
access
that
through
this
with
istio,
it's
very
hard
to
manage
that
it's
possible.
But
it's
it's
pretty
pretty
much.
Hacked
so
we
don't,
let
istio
generate
the
certificates.
How
can
we
do
that
with
mesh
hub.
A
A
A
But
when
you
create
the
virtual
mesh,
then
we
add
another
layer
with
this
root
certificate
and
the
root
certificate
is
used
to
sign
the
intermediate
certificate
that
is
different
on
each
cluster
and
then
the
intermediate
certificate
is
used
to
sign
the
pod
certificates
and
if
you
create
the
virtual
mesh
like
I
did,
then
the
root
cert
is
generated,
but
you
can
also
provide
your
own
road
certs
that
comes
from
your
pki.
Basically,
and
then
that
means
that
all
the
certificates
will
will
be
trusted
by
your
your
environment.
E
A
E
A
E
A
A
C
Have
a
quick
question:
if
there
is
still
time
this
is
the
century
from
zendesk
and
since
you
touched
on
the
trust
domain,
this
is
an
issue
that
I'm
currently
investigating.
So
I
have
a
sandbox
cluster
here.
It
was
running
it's
running
173
with
the
default
res
domain
and
as
soon
as
I
replace
that
by
whatever
name,
I
want
everything
all
the
mtls
cluster
breaks.
If
I
add
the
trust,
alias
cluster.local,
then
I
restore
the
functionality,
but
even
after
I
restart
stod,
I
restart
all
the
sidecars.
If
I
leave
only
the
neutrals
domain,
it
breaks
everything.
A
A
A
A
A
Sure
and
just
reach
to
me,
if
you
have
an
issue
sure,
thanks
and
and
just
like
a
quick
advertising,
we
are
doing
another
workshop
on
the
service
mesh
hub
like
the
23rd
of
november.
I
think
it
will
be
like
european
friendly
time,
but
if
some
of
you
are
in
europe,
that
will
be
easy.
Otherwise
we
will
do
a
other
workshop
in
u.s
friendly
time
as
well
soon.
So
I
hope
it
was
useful
for
you
guys.
B
A
A
Yeah,
I
know
we
are-
we
are
already
starting
to
to
to
work
on
that.
We
always
like
kind
of
validate
with
the
the
beta
before
and
and
obviously
we
are
tracking
that
I
I
I
didn't
look
by
myself.
I
don't
think
like
there
are
really
huge
breaking
changes.
I
think
the
the
big
change
is
really
on
the
on
the
dns
side,
so
obviously
we
we
it
will.
Basically
it
will
make
our
life
easier
more
than
anything
else,
even
on
the
service
mesh
website.
A
But
one
of
the
advantage
as
well
of
service
mesh
herb
is
that
it
will
take
care
of
the
complexity
of
like
going
from
one
seven
to
one
eight
and
that's
something
we
will
handle
on
our
side
for
the
multi-cluster
things
instead
of
you
having
to
do
it
in
one
way
in
one
seven
and
then
in
another
way,
in
one
eighth
for
example.
So
that's
also
one
of
the
idea
of
service
meshup
is
to
to
make
it
easier
for
people
who
want
to
adopt
multi-cluster
to
then
also
maintain
it
in
the
long
long.
A
A
B
B
I
was
wondering
if
anyone
has
submitted
a
session,
if
you
want
to
discuss
that,
unfortunately,
unfortunately,
we
don't
have
the
feature
to
break
people
into
rooms,
but
that's
ideally
what
we
would
be
doing
at
this
point,
but
I
thought
that
that
that
topic
might
be
interesting
to
discuss
in
this
group.
Has
anybody
submitted
a
session
about
istio.
G
B
G
B
B
H
G
G
G
Yeah,
it's
it's
that
general
schedule.
You
just
find
out
what
talk
so
there's
actually
a
lot
of
talk
about
istio
like,
for
instance,
there
is
a
confident
canary
deployment.
So
that's
israel
talk
like
sure.
I'm
actually
not
sure
if
sharon
is
speaking
now
that
he
left
detroit,
so
there
there's
a
talk
about
multi-cluster
deployment,
practical
guide
from
tetra.
I
would
be
thinking.
That's
probably
it's
deal
and
also
there's
a
talk
about
department
of
defense
use
istio
to
do
end-to-end
encryption
from
zach
and
platform,
one
jeff.
G
B
B
B
B
Thank
you
mitch,
please
reach
out
to
us
and
we
would
love
to
have
you
present
at
the
next
meet
up.
I
am
basing
some
of
the
guidelines
on
what
demos
we
are
looking
for.
Okay,
let
me
give
you
one
second,
I
need
to
put
this
here,
okay
and,
as
always,
I
I
would
love
to
have
your
support
in
spreading
the
word
about
this.
B
These
demos
are
going
to
like
this
recording
what
we
do
afterwards.
We
upload
this
to
the
istio
youtube
channel
and
we
trim
the
demo
we're
gonna
make
a
playlist
of
demos,
so
it's
always
a
good
resource
to
have
to
show
how
easy
works,
and
this
is
the
place
where
you
can
point
people
or
add
your
own
demos
as
well.
B
B
B
B
We
expect
to
attract
more
of
the
cubicle
north
american
participants,
so
there
may
be
new
people
around,
and
I
hope
that
you
all
can
still
show
up
and
make
everybody
else
feel
comfortable
as
well
until
welcome
to
the
easter
community
and
I
think
without
any
further
ado,
I
will
give
you
a
few
more
minutes
back
to
your
day.
Thank
you
for
coming.