Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Istio / Istio Ambient Mesh / 7 Sep 2022
Istio / Istio Ambient Mesh / 7 Sep 2022
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Istio Ambient Mesh Launch Demo

Description

Watch Christian to explain key Istio ambient components and demo around some ambient capabilities.

A

In this demo, we'll take a look at the new istio ambient mesh data plane, which is a sidecarless approach to deploying istio and allows you to opt in to various capabilities gradually by splitting the layer 4 mesh from the capabilities that provide layer, 7.

A

layer, 4 really is a tunneling technology that is much closer to the cni, while layer 7 is a full-blown Envoy proxy that is deployed, one per app or per identity type, and can Implement all of the capabilities of layer 7 like retries and header, based, routing and and so forth.

A

In this demo, we're going to take a look at a couple of scenarios. The first is when applications need to communicate with each other, but don't need layer, 7 capabilities, and this is a way that a lot of people start off with the service mesh. They just want to enable Mutual, TLS and layer, 7 or sorry layer, 4 control, Network policies between the applications and in istio ambient mesh. The way this is implemented is with the Z tunnels.

A

Z tunnels are agents that live on each of the nodes and direct the traffic to the appropriate destinations, and in doing so it creates an hdb overlay Network that we can use to implement Mutual TLS between the applications.

A

So let's take a look at what what that looks like to do that we're going to start by installing istio. Actually, if you come here and look at our cluster, we don't have istio system and we have a handful of applications here. Very simple sample applications that I'll use to demonstrate this this capability, so the Sleep service here, if I exec into it I, can call hello world and get a response from one of the services and in this case I see I, see, load balance in between V1 and V2.

A

I can call a specific version if I want and I can and I can call the other version as well. But what we want to do is we want to install istio and we want to implement service mesh capabilities without having to deploy a sidecar.

A

So, let's come over here we will run istio install to and we will run it using stlctl and we'll set the profile to ambient.

A

So, let's take a moment and we'll install this, this will install some familiar components like the istio d control, plane and I, believe it installs the Ingress gateways as well, but then we'll see some of the new components, the Z tunnel that I mentioned.

A

If I come back here and we look on the bottom pane, we see, istio system has been installed as a namespace. If I click into that namespace, we see some components that run as a cni plug-in on the Node. We see the sdod control plane and we see the Z tunnel agents that are deployed as a damage set one per one for node.

A

Now. The next thing we're going to do is we're going to add our applications in the default namespace to this ambient mesh.

A

So what we're going to do is label the default namespace with ambient mode or data plane mode equal to ambient, and now that will automatically add the workloads that are in the default namespace these services to the ambient mesh but notice there are no side cars.

A

In fact, these applications have been running for a while, so we didn't have to restart them or inject anything into them, change their descriptors or anything.

A

But if we come into the Sleep application, which we see is running on the ambient worker node and we exec into it- and we come back down here to this pane- we find the Z tunnel that's running on the ambient worker node, and maybe we watch its logs watch. It full screen and if we now do our curl hello world.

A

Then what we should see is traffic is now going through this Z tunnel. If you look a little bit closer at the logs, we can see things like while it's trying to do some Mutual TLS or it's it's it's invoking, spiffy and uh and establishing Mutual TLS.

A

Now, let's take a look, a closer look at when we make those calls through the Z tunnel. What does that actually look like we're going to do Cube, CTL debug in the istio system, namespace around this Z tunnel, we'll use um and that shoot uh image full.

A

And we're going to look at term shark um on on the default on the default device and let's come back here and let's make a call, let's make a couple, calls just to capture some traffic between sleep and hello world and we'll stop that we have enough traffic now.

A

And actually just come back up a little farther up. We should see that when traffic's going through that here, we see traffic getting to the Z tunnel and then when it gets there, we have TLS encryption all right, so the traffic going over the Z tunnels.

A

We get Mutual TLS between sleep and Hello World Service and as a reminder, we didn't inject any side cars. We don't have any uh restarts of the application. What we've done is in ambient mode we've been able to include these workloads and the communication between them as part of the service mesh.

A

Now, a big part of the service mesh is also enabling layer, 7 capabilities, and so that's where the Waypoint proxy or the layer 7 capabilities of the ambient mesh come into the picture. So, instead of the traffic passing between these tunnels, we can actually pass them and hand them off to a layer, 7 Envoy proxy, which then implements certain capabilities like retries fault, injection, header, based manipulations and so on. In this demo, we are going to deploy a waypoint proxy and we are going to inject a layer.

A

7 policy fault injection in this case and then we'll observe how we can Implement layer, 7 capabilities in the service mesh again in ambient mode without sidecars.

A

So to do this, let's, let's get out of term shark here, let's get out of this. We are going to apply a waypoint proxy, which is, let's take a look at it, which is um the the layer 7 proxy for the hello world services.

A

So one thing you'll notice is we don't try to share layer, 7 components between different identities? We want to keep those separate and we can create this Waypoint proxy by applying this this Waypoint and then we should see a new proxy comes up, which then would enable us to write layer, 7 policies about traffic going to the Hello World Service.

A

So now, if I come back, we can take a look at a virtual service which is a familiar API in istio that specifies traffic rules when I. Try to you know when a client tries to talk to hello world and in this case we'll do some layer, 7 matching and then we'll do some fault injection. In this case, 100 of the time we will delay the calls by five seconds.

A

So let's apply this virtual service and then come back to our client and now, when I call hello world Hello, World Service, we should see a delay of a one, two three four five and we should see that potentially load balance across V1 and V2.

A

So you can see we get layer, 7 capabilities, we get layer, 4 capabilities in mutual TLS and we can write policies about the communication between these services and we haven't touched the the applications we can include them and even exclude them dynamically.

A

So if we're done with the service measure, we don't we don't want it anymore, then what we can do is just uninstall it and remove the SEO system. Namespace.

A

And then come back to our applications, we see they're not touched go into one of the applications if I need and traffic continues to flow, as though there was nothing there before.

A

So thanks for stopping by go check out uh the istio ambient mesh and please provide us feedback thanks.