►
From YouTube: KubeCon US 2020: Daily Demo featuring Gloo Mesh
Description
Denis Jannot kicks off KubeCon week with a demo of multi-cluster Istio service mesh configuration with Gloo Mesh. Having fun with virtual backgrounds in the process
Learn more about Solo.io at KubeCon
https://lp.solo.io/kubecon-na-2020-virtual
Questions? https://slack.solo.io
A
All
right
dennis
all
yours,
thanks
folks
for
joining
we've
got
dennis
who's
going
to
demo
multi-cluster
istio
with
glue
mesh,
and
if
you
are
having
tom,
I
know
you
mentioned
you're
having
some
issues
with
the
audio.
Please
feel
if
you
you're
welcome
to
unmute
and
folks
who
can
you're
welcome
to
unmute,
and
you
know,
ask
questions.
Otherwise
you
can
type
them
into
the
chat
and
I'll
also
bring
them
up
for
you.
B
So
just
before
we
start
about
discussing
about
the
multi-cluster
challenges,
I
will
briefly
show
the
two
current
options
that
people
have
when
they
want
to
use
istio
cross
multiple
clusters
and
they
can
use
what
we
call
a
shared
control
plane,
which
means
that
you
have
one
control
plane
and
you
have
multiple
cubans
clusters
and
that
works.
If
you
have
a
flat
network,
but
that's
really
not
commonly
used.
The
most
popular
approach
is
what
we
call
a
replicated
control
plane
and
you
will
see
in
istio
1.8.
B
The
names
have.
The
names
have
changed
a
little
bit,
but
the
the
idea
is
still
the
same
and
that
you
can
have
multiple
control,
plane
or
unique
control
plane
and
you
have.
You
can
have
a
flat
network
or
not
a
flat
network.
So
we'll
focus
on
this
one,
which
is
the
most
popular
approach,
it's
more
flexible
because
they
can
be
in
different
networks.
They
can
even
be
in
different
clouds.
You
can
have
one
on
premise,
one
in
a
public
cloud
and
so
on.
B
B
The
open
source
version
only
has
the
discovery
and
networking
services
and
the
enterprise
version
that
will
be
available
in
beta
soon,
as
also
two
additional
components
for
airbag
and
ui.
But
I'm
going
to
to
show
you
that
later
so
the
two
main
services,
the
one
you
find
in
the
open
source
version,
are
called
discovery
and
networking
and
basically
the
discovery.
One
is
responsible
for
discovering
all
the
workloads
running
on
the
different
clusters
and
the
networking
one
is
responsible
for
making
your
life
easier.
B
So
basically
you
you
define
your
traffic
policies
and
access
policies
in
a
very
simple
way
globally
and
then
this
service
is.
This
process
is
responsible
for
translating
that
into
multiple
istio
objects
and
we'll
focus
on
histo
here,
but
be
aware
that
we
are
also
working
on
integrating
other
mesh
technology
like
app
mesh
and
osm.
So
that's
the
same
principle.
It
will
be
translated
in
this
case
in
app
mesh
or
osm
objects
instead
of
these
tier
ones.
B
B
B
And
basically,
when
you
deploy
histo
the
control
plane
in
one
cluster,
you
use
like
a
ca
certificate
to
sign
these
different
certificates
and
the
the
css
that
you
have
in
the
other
cluster
is
different.
So
the
first
challenge
is
that
now,
if
you
want
one
service
in
one
cluster
to
trust
a
service
in
another
cluster,
you
need
to
make
sure
that
the
certificates
are
issued
from.
You
know
the
same
root
certificate.
B
You
deploy,
slash,
ns,
slash
the
namespace,
slash
ss
slash
the
service
account
used
by
the
pod.
So,
first
of
all,
you
need
to
make
sure
that
each
pod,
or
at
least
its
service,
is
using
a
different
service
account,
but
also
you,
as
you
can
see,
because
the
child
domain
is
placed
on
the
global
everywhere.
B
Then
that
means
that
if
you
have
different
two
pods
in
two
different
clusters
that
are
using
the
same
service
icon
in
the
same
space,
then
there
is
no
way
to
differentiate
them.
So
it's
important
to
deploy
your
istio
clusters
with
different
choice
domains
so
that
you'll
get
like
unique
identities
at
the
end.
B
So
we
will
focus
on
on
on
this
one
and
basically,
as
I
said,
you
will
have
like
two
control
planes
and
we
have
this
notion
of
what
we
call
a
virtual
mesh
in
blue
mesh
and
you
define
the
number
of
control
plane
you
want
to
have
in
this
virtual
mesh.
You
just
determine
which
mesh
should
be
part
of
it
and
when
you
do
that,
then
glue
mesh
will
deploy
a
certain
agent
on
these
clusters
and
will
create
a
root
cell
that
can
be
coming
from
your
own
certificate
authority.
B
If
you
want
and
then
basically
it
will
create
a
new
c
excerpt
for
each
cluster
and
that
will
be
considered
as
an
intermediate
certificate
and
this
intermediate
certificate
will
be
used
to
sign
the
certificate
of
all
the
services.
So
that's
at
the
end,
one
service
and
one
cluster
can
trust
a
service
on
another
customer.
So
that's
all
the
magic
that
happens
in
blue
mesh
and
and
if
you,
if
I
show
you
because
I
already
created
it
here,
I
can
show
you
how
I
did
it.
B
No,
it's
not
there
yeah
it's
here,
so
you
see,
I
created
a
virtual
mesh
just
specifying
my
two
control
planes.
Here
I
enabled
access
policies
and
I
will
show
you
what
it
does
after
and
here
I
just
asked
to
create
or
to
generate
a
root
cell,
but,
as
I
said,
it
could
come
from
your
own
certificate
authority.
So
just
doing
this
that
stuff
or
just
creating
this
simple
object
allows
you
to
have
the
identity
federated,
I'm
not
going
to
discuss
about
access
control.
B
B
B
So
let's
say
now:
I
want
when
the
product
page
try
to
reach
the
reviews
micro
service.
I
want
sometimes
to
go
locally
and
sometime
to
go
on
the
remote
cluster.
If
I
want
to
do
that
in
istio
without
blue
mesh,
I
would
need
something
like
that.
I
would
need
to
create,
like
a
virtual
service,
where
I
describe
what
I
want
to
do
like,
for
example.
B
Here
I
want
to
send
like
75
of
the
request
to
the
service
v3
on
the
remote
cluster
and
15,
on
v1
on
the
local
cluster
and
10
on
v2
and
the
local
cluster,
and
then
I
will
need
to
have
destination
rules
created
to
define
the
subsets
here,
so
the
different
versions.
Then
I
need
a
service
entry
for
the
service
that
resides
on
the
other
cluster
and
indicating
the
ip
of
this
year,
ingress
the
other
cluster,
so
that
it
can
reach
it
and
and
then
the
second
cluster.
B
I
would
need
also
like
an
envoy
filter
so
that
I
I
remove
the
suffix
ear
and
after
that
it
becomes
like
a
local
request
and
I
still
need
destination
rule
for
the
subset
and
and
so
on.
So
it's
quite
complex
just
to
make
that
a
simple
communication
happening.
I
will
need
to
create
multiple
eco
objects
instead
of
doing
that
with
blue
mesh.
We
have
this
traffic
policy
abstraction
and
you
see
I
can
really
simply
describe
here
what
I
want
to
achieve.
B
B
And
now,
if
I
refresh,
I
should
quickly
see
here
that
it
tries
to
reach
the
version
three
it
even
it's
even
able
to
reach
version
three,
but
version
three
is
not
able
to
communicate
with
the
rating
service.
So
if
I
go
back
here
in
my
diagram,
I
see
that
this
communication
here
from
the
product
page
to
the
reviews
service,
is
happening,
but
this
one
is
not
because
I
didn't
create
a
policy
and
access
policy
for
that.
B
A
B
No,
I
think
it
was
just
background
noise,
so
you
can
just
perhaps
mute
him
thanks.
So
with
this
blue
mesh
ui,
you
are
able
to
see.
As
I
said
I
created
my
virtual
mesh.
You
can
see
the
different
clusters.
You
can
see
the
overall
state,
my
virtual
mesh
is
there.
I
have
my
two
clusters
and
I
can
see
the
different
traffic
targets
and
you
know
workloads
are
running
and
things
like
that
and
if
I
go
to
policy,
I
can
see
the
three.
B
The
simple
policy
I
created
here
and
you
see
the
the
weights
I
have
described
in
my
yammer
and
what's
nice-
is
that
it
also
shows
you
based
on
the
rule
you
created,
what
are
the
workloads
that
are
impacted
and
what
are
like
the
traffic
targets,
and
you
see
you
see
that
here.
But
if
I
go
in
my
other
policies,
you
see,
I
also
have
access
policies
and
I
already
created
them
to
allow
the
local
traffic
and
if
I
look
at
the
reviews,
one.
B
What
I
did
here
is
that,
as
you
can
see,
I
upload
the
reviews
version
one
on
cluster
one
and
the
reviews
version
2
and
cluster
1
to
talk
to
the
rating
on
both
clusters.
But
I
didn't
allow
the
reviews
on
cluster
2
to
talk
to
them.
So
that's
what
I'm
going
to
do
now
and
that's
why
we
don't
see
the
rating
for
the
moment.
B
B
I
will
indicate
that
I
allow
the
service
accounts
of
the
reviews
service
on
cluster
one
and
the
one
on
cluster
two
to
access
any
any
pod
with
this
label
service,
equal
rating.
So
because
I
had
only
that
before
I
didn't
see
the
reviews
services
of
the
second
cluster,
but
only
the
one
of
the
first
cluster
in
the
ui.
B
And
then
I
can
even
check
that
in
the
ui
ear
you
see
now
it
has
discovered
so
blue
mesh
is
looking
okay,
based
on
the
rule
that
I
have
set.
What
are
the
workloads
that
are
impacted,
so
what
it
shows
you
now
is
that
it
also
impacts
these
three
additional
workloads,
though
the
three
services
on
cluster
two.
So
now
these
services
are
also
allowed
to
talk
to
the
rating
services.
So
if
I
go
here-
and
I
refresh
this
page-
I
should
see
the
red
star.
B
B
B
A
B
A
A
B
B
You
you
want
that
to
be
really
transparent
and
you
can
do
that
with
a
traffic
policy
again
where
what
you
just
say
is
that
for
all
the
requests
targeting
the
reviews
service,
I
want
to
send
them
to
the
reviews
failover
service,
so
it
becomes
transparent
for
the
application.
The
the
application
is
now
having
your
id
available
review
service
without
even
being
aware
of
it.
B
B
I
still
have
access
to
my
application
like
like
we
see,
and
then
we
see
the
access
logs
there
that
proves
that
it's
handled
by
the
second
site.
So
again,
let's
just
like
clean
up
that
by
restarting
your
services.
We
will
probably
not
wait
for
that,
but
here
I
have.
We
have
a
description
about
all
the
istio
objects
that
are
created
by
this
failover
service.
B
B
So
yeah,
I'm
going
quite
fast
on
that,
but
just
be
aware
that
if
I
wait
here
for
two
minutes,
then
it
will
fall
back
automatically
in
the
first
sight,
and
you
can
also
see
you
know
the
outlier
detection
that
we
discussed
about
before
we
created.
You
can
also
go
in
the
mesh
here
and
you
can
see
the
fadeover
that
we
have
configured
here
and
we
can
see
how
we
configured
the
failover
and
so
on,
so
that's
kind
of
it
for
the
traffic
and
failover
multi-cluster
traffic
and
failover.
B
But
I
wanted
to
touch
on
another
thing
that
we
are
adding
in.
We
have
in
our
enterprise
version,
which
is
about
multi
cluster
airbag.
So
before
I
I
show
you
how
it
works.
I
just
want
you
to
explain
the
the
idea
behind
it.
So
if
you
are
familiar-
and
you
are
probably
familiar
with
kubernetes,
you
can
use
roles
and
all
bindings
to
define
who
can
do
what
in
your
cluster.
B
But
it's
not
really
granular.
You
can
say:
okay,
you
can
create
this
kind
of
resources
or
you
can
delete
this
kind
of
resources
or
stuff
like
that.
But
you
cannot
say
how
you
want
people
to
create
these
resources.
Like
you
cannot
say,
I
want
this
person
to
create.
I
want
to
allow
him
to
create
a
pod,
but
he
cannot
do
that
with
this
specific
parameter.
B
B
B
So
the
way
we
do,
that
is
that
we
we've
created
something
that
we
call
a
glue
mesh
airbag
and
the
the
the
way
this
works.
I'll
show
you
that
here
is
that
we
are
giving
you
like
very
fine
grain
control
about
about
who
can
do
what
and
you
see
here-
that's
an
example
of
the
namespace
admin
or
so
what
what
we,
so
you,
let
me
show
you
something
before
yeah,
so
by
default.
B
B
B
B
But
you
see
it's
very
fine
grain.
You
see.
I
have
stars
everywhere,
because
I
am
an
admin,
but
you
can
define
if
if,
for
example,
if
you
completely
remove
the
access
policy
scope
here,
that
means
that
this
this
hole
doesn't
doesn't
give
you
any
permission
to
create
access
policies
at
all,
or
you
can
do
the
same
for
traffic
policy
or
failover,
and
things
like
that,
so
you
can
define
that
and
then
you
can
define
very
fine
grain.
B
You
know
you
can
say
okay,
this
person
can
create
like
a
failover
service
and
traffic
policies,
but
I
want
them
to
be
doing
that
only
in
their
own
namespace.
So
that's
a
very
common
use
case,
for
example,
instead
of
having
like
a
namespace
admin
in
your
local
cluster.
Now
you
can
extend
that
idea
so
that
you
can
have
like
a
global
namespace
admin.
So
this
person
has
a
namespace
on
each
cluster
and
is
able
to
create,
like
all
these
traffic
policies
and
access
policies
in
his
namespaces.
But
that's
it.
B
You
cannot
create
any
rule
that
will
impact
other
namespaces.
He
cannot
allow
communication
between
his
namespace
and
another
namespace
is
really
just
restricted
to
his
own
namespace.
So
that's
one
example.
We
are
going
to
show
you
now,
but
obviously
I'm
going
to
speak
about
a
few
other
use
cases
after
so
that's
my
traffic
policy
that
I
created
before
you
remember
I
deleted
it.
B
B
And
now,
if
I
try
to
create
this
traffic
policy,
you
see
I'm
not
allowed,
because
I
don't
have
the
permissions
for
that,
but
that's
a
good
opportunity
for
me
to
give
an
example
with
a
namespace
I
mean,
let's
say
I
want
to
now
have
permission
that
just
corresponds
to
the
default
namespace.
Where
I
have
my
application
running
now,
so
I
can
go
there.
I
can
create
this
role
and
then,
when
the
whole
is
created,
I
can
create
a
new
binding
and
you
see
I
just
I
will
just
get
the.
B
Yeah,
you
see
so
I
get
like
this
admin
role
and
and
again
I
did
everything
with
these
crds,
but
the
ui
is
always
there
to
help
you.
You
know
making
sure
that
you
can
understand
who
can
do
what
globally
across
all
your
clusters,
you
can
really
easily
see
that
okay,
I
have
these
rolls
and
this
hole
is
only
granted
to
this
guy
for
the
moment.
So
that's
also
you
to
make
sure
that
there
is
no
like
security
hole
somewhere.
B
B
I
don't
know
you
want
to
pair
them
2x2
that
you
create
like
five
virtual
meshes.
Then
you
can
create
a
role
that
will
give
admin
all,
but
only
for
one
of
these
virtual
mesh
or
you
can
create
like
someone
who
can
only
create
policies
on
one
cluster
or
can
only
define
access
policies
or
only
defined
traffic
policies
and
many
many
other
things
like
I.
I
gave
you
some
examples,
but
but
it
can
be
really
fine
grain,
so
yeah.
That's
all
for
this
talk.
A
B
B
I
want
to
apply
this
wasn't
filter
in
these
specific
targets
and
then
you
can
also
see
in
the
ui
which
services
have
this
are
using
this
or
this
filter
and
and
in
the
mesh
ctl,
which
is
our
cli
you'll,
be
able
to
build
your
web
assembly
filter
from
the
cli,
then
you'll
be
able
to
push
it
to
let's
say
oci,
compliant
registry
and
and
so
on.
So
that's
a
lot
of
good
stuff
coming
there,
so
I
don't
think
we
have
any
questions.
So
let
me
thank
you
for
attending.
B
B
Yeah
so
glue
mesh
is
is
not
is
not
an
online
service.
You
see
it's
running
there,
it's
not
a
software
as
a
service.
It's
it's
really
like
a
software.
You
deploy
anywhere
in
one
of
your
kubernetes
cluster
and
then
yes,
it
needs
to
access.
It
needs
to
use
the
quest
api
of
the
other
cluster,
so
it
discover
the
different
services.
You
know
the
discovery
piece
I
have.