Details you don't know about Istio 1.1

2025-04-26 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article is compiled from a live talk given by Star, a member of the Istio community, at the Beijing stop of Cloud Native Days China 2019.

Part One

Protagonist Istio

As a star project in the field of service mesh, Istio has been growing in popularity since it was released in 2016.

Figure: Istio & Envoy GitHub star growth

In the Istio 1.1 architecture diagram on the official website, in addition to Envoy on the data plane and the three major control-plane components Pilot, Mixer and Citadel, the Galley component is introduced to validate Istio API configuration.

What benefits can Istio bring?

During development and operations, we often run into the following problems. How do we make sure that rolling out a new version does not affect the business already running in production? What if requests to the system suddenly surge and the system cannot handle them? If something goes wrong, which service is at fault, and what are the call relationships between services? Application developers often lack security knowledge; can unencrypted traffic be encrypted automatically? Istio has a solution for each of these problems, and each maps to one of its functional components.

Part Two

Istio 1.1 is very different

The theme of Istio 1.0 was production readiness, while version 1.1 is about enterprise readiness: it emphasizes that performance and reliability are guaranteed in large clusters (many services and workloads).

The following table compares the feature status of Istio 1.1 and 1.0 in traffic management:

The performance improvement of Istio version 1.1 is remarkable.

In terms of application performance:

Average latency of applications reduced by 30%

40% faster service startup in large-scale clusters

In terms of resource usage by control-plane components:

Pilot CPU usage decreased by 90% in large clusters

Pilot memory usage decreased by 50% in large clusters

The key optimizations behind the performance improvement in Istio 1.1 are as follows:

The Sidecar API reduces the amount of configuration sent to each proxy and the load on Pilot

The exportTo field added to the network configuration rules (DestinationRule, VirtualService, ServiceEntry) limits the visible scope of the configuration

The statistics collected by Envoy are greatly reduced by default

Load shedding added to Mixer to prevent overload

Improved interaction protocol between Envoy and Mixer

Configurable number of concurrent threads to improve throughput

Configurable filters to constrain Mixer telemetry data

It is also convenient to upgrade to Istio 1.1.

Control plane upgrade

Kubernetes rolling update

Helm upgrade

Data plane upgrade

Re-inject the sidecar by triggering a rolling update for all pods (e.g. by patching the termination grace period)

Multi-cluster mesh management in Istio 1.1

Two schemes are introduced: the multiple control plane scheme and the cluster-aware single control plane scheme (Split Horizon EDS):

Multi-control plane scheme

Single control plane (Split Horizon EDS) scheme

The large-cluster performance improvement just mentioned is largely due to service visibility. Service visibility is mainly achieved by combining two parts:

exportTo field

On the server side, the exportTo field in the Service/ServiceEntry/VirtualService/DestinationRule configuration declares the visible scope of that network resource.

New Sidecar resource object

A Sidecar object is configured in the namespace where the requester is located; it precisely controls which namespaces or services the sidecar forwards traffic to.
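The two parts combined, as an added example that is not from the original talk: a provider namespace restricts a VirtualService to itself with exportTo, and a consumer namespace limits what its sidecars are configured to reach with a Sidecar object. The namespaces `payments`, `storefront` and `catalog` and the service name `ledger` are constructed for illustration.

```yaml
# Provider side: this routing rule is exported only to its own namespace.
# In Istio 1.1, exportTo accepts "." (same namespace) or "*" (all namespaces).
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ledger                 # constructed name
  namespace: payments          # constructed namespace
spec:
  exportTo:
  - "."                        # sidecars in other namespaces never receive this rule
  hosts:
  - ledger.payments.svc.cluster.local
  http:
  - route:
    - destination:
        host: ledger.payments.svc.cluster.local
---
# Consumer side: with no workloadSelector, this Sidecar object applies to
# every workload in the namespace and narrows the egress configuration
# Pilot pushes to those proxies.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: storefront        # constructed namespace
spec:
  egress:
  - hosts:
    - "./*"                    # services in the storefront namespace itself
    - "istio-system/*"         # control plane and telemetry endpoints
    - "catalog/*"              # the one external dependency this namespace needs
```

Besides shrinking the configuration each proxy holds, the narrowed egress list makes the intended dependencies of a namespace explicit and reviewable.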

One of the more important security features is SDS (Secret Discovery Service):

Provide greater security:

Keys are generated on the node, so the private key exists only in the memory of Citadel and the Envoy sidecar.

Do not rely on Kubernetes Secret

There is no need to mount the Secret volume.

Certificate replacement does not require a restart of Envoy

Sidecar can use SDS API to dynamically refresh keys and certificates.
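What this changes in the proxy's TLS settings, as an added example rather than configuration taken from the talk or generated by Istio: two Envoy v2-API `common_tls_context` fragments, the first reading key material from a mounted Secret volume and the second fetching it over SDS. The file paths, the secret names `default` and `ROOTCA`, and the cluster name `sds-grpc` are assumptions for illustration.

```yaml
# Before: certificate and private key are files on a mounted Secret volume.
# The key sits on disk in the pod, and Envoy only reads it at startup.
common_tls_context:
  tls_certificates:
  - certificate_chain: { filename: /etc/certs/cert-chain.pem }   # assumed path
    private_key: { filename: /etc/certs/key.pem }                # assumed path
  validation_context:
    trusted_ca: { filename: /etc/certs/root-cert.pem }           # assumed path
---
# After: the same material is requested by name over the SDS gRPC API.
# Nothing is mounted; the SDS server pushes a new certificate before the
# old one expires and Envoy swaps it in without a restart.
common_tls_context:
  tls_certificate_sds_secret_configs:
  - name: default                        # assumed secret name for the workload cert
    sds_config:
      api_config_source:
        api_type: GRPC
        grpc_services:
        - envoy_grpc:
            cluster_name: sds-grpc       # hypothetical cluster pointing at the local SDS socket
  combined_validation_context:
    default_validation_context: {}
    validation_context_sds_secret_config:
      name: ROOTCA                       # assumed secret name for the trust root
      sds_config:
        api_config_source:
          api_type: GRPC
          grpc_services:
          - envoy_grpc:
              cluster_name: sds-grpc     # hypothetical, same cluster as above
```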

In Istio 1.1, the istioctl command-line tool adds an offline check command and an installation verification command. istioctl deprecates create, replace, get and delete in favor of kubectl, and kubectl supports abbreviations when operating on Istio network resources.

The Istio community has set up a user experience working group dedicated to improving the ease of use of Istio and further lowering the barriers to use.

For related services, please visit: https://support.huaweicloud.com/cce/index.html?utm_content=cce_helpcenter_2019
