Istio 1.5 Updates

sakajunquality

March 12, 2020

Transcript

  1. Agenda: Istio 1.5 Updates!
     - Istio Releases
     - Istio 1.5 Overview
     - Istio 1.5 Features
     - Demo?
     - Tips
  2. Istio Releases: Quarterly release since 1.1
     - 1.0
       - July 31, 2018
       - Theme: Production Use
     - 1.1
       - March 19, 2019
       - Theme: Enterprise Ready
     - 1.2
       - June 18, 2019
       - Theme: Predictable Releases
  3. Istio Releases: Quarterly release since 1.1
     - 1.3
       - September 12, 2019
       - Theme: User Experience
     - 1.4
       - November 14, 2019
       - Theme: User Experience, Performance
     - 1.5 New!
       - March 5, 2020
       - Theme: istiod, WASM
  4. “The Istio project is really heading in the right direction! Improved lifecycle management, better performance, and Wasm based extensibility in Envoy -- you'll be able to write extensions in not C++ On top of all that, a single binary control plane.” - Kelsey Hightower https://twitter.com/kelseyhightower/status/1235449975565254656
  6. Istio Roadmap 2020
     - Performance
       - Mixer to proxy
     - Extensibility
       - More capabilities in sidecar proxies
     - Simplifying Control Plane
       - Component
     - Lifecycle Management
       - Install / Upgrade
     - User Experience
       - istioctl
  7. ~1.4 Components in 1.5: istiod
     - Pilot -> istiod
     - Sidecar injection -> istiod
     - Galley
       - Configuration Validation -> istiod
       - X features -> still remains as istio-galley
     - Citadel -> istiod
     - Mixer -> Deprecated
  8. e.g. Sidecar Injection: In ~1.4

     ```
     $ k get MutatingWebhookConfiguration istio-sidecar-injector -o yaml
     apiVersion: admissionregistration.k8s.io/v1beta1
     kind: MutatingWebhookConfiguration
     name: istio-sidecar-injector
     ...
     webhooks:
     - admissionReviewVersions:
       ...
         service:
           name: istio-sidecar-injector
           namespace: istio-system
           path: /inject
           port: 443
     ...
     ```
  9. e.g. Sidecar Injection: In 1.5

     ```
     $ k get MutatingWebhookConfiguration istio-sidecar-injector -o yaml
     apiVersion: admissionregistration.k8s.io/v1beta1
     kind: MutatingWebhookConfiguration
     name: istio-sidecar-injector
     ...
     webhooks:
     - admissionReviewVersions:
       ...
         service:
           name: istiod
           namespace: istio-system
           path: /inject
           port: 443
     ...
     ```
  10. Mixer: Deprecated in 1.5, supported until 1.7
      - istio-policy
        - Policy enforcement
        - disabled by default since Istio 1.3
      - istio-telemetry
        - Telemetry Report
        - disabled by default since Istio 1.5
  11. Telemetry V2: Telemetry through proxy, without Mixer
      - Telemetry is directly exported by proxy
      - Currently compiled in istio proxy
      - To be on Wasm runtime
  12. Telemetry V2: Telemetry through proxy
      - 1.3
        - Experimental Feature
        - HTTP telemetry (Alpha)
      - 1.4
        - Simpler Installation
        - HTTP telemetry (Beta), TCP telemetry (Alpha)
      - 1.5
        - Installed by Default
  13. WebAssembly (WASM)
      - Need for more extensibility
      - Extensions without WASM
        - Envoy -> Filters written in C++
        - Istio -> Mixer
      - WASM
        - Ecosystems
        - Memory-safe and sandboxed runtime
  14. Authentication Policy: PeerAuthentication and RequestAuthentication
      - Policy and MeshPolicy are being replaced by
        - PeerAuthentication and RequestAuthentication
      - Docs
        - 1.5 https://istio.io/docs/tasks/security/authentication/authn-policy/
        - 1.4 https://archive.istio.io/v1.4/docs/tasks/security/authentication/authn-policy/
  15. Authentication Policy: e.g. global mTLS STRICT

      ```yaml
      # 1.4
      apiVersion: "authentication.istio.io/v1alpha1"
      kind: "MeshPolicy"
      metadata:
        name: "default"
      spec:
        peers:
        - mtls: {}
      ---
      # 1.5
      apiVersion: "security.istio.io/v1beta1"
      kind: "PeerAuthentication"
      metadata:
        name: "default"
        namespace: "istio-system"
      spec:
        mtls:
          mode: STRICT
      ```
  16. istioctl analyze: More capabilities
      - Introduced in 1.4
      - Out of Experimental
      - More analyzers
        - mutual TLS, JWT, ServiceAssociation, Secret, sidecar image, port name and policy deprecated
        - -L to display
      - -k (current cluster) by default
      - -A|--all-namespaces flag
        - Print namespace
      - stdin / files from directory
        - istioctl analyze a.yaml b.yaml my-app-config/, xxx | istioctl analyze
  17. Telemetry v2: TCP Support
      - HTTP Support in 1.3
      - TCP Support in 1.5
        - mTLS only
  18. Operator Install: IstioControlPlane -> IstioOperator
      - istioctl operator {init, remove}
      - CRD IstioControlPlane in 1.4 is renamed to IstioOperator in 1.5
  19. Istio install: istioctl, Operator, Helm
      - istioctl
        - istioctl manifest apply
      - Standalone Operator
        - istioctl operator init
      - Helm
        - Default before 1.3
        - Will be deprecated!
  20. Istio install: istioctl, Operator
      - istioctl
        - Human-triggered
      - Standalone Operator
        - Machine-triggered
        - CRD’s reconcile loop
        - Planned for canarying rollout of control plane
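
The MeshPolicy to PeerAuthentication change on slide 15 can be applied mechanically to mesh-wide and namespace-wide policies. The following is an added example, not part of the original deck or of Istio's tooling; the function name `to_peer_authentication` and the embedded sample are constructed here, and it assumes the manifest has been loaded as JSON (for instance from `kubectl get -o json`). It refuses any policy it cannot map one-to-one rather than emit a weaker mTLS setting.

```python
import json

V1ALPHA1 = "authentication.istio.io/v1alpha1"

def to_peer_authentication(old, root_namespace="istio-system"):
    """Convert a 1.4 MeshPolicy/Policy dict to a 1.5 PeerAuthentication dict.

    Fails closed: input that has no one-to-one mapping raises ValueError
    instead of yielding a weaker policy.
    """
    if old.get("apiVersion") != V1ALPHA1 or old.get("kind") not in ("MeshPolicy", "Policy"):
        raise ValueError("not a v1alpha1 MeshPolicy/Policy")
    spec = old.get("spec") or {}
    if spec.get("targets"):
        raise ValueError("targets name services; write a workload selector by hand")
    if spec.get("origins"):
        raise ValueError("origins (JWT) belong in RequestAuthentication")
    if spec.get("peerIsOptional"):
        raise ValueError("peerIsOptional needs manual review")
    mtls = [p.get("mtls") or {} for p in spec.get("peers") or [] if "mtls" in p]
    if len(mtls) != 1:
        raise ValueError("expected exactly one mtls peer")
    mode = mtls[0].get("mode", "STRICT")  # in v1alpha1, `mtls: {}` means STRICT
    if mode not in ("STRICT", "PERMISSIVE"):
        raise ValueError(f"unknown mtls mode {mode!r}")
    # MeshPolicy is cluster-scoped; the mesh-wide PeerAuthentication lives in
    # the root namespace (istio-system on the slide).
    if old["kind"] == "MeshPolicy":
        namespace = root_namespace
    else:
        namespace = old["metadata"]["namespace"]
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "PeerAuthentication",
        "metadata": {"name": old["metadata"]["name"], "namespace": namespace},
        "spec": {"mtls": {"mode": mode}},
    }

# Constructed sample: the 1.4 manifest from slide 15 in JSON form.
SLIDE_15_MESH_POLICY = json.loads("""
{"apiVersion": "authentication.istio.io/v1alpha1", "kind": "MeshPolicy",
 "metadata": {"name": "default"}, "spec": {"peers": [{"mtls": {}}]}}
""")

if __name__ == "__main__":
    print(json.dumps(to_peer_authentication(SLIDE_15_MESH_POLICY), indent=2))
```

Policies that carry `targets` or `origins` are rejected on purpose: the first needs a hand-written workload selector, the second belongs in a RequestAuthentication resource.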