Istio 1.5 Updates

sakajunquality

March 12, 2020
Transcript

  1. Agenda: Istio 1.5 Updates!
     - Istio Releases
     - Istio 1.5 Overview
     - Istio 1.5 Features
     - Demo?
     - Tips
  2. Istio Releases: quarterly releases since 1.1
     - 1.0 - July 31, 2018 - Theme: Production Use
     - 1.1 - March 19, 2019 - Theme: Enterprise Ready
     - 1.2 - June 18, 2019 - Theme: Predictable Releases
  3. Istio Releases: quarterly releases since 1.1
     - 1.3 - September 12, 2019 - Theme: User Experience
     - 1.4 - November 14, 2019 - Theme: User Experience, Performance
     - 1.5 (New!) - March 5, 2020 - Theme: istiod, WASM
  4. “The Istio project is really heading in the right direction! Improved lifecycle management, better performance, and Wasm based extensibility in Envoy -- you'll be able to write extensions in not C++. On top of all that, a single binary control plane.” - Kelsey Hightower, https://twitter.com/kelseyhightower/status/1235449975565254656
  6. Istio Roadmap 2020
     - Performance - Mixer to proxy
     - Extensibility - more capabilities in sidecar proxies
     - Simplifying Control Plane - components
     - Lifecycle Management - install / upgrade
     - User Experience - istioctl
  7. Components: ~1.4 -> 1.5 (istiod)
     - Pilot -> istiod
     - Sidecar injection -> istiod
     - Galley
       - Configuration validation -> istiod
       - X features -> still remain as istio-galley
     - Citadel -> istiod
     - Mixer -> Deprecated
  8. e.g. Sidecar Injection in ~1.4: the mutating webhook points at the istio-sidecar-injector service
     $ k get MutatingWebhookConfiguration istio-sidecar-injector -o yaml
     apiVersion: admissionregistration.k8s.io/v1beta1
     kind: MutatingWebhookConfiguration
     metadata:
       name: istio-sidecar-injector
     ...
     webhooks:
     - admissionReviewVersions:
       ...
       clientConfig:
         service:
           name: istio-sidecar-injector
           namespace: istio-system
           path: /inject
           port: 443
     ...
  9. e.g. Sidecar Injection in 1.5: same webhook name, but the service target is now istiod
     $ k get MutatingWebhookConfiguration istio-sidecar-injector -o yaml
     apiVersion: admissionregistration.k8s.io/v1beta1
     kind: MutatingWebhookConfiguration
     metadata:
       name: istio-sidecar-injector
     ...
     webhooks:
     - admissionReviewVersions:
       ...
       clientConfig:
         service:
           name: istiod
           namespace: istio-system
           path: /inject
           port: 443
     ...
  10. Mixer: deprecated in 1.5, supported until 1.7
     - istio-policy - policy enforcement - disabled by default since Istio 1.3
     - istio-telemetry - telemetry report - disabled by default since Istio 1.5
  11. Telemetry V2: telemetry through the proxy, without Mixer
     - Telemetry is exported directly by the proxy
     - Currently compiled into the Istio proxy
     - To move onto the Wasm runtime
  12. Telemetry V2: telemetry through the proxy
     - 1.3 - experimental feature - HTTP telemetry (Alpha)
     - 1.4 - simpler installation - HTTP telemetry (Beta), TCP telemetry (Alpha)
     - 1.5 - installed by default
  13. WebAssembly (WASM)
     - Need for more extensibility
     - Extensions without WASM
       - Envoy -> filters written in C++
       - Istio -> Mixer
     - WASM
       - Ecosystems
       - Memory-safe and sandboxed runtime
  14. Authentication Policy: PeerAuthentication and RequestAuthentication
     - Policy and MeshPolicy are being replaced by PeerAuthentication (mTLS) and RequestAuthentication (JWT)
     - Docs
       - 1.5: https://istio.io/docs/tasks/security/authentication/authn-policy/
       - 1.4: https://archive.istio.io/v1.4/docs/tasks/security/authentication/authn-policy/
  15. Authentication Policy, e.g. global mTLS STRICT
     # 1.4
     apiVersion: "authentication.istio.io/v1alpha1"
     kind: "MeshPolicy"
     metadata:
       name: "default"
     spec:
       peers:
       - mtls: {}

     # 1.5
     apiVersion: "security.istio.io/v1beta1"
     kind: "PeerAuthentication"
     metadata:
       name: "default"
       namespace: "istio-system"
     spec:
       mtls:
         mode: STRICT
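The slide only shows the mesh-wide case. The following is an added example, not from the deck, showing how the same 1.5 API scopes down to a namespace, a workload and a single port, and how the JWT half of the old Policy maps to RequestAuthentication. Namespace names (legacy), labels (app=db, app=httpbin), port 9000 and the issuer/JWKS URLs are assumptions made for the example. The security point to keep in mind: RequestAuthentication on its own only rejects requests that carry an invalid token; a request with no token at all still gets through unless an AuthorizationPolicy requires a request principal.

```yaml
# Mesh-wide default: STRICT mTLS. A PeerAuthentication in the root namespace
# (istio-system) with no selector applies to every workload in the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Namespace-wide override for a namespace still being migrated (the name
# "legacy" is an assumption). A namespace policy without a selector takes
# precedence over the mesh-wide one for workloads in that namespace.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: legacy
spec:
  mtls:
    mode: PERMISSIVE
---
# Workload-specific policy with a port-level exception (label app=db and
# port 9000 are assumptions). A policy with a selector takes precedence over
# the namespace policy; portLevelMtls is only honoured when a selector is set.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: db
  namespace: legacy
spec:
  selector:
    matchLabels:
      app: db
  mtls:
    mode: STRICT
  portLevelMtls:
    9000:
      mode: DISABLE
---
# JWT validation, the RequestAuthentication half of the old Policy. This only
# rejects requests with an invalid token; requests without a token are accepted.
# Issuer and jwksUri are assumptions.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: httpbin-jwt
  namespace: legacy
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "https://issuer.example.com"
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
---
# To actually require a token, pair it with an AuthorizationPolicy that only
# allows requests carrying a validated request principal ("*" = any).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-require-jwt
  namespace: legacy
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
```

Apply these with kubectl, then delete the old MeshPolicy/Policy objects once the new resources are in place; the deprecated-policy analyzer in istioctl analyze (slide 16) reports any that are left behind.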
  16. istioctl analyze: more capabilities
     - Introduced in 1.4; out of experimental in 1.5
     - More analyzers: mutual TLS, JWT, ServiceAssociation, Secret, sidecar image, port name and deprecated policy
     - -L displays the list of available analyzers
     - -k (analyze the current cluster) is on by default
     - -A|--all-namespaces flag
     - Prints the namespace
     - Reads stdin or files from a directory:
       istioctl analyze a.yaml b.yaml my-app-config/
       xxx | istioctl analyze
  17. Telemetry v2: TCP support
     - HTTP support in 1.3
     - TCP support in 1.5
       - mTLS only
  18. Operator Install: IstioControlPlane -> IstioOperator
     - istioctl operator {init, remove}
     - The IstioControlPlane CRD in 1.4 is renamed to IstioOperator in 1.5
  19. Istio install: istioctl, Operator, Helm
     - istioctl - istioctl manifest apply
     - Standalone Operator - istioctl operator init
     - Helm - default before 1.3 - will be deprecated!
  20. Istio install: istioctl, Operator
     - istioctl - human-triggered
     - Standalone Operator - machine-triggered
       - CRD's reconcile loop
       - Planned for canary rollout of the control plane