Kubernetes容器应用基于Istio的灰度发布实践 张超盟 @ Huawei Cloud BU 2018.08.25 Service Mesh Meetup #3 深圳站 Agenda • Istio & Kubernetes • Istio & Kubernetes上的灰度发布 An open platform to connect, manage, and secure microservices 自身业务 SDK Sidecar 服务治理 Node 2 svc 2 自身业务 SDK Sidecar 服务治理 通信基础 服务发现 负载均衡 熔断容错 动态路由 … for (封装++) { 应用侵入--； 治理位置--； } 微服务角度看Istio: 服务网格 服务网格控制面 从基础设施(Kubernetes)看Istio: 服务访问 Node svca svcc Labels:app=svcb Port:9379 Backend Pod2 Labels:app=svcb Port:9379 svca 基础设施(Kubernetes)看Istio: 能力增强 服务部署运 维 服务治理 • 调用链追踪 • 动态路由 • 熔断限流 • 负载均衡 • 服务发现 • 扩缩容 • 运维 • 部署 Kubernetes Istio Istio治理的不只是微服务，只要有访问的服务，都可以被治理。

1 Kubernetes容器应用基于Istio的灰度发布实践 张超盟 @ Huawei Cloud BU 2018.08.25 Service Mesh Meetup #3 深圳站2 Agenda • Istio & Kubernetes • Istio & Kubernetes上的灰度发布3 An open platform to connect, manage, and secure 自身业务 SDK Sidecar 服务治理 Node 2 svc 2 自身业务 SDK Sidecar 服务治理 通信基础 服务发现 负载均衡 熔断容错 动态路由 … for (封装++) { 应用侵入--； 治理位置--； }6 微服务角度看Istio: 服务网格 服务网格控制面7 从基础设施(Kubernetes)看Istio: 服务访问 Node svca svcc Labels:app=svcb Port:9379 Backend Pod2 Labels:app=svcb Port:9379 svca8 基础设施(Kubernetes)看Istio: 能力增强 服务部署运 维 服务治理 • 调用链追踪 • 动态路由 • 熔断限流 • 负载均衡 • 服务发现 • 扩缩容 • 运维 • 部署 Kubernetes Istio9 Istio治理的不只是微服务，只要有访问的服务，都可以被治理。10

Optimal Canary Deployments using Istio and how it scores over Spring Cloud and Kubernetes Presented by Archna Gupta What is a Canary Release or Deployment? • A canary deployment, or canary release Canary Releases Using Kubernetes Deployment POD POD POD POD S E R V I C E (Load balancer) www.my-application.com External Traffic 75% 25% Deployment Canary Releases Using Kubernetes Deployment POD Using Kubernetes Deployment POD S E R V I C E (Load balancer) www.my-application.com External Traffic POD POD 0% 100% Deployment Deployment Deployment Canary Releases Using Kubernetes – Across

across globe peering with the Internet closer to the customer ○ PoPs are mini AZs Region R1 AZ 1 AZ 2 AZ n Data Center DC1 Region Rn #IstioCon Application Deployment: Cloud Layout ● Multiple K8s Capability to run all applications from a single region or AZ in a worst-case scenario Region R1 AZ 1 AZ 2 AZ n Data Center DC1 K8s Cluster K8s Cluster K8s Cluster K8s Cluster K8s Cluster K8s Network Load-balancers, etc. ■ Full isolation by confining service failures to AZ boundary AZ 1 AZ 2 AZ n Data Center DC1 K8s Cluster K8s Cluster K8s Cluster K8s Cluster K8s Cluster K8s

Group - Upgrade Survey 2020 #IstioCon Theme for Istio 2021 #IstioCon Day 2 operations https://dzone.com/articles/defining-day-2-operations #IstioCon What does it mean for our users? ● Project maturity predictability ● Longer support windows ● Skip releases for upgrades #IstioCon Focus areas for ‘Day 2 Operations’ #IstioCon Stability & Maintainability ● Improved upgrade experience ○ Upgrade Working improvement areas ● Native Kubernetes API integration ○ Kubernetes Service APIs ○ Kubernetes Multi-cluster APIs ● Adopt & drive innovation in Envoy community ○ Delta xDS ○ HTTP2 tunnels https://istio

Natesan Andy Olsen Feedback on this project? https://my.nccgroup.com/feedback/67b627f7-a0a2-43b7-ad68-af515a9ed2e0 Executive Summary Synopsis In the summer of 2020, Google enlisted NCC Group to perform Istio and all of its components. Istio is a modern service mesh technology stack often used within Kubernetes clusters to provide service-to-service communication, manages TLS certificates, provides workload overall design and archi- tecture of Istio as it is deployed within common environments such as Kubernetes clusters. • Istio Pilot: The service running within the istiod service that handles service discovery

mesh ○ Istio control plane services (Pilot, Mixer, CA) accessible from the VMs ○ (optional) Kubernetes DNS server accessible from the VMs ● Onboard steps ○ Setup Internal Load Balancers (ILBs) for #IstioCon V0.2 Mesh Expansion (cont.) ● Traffic flow (VM -> Container) 1. Dnsmasq accepts DNS queries 2. Access the built-in Kube DNS (exposed by ILB) 3. Obtain the Cluster IP resolved 4. Traffic intercepted representation for the workloads themselves #IstioCon V1.6-1.8 Better VM Workload Abstraction Item Kubernetes Virtual Machine Basic schedule unit Pod WorkloadEntry Component Deployment WorkloadGroup Service

started working on Istio last summer. Istio.io Work Automation Indicator #7734 Add IBM Cloud Kubernetes Service specific instructions for node port Ingress Host #7663 Homepage Redesign Proposal #IstioCon and foremost: as a potential contributor, your changes and ideas are welcome at any hour of the day or night, weekdays, weekends, and holidays. Please do not ever hesitate to ask a question or send

Service Instance. Each one workload in the Service group is named as an instance. Like pods in Kubernetes, it doesn't need to be a single process in OS. Also if you are using instrument agents, an instance SkyWalking. Don’t delete these. INDICATOR All metric data belong to this. They are in min/ hour/day/hour time level. They are named by Rule: scopename_funcName_timeLevel RECORD Segment and AlarmRecord

Istio is a long wild river: how to navigate it safely 2 About me Raphael Fraysse @la1nra (Twitter) Github / @lainra Tech Lead, Networking Mercari, Inc. 3 Today’s agenda ● Istio at Mercari Regions/languages supported: Base specs for Japan/Japanese ● Total number of listings to date: More than 2 billion *As of December 2020 Many sellers enjoy having the items they no longer need purchased and actively communicate through the buyer/seller chat and the “Like” feature. The Mercari app is a C2C marketplace where individuals can easily sell used items. We want to provide both buyers and sellers