Notes from episode 3 of TGIK: Istio

Over the past few months I’ve been trying to learn everything there is to know about Kubernetes. Kubernetes is an amazing technology for deploying and scaling containers though it comes with a cost. It’s an incredibly complex piece of software and there are a ton of bells and whistles to become familiar with. One way that I’ve found for coming up to speed is Joe Beda’s weekly TGIK live broadcast. This occurs each Friday at 4PM EST and is CHOCK full of fantastic information. In episode three Joe talks about istio. You can watch it here:

Here are some of my takeways from the episode:

• Allows services in a microservice architecture to talk to each other with some added benefits:
  • Control the flow of traffic and API calls between services.
  • Locating other services in the mesh.
  • Securing services by identifying who is calling them and enforcing policy.
  • Allows things like distributed tracing to be incorporated without application changes.
• Linkerd is built on top of the concepts learned from finagle.
• istio runs as a sidecar which lives in the namepsace of your pod.
• Sidecars are buddy processes used to give other containers additional capabilities.
• Kubernetes has a pluggable authentication an authorization framework.
• Zipkin is a distributed tracing system that can be used to better understand a microservices architecture.
• You can get the logs from a pod with the logs command:
  $ kubectl logs mypod
• Istio makes heavy use of the LoadBalancer service. Be careful if running in AWS. These can cost you real $$ if you are using the quickstart and don’t delete them.
• Crash loops and back offs are incredibly powerful patterns.
• Third party resource allow you to create new things that are application specific. Kubernetes can be used to store the configuration and objects created by TPR.
• Third party resources (TPR) are going away. CRDs will replace them.
• A RoleBinding grants the permissions defined in a role to a user or set of users in a namespace.
• A ClusterRoleBinding grants the permissions defined in a role to a user or set of users cluster wide (be careful with these).
• Istio pods created during the installation process:
  • istio-ca is the istio certificate authority.
  • istio-egress provides access to external services.
  • istio-ingress is used to expose a service outside of the service mesh.
  • istio-mixer provides a generic intermediation layer between application code and infrastructure backends.
  • istio-pilot is responsible for the lifecycle of Envoy instances deployed across the Istio service mesh.
• Istio kube inject takes yaml from a pod defintion and injects the istio side car information into it
• Finally know what the deal is with the Gong. :)

Things I need to learn more about:

• Need to study the heck out of RBAC.
• Read all of the istio documentation.
• kubectl exec ash into the istio pods to see what they are running.
• Play with the istio resources (metrics, logging, tracing, etc.).
• Read through the envoy documentation to learn how it works.

This article was posted by Matty on 2018-02-06 18:00:00 -0500 -0500