Sailing with Istio towards Knative

A SOMEWHAT TECHNICAL TALK


Who am I?

My name is Pavlos Tzianos

Been working professionally with K8s for a few years

DevOps engineer @ MaibornWolff

Goals for Tonight

Get some intuition about Knative and Istio

Serverless is all the rage lately

Every cloud provider wants in!

But why?

Because people want to focus on business logic

Knative

K8s' answer to cloud providers' serverless platforms

  • Focus on business logic
  • Trigger with events
  • Autoscale from 0 to infinity

Terminology

Functions, Lambdas, KServices

  • Build -> Container building
  • Serving -> Networking and autoscaling
  • Eventing -> Event propagation

How does Serving do all these things?

Service Meshes!

What's a Service Mesh?

Glad you asked!

K8s Networking

[Diagram: ingress traffic entering and egress traffic leaving the K8s nodes]

K8s Networking - Ingress Controllers

[Diagram: ingress traffic reaching the K8s nodes through an Nginx ingress controller; egress traffic leaving the nodes directly]

K8s Networking - Ingress Controllers

  • Only aware of ingress traffic
  • Only HTTP traffic
  • Not enough

K8s Networking - Service Meshes

[Diagram: both ingress and egress traffic of the K8s nodes passing through some proxy]

K8s Networking - Service Meshes

[Diagram: your pod with a proxying daemon next to it; the daemon handles all traffic between the pod and ingress / other pods on one side and egress / other pods on the other]

K8s Networking - Service Meshes

Knows about all traffic!

Build

Serving

Eventing

Abstracts over service meshes

First integration with Istio

What is Istio?

  • First native service mesh for K8s
  • Means sail in Greek

What does it do?

  • Network traffic routing
  • Load balancing
  • Circuit breaking
  • Telemetry
  • And more...

Split into a control plane and a data plane

  • Control plane -> configuration and management
  • Data plane -> traffic routing

Control Plane

  • Pilot
  • Galley
  • Citadel
  • Mixer
  • Sidecar Injector

Data Plane

Lots and lots of

Build

Serving

Eventing

Let's focus here again

Putting all the pieces together

Serving

[Diagram: Serving wrapped around your KService; it serves traffic, autoscales, monitors and configures]

Why Istio?

SPIFFE

Secure Production Identity Framework For Everyone

An Example

[Diagram: Ksvc 1, Ksvc 2, Ksvc 3, Ksvc 4, Ksvc 5; stores results; not accessible to the outside]

An Example

Your service

How do you know where your request comes from?

Answer:

SPIFFE

Mutual TLS for all requests
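As an added example (not from the talk), the Istio configuration a defender would apply so that the results-storing KService from the example only accepts calls from its intended caller, identified by the SPIFFE ID Istio puts in its mTLS certificate. The namespace `default`, the service names `ksvc-4` and `ksvc-5`, and the service account names are assumed for illustration, as is an Istio release that has the `security.istio.io/v1beta1` API.

```yaml
# Assumed setup: Knative Serving on Istio, mesh-wide mTLS available.
# 1. Require mutual TLS for every workload in the mesh, so plaintext
#    callers (and anything without a SPIFFE identity) are rejected.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # mesh root namespace -> applies mesh-wide
spec:
  mtls:
    mode: STRICT
---
# 2. Only the assumed caller (ksvc-4, running as service account
#    "ksvc-4") may reach the results store (ksvc-5). Knative labels the
#    pods of a KService with serving.knative.dev/service, which the
#    selector uses to pick them. Any request whose client certificate
#    does not carry the listed SPIFFE ID is denied by the sidecar.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ksvc-5-callers-only
  namespace: default        # assumed namespace of the KServices
spec:
  selector:
    matchLabels:
      serving.knative.dev/service: ksvc-5   # assumed service name
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE ID spiffe://cluster.local/ns/default/sa/ksvc-4,
        # written without the scheme as Istio expects here.
        principals: ["cluster.local/ns/default/sa/ksvc-4"]
```

When Knative routes a request through its activator (for example while a service is scaled to zero), the peer identity the sidecar sees is the activator's rather than the original caller's, so verify with real traffic which principal actually reaches ksvc-5 before relying on the policy.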

Last Words

  • Experimental tools
  • You should definitely play with them
  • Ubuntu + snap + microk8s + istio + knative
  • without mutual TLS and RBAC!
  • And if something needs fixing... contribute

Thank You!

Questions?