3. INSERT DESIGNATOR, IF NEEDED3
OPENSHIFT ARCHITECTURE
EXISTING
AUTOMATION
TOOLSETS
SCM
(GIT)
CI/CD
SERVICE LAYER
ROUTING LAYER
PERSISTEN
T
STORAGE
REGISTRY
RHEL
NODE
c
RHEL
NODE
RHEL
NODE
RHEL
NODE
RHEL
NODE
RHEL
NODE
C
C
C C
C
C
C CC C
RED HAT
ENTERPRISE LINUX
MASTER
API/AUTHENTICATION
DATA STORE
SCHEDULER
HEALTH/SCALING
PHYSICAL VIRTUAL PRIVATE PUBLIC HYBRID
5. INSERT DESIGNATOR, IF NEEDED5
DISTRIBUTED SERVICES
ARCHITECTURES
Fallacies of Distributed Computing
● The network is reliable.
● Latency is zero.
● Bandwidth is infinite.
● The network is secure.
● Topology doesn't change.
● There is one administrator.
● Transport cost is zero.
● The network is homogeneous.
wikipedia.org/wiki/Fallacies_of_distributed_computing
6. INSERT DESIGNATOR, IF NEEDED6
DISTRIBUTED SERVICES
ARCHITECTURES
Applications must deal with
● Unpredictable failure modes
● End-to-end application correctness
● System degradation
● Topology changes
● Elastic/ephemeral/transient resources
A
E
B C
F G
D
H
I
Client
12. Opportunity – A/B on Service Chains
Pod
Container
JVM
Service A
v1
Pod
Container
JVM
Service A
v2
Service
Route/
Ingress
50%
50%
Service
Pod
Container
JVM
Service B
v1/v2
Pod
Container
JVM
Service C
v1/v2
?
?
13. Opportunity – Fault Injection
Pod
Container
JVM
Service A
v1
Pod
Container
JVM
Service A
v2
Service
Route/
Ingress
Service
Pod
Container
JVM
Service B
v1
Intentionally introduce a 7
second delay to see how
customer is impacted
Much needed testing scenario!
14. Opportunity – Fault Injection
Pod
Container
JVM
Service A
v1
Pod
Container
JVM
Service A
v2
Service
Route/
Ingress
Service
Pod
Container
JVM
Service B
v1
Throttling traffic as Service B
is constrained in capacity
Rate Limiting
Circuit Breaker
15. Opportunity – Granular Security Management
Pod
Container
JVM
Service A
v1
Pod
Container
JVM
Service A
v2
Service
Route/
Ingress
Service
Pod
Container
JVM
Service B
v1
TLS between microservices
Enforce Authn/z in comms
Centralized certs mgmt
16. Opportunity – Testing in Production
Pod
Container
JVM
Service A
v1
Pod
Container
JVM
Service A
v2
Service
Route/
Ingress
Service
Pod
Container
JVM
Service B
v1
Pod
Container
JVM
Service B
v2
When the request is from
Tester Jason, route it to
Service B version 2
35. A service mesh is a dedicated infrastructure layer for handling service-to-
service communication. It’s responsible for the reliable delivery of requests
through the complex topology of services that comprise a modern, cloud
native application. In practice, the service mesh is typically implemented as
an array of lightweight network proxies that are deployed alongside
application code, without the application needing to be aware
https://buoyant.io/2017/04/25/whats-a-service-mesh-and-why-do-i-need-one/
Service Mesh Defined
37. Microservices embedding Capabilities
@burrsutter
Container
JVM
Service B
Discovery
Load-balancer
Resiliency
Metrics
Tracing
Container
JVM
Service A
Discovery
Load-balancer
Resiliency
Metrics
Tracing
Container
JVM
Service C
Discovery
Load-balancer
Resiliency
Metrics
Tracing
Before Istio
40. • Kubernetes for control plane, management of microservices
• Scaling
• OpenShift for making day-2 ops easy
• Builds/deployments
• Software Defined Storage and Networking
• Logging and Metrics
• Service Mesh for Run-time Governance, Policy Enforcement and Traffic shaping
• Use cases listed in a separate page
Service Mesh
41. Use cases- Service Mesh
• Policy Enforcement, Run-time Governance
• Intelligent Routing and Load-Balancing
• Request routing amongst multiple service versions
• A/B testing: Request routing based on user or other http headers
• Traffic Shifting: Smarter Canary Releases
• Chaos: Fault Injection/Delays – Are we resilient, or getting timeouts/errors
• Resilience: Circuit Breakers
• Cluster max connections, max/pending requests, max retries etc
• Rate limiting
• Observability/Ops Visibility
• Metrics and Tracing
• Transaction flow through microservices
• Latency
• Security
42. Pod
Container
JVM
Service A
Envoy Side-car
Pod
Container
JVM
Service B
Envoy Side-car
Pod
Container
JVM
Service C
Envoy Side-car
HTTP1.1, HTTP2,
gRPC, TCP w/TLS
HTTP1.1, HTTP2,
gRPC, TCP w/TLS
HTTP1.1, HTTP2,
gRPC, TCP w/TLS
Istio Pilot Istio Mixer Istio Auth
istioctl, API, config Quota, Telemetry
Rate Limiting, ACL
CA, SPIFFE
@burrsutter
Istio Control Plane
44. GOAL FOR LAB
In this lab you will learn:
● How to install Istio onto OpenShift Container Platform
● How to deploy apps with sidecar proxies
● How to generate and visualize deep metrics for apps
● How to alter routing dynamically
● How to inject faults for testing
● How to do rate limiting
● How Istio implements circuit breaking and distributed tracing
48. RESULT OF LAB
In this lab you learned:
● How to install Istio onto OpenShift Container Platform
● How to deploy apps with sidecar proxies
● How to generate and visualize deep metrics for apps
● How to alter routing dynamically
● How to inject faults for testing
● How to do rate limiting
● How Istio implements circuit breaking and distributed tracing
● Use cases for service mesh
Speaker:
* This is a high level architecture diagram of the OpenShift 3 platform. On the subsequent slides we will dive down and investigate how these components interact within an OpenShift infrastructure.
Discussion:
* Set the stage for describing the OpenShift architecture.
Transcript:
OpenShift has a complex multi-component architecture. This presentation is usable to help prospects understand how the components work together.