This session focuses on the use case of multi-tenancy on your Kubernetes cluster with the Istio service mesh.
We will explain how API gateways, ingress controllers, and service mesh differ and how they work together to achieve this use case.
In this session we'll:
● Discuss the core concept
● Cover the challenges for application developers and cluster operators
● Walk through how that problem has been solved historically
● Review how implementing a service mesh can help solve that problem differently
● Demos, demos, demos
● Recap the latest release of Istio
Video here
https://www.youtube.com/watch?v=HO7pqNUbUFk&list=PLBOtlFtGznBim4rBEXMl87Pt9qJT_3G1Y
Learn More
https://solo.io and https://gloo.solo.io
https://istio.io
https://cloud.google.com
5. What is multi-ingress?
When running large multi-tenant deployments, teams or workloads may need their own dedicated ingress, or apps may need different ingress setups.
6. Why multi-ingress?
● Isolation for individual teams and logical workloads
● Multiple ingress types like APIs vs user-facing services
● Serving multiple applications out of different domains
● Require unique SSL certificates for each domain being served
10. Top-level requirements
● Isolate teams and logical workloads
● Support for different ingress types
● Each ingress needs HTTPS support
11. Critical features
● Platform load balancer support
● SSL certificate support
● Kubernetes-native service
● Traffic management mechanisms
● API gateway support
● Auth support for in-cluster services
13. Kubernetes Ingress
● More capable than Service LoadBalancer
● SSL certificate support
● Multiple ingress resources can be deployed
● Can integrate with L7 platform load balancers
● Supports single-service, simple fanout, or name-based virtual hosts
18. Istio Ingress Gateway
● Supports workloads across different namespaces
● Native Kubernetes Service, integrates with platform load balancers
● Support for SSL certificates
● Encrypted traffic to downstream services
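A configuration sketch of the multi-ingress layout described above, added here as an example and not taken from the talk or its demo repository: two Istio Gateway resources, each bound to its own ingress gateway deployment and its own TLS certificate. The namespaces, selector labels, hostnames and secret names are assumed placeholders, and credentialName requires secret discovery (SDS) to be enabled on the ingress gateway in Istio 1.3.

```yaml
# Added example: every name, label, host and secret below is a placeholder.
# Team A: API traffic, terminated on team A's own ingress gateway deployment.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: team-a-api
  namespace: team-a-ingress
spec:
  selector:
    istio: team-a-ingressgateway      # matches only team A's gateway pods
  servers:
  - port:
      number: 443
      name: https-api
      protocol: HTTPS
    tls:
      mode: SIMPLE
      # TLS secret must live in the namespace of the gateway deployment
      credentialName: team-a-api-cert
    hosts:
    - api.team-a.example.com
---
# Team B: user-facing site, separate deployment, separate certificate.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: team-b-web
  namespace: team-b-ingress
spec:
  selector:
    istio: team-b-ingressgateway      # matches only team B's gateway pods
  servers:
  - port:
      number: 443
      name: https-web
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: team-b-web-cert
    hosts:
    - www.team-b.example.com
```

Because each Gateway selects a different deployment, a listener or certificate change for one team is not pushed to the other team's proxy, and each team's private key stays in its own namespace.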
31. Istio 1.3 Key Themes
● Improve the UX for new users adopting Istio
● Improve the UX for debugging problems
● Support more apps w/o addt'l config
32. Istio 1.3 highlights
● containerPort no longer required
● Customizable generated Envoy config
● Mixer-less telemetry (experimental)
● Intelligent protocol detection (experimental)
● Operator-based install (experimental)
● New commands in istioctl experimental for debugging
33. $ istioctl x --help
Experimental commands that may be modified or deprecated

Usage:
  istioctl experimental [command]

Aliases:
  experimental, x, exp

Available Commands:
  add-to-mesh       Add workloads into Istio service mesh
  analyze           Analyze Istio configuration and print validation messages
  auth              Inspect and interact with authn/authz policies in the mesh
  describe          Describe resource and related Istio configuration
  kube-uninject     Uninject Envoy sidecar from Kubernetes pod resources
  manifest          Commands related to Istio manifests
  metrics           Prints metrics for specified workload(s) when running in K8S
  profile           Commands related to Istio configuration profiles
  remove-from-mesh  Remove workloads from Istio service mesh
34. $ istioctl x --help
● Analyze YAML files
● Analyze live cluster
● Simulate effect of applying YAML
35. $ istioctl x --help
Operator-based install!
● Generate and/or apply manifests
● Diff against multiple manifests
● Migrate from Helm config to Operator
36. What’s Next
Security
Around 3 weeks after the next Istio release, we'll dig into security-centric use cases, and how Istio can help.
Istio 1.4 → Late Q4 2019
37. Thank You!
Questions or Comments?
Find us @christianposta and @crcsmnky
Learn More
● Istio istio.io
● Google Cloud cloud.google.com
● Solo.io www.solo.io
● Gloo gloo.solo.io
● Service Mesh Hub servicemeshhub.io
Demo
● github.com/crcsmnky/istio-multi-ingress