#CiscoLive
Shannon McFarland, CCIE #5245
Distinguished Engineer, Emerging Technologies & Incubation
eyepv6

Understanding Multicluster Kubernetes Connectivity Options
BRKETI-2003

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.

Agenda
- Multicluster Connectivity Pain points
- Kubernetes Services, Ingress, Load Balancer
- Cilium Cluster Mesh
- Service Mesh
  - Linkerd
  - Istio

Multicluster Connectivity - What is all the fuss about?
There are several reasons for establishing connectivity between Kubernetes clusters, including:
- Service load balancing
- Data replication
- Service dependencies
- Partner-provided service connectivity
- etc.
Today, many assumptions are made about the underlying infrastructure that exists underneath and in between these clusters:
- Use ingress/load balancers and let basic networking and name resolution sort it out
- Intra-VPC/Intra-network: deploy the clusters in the same VPCs/networks to facilitate easier connectivity
- Inter-VPC/Inter-network: networking is already built and managed (Hybrid cloud, VPC peering, etc.)
Regardless of the assumptions or justification, something and someone has to deal with
service-to-service connectivity; let's explore some options.
(Diagram: App Pods behind the CNI in each cluster, with FW, VPN and Network Services in between.)

Multicluster Connectivity - Options Galore!
There are many solutions for linking workloads that are hosted on different Kubernetes clusters; let's look at a few of them:
- CNI-based: Cilium Cluster Mesh
  - Global load balancing is great
  - Service-to-service can be dicey
- Gateway-based: Submariner
  - A Layer 3/4 centric approach
  - Service-to-service is a strength
  - Not the smoothest implementation
- Application Service Mesh-based: Layer 4/7 networking, robust security and observability
  - Linkerd
  - Istio

A Couple of Use Cases
- Global Load Balancing: DNS in front of a Load Balancer in each cluster (Cluster1, Cluster2), each Load Balancer fronting a Service and its Pod.
- Service-to-Service / Pod-to-Pod: a Service or Pod in Cluster1 talks directly to a Service or Pod in Cluster2.

A Note About Shared Service Naming
- Cilium Cluster Mesh
  Service name: unchanged for Global LB; for the service-to-service use case, create a custom (phantom/ghost) service
  Example: my-custom-service-name.default.svc.cluster.local
  Special config:
    kind: Service
    metadata:
      name: redis-cart
      annotations:
        io.cilium/global-service: "true"
- Submariner
  Service name: <service>.default.svc.clusterset.local
  Example: redis-cart.default.svc.clusterset.local
- Linkerd
  Service name: <service>-<cluster>.default.svc.cluster.local
  Example: redis-cart-cluster1.default.svc.cluster.local
- Istio
  Service name: unchanged for Global LB; for the service-to-service use case, create a custom (phantom/ghost) service
  Example: my-custom-service-name.default.svc.cluster.local
- Cisco Calisti (Istio)
  Same as Istio

Reference: Kubernetes Services, Ingresses, Load Balancers

K8s Multicluster Connectivity - Using Ingress, Services, LBs
(Diagram: shared DNS and CA; two K8s clusters joined by a Networking Service (VPC peering, Hybrid Cloud, etc.); in each cluster a Load Balancer and Ingress in front of a Service and Deployment: db-follower-pod behind db-follower, db-leader-pod behind db-leader.)
Pain:
- Global DNS
- Multiple trust boundaries
- HTTP/TCP centric connections
- Operational boundaries
- No single view of service connectivity
- Finger pointing
- Horrid root cause analysis

Cilium
CNI + Cilium Cluster Mesh

Cilium Cluster Mesh
- eBPF-based Networking, Observability and Security: https://cilium.io/
- A CNCF project
- Cilium Cluster Mesh: https://docs.cilium.io/en/stable/gettingstarted/#cluster-mesh and https://cilium.io/blog/2019/03/12/clustermesh
- It isn't a traditional Application Service Mesh
- Define globally load balanced services that span Kubernetes clusters
- etcd state shared via load balancers / Nodes communicate over VXLAN / Encryption over IPsec
- Selective load balancing to remote clusters is possible but difficult depending on the scenario
- Connect to external workloads (e.g., VMs)
- Outcome: It just worked, but it may not be what you need
- Stay tuned for more info, use cases and demos of the upcoming Cilium Mesh: https:/

Microservices Demo Topology
(Diagram: Cluster1 and Cluster2 running the microservices demo; https:/ )

K8s Multicluster Connectivity - Global Service LB: Setup
(Diagram: shared DNS and CA; two K8s clusters over a Networking Service (VPC peering, Hybrid Cloud, etc.); frontend behind a Load Balancer and Ingress, cartservice and redis-cart in each cluster; Cilium Cluster Mesh control plane reachable through a Load Balancer in each cluster, data plane over VXLAN.)

  # cilium install --cluster-name shmcfarl-mc-1 --cluster-id 1
  # cilium install --cluster-name shmcfarl-mc-2 --cluster-id 2 \
      --context shmcfarl@shmcfarl-mc-2.us-west-2.eksctl.io \
      --inherit-ca shmcfarl@shmcfarl-mc-1.us-west-2.eksctl.io

Control Plane Connectivity: LoadBalancer, NodePort, ClusterIP

  # cilium clustermesh enable --context shmcfarl@shmcfarl-mc-1.us-west-2.eksctl.io
  # cilium clustermesh enable --context shmcfarl@shmcfarl-mc-2.us-west-2.eksctl.io
  # cilium clustermesh connect --context shmcfarl@shmcfarl-mc-1.us-west-2.eksctl.io \
      --destination-context shmcfarl@shmcfarl-mc-2.us-west-2.eksctl.io

K8s Multicluster Connectivity - Global Service LB: VXLAN
  # cilium bpf tunnel list
  TUNNEL         VALUE
  172.17.0.0:0   10.10.123.229:0
  172.18.0.0:0   10.11.121.200:0
Cluster 1: Node IP 10.10.123.229, Cluster CIDR 172.17.0.0/16
Cluster 2: Node IP 10.11.121.200, Cluster CIDR 172.18.0.0/16
(Each cluster CIDR is reached through a VXLAN tunnel terminated on the listed node IP.)

K8s Multicluster Connectivity - Global Service LB: Global LB
Global service defined:
  apiVersion: v1
  kind: Service
  metadata:
    name: redis-cart
    annotations:
      io.cilium/global-service: "true"

Cluster 1:
  # cilium service list
  ID   Frontend              Service Type   Backend
  20   172.17.17.201:6379    ClusterIP      1=10.11.126.169:6379
                                            2=10.10.80.2:6379
Cluster 2:
  # cilium service list
  ID   Frontend              Service Type   Backend
  7    172.18.115.114:6379   ClusterIP      1=10.10.80.2:6379
                                            2=10.11.126.169:6379
(The redis-cart frontend in each cluster load balances across both clusters' backends, 10.10.80.2 and 10.11.126.169.)

K8s Multicluster Connectivity - Service-to-Service
The phantom/ghost service pattern: the same service name (redis-cart-cls1) is created in both clusters with the global-service annotation, but only the copy in Cluster 1 has a selector. The copy in Cluster 2 therefore has no local backends and steers traffic to the Cluster 1 pod.

Cluster 1 (pod 10.244.1.231:6379, redis-cart-cls1 at 10.96.144.119:6379):
  apiVersion: v1
  kind: Service
  metadata:
    name: redis-cart-cls1
    annotations:
      io.cilium/global-service: "true"
  spec:
    type: ClusterIP
    selector:
      app: redis-cart

Cluster 2 (pod 10.245.1.219:6379, redis-cart-cls1 at 10.97.246.126:6379):
  apiVersion: v1
  kind: Service
  metadata:
    name: redis-cart-cls1
    annotations:
      io.cilium/global-service: "true"
  spec:
    type: ClusterIP
  NOTE: No selector for the "redis-cart" app

Cluster 1:
  # cilium service list
  ID   Frontend             Service Type   Backend
  23   10.96.89.208:6379    ClusterIP      1=10.244.1.231:6379
  30   10.96.144.119:6379   ClusterIP      1=10.244.1.231:6379
Cluster 2:
  # cilium service list
  ID   Frontend             Service Type   Backend
  26   10.97.136.93:6379    ClusterIP      1=10.245.1.219:6379
  32   10.97.246.126:6379   ClusterIP      1=10.244.1.231:6379
(10.96.89.208 and 10.97.136.93 are each cluster's local redis-cart service; 10.96.144.119 and 10.97.246.126 are redis-cart-cls1, which in both clusters resolves to the Cluster 1 pod 10.244.1.231.)

Redis replication through the ghost service:
  127.0.0.1:6379> replicaof redis-cart-cls1.default.svc.cluster.local 6379
  127.0.0.1:6379> keys *
  1) "5c605f89-0f26-41e5-a3b2-fe6d1962be7f"

Submariner

Submariner
Gateway-based multicluster connectivity for Kubernetes services: https://submariner.io/
A CNCF project
What is it?
- Gateway-based with support for IPsec (libreswan), WireGuard and VXLAN
- Connect exported services between clusters
- Can be used as a transport for other stuff like Istio: https:/
It is a very bumpy deployment. Fairly smooth on OpenShift, but bumpy on most other platforms due to out-of-date docs and buggy dependency scripts.
Things to watch out for:
- MTU on pods: must account for the overhead of IPsec/WireGuard/VXLAN
- Security groups: pay close attention to the SG dependencies per encap type

Microservices Demo Topology
(Diagram: Cluster1 and Cluster2, Follower and Leader; https:/ )

K8s Multicluster Connectivity - Submariner Service Export: Setup
(Diagram: shared DNS and CA; two K8s clusters over a Networking Service (VPC peering, Hybrid Cloud, etc.); a Broker; in each cluster the Route Agent (RA), Gateway Agent (GA) and Lighthouse Agent (LA); the clusters are linked over IPsec, WireGuard or VXLAN.)
  # subctl deploy-broker
  # subctl export service --namespace default redis-cart
  # subctl join broker-info.subm --clusterid cluster1
  # subctl join broker-info.subm --clusterid cluster2
  # subctl show all
  GATEWAY           CLUSTER    REMOTE IP    NAT   CABLE DRIVER   SUBNETS                      STATUS      RTT avg.
  cluster2-worker   cluster2   172.18.0.5   no    libreswan      100.2.0.0/16, 10.2.0.0/16    connected   152.062s

K8s Multicluster Connectivity - Submariner Service Export: Make the Service Known
  # subctl export service --namespace default redis-cart
  # kubectl get serviceexport -A
  NAMESPACE   NAME         AGE
  default     redis-cart   11m
  # kubectl get serviceimport -A
  NAMESPACE             NAME                          TYPE           IP             AGE
  submariner-operator   redis-cart-default-cluster1   ClusterSetIP   100.1.39.208   13m
100.1.39.208 = redis-cart.default.svc.clusterset.local

K8s Multicluster Connectivity - Submariner Service Export: Redis Replication
  127.0.0.1:6379> replicaof redis-cart.default.svc.clusterset.local 6379
  127.0.0.1:6379> keys *
  1) "1991ffa8-ffa0-49d4-91d2-d165590b35b0"
  127.0.0.1:6379> client list
  ... id=29 addr=100.1.39.208:6379 ...
100.1.39.108 = redis-cart.default.svc.clusterset.local

Linkerd
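The Cilium service-to-service slides above show how to tell a globally load balanced service from a pinned ghost service only by reading `cilium service list` and knowing each cluster's pod CIDR. The following is an added example (not code from the Cisco Live deck or from Cilium) that does that classification; the cluster CIDRs are assumptions derived from the pod addresses on the slides, and the service table is a constructed sample in the layout `cilium service list` prints.

```python
"""Classify Cilium Cluster Mesh services from `cilium service list` output.

Added example, not part of the Cisco Live deck. It parses the service table
that `cilium service list` prints on a node and, given each cluster's pod
CIDR, reports per frontend whether the service is load balanced across
clusters (backends in more than one cluster) or pinned to one cluster. The
phantom/ghost redis-cart-cls1 service on the slides is the pinned case: the
copy in the second cluster has no selector, so its only backend is the pod
in the first cluster.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Assumed pod CIDRs of the two clusters (10.244.x.x and 10.245.x.x on the slides).
CLUSTER_CIDRS = {
    "cluster1": ipaddress.ip_network("10.244.0.0/16"),
    "cluster2": ipaddress.ip_network("10.245.0.0/16"),
}

# Constructed sample for the second cluster: ID 26 is the local redis-cart
# service, ID 32 the ghost redis-cart-cls1 whose only backend is the first
# cluster's pod. ID 40 is a made-up global service with one backend in each
# cluster; ID 41 a made-up service whose backend lies outside every known CIDR.
SAMPLE_SERVICE_LIST = """\
ID   Frontend              Service Type   Backend
26   10.97.136.93:6379     ClusterIP      1 => 10.245.1.219:6379
32   10.97.246.126:6379    ClusterIP      1 => 10.244.1.231:6379
40   10.97.10.10:8080      ClusterIP      1 => 10.244.2.7:8080
                                          2 => 10.245.3.9:8080
41   10.97.20.20:443       ClusterIP      1 => 192.168.50.4:443
"""

# A service row starts with an ID; a backend is "<n> => ip:port" (or "<n>=ip:port").
ROW_RE = re.compile(r"^(\d+)\s+(\S+:\d+)\s+(\S+)\s*(.*)$")
BACKEND_RE = re.compile(r"\d+\s*=>?\s*(\d+\.\d+\.\d+\.\d+):(\d+)")


def parse_service_list(text: str) -> Dict[int, dict]:
    """Return {id: {"frontend", "type", "backends": ["ip:port", ...]}}.
    Indented continuation lines carry extra backends of the previous row."""
    services: Dict[int, dict] = {}
    current: Optional[dict] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("ID"):
            continue
        match = ROW_RE.match(line)
        if match:
            current = {"frontend": match.group(2), "type": match.group(3), "backends": []}
            services[int(match.group(1))] = current
            rest = match.group(4)
        elif current is not None:
            rest = line
        else:
            continue
        current["backends"].extend(f"{ip}:{port}" for ip, port in BACKEND_RE.findall(rest))
    return services


def cluster_of(ip: str) -> Optional[str]:
    """Name of the cluster whose pod CIDR contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in CLUSTER_CIDRS.items():
        if addr in cidr:
            return name
    return None


def classify(services: Dict[int, dict]) -> Dict[int, dict]:
    """Per service: the clusters its backends live in plus a verdict of
    global-lb, pinned, no-backends or unknown-backend."""
    report: Dict[int, dict] = {}
    for sid, svc in services.items():
        clusters = set()
        unknown: List[str] = []
        for backend in svc["backends"]:
            name = cluster_of(backend.rsplit(":", 1)[0])
            if name is None:
                unknown.append(backend)
            else:
                clusters.add(name)
        if unknown:
            verdict = "unknown-backend"
        elif len(clusters) > 1:
            verdict = "global-lb"
        elif clusters:
            verdict = "pinned"
        else:
            verdict = "no-backends"
        report[sid] = {"frontend": svc["frontend"], "clusters": sorted(clusters),
                       "verdict": verdict, "unknown": unknown}
    return report


if __name__ == "__main__":
    for sid, entry in classify(parse_service_list(SAMPLE_SERVICE_LIST)).items():
        print(sid, entry["frontend"], entry["verdict"], ",".join(entry["clusters"]))
```

Run it against the real table with `cilium service list | python3 this_script.py` after replacing the sample with `sys.stdin.read()`; a ghost service that unexpectedly reports global-lb means a selector was set on the side that should have none.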
An open source service mesh and CNCF project.
- 5 years in production
- 7,500+ Slack channel members
- 10,000+ GitHub stars
- 200+ contributors

What does it do?
- Observability: Service-level golden metrics: success rates, latencies, throughput. Service topologies.
- Reliability: Retries, timeouts, load balancing, circuit breaking
- Security: Transparent mTLS, cert management and rotation, policy
In an ultralight package focused on operational simplicity first and foremost.

Linkerd Design
In short, do less, not more.
- Just works: Zero config, out of the box, for any Kubernetes app
- Ultralight: Introduce the bare minimum perf and resource cost
- Simple: Reduce operational complexity in every possible way
- Minimal overhead:
  - Control plane: Go. 200mb RSS (excluding metrics data). (Repo: linkerd/linkerd2)
  - Data plane: Rust. 10mb RSS (Resident Set Size)

Reference
  (kubectl --context=linkerd-mc-1 apply -f -)
  (kubectl --context=linkerd-mc-2 apply -f -)
  https://linkerd.io/2.13/getting-started/
  https://linkerd.io/2.13/tasks/installing-multicluster/

Sample of "link" YAML output (highly reduced output)
  apiVersion: multicluster.linkerd.io/v1alpha1
  kind: Link
  metadata:
    name: linkerd-mc-1
    namespace: linkerd-multicluster
  spec:
    clusterCredentialsSecret: cluster-credentials-linkerd-mc-1
    gatewayAddress: a9d97fc75ed1d43b19e2a3344ad734cc-1322698043.us-west-
    gatewayIdentity: linkerd-gateway.linkerd-multicluster.serviceaccount.identity.linkerd.cluster.local
    gatewayPort: 4143
    probeSpec:
      path: /ready
      period: 3s
      port: 4191
    selector:
      matchExpressions:
      - key: mirror.linkerd.io/exported
        operator: Exists
    targetClusterDomain: cluster.local
    targetClusterLinkerdNamespace: linkerd
    targetClusterName: linkerd-mc-1
  ---
  apiVersion: v1
  kind: Service
  metadata:
    name: probe-gateway-linkerd-mc-1
    namespace: linkerd-multicluster
    labels:
      mirror.linkerd.io/mirrored-gateway: "true"
      mirror.linkerd.io/cluster-name: linkerd-mc-1
  spec:
    ports:
    - name: mc-probe
      port: 4191
      protocol: TCP
Reference

Linkerd Multicluster Redis Replication
(Diagram: a Multicluster Gateway behind a Load Balancer in each cluster; service redis-cart and pod redis-cart in each cluster; the service mirror redis-cart-linkerd-mc-1 at 172.20.124.207.)
  127.0.0.1:6379> replicaof redis-cart-linkerd-mc-1.default.svc.cluster.local 6379
  127.0.0.1:6379> keys *
  1) "72c6d371-812f-4778-80c8-c41366d956a6"

Istio

Istio Overview
An open-source project started by Google and IBM with help from the Envoy team at Lyft
https://istio.io/
https:/
- Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic
- Robust multicluster connectivity
- Fine-grained control of traffic behavior with rich routing rules, retries, failovers, and fault injection
- A pluggable policy layer and configuration API supporting access controls, rate limits and quotas
- Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress
- Secure service-to-service authentication with strong identity assertions between services in a cluster
Now a CNCF Project!

Istio Architecture
https://istio.io/latest/docs/ops/deployment/architecture/
istiod:
- Pilot: Handles service discovery and config data. Provides the Envoy proxies with the mesh topology and route rules.
- Galley: Validates user-authored Istio API configuration on behalf of other control plane components. Top-level config ingestion, processing and distribution.
- Citadel: Provides certificates to the Envoy proxies for authentication and authorization.
Envoy:
- A proxy attached to every microservice
- The connection point for a microservice to attach to the mesh

Envoy
- Implemented by Lyft
- A C++ based L4/L7 proxy
- Can be used independently of any service mesh (Istio)
- API driven
- Traffic routing and splitting
- Transparent proxying
- Health checks, circuit breakers, etc.
https://www.envoyproxy.io
https:/

Istio: How Do I Get It?
Where to get it:
- Istio currently is available directly from the Istio community at: https://istio.io/about/community/join/
- It can also be built directly: https:/
- It can be enabled as an infrastructure option in GKE
How to install it (Kubernetes): https://istio.io/docs/setup/getting-started/
- Kubernetes installation is a prerequisite
- Directly from the manifests included in the release
- Using Helm charts included in the release

Contribution (Reference)
- Contribution Readme: https:/
- Contributing to the Docs: https://istio.io/about/contribute/
- Istio Discussion: https://discuss.istio.io/

Istio Multicluster
https://istio.io/latest/docs/ops/deployment/deployment-models/
- Primary-Remote single network, Primary-Remote multiple networks
- Multi-Primary single network, Multi-Primary multiple networks
- "single network" ("flat networking", "shared networking") = full reachability between workloads without an Istio gateway
- "multiple network": workloads reach each other via an Istio gateway
- We are building this: https://istio.io/latest/docs/setup/install/multicluster/multi-primary_multi-network/
Pre-planning:
- Other Multicluster installation references:
  - Gateway: https://istio.io/v1.1/docs/setup/kubernetes/install/multicluster/gateways/
  - VPN: https://istio.io/v1.1/docs/setup/kubernetes/install/multicluster/vpn/
- Service naming
- Istio DNS proxy
- Service sharing/exposure: control at the gateway or via Istio Authorization: https://istio.io/latest/docs/reference/config/security/authorization-policy/

Microservices Demo Topology
(Diagram: Cluster1 and Cluster2, Follower and Leader; https:/ )

Istio Multicluster Setup - Pre-setup Stuff (Reference)
Create certs and secrets on the first and 2nd clusters:
  # make -f ./tools/certs/Makefile.selfsigned.mk root-ca
  # make -f ./tools/certs/Makefile.selfsigned.mk cluster1-cacerts
  # kubectl create namespace istio-system
  # kubectl create secret generic cacerts -n istio-system \
      --from-file=cluster1/ca-cert.pem --from-file=cluster1/ca-key.pem \
      --from-file=cluster1/root-cert.pem --from-file=cluster1/cert-chain.pem
  # make -f ./tools/certs/Makefile.selfsigned.mk cluster2-cacerts
  # kubectl create namespace istio-system
  # kubectl create secret generic cacerts -n istio-system \
      --from-file=cluster2/ca-cert.pem --from-file=cluster2/ca-key.pem \
      --from-file=cluster2/root-cert.pem --from-file=cluster2/cert-chain.pem
https://istio.io/latest/docs/setup/install/multicluster/before-you-begin/
Export context info for future use with kubectl and istioctl commands:
  # export CTX_CLUSTER1=istio-mc-1
  # export CTX_CLUSTER2=istio-mc-2

K8s Multicluster Connectivity - Istio Multicluster: Setup "istio-mc-1"
(Diagram: shared DNS and CA; two K8s clusters over a Networking Service (VPC peering, Hybrid Cloud, etc.); frontend behind a Load Balancer and Ingress, cartservice and redis-cart in each cluster; istio-mc-1 on network1 with istio-ingress and istio-eastwest-gw Load Balancers.)
  # cat <<EOF > istio-mc-1.yaml
  apiVersion: install.istio.io/v1alpha1
  kind: IstioOperator
  spec:
    values:
      global:
        meshID: mesh1
        multiCluster:
          clusterName: istio-mc-1
        network: network1
  EOF
  # istioctl install --context=$CTX_CLUSTER1 -f istio-mc-1.yaml
  # samples/multicluster/gen-eastwest-gateway.sh --mesh mesh1 --cluster istio-mc-1 --network network1 | istioctl --context=$CTX_CLUSTER1 install -y -f -
  # kubectl --context=$CTX_CLUSTER1 label namespace istio-system topology.istio.io/network=network1   (*)
(*) Do this on an existing Istio deployment.

K8s Multicluster Connectivity - Istio Multicluster: Setup "istio-mc-2"
(Diagram: istio-mc-2 on network2 with its own istio-ingress and istio-eastwest-gw Load Balancers.)
  # cat <<EOF > istio-mc-2.yaml
  apiVersion: install.istio.io/v1alpha1
  kind: IstioOperator
  spec:
    values:
      global:
        meshID: mesh1
        multiCluster:
          clusterName: istio-mc-2
        network: network2
  EOF
  # istioctl install --context=$CTX_CLUSTER2 -f istio-mc-2.yaml
  # samples/multicluster/gen-eastwest-gateway.sh --mesh mesh1 --cluster istio-mc-2 --network network2 | istioctl --context=$CTX_CLUSTER2 install -y -f -
  # kubectl --context=$CTX_CLUSTER2 label namespace istio-system topology.istio.io/network=network2
Warning: It is ALWAYS DNS that kills you
By default, Istio does not enable DNS proxy for services that are exposed to another cluster:
https://istio.io/latest/docs/ops/configuration/traffic-management/dns-proxy/#getting-started
Without enabling DNS proxy, "redis-cart-cls1.default.svc.cluster.local" will not be resolvable on the 2nd cluster.
Add to the Istio Operator config:
  apiVersion: install.istio.io/v1alpha1
  kind: IstioOperator
  spec:
    meshConfig:
      defaultConfig:
        proxyMetadata:
          # Enable basic DNS proxying
          ISTIO_META_DNS_CAPTURE: "true"
OR edit the config post-deployment:
  # kubectl edit istiocontrolplanes -n istio-system
  meshConfig:
    defaultConfig:
      ...
      proxyMetadata:
        ISTIO_META_ALS_ENABLED: "true"
        ISTIO_META_DNS_CAPTURE: "true"
        PROXY_CONFIG_XDS_AGENT: "true"

K8s Multicluster Connectivity - Istio Multicluster: Expose Services "istio-mc-1"
(Diagram: istio-mc-1 on network1 and istio-mc-2 on network2, each with istio-ingress and istio-eastwest-gw Load Balancers.)
  # cat <<EOF > expose-services.yaml
  apiVersion: networking.istio.io/v1alpha3
  kind: Gateway
  metadata:
    name: cross-network-gateway
  spec:
    selector:
      istio: eastwestgateway
    servers:
    - port:
        number: 15443
        name: tls
        protocol: TLS
      tls:
        mode: AUTO_PASSTHROUGH
      hosts:
      - "*.local"
  EOF
  # kubectl --context=$CTX_CLUSTER1 apply -n istio-system -f expose-services.yaml
Service-specific example:
      hosts:
      - ".default.svc.cluster.local"

Istio Multicluster Setup - Endpoint Discovery (Reference)
Install remote secrets in both clusters so that each cluster has API server access to the other cluster:
  # istioctl x create-remote-secret --context=$CTX_CLUSTER1 --name=istio-mc-1 | kubectl apply -f - --context=$CTX_CLUSTER2
  # istioctl x create-remote-secret --context=$CTX_CLUSTER2 --name=istio-mc-2 | kubectl apply -f - --context=$CTX_CLUSTER1

Istio Multicluster Redis Replication - Service Mirror - Phantom/Ghost Services
(Diagram: service redis-cart and pod redis-cart in each cluster; the replica; 172.17.43.144; the istio-eastwest-gw Load Balancer, AWS LB 52.11.49.96; the phantom service redis-cart-cls1 in front of service redis-cart.)
  istioctl proxy-config listeners --context $CTX_CLUSTER2 redis-cart-5b569cd47-6ppzm --port 6379 -o json
  ...
  "name": "172.17.43.144_6379",
  ...
  istioctl proxy-config endpoints --context $CTX_CLUSTER2 redis-cart-5b569cd47-6ppzm --cluster "outbound|6379||redis-cart-cls1.default.svc.cluster.local"
  ENDPOINT            STATUS    OUTLIER CHECK   CLUSTER
  52.11.49.96:15443   HEALTHY   OK              outbound|6379||redis-cart-cls1.default.svc.cluster.local
Gateway in use:
  name: cross-network-gateway
  spec:
    selector:
      istio: eastwestgateway
    servers:
    - port:
        number: 15443
        name: tls
        protocol: TLS
      hosts:
      - "*.local"
  127.0.0.1:6379> replicaof redis-cart-cls1.default.svc.cluster.local 6379

Example of redis-cart-cls1 service
  kubectl apply -f - <<EOF
  apiVersion: v1
  kind: Service
  metadata:
    name: redis-cart-cls1
  spec:
    type: ClusterIP
    selector:
      app: redis-cart
    ports:
    - name: tcp-redis
      protocol: TCP
      port: 6379
      targetPort: 6379
  EOF

Cisco Calisti - A Service Mesh Manager

Cisco Calisti
https://calisti.app/
- Multi-cloud, multi-cluster connectivity and observability
  - Connect any on-prem and public cloud together
- Simplifies service mesh management
  - Single pane of glass, in depth metrics
- Policy-based app networking & security
  - Policy management for DevOps teams
- Traffic management ensures smooth app updates
  - Complete application and health observability
- Security at all layers between clusters and clouds
  - Operationalize the Service Mesh
- Apache Kafka on Kubernetes & Service Mesh
  - Lifecycle management of Apache Kafka and components

Cisco Calisti Benefits
1. Multi-Cluster Observability
   - Proactive issue resolution using SLO(1), error budgeting, actionable alerting when SLOs are endangered
   - Faster root cause resolution using timeline view, outlier detection, traffic tapping/tracing
   - Better visibility into service-to-service performance through Traffic Analytics
2. Simplified mesh & traffic management
   - Complete Istio lifecycle mgmt.
   - Ensure High Availability via automated tooling, metrics
   - Rich, comprehensive operations focused dashboard
   - Enterprise-grade security hardening & lifecycle
   - Reduced risk of day 2 deployments via canary upgrades
   - Reduce human error via config validation
   - VM-extensions for brownfield and external service linkage
3. Policy based n/w & Security
   - Simplified application deployment via security, observability and platform traffic management
   - Respond quickly to security vulnerabilities via policy enforcement
   - Avoid issues via canary deployments, circuit breakers
   - DevOps friendly traffic debugging
(1) Service Level Objectives

Microservices Demo Topology
(Diagram: Cluster1 and Cluster2, Follower and Leader; https:/ )

Cisco Calisti Setup - From 19 steps to 3
1) Install Cisco Calisti and identify the first cluster name:
  # smm install -a --cluster-name smm-mc-1
2) Install Cisco Calisti with a full Istio control plane and attach the 2nd cluster to the 1st cluster:
  # smm istio cluster attach smm-mc-2.yaml --active-istio-control-plane
3) Enable Istio sidecar injection on a namespace:
  # smm sidecar-proxy auto-inject on default
https://calisti.app/
  # smm istio cluster status
  Clusters
  ---
  Name       Type    Provider   Regions     Version                     Distribution   Status   Message
  smm-mc-1   Local   amazon     us-east-2   v1.21.2-13+d2965f0db10712   EKS            Ready
  smm-mc-2   Peer    amazon     us-east-2   v1.21.2-13+d2965f0db10712   EKS            Ready
  ControlPlanes
  ---
  Cluster    Name                    Version   Trust Domain    Pods                                            Proxies
  smm-mc-1   cp-v111x.istio-system   1.11.4    cluster.local   istiod-cp-v111x-75b7ccbb76-6szk9.istio-system   32/32
  smm-mc-2   cp-v111x.istio-system   1.11.4    cluster.local   istiod-cp-v111x-6f5d85c56f-vw2k7.istio-system   5/5
Demo

K8s Multicluster Connectivity - Cisco Calisti Multicluster
(Diagram: shared DNS and CA; two K8s clusters over a Networking Service (VPC peering, Hybrid Cloud, etc.); frontend behind a Load Balancer and Ingress, cartservice and redis-cart in each cluster; smm-mc-1 on network1 and smm-mc-2 on network2, each with istio-ingress and istio-meshexpansion Load Balancers.)
Changes from the earlier Istio example:
- New eastwestgateway name (istio-meshexpansion)
- The 2nd cluster's network name is the same as the cluster name

Warning: It is ALWAYS DNS that kills you (Reference)
The same DNS proxy requirement applies here: without ISTIO_META_DNS_CAPTURE set to "true" in the Istio Operator config (or edited post-deployment with kubectl edit istiocontrolplanes -n istio-system), "redis-cart-cls1.default.svc.cluster.local" will not be resolvable on the 2nd cluster.
https://istio.io/latest/docs/ops/configuration/traffic-management/dns-proxy/#getting-started

K8s Multicluster Connectivity - Cisco Calisti Multicluster: Brute force
Control which services are exposed/shared at the gateway.
Istio Authorization Policy: https://istio.io/latest/docs/reference/config/security/authorization-policy/
Microscopic control of which things talk to which other things and how.
  # kubectl edit -n istio-system gw istio-cross-network-cp-v111x
  apiVersion: networking.istio.io/v1alpha3
  kind: Gateway
  metadata:
    name: istio-cross-network-cp-v111x
  spec:
    servers:
    - hosts:
      - "*.local"
Service-specific example:
      hosts:
      - ".default.svc.cluster.local"

Cisco Calisti Multicluster Redis Replication - Service Mirror - Phantom/Ghost Services
(Diagram: service redis-cart and pod redis-cart in each cluster; the replica; 10.100.55.204; the istio-meshexpansion Load Balancer, AWS LB 52.14.79.204.)
  # istioctl proxy-config listeners redis-cart-5b569cd47-brxgr --port 6379 -o json
  ...
  "name": "10.100.55.204_6379",
  ...
  127.0.0.1:6379> replicaof redis-cart-cls1.default.svc.cluster.local 6379
  # istioctl proxy-config endpoints redis-cart-5b569cd47-brxgr --cluster "outbound|6379||redis-cart-cls1.default.svc.cluster.local"
  ENDPOINT             STATUS    OUTLIER CHECK   CLUSTER
  52.14.79.204:15443   HEALTHY   OK              outbound|6379||redis-cart-cls1.default.svc.cluster.local
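Two of the Istio pitfalls on the slides above are configuration facts that can be checked from kubectl output: an AUTO_PASSTHROUGH east-west Gateway whose hosts are "*.local" exposes every service in the mesh to the peer cluster (the slides' service-specific hosts entry is the fix), and a missing ISTIO_META_DNS_CAPTURE leaves "redis-cart-cls1.default.svc.cluster.local" unresolvable on the 2nd cluster. The following added example (not code from the Cisco Live deck or from Istio) performs both checks; it assumes the JSON shape that `kubectl get gateway -n istio-system -o json` and `kubectl get istiooperator -n istio-system -o json` return, and the intended-exports list is a placeholder.

```python
"""Check Istio multicluster exposure settings from kubectl JSON output.

Added example, not code from the Cisco Live deck or from Istio.
Check 1: an east-west Gateway server in AUTO_PASSTHROUGH mode with a wildcard
host such as "*.local" exposes every service in the mesh to the peer cluster;
such servers are flagged and a tightened copy listing only the intended
service FQDNs is built.
Check 2: ISTIO_META_DNS_CAPTURE must be the string "true" under
spec.meshConfig.defaultConfig.proxyMetadata, or remote-only names such as
redis-cart-cls1.default.svc.cluster.local do not resolve.
"""
import copy
import json
from fnmatch import fnmatch
from typing import Dict, List

# Constructed: the cross-network gateway from the slides, in the shape
# `kubectl get gateway -n istio-system -o json` returns (only needed fields).
SAMPLE_GATEWAYS = {
    "kind": "List",
    "items": [{
        "apiVersion": "networking.istio.io/v1alpha3",
        "kind": "Gateway",
        "metadata": {"name": "cross-network-gateway", "namespace": "istio-system"},
        "spec": {
            "selector": {"istio": "eastwestgateway"},
            "servers": [{
                "port": {"number": 15443, "name": "tls", "protocol": "TLS"},
                "tls": {"mode": "AUTO_PASSTHROUGH"},
                "hosts": ["*.local"],
            }],
        },
    }],
}

# Constructed IstioOperator without the DNS proxy flag (the slides' mc-1 config).
SAMPLE_ISTIO_OPERATOR = {
    "apiVersion": "install.istio.io/v1alpha1",
    "kind": "IstioOperator",
    "spec": {"values": {"global": {"meshID": "mesh1", "network": "network1"}}},
}

# Placeholder: the services that are meant to be reachable from the peer cluster.
INTENDED_EXPORTS = ["redis-cart-cls1.default.svc.cluster.local"]


def is_wildcard(host: str) -> bool:
    # Gateway hosts may carry a namespace prefix ("ns/host"); strip it first.
    bare = host.split("/", 1)[-1]
    return bare == "*" or bare.startswith("*.")


def find_overbroad_servers(gateway_list: dict) -> List[dict]:
    """One finding per AUTO_PASSTHROUGH server that has a wildcard host."""
    findings = []
    for gw in gateway_list.get("items", []):
        meta = gw.get("metadata", {})
        for idx, server in enumerate(gw.get("spec", {}).get("servers", [])):
            if server.get("tls", {}).get("mode") != "AUTO_PASSTHROUGH":
                continue
            wild = [h for h in server.get("hosts", []) if is_wildcard(h)]
            if wild:
                findings.append({
                    "gateway": f"{meta.get('namespace')}/{meta.get('name')}",
                    "server": idx,
                    "port": server.get("port", {}).get("number"),
                    "wildcard_hosts": wild,
                })
    return findings


def tighten_gateway(gateway: dict, intended: List[str]) -> dict:
    """Copy of the Gateway where each wildcard host is replaced by the intended
    FQDNs it matched; non-wildcard hosts are kept. The input is not modified."""
    out = copy.deepcopy(gateway)
    for server in out.get("spec", {}).get("servers", []):
        hosts: List[str] = []
        for host in server.get("hosts", []):
            if is_wildcard(host):
                pattern = host.split("/", 1)[-1]
                hosts.extend(s for s in intended if fnmatch(s, pattern))
            else:
                hosts.append(host)
        server["hosts"] = hosts
    return out


def dns_capture_enabled(istio_operator: dict) -> bool:
    """True when proxyMetadata sets ISTIO_META_DNS_CAPTURE to "true"."""
    meta = (istio_operator.get("spec", {}).get("meshConfig", {})
            .get("defaultConfig", {}).get("proxyMetadata", {}))
    return str(meta.get("ISTIO_META_DNS_CAPTURE", "")).lower() == "true"


def check_kubectl_output(gateways_json: str, operator_json: str) -> Dict[str, object]:
    """Run both checks on the raw text of the two kubectl -o json commands."""
    return {
        "overbroad": find_overbroad_servers(json.loads(gateways_json)),
        "dns_capture": dns_capture_enabled(json.loads(operator_json)),
    }


if __name__ == "__main__":
    print(json.dumps(check_kubectl_output(json.dumps(SAMPLE_GATEWAYS),
                                          json.dumps(SAMPLE_ISTIO_OPERATOR)), indent=2))
    print(json.dumps(tighten_gateway(SAMPLE_GATEWAYS["items"][0], INTENDED_EXPORTS), indent=2))
```

The tightened Gateway restricts exposure only at the TLS passthrough layer; per-service AuthorizationPolicy, as the slides note, is the complementary control for who may talk to what.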
Cisco Calisti Multicluster - Multi-Control Plane (Reference)

Cisco Calisti - Topology (Reference)

Summary
There are many options available for K8s-based multicluster connectivity:
- Cilium Cluster Mesh: Global Load-balancing
- Submariner: Gateway-based service-to-service connectivity
- Service Meshes: L4-7 service-to-service connectivity
- Network Service Mesh: https://networkservicemesh.io/
- Check out Cisco Calisti. Get started for free (up to 10 nodes and 2 clusters): https://calisti.app/
For specialized per-service cross-cluster connectivity, special care must be taken to select a solution that provides a balance of use-case flexibility and operational supportability.