This repository demonstrates the capabilities of Anthos Service Mesh.
# Anthos Service Mesh

## Deploying the sample micro-services application
```shell
mkdir asm
cd asm

# Get the Online Boutique code from git
kpt pkg get \
  https://github.com/japneet-sahni/anthos-service-mesh.git/online-boutique \
  online-boutique

# Deploy the application using the Kubernetes manifests
kubectl apply -f online-boutique/kubernetes-manifests/namespaces
kubectl apply -f online-boutique/kubernetes-manifests/deployments
kubectl apply -f online-boutique/kubernetes-manifests/services

# Check all application namespaces and pods
kubectl get ns --show-labels | grep -w 'ad\|cart\|checkout\|currency\|email\|frontend\|loadgenerator\|payment\|product-catalog\|recommendation\|shipping'
kubectl get pods -A | grep -w 'ad\|cart\|checkout\|currency\|email\|frontend\|loadgenerator\|payment\|product-catalog\|recommendation\|shipping'

# Get the load balancer IP and open it in a browser
kubectl get svc -n frontend
```
## Challenges

Without a service mesh, the following questions are hard to answer:

- How are the different micro-services actually connected? (We want to understand the communication schema in our cluster.)
- No metrics: how many requests are served, and what is the error rate?
- No distributed tracing: which service takes how much time for a request?
- Timeline: what if we want to dig into the past?
- Security: which traffic is encrypted, and which service is allowed to talk to which?
- Traffic management: what is the traffic split between different versions of a micro-service?
```shell
# Check namespace labels before enabling automatic sidecar injection
kubectl get ns --show-labels | grep -w 'ad\|cart\|checkout\|currency\|email\|frontend\|loadgenerator\|payment\|product-catalog\|recommendation\|shipping'

# Add the automatic sidecar injection label to all application namespaces
for ns in ad cart checkout currency email frontend loadgenerator \
          payment product-catalog recommendation shipping; do
  kubectl label namespace $ns istio-injection=enabled --overwrite
done

# Check namespace labels after enabling automatic sidecar injection
kubectl get ns --show-labels | grep -w 'ad\|cart\|checkout\|currency\|email\|frontend\|loadgenerator\|payment\|product-catalog\|recommendation\|shipping'

# Sidecars are not injected unless the deployments are restarted
kubectl get pods -A | grep -w 'ad\|cart\|checkout\|currency\|email\|frontend\|loadgenerator\|payment\|product-catalog\|recommendation\|shipping'

# Restart all application deployments so that the sidecar gets injected
for ns in ad cart checkout currency email frontend loadgenerator \
          payment product-catalog recommendation shipping; do
  kubectl rollout restart deployment -n ${ns}
done

# Check pods after enabling automatic sidecar injection
kubectl get pods -A | grep -w 'ad\|cart\|checkout\|currency\|email\|frontend\|loadgenerator\|payment\|product-catalog\|recommendation\|shipping'
```
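The two `grep` checks above leave it to the reader to spot a namespace that is still unlabelled or a pod that restarted without its sidecar. The helper below is an added example, not part of this repository: it parses constructed samples of the `kubectl get ns --show-labels` and `kubectl get pods -A` output and reports exactly the namespaces that lack `istio-injection=enabled` and the pods whose READY column shows only one container. Pipe the live `kubectl` output into the same functions to run it against a real cluster.

```shell
#!/bin/sh
# Constructed sample of `kubectl get ns --show-labels` (not from a live cluster):
# "payment" has no injection label at all, "shipping" has it explicitly disabled.
SAMPLE_NS='NAME              STATUS   AGE   LABELS
ad                Active   10m   istio-injection=enabled,kubernetes.io/metadata.name=ad
cart              Active   10m   istio-injection=enabled,kubernetes.io/metadata.name=cart
payment           Active   10m   kubernetes.io/metadata.name=payment
shipping          Active   10m   istio-injection=disabled,kubernetes.io/metadata.name=shipping'

# Constructed sample of `kubectl get pods -A` after the rollout restart:
# READY 2/2 means app container plus istio-proxy sidecar, 1/1 means no sidecar.
SAMPLE_PODS='NAMESPACE   NAME                              READY   STATUS    RESTARTS   AGE
ad          adservice-7d9f4c5b8-abcde         2/2     Running   0          1m
cart        cartservice-5f6d8c9b7-fghij       2/2     Running   0          1m
payment     paymentservice-6c7d8e9f0-klmno    1/1     Running   0          1m'

# Print, space separated, the namespaces whose LABELS column does not contain
# istio-injection=enabled (a missing label and "disabled" both count as missing).
missing_injection() {
  printf '%s\n' "$1" | awk '
    NR > 1 && $4 !~ /(^|,)istio-injection=enabled(,|$)/ { out = out (out ? " " : "") $1 }
    END { print out }'
}

# Print, as namespace/pod, every pod whose READY column reports fewer than two
# containers in total, i.e. a pod that is still running without a sidecar.
pods_without_sidecar() {
  printf '%s\n' "$1" | awk '
    NR > 1 { split($3, c, "/"); if (c[2] + 0 < 2) out = out (out ? " " : "") $1 "/" $2 }
    END { print out }'
}

missing_injection "$SAMPLE_NS"        # payment shipping
pods_without_sidecar "$SAMPLE_PODS"   # payment/paymentservice-6c7d8e9f0-klmno
```

Against a live cluster: `missing_injection "$(kubectl get ns --show-labels)"` and `pods_without_sidecar "$(kubectl get pods -A)"`.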
## Install the Istio ingress gateway

```shell
kubectl create namespace gatewayns
kubectl label namespace gatewayns istio-injection=enabled --overwrite
kubectl apply -n gatewayns -f asm-install/samples/gateways/istio-ingressgateway

# Gateway and VirtualService for the frontend
kubectl apply -f online-boutique/istio-manifests/frontend-gateway.yaml

# Access the application through the Istio ingress gateway
kubectl get service istio-ingressgateway -n gatewayns
```
## Observability

### Topology

### Service Dashboard

### Timeline

### Traffic

## Security

### Mutual TLS
In Anthos Service Mesh 1.5 and later, auto mutual TLS (auto mTLS) is enabled by default. With auto mTLS, a client sidecar proxy automatically detects whether the server has a sidecar. The client sidecar sends mTLS to workloads with sidecars and sends plaintext to workloads without sidecars. Note, however, that services accept both plaintext and mTLS traffic. Once you inject sidecar proxies into your Pods, we recommend that you also configure your services to accept only mTLS traffic.

With Anthos Service Mesh, you can enforce mTLS outside of your application code by applying a single YAML file.
Go to Anthos Security -> Policy Audit.

```shell
# Hit both load balancers before the change below, then apply STRICT peer authentication
for ns in ad cart checkout currency email frontend loadgenerator \
          payment product-catalog recommendation shipping; do
  kubectl apply -n $ns -f online-boutique/istio-manifests/peer-authentication.yaml
done
```

- Hit the ingress gateway load balancer directly (Pass)
- Hit the frontend load balancer directly (Fail)

Go to Anthos Security -> Policy Audit.
```shell
# Deploy the VirtualService and DestinationRule for v1 of productcatalog
kubectl apply -f online-boutique/istio-manifests/canary/destination-vs-v1.yaml

# Deploy v2 of productcatalog
kubectl apply -f online-boutique/istio-manifests/canary/productcatalogservice-v2.yaml

# Get all pods
kubectl get pods -A | grep -w 'ad\|cart\|checkout\|currency\|email\|frontend\|loadgenerator\|payment\|product-catalog\|recommendation\|shipping'

# Apply the DestinationRule with subsets for v1 and v2
kubectl apply -f online-boutique/istio-manifests/canary/destination-v1-v2.yaml

# Apply the VirtualService that splits traffic between v1 and v2
kubectl apply -f online-boutique/istio-manifests/canary/vs-split-traffic.yaml
```