last day2 talk

2024-03-20 17:58:13 +01:00 · 2024-03-20 17:58:13 +01:00 · 00d8ae29c4
commit 00d8ae29c4
parent 33f615aaf0
1 changed files with 153 additions and 0 deletions
--- a/content/day2/11_sidecarless.md
+++ b/content/day2/11_sidecarless.md
@ -0,0 +1,153 @@
+---
+title: Comparing sidecarless service mesh from cilium and istio
+weight: 11
+---
+
+Global field CTO at Solo.io with a hint of servicemesh background.
+
+## History
+
+* LinkerD 1.X was the first moder servicemesh and basicly a opt-in serviceproxy
+* Challenges: JVM (size), latencies, ...
+
+### Why not node-proxy?
+
+* Per-node resource consumption is unpredictable
+* Per-node proxy must ensure fairness
+* Blast radius is always the entire node
+* Per-node proxy is a fresh attack vector
+
+### Why sidecar?
+
+* Transparent (ish)
+* PArt of app lifecycle (up/down)
+* Single tennant
+* No noisy neighbor
+
+### Sidecar drawbacks
+
+* Race conditions
+* Security of certs/keys
+* Difficult sizing
+* Apps need to be proxy aware
+* Can be circumvented
+* Challenging upgrades (infra and app live side by side)
+
+## Our lord and savior
+
+* Potential solution: eBPF
+* Problem: Not quite the perfect solution
+* Result: We still need a L7 proxy (but some L4 stuff can be implemented in kernel)
+
+### Why sidecarless
+
+* Full transparency
+* Optimized networking
+* Lower ressource allocation
+* No race conditions
+* No manual pod injection
+* No credentials in the app
+
+## Architecture
+
+* Control Plane
+* Data Plane
+* mTLS
+* Observability
+* Traffic Control
+
+## Cilium
+
+### Basics
+
+* CNI with eBPF on L3/4
+* A lot of nice observability
+* Kubeproxy replacement
+* Ingress (via Gateway API)
+* Mutual Authentication
+* Specialiced CiliumNetworkPolicy
+* Configure Envoy throgh Cilium
+
+### Control Plane
+
+* Cilium-Agent on each node that reacts to scheduled workloads by programming the local dataplane
+* API via Gateway API and CiliumNetworkPolicy
+
+```mermaid
+flowchart TD
+    subgraph kubeserver
+        kubeapi
+    end
+    subgraph node1
+        kubeapi<-->control1
+        control1-->data1
+    end
+    subgraph node2
+        kubeapi<-->control2
+        control2-->data2
+    end
+    subgraph node3
+        kubeapi<-->control3
+        control3-->data3
+    end
+```
+
+### Data plane
+
+* Configured by control plane
+* Does all of the eBPF things in L4
+* Does all of the envoy things in L7
+* In-Kernel Wireguard for optional transparent encryption
+
+### mTLS
+
+* Network Policies get applied at the eBPF layer (check if id a can talk to id 2)
+* When mTLS is enabled there is a auth check in advance -> It it fails, proceed with agents
+* Agents talk to each other for mTLS Auth and save the result to a cache -> Now ebpf can say yes
+* Problems: The caches can lead to id confusion
+
+## Istio
+
+### Basiscs
+
+* L4/7 Service mesh without it's own CNI
+* Based on envoy
+* mTLS
+* Classicly via sidecar, nowadays
+
+### Ambient mode
+
+* Seperate L4 and L7 -> Can run on cilium
+* mTLS
+* Gateway API
+
+### Control plane
+
+```mermaid
+flowchart TD
+    kubeapi-->xDS
+
+    xDS-->dataplane1
+    xDS-->dataplane2
+
+    subgraph node1
+        dataplane1
+    end
+
+    subgraph node2
+        dataplane2
+    end
+```
+
+* Central xDS Control Plane
+* Per-Node Dataplane that reads updates from Control Plane
+
+### Data Plane
+
+* L4 runs via zTunnel Daemonset that handels mTLS
+* The zTunnel traffic get's handed over to the CNI
+* L7 Proxy lives somewhere™ and traffic get's routed through it as an "extra hop" aka waypoint
+
+### mTLS
+
+* The zTunnel creates a HBONE (http overlay network) tunnel with mTLS