Optimal Canary Deployments using Istio and how it scores over Spring Cloud and Kubernetes
Release or Deployment? • A canary deployment, or canary release, is a deployment pattern that allows you to roll out new code/features to a subset of users as an initial test. [Slide diagrams: Canary Releases Using Kubernetes Deployment. External traffic to www.my-application.com passes through a Service (load balancer) to pods, split 75%/25%, then 50%/50%, then 0%/100%.]
0 points | 9 pages | 1011.00 KB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Service Mesh using Istio Sudheendra Murthy #IstioCon Agenda ● Introduction ● Applications Deployment ● Service Mesh Journey ● Scale Testing ● Future Direction Introduction: eBay at ● Running on variety of Hardware ○ General-purpose x86 servers ○ GPUs Application Deployment: Cloud Layout ● Region: A metro region ● DC: One or more Data Centers in each Region ● AZ: PoPs are mini AZs Region R1 AZ 1 AZ 2 AZ n Data Center DC1 Region Rn Application Deployment: Cloud Layout ● Multiple K8s Clusters in an AZ ○ Each K8s cluster ~ 200 - 5,000 nodes ○ Up to
0 points | 22 pages | 505.96 KB | 1 year ago
Istio Security Assessment
security-related topics to a single page. Right now there are “Security” topics included within Deployment, Configuration, Best Practices, and Common Problems but there are also topics that are security in a DoS attack if a large request is made repeatedly. Description Pilot, runs in the “istiod” Deployment within the Istio control plane along with a set of TCP services that it exposes. One of which is of extra features • empty: provides a template • minimal: minimal config to get an operational deployment • preview: enables experimental features The “default” profile (used to generate the Kubernetes
0 points | 51 pages | 849.66 KB | 1 year ago
Canary Release Practice for Kubernetes Container Applications Based on Istio
Canary release: forms in which canary versions exist kind: Deployment metadata: name: rating-v1 spec: replicas: 2 template: metadata: labels: app: rating version: v1 spec: containers: - image: rating-v1 ... --- kind: Deployment metadata: spec: containers: - image: rating-v2 ... Kubernetes Service Version Version Service Deployment Deployment Label selector Istio Several important Istio resource objects • Entry-point resource objects • VirtualService • DestinationRule • Important attributes
0 points | 38 pages | 14.93 MB | 1 year ago
Canary Release Practice for Kubernetes Container Applications Based on Istio
Canary release: forms in which canary versions exist kind: Deployment metadata: name: rating-v1 spec: replicas: 2 template: metadata: labels: app: rating version: v1 spec: containers: - image: rating-v1 kind: Deployment metadata: name: spec: containers: - image: rating-v2 Kubernetes Service Version Version Service Deployment Deployment Label selector Istio Several important Istio resource objects • Entry-point resource objects – VirtualService – DestinationRule •
0 points | 34 pages | 2.64 MB | 5 months ago
Introduction to Envoy Internals and Pitfalls from Production Issues
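The istio-init container is added to configure the iptables rules inside the container network • The istio-proxy container starts the pilot-agent process, which uses UID=1337 GID=1337 and creates the Envoy startup command line and configuration file • Automatic injection can be skipped with the Istio annotation sidecar.istio.io/inject: "false" in a custom deployment, or some startup parameters can be modified. • 2. Control plane communication • The pilot-agent process itself creates a UDS envoy binary, then replace the existing envoy image and configure it as the image in the custom deployment, • Dockerfile: • From istio/proxyv2:1.9.0 COPY envoy /usr/local/bin/envoy COPY pilot-agent /usr/local/bin/pilot-agent • Some startup parameters can be modified through Istio annotations in a custom deployment. • proxy 14 high-performance service mesh data-plane proxy xDS: the gRPC-based application-layer protocol used between Envoy and an upper-layer control plane such as istiod to transfer configuration changes. Automatic injection and traffic interception: when a Pod is created, istiod automatically modifies the deployment and injects the istio-init and istio-proxy containers into the newly created Pod; when a call occurs, the iptables rules automatically intercept inbound and outbound traffic and send it into the Envoy proxy. Threading model: Envoy uses, for each worker thread
0 points | 30 pages | 2.67 MB | 1 year ago
Istio in Production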
inbound: - name: consumer-a nais.yaml cluster kubectl apply -f nais.yaml application deployment service virtualservice autoscaler networkpolicy servicerole servicerolebinding serviceentry local secrets: true accessPolicy: inbound: - name: consumer-a deployment service autoscaler deployment service virtualservice autoscaler networkpolicy servicerole servicerolebinding
0 points | 42 pages | 3.45 MB | 1 year ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
dockerconfigjson=myconfig.json --type=kubernetes.io/dockerconfigjson ASMFilter Deployment resource object Controller (Watch & Reconcile) Istio EnvoyFilter CR wasm filter binary file Service Mesh ASM Pod K8s cluster workloadSelector: labels: app: productpage version: v1 Updated Deployment - mounts the wasm filter file into the Proxy container via hostPath apiVersion: extensions/v1beta1 kind: Deployment metadata: .… spec: …. template: metadata: annotations:
0 points | 23 pages | 2.67 MB | 1 year ago
Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
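Isolating user requests from batch jobs (Dubbo) 1. Add the custom property service_group for the Provider in the dubbo: application configuration 2. Set the SERVICE_GROUP environment variable through the Provider's deployment 3. Set the batchJob header when the consumer makes a call 4. Set the corresponding DR and VS traffic rules https://docs application configuration, add the custom property aeraki_meata_locality for the Provider 2. In the provider's deployment, set the region it belongs to through an environment variable 3. In the consumer's deployment, declare its region and zone through labels 4. Enable locality load balancing through a DR rule https://docs
0 points | 29 pages | 2.11 MB | 1 year ago
Istio is a long wild river: how to navigate it safely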
Create a new Deployment with new name (immutable field) with the app and version labels 2. Make sure the Service is serving both Deployments 3. Create HPAs to target the new Deployment 4. Delete old Deployment Simple, isn’t it? Now, repeat for hundreds of services! Good luck :D Label selector updates for app and version labels Adopting Istio A more sustainable approach: ● Use your CD tooling
0 points | 69 pages | 1.58 MB | 1 year ago