Some points from my recent experience. There is a very big cost management aspect of the setup that you did not cover, which is understandable.
1. When you have multiple thousands of applications in the cluster, the cost of data transfer for the Envoy configs can be crazy. We used sidecars to limit the amount of data that gets shared. The cost for us was cross-zone data transfer.
2. On multi-cluster networks the API servers talk to each other, and if you have CloudWatch logs enabled, this can also increase the operational cost. I am investigating moving these logs to S3 instead.
3. I recently had an issue in production when using a self-signed certificate, where the ingress was failing with an error saying I am using self-signed certificates. This error never came up in the dev or staging cluster; it only happened in production. I am looking into moving to Vault or KMS and cert-manager. My preference would have been to suppress this error for now and do the cert-manager setup later.
4. I would also like to explore canary upgrades for the control plane for safer deployments. Istio can cause a big headache when stuff breaks in production.
@2164SONUSINGH (1 month ago)
I am new to OPAL. I am not able to figure out how to add the data of a new user after registration in my application. Can you tell me how to do it?
@chiragchoudha9585 (1 month ago)
Can we use PrivateLink to run multi-cluster Istio?
@SanjeevTheTechNinja (1 month ago)
PrivateLink is used to establish connectivity between VPCs and AWS services without exposing data to the internet. If you want to establish VPC-to-VPC connectivity, then yes, you could use PrivateLink.
@MrKofiray71 (2 months ago)
Excellent demo, team! This must be the best demonstration of running Istio on EKS. The provided Terraform code works flawlessly, and the tutorials are outstanding. Well done!
@SanjeevTheTechNinja (1 month ago)
Thank you
@FlimFlamBougelets (2 months ago)
Thanks Peter. -- Question: is this prod or in beta (ztunnel and waypoint proxy)?
@learncloudnative (2 months ago)
Hi! This blog post goes into more specifics on what's considered beta and suitable for production with certain precautions: istio.io/latest/blog/2024/ambient-reaches-beta/#what-is-in-the-scope-of-the-beta
@arozendojr (2 months ago)
Is it possible with ingress in Kubernetes to place a rule (or rules) so that if the authService service receives a body with a name property equal to teste200, it is sent to the authServiceBeta_1.3 service?
@paulfx5019 (2 months ago)
Hi Peter, great deep dive into k8s & Cilium networking. I do have a question though: with an on-prem bare-metal deployment, do I still need to use MetalLB or can I use Cilium instead?
@learncloudnative (2 months ago)
You could -- check out these docs: docs.cilium.io/en/latest/network/l2-announcements/
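As an added example of what the linked docs describe (this is not configuration from the video or from the Cilium project's own docs), the following manifests replace MetalLB's L2 mode with Cilium's LoadBalancer IPAM plus L2 announcements. It assumes Cilium was installed with kube-proxy replacement and the Helm value `l2announcements.enabled=true`; the pool name, the `lb-pool: lan` label, the `web` Service and the 192.0.2.0/24 range (a documentation prefix standing in for a real LAN subnet) are all constructed for the example.

```yaml
# Added example, not part of the original page: Cilium as a MetalLB replacement.
# Assumes Cilium with kube-proxy replacement and l2announcements.enabled=true.
---
# 1. The pool of addresses Cilium may hand out to Services of type LoadBalancer.
#    192.0.2.0/24 is a placeholder documentation range.
apiVersion: cilium.io/v2alpha1
kind: CiliumLoadBalancerIPPool
metadata:
  name: lan-pool
spec:
  blocks:
  - cidr: "192.0.2.0/24"
  # Only Services carrying this label draw from the pool; drop the selector to
  # make the pool the default for every LoadBalancer Service in the cluster.
  serviceSelector:
    matchLabels:
      lb-pool: lan
---
# 2. Which nodes answer ARP for those addresses, and on which interfaces.
apiVersion: cilium.io/v2alpha1
kind: CiliumL2AnnouncementPolicy
metadata:
  name: lan-announce
spec:
  serviceSelector:
    matchLabels:
      lb-pool: lan
  # Keep control-plane nodes out of the per-service leader election.
  nodeSelector:
    matchExpressions:
    - key: node-role.kubernetes.io/control-plane
      operator: DoesNotExist
  interfaces:
  - ^eth[0-9]+
  externalIPs: true
  loadBalancerIPs: true
---
# 3. A Service that opts in; `kubectl get svc web` shows an EXTERNAL-IP from the pool.
apiVersion: v1
kind: Service
metadata:
  name: web
  labels:
    lb-pool: lan
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
```

Two things to keep in mind when swapping: L2 announcement is failover rather than load balancing (exactly one node answers ARP for a given service IP at a time, so traffic for that IP lands on that node and is then redistributed by Cilium), and because it uses Kubernetes leases for the election, the Cilium docs recommend raising the agent's API client rate limit on larger clusters.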
@chandrasekharkolla9879 (2 months ago)
What is the need to do a port-forward for Kiali when we have istioctl installed? Can't we just do istioctl dashboard kiali instead? What is the difference between these two methods of accessing the Kiali dashboard? Is it the same, or is anything different if we access it one way versus the other?
@learncloudnative (2 months ago)
Hi! Yes, you can do istioctl dashboard kiali (which underneath runs the port-forward command); in the end it works more or less the same. If you wanted to make this accessible to internal users, for example, you'd expose the Kiali service through your ingress/API gateway.
@user-uq7hg9zw5j (3 months ago)
Hi, really nice demo! I would like to use Envoy without Docker; where can I find the envoy.exe?
@MKLUPO (3 months ago)
Is there a CVE for this?
@learncloudnative (3 months ago)
Cilium's mutual authentication mechanism is still marked as Beta and there are issues/work items open that will try to address this. github.com/cilium/cilium/issues/28986
@FlimFlamBougelets (3 months ago)
@@learncloudnative Thanks Peter. Do you have a GA date?
@learncloudnative (3 months ago)
@@FlimFlamBougelets Unfortunately I don't. The issue mentions "work for 1.15 and beyond" -- it might be best if you ask the question there.
@johnkapukian5803 (3 months ago)
Which Gloo gateway are you installing? Link to documentation? Why present with no link to GitHub?
@CallMeAlade (3 months ago)
How is the Gloo gateway programmed?
@ramvennam7870 (3 months ago)
Gloo extends Kubernetes with CRDs. This allows Gloo to be programmed using Kubernetes Custom Resources, making it declarative and GitOps friendly.
@AshishAgarwal-bs2sx (3 months ago)
Rate limit headers are not being propagated to the upstream. Any idea on how to get that resolved?
@javadahmadian7782 (3 months ago)
So helpful, thanks
@learncloudnative (3 months ago)
Thank you!
@user-ym6lf8wd8o (4 months ago)
Does Istio not support JWT authentication as well?
@learncloudnative (4 months ago)
Istio supports JWT for user authentication. In this stream we talked about using JWT vs. mTLS for service-to-service authentication.
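To make the distinction in that answer concrete, here is an added example (not from the stream or the Istio project) that layers the two mechanisms on one workload: mTLS via PeerAuthentication authenticates the calling service, RequestAuthentication validates the end user's JWT, and an AuthorizationPolicy requires both. The `orders` and `checkout` namespaces, the `orders-api` label, the issuer `https://idp.example.test` and its JWKS URL are placeholders invented for the example.

```yaml
# Added example, not part of the original page: service identity (mTLS) and
# user identity (JWT) enforced together. Issuer/JWKS values are placeholders.
# On Istio < 1.20 use apiVersion security.istio.io/v1beta1.
---
# 1. Service-to-service: every workload in the namespace must present an
#    Istio-issued client certificate; plaintext connections are refused.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: orders
spec:
  mtls:
    mode: STRICT
---
# 2. End user: validate JWTs arriving at the orders-api workload. By itself
#    this only rejects requests carrying an INVALID token; a request with no
#    token at all is still admitted, which is why step 3 is needed.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: orders-jwt
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders-api
  jwtRules:
  - issuer: "https://idp.example.test"                        # placeholder issuer
    jwksUri: "https://idp.example.test/.well-known/jwks.json"  # placeholder JWKS endpoint
    forwardOriginalToken: true   # keep the Authorization header for the app
---
# 3. Require both identities: the caller must be the checkout service's
#    SPIFFE identity (from its mTLS certificate) AND carry a valid JWT from
#    the issuer above (requestPrincipal is "<issuer>/<subject>").
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-require-jwt
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders-api
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/checkout/sa/checkout"]
        requestPrincipals: ["https://idp.example.test/*"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/orders", "/orders/*"]
```

With an ALLOW policy in place, anything not matched by a rule is denied, so a request that arrives over mTLS from the right service but without a JWT now gets a 403 instead of passing through; a quick check is to curl the workload from the checkout pod once with and once without an `Authorization: Bearer` header and compare the status codes.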
@user-tl6xo1uq4m (4 months ago)
How about rotating the root certificate with cert-manager?
@learncloudnative (4 months ago)
The idea is to use intermediate certificates and not the root cert directly. You can configure cert-manager to manage and handle cacerts and then have istiod automatically reload them.
@BoyanOrion (4 months ago)
Why were nftables not used instead of iptables during this "transition" period towards eBPF?
@learncloudnative (4 months ago)
I think k8s added support for nftables in kube-proxy just last year: github.com/kubernetes/kubernetes/pull/121046/files
@BoyanOrion (4 months ago)
@@learncloudnative Thank you for sharing that. Yeah, it seems they went directly into k8s v1.29. Too late, I already removed kube-proxy from my cluster and went full-mode Cilium :)) Anyway, I guess it's worth having nftables in kube-proxy as an option as well.
@andy.mindful (4 months ago)
Thank you, great overview for newcomers to the K8s world.
@learncloudnative (4 months ago)
Thank you! Glad it was helpful!
@soloio_inc (4 months ago)
Thanks for watching!
@garciajero (5 months ago)
Amazing content and really clear!
@soloio_inc (5 months ago)
Thanks for watching!
@kbcbala (5 months ago)
17:00 Start after the intro
@spiraldynamics6008 (6 months ago)
Very useful, thank you from France. Do you have a GitHub to share your YAML files, please?
@learncloudnative (6 months ago)
Thank you! You can find the demo here: github.com/solo-io/hoot/tree/master/51-kube-networking-cilium-2
@spiraldynamics6008 (6 months ago)
@@learncloudnative Thank you!
@spiraldynamics6008 (6 months ago)
Thank you! Please continue to go into more and more detail 🤪
@thusharajayamanna9254 (6 months ago)
Great explanation. Thanks.
@soloio_inc (6 months ago)
Thanks for watching!
@deepakdeore (7 months ago)
How did you swap the pods' IP addresses?
@learncloudnative (7 months ago)
You can check the commands/scripts used here: www.solo.io/blog/could-network-cache-based-identity-be-mistaken/
@deepakdeore (7 months ago)
The actual shared window became small and not easy to read even on a laptop; maybe in the next videos it can be fixed. EDIT: the terminal was clear, but the diagrams weren't very clear.
@learncloudnative (7 months ago)
Thanks for the feedback! You can get a better resolution of the diagrams in this article: thenewstack.io/how-ciliums-mutual-authentication-can-compromise-security/
@user-wb7xx9du3x (7 months ago)
LoadBalancer functionality demo
@sarathreddy2356 (7 months ago)
Can you please share the GitHub repo?
@learncloudnative (7 months ago)
The GitHub repo for all episodes is here: github.com/solo-io/hoot
@sarathreddy2356 (5 months ago)
Thank you @@learncloudnative
@arozendojr (7 months ago)
Can you answer a question: is it possible to use Jaeger + Istio for every request and response event of each microservice, automatically, without changing microservice/pod code? How can I find the configuration I should do?
@neerajpoddar7559 (7 months ago)
Hi Antonio, you're correct that you need to change the app code in order to propagate headers so that spans correlate to a trace as requests traverse multiple microservices. With Istio that's the only change needed in the app (i.e. propagating 5-6 HTTP tracing-related headers), and the Envoy proxies deployed as sidecars take care of creating root/child spans and dispatching them to the tracing backend system. Hope that answers your question.
@DeepakKumarGid (8 months ago)
With Istio you can use a DestinationRule to pick pods based on selectors. Is there any way to achieve that with the Gateway API, since HTTPRoute backendRef only allows pointing to Services and has no option to choose based on pod selectors?
@SuperAleksandar96 (8 months ago)
Great show as always, keep it up
@soloio_inc (7 months ago)
Much appreciated
@zous89 (8 months ago)
Hello, I would like to ask: do you offer Gloo Mesh Core as a free alternative to the Gloo Mesh Enterprise offering, or is it just a test bed?
@soloio_inc (8 months ago)
Gloo Mesh Core is a fully supported commercial offering focused on helping users get the most out of Istio. A comparison chart for Gloo Mesh Core and Gloo Mesh Enterprise can be found at www.solo.io/products/gloo-mesh/. You can get started with Gloo Mesh Core with a free trial: www.solo.io/free-trial/
@letme4u (8 months ago)
Wonderful session with so much clarity. Thanks for your efforts.
@soloio_inc (7 months ago)
Glad it was helpful!
@itcloudguy (8 months ago)
Good book. But too many typos and mistakes in commands, and almost no explanation of the YAML files. The reader has to google them and fix the typos.
@christianposta (8 months ago)
Thanks for the feedback! We worked hard to avoid typos, especially in the commands, i.e., we run the commands for our testing directly from the text in the book. If you find errata, can you please report it so we can fix it?
@davidnassau23 (9 months ago)
Dude, you need to slow down. Give people a chance to look at the screens. I think you should go half this speed.
@soloio_inc (9 months ago)
Thanks for the feedback! We will keep this in mind for future demos. In the meantime, you can watch this at a slower speed by clicking the settings wheel in the bottom right of the video and then selecting "Playback speed."
@learncloudnative (9 months ago)
Thanks everyone for joining! Check out the demos here: github.com/peterj/jwts-for-services. Feel free to reach out if you have any more questions!
@Babbili (10 months ago)
Thank you guys, I was trying 2 days ago to use Cilium IPAM and BGP instead of MetalLB
@benbaker76 (9 months ago)
I just switched from MetalLB to Cilium IPAM and BGP :)
@Babbili (9 months ago)
@@benbaker76 Can I use Cilium with Istio, or am I gonna have some issues? Seems like if you're using Cilium then you gotta use it for everything.
@olasumbo2663 (11 months ago)
It is not odd for Nigerians based in Nigeria to be watching Cilium. Remember there are so many Nigerians based in the US working in the DevOps space. Lol. We are starting to mentor Nigerians who are based in Nigeria about Kubernetes. Nigerian banks and companies are some of the biggest in Africa.
@tusharmath (11 months ago)
They could have edited out the part where Lin froze 🤣
@chahatnayyar5931 (11 months ago)
I have implemented rate limits for path prefix match and exact match as well. But I'm struggling to match regex patterns in Envoy and to define wildcards in descriptors in the configmap. Can anyone let me know how we can implement rate limiting on nested paths, e.g. /api/v1/products/*
@YuvalKohavi (11 months ago)
If you have a route matching that path, what about adding a constant generic key representing this path and its sub-paths? I.e. on that route add a generic_key action with value "products"
Is gloo platform fully paid or we can use open source version?
@eduardosanzb (1 year ago)
Thanks; I love your videos! It would be wonderful to get some videos explaining: 1. the structure of EnvoyFilters; 2. common patterns (e.g. filtering per service/svn/path), with plenty of diagrams like this one! Love them! Thanks again!!!!
@valour.se47 (1 year ago)
Interesting 🧐 The results are promising
@jithutube (1 year ago)
Sir, is there a mechanism to intercept the response path? For example, if I need to analyse the response headers and content and then modify the response or status code, how do I get a hook for that?
@soloio_inc (1 year ago)
Hi! The ext-authz filter does not allow you to modify the response. A newer filter called ext_proc was added to Envoy that allows you to do that. See here for more info: www.envoyproxy.io/docs/envoy/v1.26.2/configuration/http/http_filters/ext_proc_filter.html
@TheTobacko1 (1 year ago)
Love INVITAE. Great company ❤❤❤❤❤
@user-cw2sh2ng6k (1 year ago)
How can I set up the environment to follow along with your demo? Thanks
@soloio_inc (1 year ago)
You can see the code and configs used in the demo right here: github.com/solo-io/hoot/tree/master/01-intro
@nikhilsrivastava9120 (1 year ago)
This was awesome, thanks a ton!! Can you explain in the next video how we can assign a custom security identity to a subset of Cilium endpoints based on some custom logic? Example: say a pod has multiple IP addresses (say 50, due to multiple network interfaces on it), and out of those 50 IP addresses I want to create a network policy to filter just 10 IP addresses from that pod. In that case a pod-label-based policy won't work. Hence, I was thinking we could assign a custom security identity to those 10 endpoints and then use that security identity in the network policy to admit traffic originating from a subset of endpoints associated with a single pod.
@learncloudnative (1 year ago)
Hi @nikhilsrivastava9120! I'd like to learn more about your scenario; can you ping me on Solo Slack? (slack.solo.io)
@nishantagrawal6244 (1 year ago)
This is super helpful. Thanks a lot. But I have a minor confusion with terminologies. 1. When you say Envoy, whose server you ran on the right, does that Envoy mean the proxy/gateway server which uses the Envoy rate limiter? Is that correct? 2. Whenever a request is sent, does it first go to the gateway/proxy or first go to the rate limit service (whose server you started on the left)?
@learncloudnative (1 year ago)
With global rate limiting there are multiple components in place. You need a Redis instance that connects to the rate limiting service. Then, on the other side, you have an Envoy proxy. The proxy is configured to talk to the rate limiting service to get information about rate limits and to enforce them.
@YuvalKohavi (11 months ago)
1. Yes. 2. The request goes to Envoy first. Envoy queries the rate limit service transparently to the client.
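The following added example (not from the stream or the solo-io/hoot repo) wires up the components described in the last two answers, and at the same time shows the generic_key approach suggested earlier in the thread for rate limiting a nested path such as /api/v1/products/*: Envoy receives the request, the ratelimit HTTP filter asks the rate limit service about the route's descriptors, and the service counts against Redis. The hostnames `products.internal` and `ratelimit.internal`, the ports, the `api` domain, the `path_group` descriptor key and the 100 requests/minute limit are all placeholders chosen for the example.

```yaml
# Added example, not part of the original page. Two YAML documents:
# the Envoy config, then the envoyproxy/ratelimit service config.
# Hostnames, ports, domain and limits are placeholders.
# --- Envoy bootstrap (static) -------------------------------------------------
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: api
              domains: ["*"]
              routes:
              # Every nested path under /api/v1/products/ matches this one route,
              # so a constant generic_key descriptor covers the whole subtree; no
              # regex or wildcard is needed in the descriptor itself.
              - match: { prefix: "/api/v1/products/" }
                route:
                  cluster: products
                  rate_limits:
                  - actions:
                    - generic_key:
                        descriptor_key: "path_group"   # defaults to "generic_key" if omitted
                        descriptor_value: "products"
              - match: { prefix: "/" }
                route: { cluster: products }
          http_filters:
          # Runs before the router: sends the route's descriptors to the rate
          # limit service and returns 429 when the service says OVER_LIMIT.
          - name: envoy.filters.http.ratelimit
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
              domain: api
              failure_mode_deny: false   # fail open if the rate limit service is unreachable
              rate_limit_service:
                transport_api_version: V3
                grpc_service:
                  envoy_grpc: { cluster_name: ratelimit }
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: products
    type: STRICT_DNS
    load_assignment:
      cluster_name: products
      endpoints:
      - lb_endpoints:
        - endpoint: { address: { socket_address: { address: products.internal, port_value: 80 } } }
  - name: ratelimit
    type: STRICT_DNS
    # The rate limit service speaks gRPC, so the cluster must use HTTP/2.
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options: {}
    load_assignment:
      cluster_name: ratelimit
      endpoints:
      - lb_endpoints:
        - endpoint: { address: { socket_address: { address: ratelimit.internal, port_value: 8081 } } }
---
# --- Rate limit service config (envoyproxy/ratelimit format) -----------------
# The domain and descriptor key/value must match what the Envoy route sends.
# The service itself holds the counters in Redis; Envoy never talks to Redis.
domain: api
descriptors:
  - key: path_group
    value: products
    rate_limit:
      unit: minute
      requests_per_unit: 100
```

Note the `failure_mode_deny: false` choice: with it, an outage of the rate limit service (or of Redis behind it) degrades to "no limiting" rather than to a full outage of the route, which is usually the right trade-off for a protective limit but the wrong one for a limit that enforces a paid quota; flip it to `true` in the latter case and monitor the filter's `ratelimit.*` stats so that a failing limiter is noticed either way.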