qstockmedia - Fotolia
Enterprise IT operations pros who support microservices face a thorny challenge with Kubernetes networking, but service mesh architectures could help address their concerns.
Kubernetes networking under traditional methods faces performance bottlenecks. Centralized network resources must handle an order of magnitude more connections once the user migrates from VMs to containers. As containers appear and disappear much more frequently, managing those connections at scale quickly can create confusion on the network, and stale information inside network management resources can even misdirect traffic.
IT pros at KubeCon this month got a glimpse at how early adopters of microservices have approached Kubernetes networking issues with service mesh architectures. These network setups are built around sidecar containers, which act as a proxy for application containers on internal networks. Such proxies offload networking functions from application containers and offer a reliable way to track and apply network security policies to ephemeral resources from a centralized management interface.
Proxies in a service mesh better handle one-time connections between microservices than can be done with traditional networking models. Service mesh proxies also tap telemetry information that IT admins can't get from other Kubernetes networking approaches, such as transmission success rates, latencies and traffic volume on a container-by-container basis.
"The network should be transparent to the application," said Matt Klein, a software engineer at San Francisco-based Lyft, which developed the Envoy proxy system to address networking obstacles as the ride-sharing company moved to a microservices architecture over the last five years.
"People didn't trust those services, and there weren't tools that would allow people to write their business logic and not focus on all the faults that were happening in the network," Klein said.
With a sidecar proxy in Envoy, each of Lyft's services only had to understand its local portion of the network, and the application language no longer factored in its function. At the time, only the most demanding web application required proxy technology such as Envoy. But now, the complexity of microservices networking makes service mesh relevant to more mainstream IT shops.
The National Center for Biotechnology Information (NCBI) in Bethesda, Md., has laid the groundwork for microservices with a service mesh built around Linkerd, which was developed by Buoyant. The bioinformatics institute used Linkerd to modernize legacy applications, some as many as 30 years old, said Borys Pierov, a software developer at NCBI.
Any app that uses the HTTP protocol can point to the Linkerd proxy, which gives NCBI engineers improved visibility and control over advanced routing rules in the legacy infrastructure, Pierov said. While NCBI doesn't use Kubernetes yet -- it uses HashiCorp Consul and CoreOS rkt container runtime instead of Kubernetes and Docker -- service mesh will be key to container networking on any platform.
"Linkerd gave us a look behind the scenes of our apps and an idea of how to split them into microservices," Pierov said. "Some things were deployed in strange ways, and microservices will change those deployments, including the service mesh that moves us to a more modern infrastructure."
Kubernetes networking will cozy up with service mesh next year
Linkerd is one of the most well-known and widely used tools among the multiple open source service mesh projects in various stages of development. However, Envoy has gained notoriety because it underpins a fresh approach to the centralized management layer, called Istio. This month, Buoyant also introduced a better performing and efficient successor to Linkerd, called Conduit.
Borys Pierovsoftware developer, National Center for Biotechnology Information
It's still too early for any of these projects to be declared the winner. The Cloud Native Computing Foundation (CNCF) invited Istio's developers, which include IBM, Microsoft and Lyft, to make the Istio CNCF project, CNCF COO Chris Aniszczyk said at KubeCon. But Buoyant also will formally present Conduit to the CNCF next year, and multiple projects could coexist within the foundation, Aniszczyk said.
Kubernetes networking challenges led Gannett's USA Today Network to create its own "terrible, over-orchestrated" service mesh-like system, in the words of Ronald Lipke, senior engineer on the USA Today platform-as-a-service team, who presented on the organization's Kubernetes experience at KubeCon. HAProxy and the Calico network management system have supported Kubernetes networking in production so far, but there have been problems under this system with terminating nodes cleanly and removing them from Calico quickly so traffic isn't misdirected.
Lipke likes the service mesh approach, but it's not yet a top priority for his team at this early stage of Kubernetes deployment. "No one's really asking for it yet, so it's taken a back seat," he said.
This will change in the new year. The company plans to rethink the HAproxy approach to reduce its cloud resource costs and improve network tracing for monitoring purposes. The company has done proof-of-concept evaluations around Linkerd and plans to look at Conduit, he said in an interview after his KubeCon session.