GambleHub

Service Mesh: Istio, Linkerd

1) What a service mesh is and when it is needed

A service mesh is a network layer (data plane plus control plane) that provides mTLS, routing, fault tolerance and observability between services without rewriting application code.

Goals:
  • Security (zero trust, service identity, access policy).
  • Traffic management (Canary/Blue-Green, A/B, shadowing).
  • Reliability (retries, timeouts, circuit breaking).
  • Observability (metrics, logs, traces).
  • Operational standardisation (policy as code, GitOps).
When to adopt a mesh:
  • Many microservices in several languages, with an mTLS requirement.
  • Advanced routing/testing scenarios are needed without changing the application.
  • Audit and policy requirements exist at the network level.

2) Istio vs Linkerd: a short comparison

| Aspect | Istio | Linkerd |
|---|---|---|
| Proxy | Envoy (L7) | rust-proxy (L7 for http/grpc), minimalist |
| Installation | IstioOperator / helm | `linkerd install` / helm |
| Security | mTLS, AuthorizationPolicy, PeerAuthentication, WASM filters | mTLS, simple policies (`policy`, `Server`, `ServerAuthorization`) |
| Traffic management | VirtualService, DestinationRule, Gateway, EnvoyFilter | ServiceProfile, TrafficSplit (SMI), retries/timeouts |
| Observability | Prometheus, Telemetry API, Envoy access logs, OpenTelemetry | `linkerd viz` (tap/edges/routes), Prometheus, OTel integration |
| Multi-cluster | Native multi-cluster, east-west gateway | `linkerd multicluster` (gateways + service mirror) |
| Deployment model | Sidecar and Ambient Mesh (ztunnel + waypoint) | Sidecar |
| Complexity | Feature-rich, more complex | Simpler, more minimalist, fewer features |
| Extensibility | WASM/EnvoyFilter, external authorizers | Limited but predictable |

3) Architecture and deployment models

3.1 Sidecar mesh (classic)

Each Pod gets a sidecar proxy.
Pros: maturity, full L7 control.
Cons: extra CPU/RAM per Pod, more complex deployments and debugging.

3.2 Istio Ambient Mesh

ztunnel (L4) on each node, plus waypoint proxies (L7) where needed.
Pros: lower cost and complexity, L7 can be added incrementally.
Cons: newer; L7 features are unavailable to a workload until it has a waypoint.

4) Identity and mTLS (zero trust)

4.1 SPIFFE/SPIRE and certificates

Each workload gets a SPIFFE ID: `spiffe://cluster.local/ns/NS/sa/SA`.
Authentication: mutual TLS between services.
Key rotation is automatic (short TTL).

4.2 Istio (PeerAuthentication + DestinationRule)

```yaml
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata: { name: default, namespace: payments }
spec:
  mtls: { mode: STRICT }        # server side: reject plaintext from non-mesh clients
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata: { name: payments-dr, namespace: payments }
spec:
  host: payments.payments.svc.cluster.local   # <service>.<namespace>.svc.cluster.local
  trafficPolicy:
    tls: { mode: ISTIO_MUTUAL }  # client side: originate mTLS with the mesh identity
```

4.3 Linkerd mTLS

Enabled after `linkerd install` + `linkerd inject`.
Each cluster has its own trust anchor; rotation is automatic.

5) Traffic management

5.1 Istio: VirtualService (routes, canaries)

```yaml
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata: { name: payments }
spec:
  hosts: ["payments"]
  http:
  - route:
    - destination: { host: payments, subset: v1 }   # stable
      weight: 90
    - destination: { host: payments, subset: v2 }   # canary
      weight: 10
    retries: { attempts: 2, perTryTimeout: 300ms }
    timeout: 2s
```
DestinationRule (LB/CB):
```yaml
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata: { name: payments }
spec:
  host: payments
  subsets:
  - name: v1
    labels: { version: v1 }
  - name: v2
    labels: { version: v2 }
  trafficPolicy:
    loadBalancer: { simple: LEAST_CONN }
    outlierDetection:
      consecutive5xxErrors: 5     # field name is consecutive5xxErrors
      interval: 5s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
```
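To make the outlierDetection parameters concrete, here is an added example (not from the article and not Istio or Envoy code) that simulates how the consecutive-5xx rule, the sweep interval and the ejection cap interact. The hosts and the traffic are constructed; the ejection-percentage check is modelled as "eject only while the share of ejected hosts stays within maxEjectionPercent", a simplification of Envoy's behaviour, and the ejection time grows with each repeated ejection as Envoy's does.

```python
class OutlierDetector:
    """Tracks consecutive 5xx per upstream host and ejects the host from the
    load-balancing pool, mirroring the DestinationRule above:
    consecutive5xxErrors=5, interval=5s, baseEjectionTime=30s, maxEjectionPercent=50."""

    def __init__(self, hosts, consecutive_5xx=5, interval=5.0,
                 base_ejection_time=30.0, max_ejection_percent=50):
        self.hosts = list(hosts)
        self.consecutive_5xx = consecutive_5xx
        self.interval = interval
        self.base_ejection_time = base_ejection_time
        self.max_ejection_percent = max_ejection_percent
        self.streak = {h: 0 for h in self.hosts}      # current run of 5xx per host
        self.ejections = {h: 0 for h in self.hosts}   # how often each host was ejected
        self.ejected_until = {}                       # host -> absolute time of return
        self.last_sweep = 0.0

    def healthy(self):
        """Hosts currently eligible for load balancing."""
        return [h for h in self.hosts if h not in self.ejected_until]

    def _ejection_allowed(self):
        # Modelling assumption: ejecting one more host must keep the ejected
        # share within maxEjectionPercent (2 of 4 hosts at 50%).
        share = (len(self.ejected_until) + 1) * 100 / len(self.hosts)
        return share <= self.max_ejection_percent

    def sweep(self, now):
        """Runs at most once per `interval`: hosts whose ejection expired return."""
        if now - self.last_sweep < self.interval:
            return
        self.last_sweep = now
        for h, until in list(self.ejected_until.items()):
            if now >= until:
                del self.ejected_until[h]

    def record(self, host, status, now):
        """Feed one response; returns True when this response ejected the host."""
        self.sweep(now)
        if host in self.ejected_until:
            return False
        if status < 500:
            self.streak[host] = 0          # any success resets the run
            return False
        self.streak[host] += 1
        if self.streak[host] < self.consecutive_5xx or not self._ejection_allowed():
            return False
        self.ejections[host] += 1
        # Envoy multiplies baseEjectionTime by the number of ejections so far,
        # so a flapping host stays out longer each time.
        self.ejected_until[host] = now + self.base_ejection_time * self.ejections[host]
        self.streak[host] = 0
        return True


def run_scenario():
    """Constructed traffic: host b answers 503 five times in a row, c fails once."""
    det = OutlierDetector(["a", "b", "c", "d"])
    events = []
    for t in range(1, 6):                       # t = 1..5: five consecutive 503s from b
        if det.record("b", 503, float(t)):
            events.append(("ejected", "b", float(t)))
    det.record("c", 503, 6.0)
    det.record("c", 200, 7.0)                   # success resets c's streak
    pool_during = det.healthy()
    det.record("a", 200, 40.0)                  # sweep at t=40: b's ejection ended at t=35
    pool_after = det.healthy()
    return events, pool_during, pool_after


if __name__ == "__main__":
    print(run_scenario())
```

The run shows b leaving the pool at t=5 and returning after baseEjectionTime; feeding five 5xx from three different hosts shows that the third is kept in the pool because maxEjectionPercent caps ejections at half of the four hosts.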

5.2 Linkerd: ServiceProfile + TrafficSplit

```yaml
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  name: payments.default.svc.cluster.local
spec:
  routes:
  - name: POST /withdraw
    condition:
      method: POST
      pathRegex: "/withdraw"
    isRetryable: true
    timeout: 2s
---
apiVersion: split.smi-spec.io/v1alpha2
kind: TrafficSplit
metadata: { name: payments }
spec:
  service: payments
  backends:
  - service: payments-v1
    weight: 90
  - service: payments-v2
    weight: 10
```

6) Ingress/Egress and API gateways

Istio Gateway (ingress/egress) manages inbound and outbound traffic: TLS termination, mTLS passthrough.
Linkerd works with existing ingress controllers (NGINX/Contour/Traefik); egress is handled through NetworkPolicy and egress-gateway patterns.
Egress policies: domain allow-lists, SNI policy, no direct internet access.

7) Authorization and policy

7.1 Istio AuthorizationPolicy (RBAC/ABAC)

```yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata: { name: allow-withdraw, namespace: payments }
spec:
  selector: { matchLabels: { app: payments } }
  action: ALLOW
  rules:
  - from:
    - source:
        # Istio principals are written without the spiffe:// scheme
        principals: ["cluster.local/ns/api/sa/gateway"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/withdraw"]
    when:
    # JWT claims are only available when a RequestAuthentication validates the token
    - key: request.auth.claims[role]
      values: ["cashout"]
```

7.2 Linkerd policy (Server + ServerAuthorization)

```yaml
apiVersion: policy.linkerd.io/v1beta3
kind: Server
metadata: { name: payments-server, namespace: payments }
spec:
  podSelector: { matchLabels: { app: payments } }
  port: 8080
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata: { name: allow-gateway, namespace: payments }
spec:
  server: { name: payments-server }
  client:
    meshTLS:
      # <serviceaccount>.<namespace>.serviceaccount.identity.linkerd.<trust-domain>
      identities: ["gateway.api.serviceaccount.identity.linkerd.cluster.local"]
```
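The same workload identity appears in three spellings in sections 4.1, 7.1 and 7.2: the SPIFFE URI in the certificate, the Istio principal (no scheme) and the Linkerd DNS-style identity. The following added example (not code from the article, Istio or Linkerd) converts between them and evaluates an Istio-style principals list, including its prefix/suffix wildcard matching. The sample caller is constructed; the trust domain is assumed to be the default `cluster.local`.

```python
import re

# spiffe://<trust-domain>/ns/<namespace>/sa/<serviceaccount>
_SPIFFE_RE = re.compile(r"^spiffe://(?P<td>[^/]+)/ns/(?P<ns>[^/]+)/sa/(?P<sa>[^/]+)$")


def parse_spiffe_id(spiffe_id):
    """Split a Kubernetes workload SPIFFE ID into trust domain, namespace
    and service account; any other URI raises ValueError."""
    m = _SPIFFE_RE.match(spiffe_id)
    if not m:
        raise ValueError(f"not a k8s workload SPIFFE ID: {spiffe_id!r}")
    return m.groupdict()


def istio_principal(spiffe_id):
    """Form used in AuthorizationPolicy rules[].from[].source.principals:
    the SPIFFE ID without its scheme, <trust-domain>/ns/<ns>/sa/<sa>."""
    p = parse_spiffe_id(spiffe_id)
    return f"{p['td']}/ns/{p['ns']}/sa/{p['sa']}"


def linkerd_identity(spiffe_id):
    """Form used in ServerAuthorization spec.client.meshTLS.identities,
    i.e. the DNS-style name in the workload certificate:
    <sa>.<ns>.serviceaccount.identity.linkerd.<trust-domain>."""
    p = parse_spiffe_id(spiffe_id)
    return f"{p['sa']}.{p['ns']}.serviceaccount.identity.linkerd.{p['td']}"


def principal_allowed(principal, allowed):
    """Evaluate a principals list the way Istio string matching works:
    exact value, prefix match ("cluster.local/ns/api/*"), suffix match
    ("*/sa/gateway") or presence ("*")."""
    for pattern in allowed:
        if pattern == "*" or pattern == principal:
            return True
        if pattern.endswith("*") and principal.startswith(pattern[:-1]):
            return True
        if pattern.startswith("*") and principal.endswith(pattern[1:]):
            return True
    return False


if __name__ == "__main__":
    caller = "spiffe://cluster.local/ns/api/sa/gateway"   # constructed sample
    print(istio_principal(caller))
    print(linkerd_identity(caller))
    print(principal_allowed(istio_principal(caller), ["cluster.local/ns/api/*"]))
```

A namespace-wide pattern such as `cluster.local/ns/api/*` admits every service account in that namespace, so prefer the exact service-account principal unless the broader scope is intended.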

8) Observability and telemetry

8.1 Metrics

Istio Telemetry API → Prometheus: `istio_requests_total`, `istio_request_duration_milliseconds_bucket`, `istio_tcp_received_bytes_total`.
Linkerd viz: `request_total`, latency p50/p95/p99, `success_rate`.

8.2 Traces and logs

W3C Trace Context.
Istio/Envoy → OTLP to the OpenTelemetry Collector; Linkerd via a sidecar logger or the application SDK.

8.3 Exemplars

Attach `trace_id` exemplars to histograms for "jump-to-trace".

9) Rate limits, WAF, filters

Istio: local rate limits, an external rate-limit service (Redis), and EnvoyFilter/WASM for WAF logic (Lua/WASM).
Linkerd: limited native support; rate limiting at the ingress/gateway level.

10) Multi-cluster

Istio: east-west gateway, shared PKI or trust bundle, ServiceEntry, service discovery via federation.
Linkerd: `linkerd multicluster link`, a gateway per cluster, service-mirror controller.

Use cases: active-active regions, traffic locality, federated zero trust.

11) Performance and cost

Sidecar mesh: extra CPU/RAM per Pod, added latency (typically +1-3 ms per hop in steady state).
Ambient (Istio): lower consumption for L4; L7 is enabled per workload via waypoints.
Linkerd: lightweight proxy, usually lower overhead, but fewer advanced L7 features.
Practice: measure p95/CPU before and after; keep SLO gates to catch regressions.

12) Security

mTLS everywhere, short TTL, automatic rotation.
Policy as Code (OPA/Gatekeeper, Kyverno) to forbid things like an `AuthorizationPolicy` that allows all.
Secrets via CSI/Vault, not in manifests.
Egress control: deny by default, explicit allow-lists.
Separate trust domains per environment (prod/stage).

13) Integration with releases and SLO gating

Canary/Blue-Green is implemented through mesh routes (see the examples above).
Argo Rollouts AnalysisTemplate on metrics (Prometheus/SpanMetrics): burn rate, p95, 5xx.
Grafana release annotations: compare `version=stable` vs `canary`.

14) Anti-patterns

Turning the mesh on "everywhere at once" → infrastructure shock.
Proxies overloading the TSDB/log store.
Leaving mTLS in PERMISSIVE/opaque mode permanently.
Putting complex WAF/business logic inside EnvoyFilter instead of the gateway or the application.
No egress policy → leaks/exposure to the internet.
Proxy admin/debug port `:15000` left exposed.

15) Adoption checklist (days 0-60)

Days 0-15

Choose the model: Sidecar vs Ambient (Istio) / Linkerd, based on the workload profile.
mTLS STRICT; add basic authorization policies for 1-2 critical services.
Basic routes (timeout/retries), RED/SLO dashboards.

Days 16-30

Canary/TrafficSplit, outlier detection/circuit breaking.
OTel integration: tracing + exemplars; burn-rate alerts.
Egress gateways and domain allow-lists; deny by default.

Days 31-60

Multi-cluster link (if needed), trust federation.
Policy as Code for AuthorizationPolicy/ServerAuthorization.
Game day: incident simulation and rollback of routes/policies.

16) Maturity metrics

≥ 95% of services on mTLS (STRICT/auto-rotate).
≥ 80% of traffic released through canary/progressive delivery.
Mean p95 overhead < 5% over baseline (after optimisation).
0 open unauthorised egress; 100% of services with basic AuthZ.
RCA "from graph to trace" ≤ 2 minutes (p50).

17) Policy-as-code examples

Gatekeeper (forbid PERMISSIVE)

```yaml
# Assumes a ConstraintTemplate named K8sIstiomTLSStrict that exposes allowedModes
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sIstiomTLSStrict
metadata: { name: deny-permissive-prod }
spec:
  match:
    kinds: [{ apiGroups: ["security.istio.io"], kinds: ["PeerAuthentication"] }]
    namespaces: ["prod-*"]      # glob: every namespace with the prod- prefix
  parameters:
    allowedModes: ["STRICT"]
```

Kyverno (mandatory labels on VS/DR)

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata: { name: require-mesh-labels }
spec:
  validationFailureAction: Enforce   # default is Audit, which only reports
  rules:
  - name: vs-dr-labels
    match:
      any:
      - resources:
          kinds: ["VirtualService", "DestinationRule"]
    validate:
      message: "owner and service labels required"
      pattern:
        metadata:
          labels:
            owner: "?*"      # "?*" = at least one character
            service: "?*"
```
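The intent behind the Gatekeeper and Kyverno policies above, together with the "no allow-all AuthorizationPolicy" rule from section 12, can be expressed as a small linter that runs over manifests before they reach GitOps. The following is an added example, not the article's code and not part of Gatekeeper, Kyverno, Istio or Linkerd; it takes manifests already parsed into dictionaries (as a YAML loader returns them), the sample manifests are constructed, and the `prod-*` namespace pattern is an assumption.

```python
from fnmatch import fnmatch

PROD_NAMESPACES = ["prod-*"]            # assumption: production namespaces share this prefix
REQUIRED_LABELS = ("owner", "service")  # as required by the Kyverno policy above


def _ref(m):
    md = m.get("metadata", {})
    return f"{m.get('kind')} {md.get('namespace', 'default')}/{md.get('name')}"


def _in_prod(m):
    ns = m.get("metadata", {}).get("namespace", "default")
    return any(fnmatch(ns, pat) for pat in PROD_NAMESPACES)


def check_peer_authentication(m):
    """Gatekeeper rule: production PeerAuthentication must be STRICT."""
    if m.get("kind") != "PeerAuthentication" or not _in_prod(m):
        return []
    mode = m.get("spec", {}).get("mtls", {}).get("mode")
    return [] if mode == "STRICT" else [f"{_ref(m)}: mTLS mode {mode!r}, STRICT required"]


def check_authorization_policy(m):
    """An ALLOW policy containing an empty rule (no from/to/when) admits all
    traffic to the selected workloads. An ALLOW policy with no rules at all
    matches nothing, i.e. denies, so it is not flagged."""
    if m.get("kind") != "AuthorizationPolicy":
        return []
    spec = m.get("spec", {})
    if spec.get("action", "ALLOW") != "ALLOW":
        return []
    open_rules = [r for r in spec.get("rules", [])
                  if not (r.get("from") or r.get("to") or r.get("when"))]
    return [f"{_ref(m)}: ALLOW rule matches all traffic"] if open_rules else []


def check_mesh_labels(m):
    """Kyverno rule: VirtualService/DestinationRule carry owner and service labels."""
    if m.get("kind") not in ("VirtualService", "DestinationRule"):
        return []
    labels = m.get("metadata", {}).get("labels") or {}
    missing = [k for k in REQUIRED_LABELS if not labels.get(k)]
    return [f"{_ref(m)}: missing labels {missing}"] if missing else []


def check_server_authorization(m):
    """Linkerd ServerAuthorization with client.unauthenticated: true skips mTLS identity."""
    if m.get("kind") != "ServerAuthorization":
        return []
    if m.get("spec", {}).get("client", {}).get("unauthenticated"):
        return [f"{_ref(m)}: unauthenticated clients allowed"]
    return []


CHECKS = (check_peer_authentication, check_authorization_policy,
          check_mesh_labels, check_server_authorization)


def lint(manifests):
    """Run every check over every manifest and return the list of findings."""
    return [f for m in manifests for check in CHECKS for f in check(m)]


# Constructed manifests: four violations and one tolerated non-prod case.
SAMPLE = [
    {"kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": "prod-payments"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": "stage-payments"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},                 # not prod, tolerated
    {"kind": "AuthorizationPolicy", "metadata": {"name": "allow-all", "namespace": "prod-payments"},
     "spec": {"action": "ALLOW", "rules": [{}]}},             # empty rule = everything
    {"kind": "VirtualService", "metadata": {"name": "payments", "namespace": "prod-payments",
                                            "labels": {"owner": "cashout-team"}}, "spec": {}},
    {"kind": "ServerAuthorization", "metadata": {"name": "open", "namespace": "prod-payments"},
     "spec": {"server": {"name": "payments-server"}, "client": {"unauthenticated": True}}},
]

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Running it over `SAMPLE` yields four findings; the stage namespace's PERMISSIVE mode passes because only `prod-*` is in scope, matching the Gatekeeper constraint's namespace selector.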

18) Operational tips

Version policies and routes (semver); promote them through GitOps.
Proxy observability: separate dashboards for "proxy saturation" (CPU/heap, retries, 429/503).
Cardinality budget: `route`, `code`, `destination` labels carry templated values only.
System limits/quotas at namespace level (NetworkPolicy/LimitRange).
Operational documentation: a runbook "how to roll back mTLS routes/policies/keys".

19) Conclusion

Istio and Linkerd solve the same problem, standardising the security, reliability and visibility of service-to-service communication, but at different depth and total cost of ownership.

Need rich L7 capabilities and flexible policies: take Istio (look at Ambient to cut overhead).
Need simplicity and minimal overhead: take Linkerd.

Whichever mesh you choose: enable mTLS, manage routing as code, link metrics with traces, close egress and add SLO gating to releases. Then the network layer stops being a "black box" and becomes a predictable tool for stability and speed of change.
