LazyXds enables Istio to push only the xDS configuration a sidecar actually needs, which reduces resource consumption and speeds up xDS configuration propagation.

LazyXds

Problems to solve

[figure: SotW xDS]

Architecture

[figure: SotW xDS]

Build

# build lazyxds binary on linux
make build.lazyxds

# build lazyxds binary on darwin
make build-mac.lazyxds

Build Image

# build lazyxds docker image with the default latest tag
make docker-build.lazyxds

# build lazyxds docker image with xxx tag
make docker-build.lazyxds tag=xxx

# build lazyxds e2e docker image
make docker-build-e2e.lazyxds

Install

Prerequisites:

  • A running Kubernetes cluster with Istio (version >= 1.10.0) installed
  • kubectl installed, with ~/.kube/config pointing to the cluster from the first step

Install Lazyxds Egress and Controller

kubectl apply -f https://raw.githubusercontent.com/aeraki-mesh/aeraki/master/lazyxds/install/lazyxds-egress.yaml
kubectl apply -f https://raw.githubusercontent.com/aeraki-mesh/aeraki/master/lazyxds/install/lazyxds-controller.yaml

The above commands install the lazyxds egress and controller into the istio-system namespace.

How to enable LazyXDS

You can enable lazyXDS for particular services or for a whole namespace. To do so, add the annotation lazy-xds: "true" to the target Service or Namespace.

Enable on a Service

apiVersion: v1
kind: Service
metadata:
  name: my-service
  annotations:
    lazy-xds: "true"
spec:

or use kubectl:

kubectl annotate service my-service lazy-xds=true --overwrite

Enable on a Namespace

apiVersion: v1
kind: Namespace
metadata:
  name: my-namespace
  annotations:
    lazy-xds: "true"
spec:

or use kubectl:

kubectl annotate namespace my-namespace lazy-xds=true --overwrite

Bookinfo Demo

  1. Install Istio (version >= 1.10.0) and enable the access log for debugging.

    istioctl install -y --set meshConfig.accessLogFile=/dev/stdout
    
  2. Install lazyXds by following the instructions in "Install Lazyxds Egress and Controller" above.

  3. Install the bookinfo application:

    kubectl label namespace default istio-injection=enabled
    kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.10/samples/bookinfo/platform/kube/bookinfo.yaml
    kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.10/samples/bookinfo/networking/bookinfo-gateway.yaml
    

    Determine the ingress IP; port 80 is used as the ingress port by default.

    export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
    

    Save the productpage pod name in an environment variable for later use.

    export PRODUCT_PAGE_POD=$(kubectl get pod -l app=productpage -o jsonpath="{.items[0].metadata.name}")
    

    Check the EDS of the productpage pod. productpage receives the endpoints of every bookinfo service, even though it does not need all of them:

    istioctl pc endpoints $PRODUCT_PAGE_POD | grep '9080'
    172.22.0.10:9080                 HEALTHY     OK                outbound|9080||reviews.default.svc.cluster.local
    172.22.0.11:9080                 HEALTHY     OK                outbound|9080||reviews.default.svc.cluster.local
    172.22.0.12:9080                 HEALTHY     OK                outbound|9080||reviews.default.svc.cluster.local
    172.22.0.13:9080                 HEALTHY     OK                outbound|9080||productpage.default.svc.cluster.local
    172.22.0.8:9080                  HEALTHY     OK                outbound|9080||details.default.svc.cluster.local
    172.22.0.9:9080                  HEALTHY     OK                outbound|9080||ratings.default.svc.cluster.local
    
  4. Enable lazyXds for the productpage service:

    kubectl annotate service productpage lazy-xds=true --overwrite
    

    Check the eds of product page:

    istioctl pc endpoints $PRODUCT_PAGE_POD | grep '9080'
    # no endpoints are shown
    

    Once lazyXds is enabled, the productpage pod no longer receives any bookinfo endpoints.

  5. Access bookinfo the first time:

    curl -I "http://${INGRESS_HOST}/productpage"
    

    Check the access log of the productpage pod:

    kubectl logs -c istio-proxy -f $PRODUCT_PAGE_POD
    

    [figure: access to egress]

    The first requests from productpage to details and reviews have been redirected to istio-egressgateway-lazyxds.

    Check the EDS of productpage again:

    172.22.0.10:9080                 HEALTHY     OK                outbound|9080||reviews.default.svc.cluster.local
    172.22.0.11:9080                 HEALTHY     OK                outbound|9080||reviews.default.svc.cluster.local
    172.22.0.12:9080                 HEALTHY     OK                outbound|9080||reviews.default.svc.cluster.local
    172.22.0.8:9080                  HEALTHY     OK                outbound|9080||details.default.svc.cluster.local
    

    Only the reviews and details endpoints are in the EDS, which are exactly the endpoints productpage needs.

  6. Access bookinfo again:

    curl -I "http://${INGRESS_HOST}/productpage"
    

    Check the access log of the productpage pod:

    kubectl logs -c istio-proxy -f $PRODUCT_PAGE_POD
    

    [figure: productpage access log]

    Now the traffic goes directly to the target services since the sidecar proxy already has all the endpoints it needs.
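The before/after comparison in the demo above can be checked programmatically. The following is an added example, not code from the LazyXds project: it parses `istioctl pc endpoints` output into a per-service endpoint map and reports which services were dropped after the annotation was applied. The sample lines are constructed from the output shown in steps 3 and 5.

```python
import re
from collections import defaultdict

# Constructed sample of `istioctl pc endpoints <pod> | grep 9080` output,
# modelled on the bookinfo demo (before enabling lazy-xds on productpage).
BEFORE = """\
172.22.0.10:9080   HEALTHY   OK   outbound|9080||reviews.default.svc.cluster.local
172.22.0.11:9080   HEALTHY   OK   outbound|9080||reviews.default.svc.cluster.local
172.22.0.12:9080   HEALTHY   OK   outbound|9080||reviews.default.svc.cluster.local
172.22.0.13:9080   HEALTHY   OK   outbound|9080||productpage.default.svc.cluster.local
172.22.0.8:9080    HEALTHY   OK   outbound|9080||details.default.svc.cluster.local
172.22.0.9:9080    HEALTHY   OK   outbound|9080||ratings.default.svc.cluster.local
"""

# Same pod after lazy-xds is enabled and the first request has gone through the egress gateway.
AFTER = """\
172.22.0.10:9080   HEALTHY   OK   outbound|9080||reviews.default.svc.cluster.local
172.22.0.11:9080   HEALTHY   OK   outbound|9080||reviews.default.svc.cluster.local
172.22.0.12:9080   HEALTHY   OK   outbound|9080||reviews.default.svc.cluster.local
172.22.0.8:9080    HEALTHY   OK   outbound|9080||details.default.svc.cluster.local
"""

# Envoy cluster names from istioctl look like outbound|<port>|<subset>|<host>
CLUSTER_RE = re.compile(r"^(outbound|inbound)\|(\d+)\|([^|]*)\|(\S+)$")


def parse_endpoints(text):
    """Map each service host to the set of endpoints the proxy currently holds for it."""
    by_host = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank line or header row
        match = CLUSTER_RE.match(fields[3])
        if not match:
            continue  # header row or unrelated cluster name
        by_host[match.group(4)].add(fields[0])
    return dict(by_host)


def dropped_hosts(before_text, after_text):
    """Hosts whose endpoints are no longer pushed to the proxy after enabling lazy-xds."""
    return sorted(set(parse_endpoints(before_text)) - set(parse_endpoints(after_text)))


if __name__ == "__main__":
    for host, eps in sorted(parse_endpoints(AFTER).items()):
        print(f"{host}: {len(eps)} endpoint(s)")
    print("no longer pushed:", dropped_hosts(BEFORE, AFTER))
```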

Uninstall

kubectl delete -f https://raw.githubusercontent.com/aeraki-mesh/aeraki/master/lazyxds/install/lazyxds-controller.yaml
kubectl delete -f https://raw.githubusercontent.com/aeraki-mesh/aeraki/master/lazyxds/install/lazyxds-egress.yaml

Performance

We set up two bookinfo applications in an Istio mesh with lazyxds installed: the productpage in the lazy-on namespace has lazyXds enabled, the other one does not. We then used the Istio load-testing setup to create an increasing number of services; each load-test namespace contains 19 services, and each service has 5 pods. The results are shown below for reference:

[figure: performance-test-arch]

Memory comparison:

[figure: performance-test-mem]

EDS and CDS comparison:

[figure: performance-test-xds]

Owner
Aeraki Mesh
Manage any layer-7 protocols in a Service Mesh.
Comments
  • istio-egressgateway authentication failure

    Problem description

    I deployed Lazy xDS to my k8s cluster using the following commands:

    kubectl apply -f https://raw.githubusercontent.com/aeraki-mesh/aeraki/master/lazyxds/install/lazyxds-egress.yaml
    kubectl apply -f https://raw.githubusercontent.com/aeraki-mesh/aeraki/master/lazyxds/install/lazyxds-controller.yaml
    

    After the deployment, however, istio-egressgateway-lazyxds is not running. [screenshot]

    Then I checked the log: [screenshot]

    It seems the certificate is not correct. I'm wondering if I missed any configuration?

    Environment

    • istio: v1.13.3, installed with default profile
    • k8s: v1.23
  • `istio-token` seems need to be mounted for istio-egressgateway-lazyxds

    env: k8s 1.21.12 istio 1.13.3

    Hello, I encountered a problem where istio-egressgateway-lazyxds cannot connect to istiod, showing the following logs:

    2022-06-08T07:16:19.699306Z	info	xdsproxy	connected to upstream XDS server: istiod.istio-system.svc:15012
    2022-06-08T07:16:19.699947Z	warn	xdsproxy	upstream [15] terminated with unexpected error rpc error: code = Unauthenticated desc = authentication failure
    2022-06-08T07:16:19.700104Z	error	xdsproxy	upstream [15] send error for type url type.googleapis.com/envoy.config.cluster.v3.Cluster: EOF
    2022-06-08T07:16:19.700304Z	warning	envoy config	StreamAggregatedResources gRPC config stream closed: 16, authentication failure
    

    And I checked istiod logs and found it was complaining about missing authentication header:

    2022-06-08T07:17:58.831364Z	error	ads	Failed to authenticate client from 10.244.0.59:33544: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: target JWT extraction error: no HTTP authorization header exists
    

    After mounting istio-token the way istio-ingressgateway does (JWT_POLICY also needs to be changed from first-party-jwt to third-party-jwt), the problem was gone.

    It seems the istio-token mount is missing in lazyxds-egress.

    # under spec.template.spec.volumes
    - name: istio-token
      projected:
        sources:
          - serviceAccountToken:
              audience: istio-ca
              expirationSeconds: 43200
              path: istio-token
        defaultMode: 420

    # under the istio-proxy container's volumeMounts
    - name: istio-token
      readOnly: true
      mountPath: /var/run/secrets/tokens

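The failure described in the two reports above (the gateway cannot authenticate to istiod because no projected service account token is mounted) can be caught before deployment. The following is an added example, not code from the LazyXds project or the commenter: it checks a gateway Deployment, loaded as a Python dict (for instance from `kubectl get deploy -o json`, which is assumed), for the istio-token projected volume with audience istio-ca, its mount at /var/run/secrets/tokens, and JWT_POLICY=third-party-jwt. The manifests it checks are constructed inline.

```python
def make_deployment(with_token):
    """Constructed minimal gateway Deployment, with or without the fix from the comment above."""
    volumes, mounts = [], []
    env = [{"name": "JWT_POLICY", "value": "first-party-jwt"}]
    if with_token:
        volumes.append({"name": "istio-token", "projected": {"sources": [
            {"serviceAccountToken": {"audience": "istio-ca",
                                     "expirationSeconds": 43200,
                                     "path": "istio-token"}}]}})
        mounts.append({"name": "istio-token", "readOnly": True,
                       "mountPath": "/var/run/secrets/tokens"})
        env = [{"name": "JWT_POLICY", "value": "third-party-jwt"}]
    return {"kind": "Deployment", "spec": {"template": {"spec": {
        "volumes": volumes,
        "containers": [{"name": "istio-proxy", "env": env, "volumeMounts": mounts}]}}}}


def check_istio_token(deploy):
    """Return findings that explain why the gateway could not authenticate to istiod; empty means OK."""
    findings = []
    pod = deploy["spec"]["template"]["spec"]
    vol = next((v for v in pod.get("volumes", []) if v.get("name") == "istio-token"), None)
    if vol is None:
        findings.append("volume istio-token missing")
    else:
        sources = vol.get("projected", {}).get("sources", [])
        tokens = [s["serviceAccountToken"] for s in sources if "serviceAccountToken" in s]
        if not any(t.get("audience") == "istio-ca" for t in tokens):
            findings.append("istio-token is not a projected serviceAccountToken with audience istio-ca")
    for container in pod.get("containers", []):
        if container.get("name") != "istio-proxy":
            continue
        mounted = any(m.get("name") == "istio-token" and m.get("mountPath") == "/var/run/secrets/tokens"
                      for m in container.get("volumeMounts", []))
        if not mounted:
            findings.append("istio-proxy does not mount istio-token at /var/run/secrets/tokens")
        policy = {e["name"]: e.get("value") for e in container.get("env", [])}.get("JWT_POLICY")
        if policy != "third-party-jwt":
            findings.append(f"JWT_POLICY is {policy!r}, expected 'third-party-jwt'")
    return findings


if __name__ == "__main__":
    print("broken:", check_istio_token(make_deployment(False)))
    print("fixed:", check_istio_token(make_deployment(True)))
```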
  • Lazyxds Not Work

    Describe the bug
    After deploying Lazyxds and adding the annotation (lazy-xds: "true") to the productpage Service, the EDS of productpage should not contain other services' EDS. Thanks.

    To Reproduce
    Steps to reproduce the behavior:
    1. Deploy Lazyxds [screenshot]
    2. Pods running [screenshot]
    3. Annotate the productpage Service [screenshot]; bookinfo namespace [screenshot]; productpage pod's EDS [screenshot]. The EDS has other EDS info.

    Logs: lazyxds: lazyxds.log; egressgateway-lazyxds: egressgateway.log

    ENV:
    1. k8s version [screenshot]
    2. Istio version [screenshot]
