ServiceMesh Network Governance

ServiceMesh Network Governance Plugin

Since version 5.1.5, Kato ships by default with an integrated (comprehensive) network governance plug-in, which handles inbound and outbound traffic at the same time, and an outbound-only network governance plug-in. A network governance plug-in runs in the same network namespace as the business container. It can listen on an assigned port, intercept inbound business traffic for rate limiting and circuit breaking, and then forward that traffic to the port on which the business service actually listens. It also works in the outbound direction: when a business service needs to reach an upstream service, it connects to the port on which the local outbound governance plug-in listens; the plug-in performs traffic routing, circuit breaking, security verification and other processing, and then forwards the traffic to the hosts on which the upstream service is actually running.

For plug-in developers, there are two points to pay attention to:

  • The inbound governance plug-in must forward traffic according to the port-forwarding rules assigned by the system. For example, the UI service itself listens on port 8080, which cannot be changed, but the port used to reach the UI service from the edge gateway can be changed. So when the application runs, Kato dynamically generates a listening-port pair for the inbound network governance plug-in, as in the following configuration:
  {
      "base_ports": [
          {
              "service_alias": "gre484d9",
              "service_id": "9703228e9b42cde3e3a72f4826e484d9",
              "port": 8080,
              "listen_port": 65301,
              "protocol": "http",
              "options": {
                  "LIMIT_DOMAIN": "limit.common",
                  "OPEN_LIMIT": "NO"
              }
          }
      ]
  }

The DISCOVER_URL variable is injected automatically when the plug-in runs, and the configuration above can be fetched dynamically from the address held in that variable. Following this configuration, the inbound network governance plug-in must listen on port 65301 and forward the traffic to 127.0.0.1:8080.

  • The outbound governance plug-in has no port-mapping problem. It creates local listeners and forwards their traffic to the remote addresses according to the dynamic configuration below:
  {
      "base_services": [
          {
              "service_alias": "gre484d9",
              "service_id": "9703228e9b42cde3e3a72f4826e484d9",
              "depend_service_alias": "grcff92d",
              "depend_service_id": "c81923991ff2428082a5d9d478cff92d",
              "port": 5000,
              "protocol": "http",
              "options": {
                  "BaseEjectionTimeMS": "30000",
                  "ConsecutiveErrors": "5",
                  "Domains": "todos",
                  "Headers": "",
                  "IntervalMS": "10",
                  "MaxActiveRetries": "5",
                  "MaxConnections": "10",
                  "MaxEjectionPercent": "20",
                  "MaxPendingRequests": "1024",
                  "MaxRequests": "1024",
                  "MaxRequestsPerConnection": "",
                  "PROXY": "YES",
                  "Prefix": "/",
                  "Weight": "80"
              }
          }
      ]
  }

Making a custom plug-in work with the native configuration discovery and service discovery described above requires additional data-adaptation work inside the plug-in. Kato therefore also provides a dynamic configuration discovery service based on the Envoy xDS (gRPC) specification; inside the plug-in, the two variables XDS_HOST_IP and XDS_HOST_PORT give the address of the xDS service.

For users, the network governance performed at the plug-in layer is completely transparent to the business layer: all distributed services with dependencies behave as if they were running on the same host.

Plug-in Practice

Integrated Network Governance Plugin

The integrated network governance plug-in provided by default is implemented on top of Envoy 1.9.0. It implements both inbound and outbound governance and provides the following configuration parameters:

Inbound Direction

Global rate limiting:

  • OPEN_LIMIT Turns on global rate limiting. Global rate limiting relies on a third-party rate-limit service such as ratelimit: the current service must depend on the ratelimit service, and the RATE_LIMIT_SERVER_HOST and RATE_LIMIT_SERVER_PORT environment variables must be set.
  • LIMIT_DOMAIN The domain key of the rate-limited route; it corresponds to the configuration of the global rate-limit service.

Circuit breaking:

  • MaxConnections Maximum number of connections. For the HTTP protocol this applies only to HTTP/1.1; for the TCP protocol it sets the maximum number of TCP connections.
  • MaxRequests Maximum number of concurrent requests; applies to the HTTP protocol.
  • MaxPendingRequests Maximum number of pending (queued) requests; applies to the HTTP protocol.
  • MaxActiveRetries Maximum number of active retries; applies to the HTTP protocol.
  • MaxRequestsPerConnection Maximum number of requests on a single connection; applies to the HTTP protocol, supporting HTTP/1.1 and HTTP/2.

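As an added example (not Kato's own plug-in code), the following Python turns a base_ports document fetched from DISCOVER_URL into per-port listener rules of the form "listen on listen_port, forward to 127.0.0.1:port", and checks that a port with OPEN_LIMIT=YES also has the LIMIT_DOMAIN and RATE_LIMIT_SERVER_HOST/PORT settings that global rate limiting depends on. The sample document, its second port entry and the ratelimit host name are constructed for the example; refusing a listen_port equal to the service port is an assumption.

```python
import json

# Constructed sample of the "base_ports" document an inbound plug-in fetches
# from DISCOVER_URL. The first entry mirrors the page's example; the second
# is constructed with OPEN_LIMIT=YES to exercise the rate-limit path.
DISCOVER_DOC = json.loads("""{"base_ports": [
  {"service_alias": "gre484d9", "port": 8080, "listen_port": 65301,
   "protocol": "http", "options": {"LIMIT_DOMAIN": "limit.common", "OPEN_LIMIT": "NO"}},
  {"service_alias": "gre484d9", "port": 9090, "listen_port": 65302,
   "protocol": "http", "options": {"LIMIT_DOMAIN": "limit.api", "OPEN_LIMIT": "YES"}}
]}""")


def build_inbound_listeners(doc, env):
    """Turn base_ports into listener rules: listen on listen_port, forward to
    127.0.0.1:port. With OPEN_LIMIT=YES the rule also carries the ratelimit
    settings, which need LIMIT_DOMAIN plus RATE_LIMIT_SERVER_HOST/PORT from
    the environment; a missing value is an error, not a silent fallback."""
    rules = []
    for bp in doc["base_ports"]:
        port, listen_port = int(bp["port"]), int(bp["listen_port"])
        if listen_port == port:
            # Assumption: an identical pair would make the plug-in proxy to itself.
            raise ValueError(f"listen_port {listen_port} equals the service port")
        opts = bp.get("options", {})
        rule = {"listen": listen_port, "upstream": ("127.0.0.1", port),
                "protocol": bp["protocol"], "rate_limit": None}
        if opts.get("OPEN_LIMIT", "NO").upper() == "YES":
            domain = opts.get("LIMIT_DOMAIN")
            host, srv_port = env.get("RATE_LIMIT_SERVER_HOST"), env.get("RATE_LIMIT_SERVER_PORT")
            if not (domain and host and srv_port):
                raise ValueError("OPEN_LIMIT=YES requires LIMIT_DOMAIN, "
                                 "RATE_LIMIT_SERVER_HOST and RATE_LIMIT_SERVER_PORT")
            rule["rate_limit"] = {"domain": domain, "server": (host, int(srv_port))}
        rules.append(rule)
    return rules


if __name__ == "__main__":
    env = {"RATE_LIMIT_SERVER_HOST": "ratelimit", "RATE_LIMIT_SERVER_PORT": "8081"}
    for rule in build_inbound_listeners(DISCOVER_DOC, env):
        print(rule)
```
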
Outbound Direction

Dynamic routing (HTTP protocol):

  • Domains The requested domain name. For upstream services using the HTTP protocol, domain-based routing is supported and port 80 is reused.
  • Prefix The request path prefix; different upstream services are routed to based on the prefix.
  • Headers Request headers; different upstream services are routed to based on the request headers.
  • Weight Weight; traffic is distributed across upstream services according to their weights.

Circuit breaking (connection-oriented):

  • MaxConnections Maximum number of connections. For the HTTP protocol this applies only to HTTP/1.1; for the TCP protocol it sets the maximum number of TCP connections.
  • MaxRequests Maximum number of concurrent requests; applies to the HTTP protocol.
  • MaxPendingRequests Maximum number of pending (queued) requests; applies to the HTTP protocol.
  • MaxActiveRetries Maximum number of active retries; applies to the HTTP protocol.
  • MaxRequestsPerConnection Maximum number of requests on a single connection; applies to the HTTP protocol, supporting HTTP/1.1 and HTTP/2.

Circuit breaking (upstream-host-oriented):

  • ConsecutiveErrors The number of consecutive 500-series errors after which an upstream host is ejected.
  • BaseEjectionTimeMS The base ejection time, which is also the ejection time the first time a host is ejected. A host that has been ejected n times is ejected for n*BaseEjectionTimeMS.
  • MaxEjectionPercent The maximum percentage of upstream hosts that may be ejected. Setting it to 100 allows all hosts to be ejected.
  • IntervalMS The interval at which hosts are analysed to decide whether they should be ejected.
  • HealthyPanicThreshold The healthy-host percentage below which panic mode is entered; the default is 50.
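As an added example (not Kato's or Envoy's own code), the following Python maps the base_services entry shown earlier onto an Envoy-style cluster carrying the connection-oriented circuit-breaker thresholds and the host-oriented outlier-detection settings listed above, plus a route description covering Domains, Prefix, Headers and Weight. The cluster field names follow Envoy's v2 cluster API and the defaults are Envoy's documented ones; the cluster naming scheme, the "name:value" Headers format and treating an empty option string as "not set" are assumptions.

```python
import json

# Constructed "base_services" entry mirroring the values in the page's example.
BASE_SERVICES = json.loads("""[
  {"service_alias": "gre484d9", "depend_service_alias": "grcff92d",
   "port": 5000, "protocol": "http",
   "options": {"BaseEjectionTimeMS": "30000", "ConsecutiveErrors": "5",
               "Domains": "todos", "Headers": "", "IntervalMS": "10",
               "MaxActiveRetries": "5", "MaxConnections": "10",
               "MaxEjectionPercent": "20", "MaxPendingRequests": "1024",
               "MaxRequests": "1024", "MaxRequestsPerConnection": "",
               "PROXY": "YES", "Prefix": "/", "Weight": "80"}}
]""")


def _int(opts, key, default=None):
    """Option values arrive as strings; an empty string means 'not set' (assumption)."""
    value = opts.get(key, "")
    return int(value) if value != "" else default


def _seconds(ms):
    return f"{ms / 1000:g}s"  # Envoy durations are strings such as "30s" or "0.01s"


def build_outbound_cluster(svc):
    """Map one base_services entry to an Envoy v2 style cluster (circuit breaker +
    outlier detection) plus a route description; defaults are Envoy's documented ones."""
    o = svc["options"]
    cluster = {
        "name": f"{svc['depend_service_alias']}_{svc['port']}",  # naming is assumed
        "circuit_breakers": {"thresholds": [{
            "max_connections": _int(o, "MaxConnections", 1024),
            "max_pending_requests": _int(o, "MaxPendingRequests", 1024),
            "max_requests": _int(o, "MaxRequests", 1024),
            "max_retries": _int(o, "MaxActiveRetries", 3)}]},
        "outlier_detection": {
            "consecutive_5xx": _int(o, "ConsecutiveErrors", 5),
            "interval": _seconds(_int(o, "IntervalMS", 10000)),
            "base_ejection_time": _seconds(_int(o, "BaseEjectionTimeMS", 30000)),
            "max_ejection_percent": _int(o, "MaxEjectionPercent", 10)},
        "common_lb_config": {"healthy_panic_threshold": {
            "value": _int(o, "HealthyPanicThreshold", 50)}}}
    if _int(o, "MaxRequestsPerConnection"):  # only emitted when explicitly set
        cluster["max_requests_per_connection"] = _int(o, "MaxRequestsPerConnection")
    route = {  # Headers format is not given on the page; "name:value,..." is assumed
        "domains": [d for d in o.get("Domains", "").split(",") if d] or ["*"],
        "prefix": o.get("Prefix") or "/",
        "headers": dict(h.split(":", 1) for h in o.get("Headers", "").split(",") if ":" in h),
        "weight": _int(o, "Weight", 100)}
    return cluster, route
```
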

Outbound Network Governance Plugin

When a service does not need inbound governance, the outbound governance plug-in alone can be used; its configuration parameters are the same as those for the outbound direction of the integrated governance plug-in.