zalando / skipper

An HTTP router and reverse proxy for service composition, including use cases like Kubernetes Ingress
https://opensource.zalando.com/skipper/

service mesh - service type clusterIP implementation #420

Open szuecs opened 7 years ago

szuecs commented 7 years ago

Service Mesh is the current buzzword. One of the biggest challenges in Kubernetes is the increased error rate on abrupt node failure (e.g. kernel panic) in east-west communication. East-west is the wording for service-to-service communication within one DC (or Kubernetes cluster).

Skipper could be deployed inside the application POD and applications could use skipper to connect to cluster-internal HTTP service endpoints by cluster-internal DNS name. Applications would configure the POD-internal skipper as a proxy in their settings and would connect to internal and external URLs as before. Annotations should be used to implement Skipper features for service connections (predicates and filters as in ingress).

Example: app1 calls app2.default.svc.cluster.local (cluster internal): App1 has configured skipper as a proxy. App1 connects to <application-name>.<ns>.svc.cluster.local through skipper, which would have the Kubernetes endpoints for all Kubernetes services configured. This way, cluster-internal communication in Kubernetes can be safer on abrupt node failures.

Example: app1 calls foo.example.org (not cluster internal) - Options:

  1. Skipper would need to have a default routing entry that connects to the HTTP endpoint as requested. (simple for the user)
  2. User would need to create an eskip file and skipper merges the routes. This way, only defined communication is allowed (if this can be enforced, this could enable egress policy and help PCI environments - requires merge priorities eskip-file > kubernetes to make sure a static route cannot be changed)

Implementation
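The merge priority that option 2 depends on (eskip-file > kubernetes, so that a discovered route can never replace a pinned static one) can be shown as a small route-table model. The following Go program is an added example written for this page; it is not Skipper code and does not use Skipper's route or filter types. The `Route` struct, `Merge`, `Resolve`, the exact-host matching and all sample hosts and backend addresses are assumptions constructed for illustration. Unknown hosts are denied, which is the option-2 behaviour; option 1 would instead forward any unknown host as requested.

```go
package main

import (
	"fmt"
	"sort"
)

// Route is a minimal model of one proxy route: the request host it
// matches and the backend it forwards to. Source records where the
// route came from so precedence can be enforced.
// Hypothetical model for this example, not Skipper's own route type.
type Route struct {
	Host    string // exact host to match, e.g. "app2.default.svc.cluster.local"
	Backend string // "" means the request is denied (an explicit shunt)
	Source  string // "eskip-file" or "kubernetes"
}

// Merge combines static eskip-file routes with routes discovered from
// Kubernetes. A static route always wins on a host conflict, so a change
// in the cluster can never override an operator-pinned egress rule.
// The returned conflicts are the discovered routes that were ignored,
// which is exactly what a sidecar deployment would want to log.
func Merge(static, discovered []Route) (map[string]Route, []Route) {
	merged := make(map[string]Route, len(static)+len(discovered))
	var conflicts []Route
	for _, r := range static {
		r.Source = "eskip-file"
		merged[r.Host] = r
	}
	for _, r := range discovered {
		r.Source = "kubernetes"
		if _, pinned := merged[r.Host]; pinned {
			conflicts = append(conflicts, r)
			continue
		}
		merged[r.Host] = r
	}
	return merged, conflicts
}

// Resolve decides where a request for host goes. A host that is not in
// the table is denied (default-deny egress, option 2); a listed host with
// an empty backend is an explicit deny. Option 1 from the issue would be
// a one-line change here: forward an unknown host to itself.
func Resolve(table map[string]Route, host string) (backend string, allowed bool) {
	r, ok := table[host]
	if !ok || r.Backend == "" {
		return "", false
	}
	return r.Backend, true
}

func main() {
	// Constructed sample data: one pinned external service, one explicit
	// deny, and two "discovered" routes, one of which tries to rebind the
	// pinned host to a different backend.
	static := []Route{
		{Host: "foo.example.org", Backend: "https://foo.example.org"},
		{Host: "blocked.example.org"},
	}
	discovered := []Route{
		{Host: "app2.default.svc.cluster.local", Backend: "http://10.2.3.4:8080"},
		{Host: "foo.example.org", Backend: "http://10.9.9.9:80"},
	}

	table, conflicts := Merge(static, discovered)
	for _, c := range conflicts {
		fmt.Printf("ignored %s route for %s: host is pinned by eskip file\n", c.Source, c.Host)
	}

	hosts := []string{"app2.default.svc.cluster.local", "foo.example.org",
		"blocked.example.org", "unknown.example.net"}
	sort.Strings(hosts)
	for _, h := range hosts {
		if backend, ok := Resolve(table, h); ok {
			fmt.Printf("%-34s -> %s (%s)\n", h, backend, table[h].Source)
		} else {
			fmt.Printf("%-34s -> denied\n", h)
		}
	}
}
```

Running it prints one ignored-conflict line for foo.example.org, forwards the two allowed hosts to their backends, and denies both the explicitly blocked host and the host that no route mentions.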

aryszka commented 6 years ago

How about using the standard HTTP proxy setting configured in the environment? Then the clients just need to use the proxy.

szuecs commented 6 years ago

I changed the description to reflect your point. Separated cluster-internal and external communication and two options for external communication.