Author: Rufeng
Introduction to K8s Ingress
The network inside a K8s cluster is isolated from the outside: services running inside the cluster cannot be reached directly from outside it. How, then, are in-cluster services exposed to external users? The K8s community offers three solutions: NodePort, LoadBalancer, and Ingress. The following figure compares the three:
The comparison shows that Ingress is the better fit for business use, since more complex secondary routing can be built on top of it, and it is currently the mainstream choice among users.
Status of K8s Ingress
As the saying goes: the ideal is plump, the reality is skinny. This applies to K8s Ingress as well. K8s hoped that Ingress would standardize how cluster ingress traffic rules are defined, but the functionality a real business needs far exceeds what Ingress provides. To meet those demands, each Ingress Provider has its own tricks. In general, the solutions fall into two categories: extending through annotations, and defining new CRDs. The following diagrams illustrate this:
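To make the two layers concrete, here is an added example manifest (not from the original post) in the annotation-extension style: the standard Ingress resource expresses only host/path routing and TLS termination, while provider-specific behaviour is switched on through annotations. The host, Secret and Service names are placeholders; the two annotations are documented ingress-nginx annotations, and a different provider would use its own.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-ingress            # placeholder name
  namespace: shop               # placeholder namespace
  annotations:
    # Provider-specific extension: ingress-nginx annotations.
    # Redirect plain-HTTP clients to HTTPS so the TLS termination below is not bypassed.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Per-client-IP rate limit (requests per second) as a first line of abuse protection.
    nginx.ingress.kubernetes.io/limit-rps: "20"
spec:
  ingressClassName: nginx
  # Standard Ingress: TLS is terminated at the ingress using a kubernetes.io/tls Secret
  # (created separately; it holds the certificate and private key for the host).
  tls:
  - hosts:
    - shop.example.com          # placeholder host
    secretName: shop-tls        # placeholder Secret name
  rules:
  - host: shop.example.com
    http:
      paths:
      # Standard Ingress: secondary routing by path prefix to different backend Services.
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-svc       # placeholder backend Service
            port:
              number: 8080
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-svc       # placeholder backend Service
            port:
              number: 80
```

Everything under `spec` is portable across Ingress Providers; everything under `annotations` is the provider's own extension and is silently ignored by a provider that does not recognise it, which is exactly the fragmentation the post describes.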
Development Trend of K8s Ingress Provider
Ingress Providers are a field of a hundred flowers in bloom. From the user's point of view this has advantages and disadvantages: the advantage is that users have many options, and the disadvantage is that there are too many choices. How do we choose an Ingress Provider that suits our business? Let's look at the statistics from the authoritative CNCF:
It is immediately apparent that Nginx holds first place among Ingress Providers, which is as expected. Although Nginx Ingress still ranks first, its growth is somewhat weak and even shows a downward trend. Envoy, on the other hand, climbed from third place in 2019 to second place in 2020, and its usage rate rose from less than 20% in 2019 to 37% in 2020, an almost exponential increase.
Looking at the essence behind the phenomenon: why is Envoy growing so fast? The following points sum it up:
1. Envoy was born in the context of distributed microservices. Its configuration hot update, HTTP3, Wasm and other features are very suitable for the current usage scenarios. At the same time, the community governance is also very healthy, and many Internet companies are also deeply involved.
2. Envoy can be used as an Ingress Provider, and it is also the de facto sidecar leader in Service Mesh. Using the same technology to schedule both north-south and east-west traffic is another major reason users choose Envoy.
3. Envoy is production-level and has been verified on a large scale by Lyft.
New Choice for K8s Ingress Provider - Cloud Native Gateway
Under the microservice architecture of the virtualization era, businesses usually adopt a two-tier architecture of traffic gateway + microservice gateway. The traffic gateway is responsible for north-south traffic scheduling and security protection, and the microservice gateway is responsible for east-west traffic scheduling and service governance. In the cloud-native era dominated by K8s, Ingress has become the gateway standard of the K8s ecosystem, giving the gateway a new mission and making it possible to merge the traffic gateway and the microservice gateway into one.
By collapsing the two-tier gateway into a single tier without compromising capability, the cloud native gateway released by MSE not only saves 50% of resource costs but also reduces operation, maintenance and usage costs.
Advantages of Cloud Native Gateways
More powerful performance
A question before we begin: is the performance of Nginx Ingress equivalent to that of Nginx? With this question in mind, let's look directly at the stress test data comparison:
Surprised? To be honest, we were a little surprised after the stress test too. The conclusions of the stress test are as follows:
We also reviewed the implementation of Nginx Ingress and community feedback. Its heavy use of Lua scripts has a significant performance impact, and the K8s Nginx Ingress community has a specific issue on this:
https://github.com/kubernetes/ingress-nginx/issues/5658
The community's stress test screenshot showing the performance impact of Lua on Nginx Ingress is as follows:
More feature-rich
As a combination of traffic gateway and microservice gateway, the cloud native gateway provides rich security authentication and service governance capabilities at the same time. It also performs kernel tuning, with hardware acceleration functions to be released in the future. Alibaba's two years of internal promotion experience have been further extended in high-availability construction. The overall function diagram is as follows:
Stable and more reliable
After years of verification, Alibaba has accumulated a set of high-availability guarantee solutions that control risk and improve stability across R&D, runtime, and changes, and each stage has its own means of verifying its high-availability goals. They are described as follows:
Cloud-native gateway's upcoming blockbuster features
TLS hardware acceleration
At present, HTTPS has become the main way of serving public network requests. Once everything is served over HTTPS, the TLS handshake introduces considerable performance loss compared to HTTP. With the great improvement in CPU performance, the CPU's SIMD mechanism can accelerate TLS very effectively, so we launched a TLS hardware acceleration function based on the Intel Ice Lake processor. Stress test verification shows that QPS improves greatly after TLS acceleration is enabled, as shown in the following figure:
Built-in Waf
As a north-south public network gateway, using a WAF to protect against abnormal traffic is a common requirement, and as the Internet environment becomes more and more complex, users' demand for protection keeps growing. The conventional approach is to send traffic first to a WAF security gateway, which filters it and forwards it to the traffic gateway, from where it finally reaches the microservice gateway. The cloud native gateway instead aims to have its built-in WAF module connect directly to Alibaba Cloud's WAF cloud product, so that a user's request passes only through the cloud native gateway and completes WAF protection, traffic distribution, and microservice governance in one hop, improving link RT and reducing the complexity of gateway operation and maintenance. The diagram is as follows:
Wasm Plugin Marketplace
Wasm is one of the hottest technologies at present, sought after mostly because Wasm programs can be written in many languages and because Wasm provides a good sandbox that controls the program's execution environment. The Istiod and Envoy communities already provide basic support for Wasm plug-ins. The cloud native gateway aims to launch its own plug-in marketplace on top of the community work, improving the gateway's extensibility and making it easier for users to customize gateway plug-ins. We have also compared and tested the performance of the existing Wasm runtimes, and these test data will serve as our development basis, as shown below:
Write at the end
MSE - Cloud Native Gateway aims to provide users with a more reliable, lower-cost and more efficient enterprise-level gateway product that conforms to the K8s Ingress standard. For more release details, visit the live broadcast room to watch:
https://yqh.aliyun.com/live/detail/27794
MSE - Cloud Native Gateway provides two payment modes, post-paid and annual/monthly subscription, and supports 10 regions including Hangzhou, Shanghai, Beijing, Shenzhen, Zhangjiakou, Hong Kong, Singapore, the United States (Virginia), the United States (Silicon Valley), and Germany (Frankfurt). Other regions will be opened gradually. For the cloud native gateway purchase link, please click here.
You can also search the group number 34754806 on DingTalk to join the user group to communicate and answer questions.