ISTIO: enable circuit breaking on egress

2/23/2018

I am unable to get circuit breaking configuration to work on my elb through egress config.

The ELB has a success rate of 25% (75% 500 errors and 25% with status 200). The ELB has 4 instances; only 1 returns a successful response, and the other instances are configured to return a 500 error for testing purposes.

Setup

  • k8s: v1.7.4

  • istio: 0.5.0

  • env: k8s on aws

Egress rule

apiVersion: config.istio.io/v1alpha2
kind: EgressRule
metadata:
  name: elb-egress-rule
spec:
  destination:
    service: xxxx.us-east-1.elb.amazonaws.com
  ports:
    - port: 80
      protocol: http

Destination Policy

kind: DestinationPolicy
metadata:
  name: elb-circuit-breaker
spec:
  destination:
    service: xxxx.us-east-1.elb.amazonaws.com
  loadBalancing:
    name: RANDOM
  circuitBreaker:
    simpleCb:
      maxConnections: 100
      httpMaxPendingRequests: 100
      sleepWindow: 3m
      httpDetectionInterval: 1s
      httpMaxEjectionPercent: 100
      httpConsecutiveErrors: 3
      httpMaxRequestsPerConnection: 10

Route rules: not set

Testing

apiVersion: v1
kind: Service
metadata:
  name: sleep
  labels:
    app: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: sleep
    spec:
      containers:
      - name: sleep
        image: tutum/curl
        command: ["/bin/sleep","infinity"]
        imagePullPolicy: IfNotPresent


export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
kubectl exec -it $SOURCE_POD -c sleep bash

Sending requests in parallel from the pod

#!/bin/sh
set -m # Enable Job Control
for i in `seq 100`; do # start 100 jobs in parallel
  curl xxxx.us-east-1.elb.amazonaws.com &
done

Response: [image]

-- zillani
istio
kubernetes

1 Answer

2/24/2018

Currently, Istio considers an Egress Rule to designate a single host. This single host will not be ejected due to the load balancer's panic threshold of Envoy (the sidecar proxy implementation of Istio). The default panic threshold of Envoy is 50%. This means that at least two hosts are required for one host to be ejected, so the single host of an Egress Rule will not be ejected.

This practically means that httpConsecutiveErrors does not affect the external services. This lack of functionality should be partially resolved with External Services of Istio that will replace the Egress Rules.

See documentation of the Istio External Services backed by multiple endpoints - https://github.com/istio/api/blob/master/routing/v1alpha2/external_service.proto#L113

-- Vadim Eisenberg
Source: StackOverflow
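
The panic-threshold behaviour described in the answer can be reproduced with a small model. This is an added example, not code from the original posts, Istio or Envoy; it is a simplification in which the function names, the sample hosts and their error rates are assumptions, and an ejected host stays ejected for the whole run.

```python
# Added example: simplified model of outlier ejection plus the panic threshold.
# Not Envoy or Istio code; all function names are hypothetical.
import random

PANIC_THRESHOLD = 50    # percent; Envoy default quoted in the answer
CONSECUTIVE_ERRORS = 3  # httpConsecutiveErrors in the DestinationPolicy above


def routable_hosts(hosts, ejected, panic_threshold=PANIC_THRESHOLD):
    """Return (hosts the balancer picks from, panic flag)."""
    healthy = [h for h in hosts if h not in ejected]
    if 100 * len(healthy) / len(hosts) < panic_threshold:
        return list(hosts), True  # panic: ejection state is ignored
    return healthy, False


def simulate(error_rates, requests=2000, seed=1):
    """error_rates maps host -> probability of a 5xx (constructed input).

    Returns (error ratio over the second half of the run, final panic flag).
    """
    rng = random.Random(seed)
    hosts = list(error_rates)
    streak = dict.fromkeys(hosts, 0)
    ejected, errors, panic = set(), 0, False
    for i in range(requests):
        pool, panic = routable_hosts(hosts, ejected)
        host = rng.choice(pool)  # loadBalancing: RANDOM
        failed = rng.random() < error_rates[host]
        streak[host] = streak[host] + 1 if failed else 0
        if streak[host] >= CONSECUTIVE_ERRORS:
            ejected.add(host)  # sleepWindow outlasts the run: no un-ejection
        if i >= requests // 2:
            errors += failed
    return errors / (requests - requests // 2), panic


if __name__ == "__main__":
    # One host: the ELB name as the egress rule sees it, 75% errors.
    print("single host:", simulate({"elb": 0.75}))
    # Two endpoints, one always failing: ejection leaves 50% healthy.
    print("two hosts:  ", simulate({"good": 0.0, "bad": 1.0}))
```

In this model a four-endpoint cluster with three always-failing endpoints also ends in panic mode, because ejecting all three leaves 25% of hosts healthy.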