Skip to content

Commit

Permalink
docs: Add new blog (#4500)
Browse files Browse the repository at this point in the history
Signed-off-by: Carson Yang <yangchuansheng33@gmail.com>
  • Loading branch information
yangchuansheng authored Jan 22, 2024
1 parent 09434a6 commit e7b1c54
Show file tree
Hide file tree
Showing 29 changed files with 265 additions and 12 deletions.
10 changes: 5 additions & 5 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -46,17 +46,17 @@ Sealos['siːləs] is a cloud operating system distribution based on the Kubernet
* [Running the Uptime Kuma dial test system on Sealos](https://docs.sealos.io/docs/examples/dial-testing-system/install-uptime-kuma)
* [Running a low-code platform on Sealos](https://docs.sealos.io/docs/category/low-code-platform)

![image](https://github.com/labring/sealos/assets/8912557/0499c8b5-32e1-4da3-887d-cbf57ddf46e6)
![](/docs/4.0/img/sealos-desktop.webp)

🔍 Some Screen Shots of Sealos:

<div align="center">

| Terminal | App Launchpad |
| Templates | App Launchpad |
| :---: | :---: |
| ![](/docs/4.0/img/terminal.webp) | ![](/docs/4.0/img/app-launchpad-1.webp) |
| ![](/docs/4.0/img/templates.jpg) | ![](/docs/4.0/img/app-launchpad-1.jpg) |
| Database | Serverless |
| ![](/docs/4.0/img/database.webp) | ![](/docs/4.0/img/laf.webp) |
| ![](/docs/4.0/img/database.jpg) | ![](/docs/4.0/img/laf.jpg) |

</div>

Expand All @@ -67,7 +67,7 @@ Sealos['siːləs] is a cloud operating system distribution based on the Kubernet

## 💡 Core features

- 🚀 **Application Management**: Easy management and quick release of publicly accessible distributed applications in the app store.
- 🚀 **Application Management**: Easy management and quick release of publicly accessible distributed applications in the templates marketplace.
- 🗄️ **Database Management**: Create high-availability databases in seconds, offering support for MySQL, PostgreSQL, MongoDB, and Redis.
- 🌥️ **Cloud Universality**: Equally effective in both public and private cloud, enabling a seamless transition of traditional applications to the cloud.

Expand Down
10 changes: 5 additions & 5 deletions README_zh.md
Original file line number Diff line number Diff line change
Expand Up @@ -48,23 +48,23 @@ Sealos 是一款以 Kubernetes 为内核的**云操作系统发行版**。它以
* [在 Sealos 上 运行低代码平台](https://sealos.run/docs/category/low-code-platform)
* [在 Sealos 上 运行搭建聊天应用](https://sealos.run/docs/examples/social-communication/install-tailchat)

![](/docs/4.0/img/app-launchpad-zh.png)
![](/docs/4.0/img/sealos-desktop-zh.webp)

🔍 您可以通过以下的屏幕截图进一步了解 Sealos,关于 Sealos 更为详细的介绍与说明,请参阅 [什么是 Sealos](https://sealos.run/docs/Intro)

<div align="center">

| 终端 | 应用管理 |
| 模板市场 | 应用管理 |
| :---: | :---: |
| ![](/docs/4.0/img/terminal-zh.webp) | ![](/docs/4.0/img/app-launchpad-1-zh.webp) |
| ![](/docs/4.0/img/templates-zh.jpg) | ![](/docs/4.0/img/app-launchpad-1-zh.jpg) |
| 数据库管理 | 函数计算 |
| ![](/docs/4.0/img/database-zh.webp) | ![](/docs/4.0/img/laf-zh.webp) |
| ![](/docs/4.0/img/database-zh.jpg) | ![](/docs/4.0/img/laf-zh.jpg) |

</div>

## 💡 核心功能

- 🚀 **应用管理**在应用商店中轻松管理并快速发布可公网访问的分布式应用
- 🚀 **应用管理**在模板市场中轻松管理并快速发布可公网访问的分布式应用
- 🗄️ **数据库管理**:秒级创建高可用数据库,支持 MySQL、PostgreSQL、MongoDB 和 Redis。
- 🌥️ **公私一致**:即是公有云也是私有云,支持传统应用无缝迁移到云环境。

Expand Down
Binary file added docs/4.0/img/app-launchpad-1-zh.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file removed docs/4.0/img/app-launchpad-1-zh.webp
Binary file not shown.
Binary file added docs/4.0/img/app-launchpad-1.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file removed docs/4.0/img/app-launchpad-1.webp
Binary file not shown.
Binary file added docs/4.0/img/database-zh.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file removed docs/4.0/img/database-zh.webp
Binary file not shown.
Binary file added docs/4.0/img/database.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file removed docs/4.0/img/database.webp
Binary file not shown.
Binary file added docs/4.0/img/laf-zh.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file removed docs/4.0/img/laf-zh.webp
Binary file not shown.
Binary file added docs/4.0/img/laf.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file removed docs/4.0/img/laf.webp
Binary file not shown.
Binary file modified docs/4.0/img/sealos-desktop-zh.webp
Binary file not shown.
Binary file modified docs/4.0/img/sealos-desktop.webp
Binary file not shown.
Binary file added docs/4.0/img/templates-zh.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/4.0/img/templates.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Original file line number Diff line number Diff line change
@@ -0,0 +1,127 @@
---
slug: how-sealos-cloud-mastered-multi-tenancy-with-the-right-gateway-choice
title: How Sealos Cloud Mastered Multi-Tenancy with the Right Gateway Choice
description: Explore how Sealos Cloud optimizes its gateway selection amidst handling hundreds of thousands of Ingress rules and strict multi-tenancy requirements. From the limitations of Nginx Ingress to the eventual choice of Higress, this article delves deep into the performance, stability, and security of various gateway options, offering valuable insights for gateway selection in multi-tenant scenarios in public network environments.
authors: [fanux]
tags: [Kubernetes, Sealos, Gateway]
keywords: [Cloud Operating System, Sealos, K8s, Cloud Native, Gateway, Envoy, Ingress]
image: images/feature.jpg
date: 2024-01-20T10:00
---

[Sealos](https://sealos.io) Cloud has stretched the capabilities of nearly all the leading open-source gateways to their limits. This article aims to serve as a practical guide, helping to navigate common challenges and offering advice for choosing the right gateway.

<!--truncate-->

## Complex Challenges in Sealos Cloud

Ever since the launch of [Sealos Cloud](https://cloud.sealos.io), the platform has seen a meteoric rise in user numbers, currently standing at **87,000 registered users**. Each of these users creates applications, and each application demands its individual access point, leading to an extraordinarily large number of routing entries across the entire cluster. **This necessitates support for ingress capabilities on the scale of hundreds of thousands.**

Furthermore, offering shared cluster services on the public internet places stringent demands on multi-tenancy. It's crucial that user routes are completely isolated from one another to ensure optimal route integrity, demanding high-quality isolation and sophisticated traffic control measures.

The exposure to potential cyber threats is extensive in public clouds. Hackers not only target applications running on the cloud but also aim at the platform's outbound network infrastructure, thereby intensifying the security challenges.

The demands on controller performance and stability are substantial. Many controllers, when faced with an increasing number of routing entries, consume extensive resources, which can sometimes lead to Out of Memory (OOM) issues, ultimately causing gateway failures.

## Nginx Ingress

Our initial choice was Nginx Ingress, but we eventually faced several critical issues that proved to be deal-breakers:

* **Reload dilemma**: Every ingress modification results in brief disconnections. In a cluster bustling with users, the high frequency of ingress adjustments leads to consistent network instability.
* **Unreliable long connections**: Due to the dynamic nature of adjustments, long-term connections are prone to frequent disruptions.
* **Suboptimal performance:** The gateway's responsiveness is sluggish, and it's relatively resource-hungry.

These significant concerns have led us to move away from gateways rooted in Nginx architecture. Our empirical testing revealed that Envoy-based gateways significantly outperform others, showing minimal performance overhead in both the control and data planes.

Here's a glimpse of Envoy's performance:

![](images/envoy-resource.png)

In contrast, here's what we observed with Nginx's performance:

![](images/nginx-resource.png)

The disparity is pronounced, leading us to decisively set aside options based on Nginx and fully embrace the robust capabilities of Envoy.

## APISIX

[APISIX](https://github.com/apache/apisix) is a commendable project, particularly in addressing Nginx reload issues. At [Laf](https://github.com/labring/laf), we initially embraced APISIX. However, we encountered instability with its Ingress Controller, leading to frequent major disruptions and controller OOM issues. Despite our preference for APISIX, these persistent issues necessitated a switch to an alternative gateway. The APISIX community is actively working on these challenges, and we look forward to its continued improvement.

In summary, while APISIX demonstrates excellent stability, its controller still requires significant optimization and stability enhancements. The community provides robust support, but **due to our immediate operational challenges, we had to transition to a different gateway solution.**

## Cilium Gateway

Having switched our [CNI](https://sealos.io/docs/self-hosting/lifecycle-management/quick-start/deploy-kubernetes#install-kubernetes-cluster) to Cilium early on, we recognized its potential and contemplated using the Cilium Gateway. However, reality presented its challenges.

[Cilium Gateway](https://cilium.io/use-cases/gateway-api/) exclusively supports LB mode, creating a dependency on cloud provider LBs. Given our need for private deployment scenarios, this dependence was undesirable. In terms of stability, the Ingress activation delay in scenarios with numerous routes was significantly prolonged, taking minutes instead of the preferable 5 seconds. **Therefore, we concluded that it's necessary to wait for further development in this aspect.**

## Envoy Gateway

In the realm of Kubernetes (K8s) standards, there is a noticeable shift from the traditional Ingress to the Gateway standard. Our foundational preference for Envoy leads us to consider the implementation of the [Envoy Gateway](https://github.com/envoyproxy/gateway) as a promising option. Our exploration of the Envoy Gateway revealed that it is still in a preliminary phase, plagued by several instability issues like memory overflows, path policies not being effective, and certain functionalities not working in the merge gateway mode. We are actively engaged in resolving these issues and are contributing to the upstream community with constructive feedback and improvements. Our aim is to nurture the Envoy Gateway to a level where it becomes fully viable for production environments.

## The High-Prestige but Less Practical Gateway Standard

The Gateway standard finds itself in a tricky situation. It appears the designers may not have thoroughly explored multi-tenant environments in practice. When a cluster is shared among multiple tenants, it is crucial to clearly define and separate the rights and responsibilities of administrators and users. Gateway's initial design overlooked this aspect. For instance:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: eg
spec:
gatewayClassName: eg
listeners:
- name: http
port: 80
protocol: HTTP
# hostname: "*.example.com"
- name: https
port: 443
protocol: HTTPS
# hostname: "*.example.com"
tls:
mode: Terminate
certificateRefs:
- kind: Secret
name: example-com
```
Settings like listening ports should ideally be managed by cluster administrators rather than ordinary users. On the other hand, configuring TLS certificates should be more user-centric, although administrators might still need some control. However, in this setup, the delineation of permissions is unclear. Consequently, users are also given the ability to configure the Gateway, leading to the necessity for intricate permission control in the controller, such as managing port whitelists and detecting conflicts.
A more sophisticated design approach might involve relocating tenant-level fields to HTTPRoute or establishing a separate CRD, thereby clarifying the distinction between regular users and super administrators. The current approach is functional, but it tends to be somewhat muddled and less efficient.
## Higress: The Clear Winner
Beyond the key projects we focused on, numerous others were evaluated but are not listed here. Ultimately, Sealos chose [Higress](https://github.com/alibaba/higress) for its gateway needs.
Our criteria for gateway selection were straightforward: we sought a solution that was not only functionally adequate but also highly stable. Higress emerged as our choice, essentially by process of elimination.
**Stability was our primary concern. Among the contenders, Higress was the only one meeting our production standards**, although some challenges arose. Thankfully, the proactive Higress community swiftly resolved these issues. Notable challenges included:
1. **Ingress Activation Speed** – Initially, it took over two minutes for new routes to activate when dealing with many entries. This was optimized by the community to about 3 seconds, a remarkable improvement that eliminated the need for further optimization, as it now outpaces the container Ready time. Higress's use of an incremental configuration loading approach ensures exceptional performance, even with a high volume of routing entries.
2. **Controller OOM** – Previously, the controller faced memory issues due to high resource consumption without dynamic loading. These issues have been effectively addressed.
3. **Timeout Issues** – In one of our primary clusters, we encountered sporadic request timeouts related to the onDemandRDS configuration. We've temporarily disabled this feature and are investigating further. This problem was not present in our other clusters.
From a security standpoint, many issues we faced were linked to performance bottlenecks, such as traffic surges overwhelming the gateway. This underscores the vital importance of gateway performance. In our tests, Envoy demonstrated remarkable robustness, and the design of the controller proved to be a critical factor in operational success. Higress has shown exceptional performance in this regard:
![](images/higress-controller.png)
![](images/higress-gateway.png)
Given our extensive routing and high-volume traffic, Higress stands out for its remarkably low resource demand.
Higress also boasts compatibility with Nginx Ingress syntax, mainly in annotations. Our prior reliance on Ingress meant there was almost no need for code migration, allowing for a swift upgrade process within minutes.
To further encourage community development, we also have recommendations for Higress:
* Enhanced support for the Gateway standard is needed. Although it already supports the v1 version, it lacks full compatibility with the features available on Ingress.
* We suggest the introduction of more sophisticated functionalities, especially in areas like security and circuit breaking. We are open to paying for these features, but as our platform evolves, stronger functionalities become necessary.
* We advise developing additional peripheral features through a plugin mechanism, aiming to make the core features more cohesive, simpler, and more reliable.
## Summary
Gateways are a fundamental component for cloud services and applications. As our scale grows, we face an array of new challenges. Our aim is to build strong collaborations with the broader community, enhancing the development of open-source gateways and benefiting a larger pool of developers.
The gateways mentioned are all of high quality. Sealos not utilizing them is not a commentary on their effectiveness but a reflection of our unique and stringent scenarios. Gateways that support multi-tenancy in public internet environments are few. Therefore, it's crucial for decision-makers to consider their specific scenarios. Our choices should serve as a guideline, and Sealos is dedicated to maintaining an open approach in monitoring the evolution of various gateways.
We are immensely grateful to the Higress open-source community for their substantial support and to the Alibaba Cloud Native Team for contributing such a valuable project to the community.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading

0 comments on commit e7b1c54

Please sign in to comment.