It is a control plane for all proxies, in Greek it means
"Sail" which uses Envoy as sidecar proxy.
formal defination of
istio is - it allows to connect, secure, control & observe microservices.
Istio is a dedicated infrastrucute layer for handling service to service communication, which is responsible for reliable delivery of request thru complex toplogy of services that comprise a morden cloud native application.
It is a configurable, open source service-mesh layer that
connects, monitors, and secures the containers in a kubernetes cluster.
At this writing, Istio works natively with kubernetes only,
but its open source nature makes it possible for anyone to write extensions
enabling istio to run on any cluster software. Today, we'll focus on using
Istio with generic kubernetes-cluster, its most popular use case.
Before we start we should know the core features of ISTIO
Traffic management : Istio’s traffic routing rules let you easily control the flow of traffic and API calls between services
Connect: In context of k8s a
service provide a simple OSI layer 4 DNS based load balancing for the pods
belonging to the service. Service mesh addresses OSI layer 7 load balancing
needs.
Secure: It ensures the
communication between two services is safely and securely using encryption and
mutual TLS, also inculdes auditing capabilitly of who do what and at what time
in result provides authorization and secure communication channel b/w services.
Observeability: with its custom
dashboard provides visibility of performance of all of its services &
provides visibility in your microservice operations.
Reliablity: It ensures
provisions for health checks, timeouts, deadlines, socketbreakers &
retrace.
Integration &
customization: works with any services registered at GCP, AWS, k8s, or
custom console or on-prem.
Lets start setting Istio on a kubernetes-cluster
NOTE: The minimum supported Kubernetes version is 1.16 to work with Istio 1.7.3
# Download Istio$ curl -L https://istio.io/downloadIstio | sh -# if fails use monolithic approach$ wget https://github.com/istio/istio/releases/download/1.7.3/istioctl-1.7.3-linux-amd64.tar.gz \--no-check-certificate$ sudo cp -rp istioctl /usr/bin# on successful completion you will seeIstio 1.7.3 Download Complete! Istio has been successfully downloaded into the istio-1.7.3 folder on your system. To configure the istioctl client tool for your workstation, add the /software/istio-1.7.3/bin directory to your environment path variable with: $ export PATH="$PATH:/software/istio-1.7.3/bin" # Begin the Istio pre-installation check by running $ istioctl x precheck You will get details aboutkubernetes( api, version, setup)Istio(namespace, sideCar-Injector etc)# Installing Istio$ istioctl install --set profile=demo $ kubectl label namespace default istio-injection=enabled $ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml// this will deploy a sample app, and start it# You might end up getting one of the usual error, while initiallizing istiod pod Warning FailedScheduling 39s (x11 over 13m) default-scheduler 0/2 nodes are available:1 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate,1 node(s) had taint {node.kubernetes.io/disk-pressure: }, that the pod didn't tolerate.# Deploying ISTIO operator$ istioctl operator init --watchedNamespaces=istio-namespace1,istio-namespace2
Istio Architecture
Pilot - (service discovery) Responsible for configuring the Envoy and Mixer at runtime.
Citadel / Istio CA - ( certificate generation) Secures service to service communication over TLS. Providing a key management system to automate key and certificate generation, distribution, rotation, and revocation.
Galley - is responsible for interpreting the YAML files in kubernetes and transforming them into a format that Istio understands. Galley makes it possible for Istio to work with other environments than Kubernetes since it translates different configuration data into the common format that Istio understands.
Data Plane
Proxy / Envoy - Sidecar
proxies per microservice to handle ingress/egress traffic between services in
the cluster and from a service to external services. The Proxy manages connections to services, handling health checking, retry, failover, and flow control. The Proxy can report client-side metrics and logs (
Mixer - Create a portability layer on top of infrastructure backends. Enforce policies such as ACLs, rate limits, quotas, authentication, request tracing and telemetry collection at an infrastructure level.
Ingress/Egress - Configure
path based routing for inbound and outbound external traffic.
keep meshing around!