02 May 2021

Understanding ISTIO as a service mesh

As your service mesh grows, it becomes more complicated to understand, manage, monitor and load balance the traffic flowing through it. Istio is the component that takes care of those mesh concerns for you.

Istio (Greek for "sail") is a control plane for all the proxies in the mesh; it uses Envoy as the sidecar proxy.

The formal definition of Istio: it lets you connect, secure, control and observe microservices.

Istio is a dedicated infrastructure layer for handling service-to-service communication. It is responsible for the reliable delivery of requests through the complex topology of services that make up a modern cloud-native application.

It is a configurable, open source service-mesh layer that connects, monitors, and secures the containers in a Kubernetes cluster.

At the time of writing, Istio works natively only with Kubernetes, but its open source nature makes it possible for anyone to write extensions enabling Istio to run on other cluster software. Today we'll focus on using Istio with a generic Kubernetes cluster, its most popular use case.

Before we start, we should know the core features of Istio:

Traffic management: Istio's traffic routing rules let you easily control the flow of traffic and API calls between services.

Connect: In the context of Kubernetes, a Service provides simple OSI layer 4, DNS-based load balancing for the pods belonging to it. A service mesh addresses OSI layer 7 load-balancing needs.

Secure: It ensures that communication between two services is encrypted and mutually authenticated using mutual TLS. It also includes auditing of who did what and when, which gives you authorization and a secure communication channel between services.
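To make the mutual TLS and authorization points concrete, here is an added example (not from the original post) of the two Istio security resources involved. It assumes the demo install and the bookinfo sample described later on this page, with Istio's root namespace being istio-system and bookinfo running in default under its per-service ServiceAccounts such as bookinfo-productpage.

```yaml
# Added example, not part of the original post. Assumes Istio's root namespace
# is istio-system and the bookinfo sample runs in "default" with its
# per-service ServiceAccounts (bookinfo-productpage, bookinfo-reviews, ...).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system      # placed in the root namespace => mesh-wide
spec:
  mtls:
    mode: STRICT               # sidecars reject plaintext; PERMISSIVE would still accept it
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-allow-productpage
  namespace: default
spec:
  selector:
    matchLabels:
      app: reviews             # applies to the reviews sidecars only
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE identity taken from the client certificate issued by the Istio CA;
        # it is only trustworthy because STRICT mTLS guarantees the peer is authenticated
        principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
    to:
    - operation:
        methods: ["GET"]
```

Once any ALLOW policy selects a workload, requests that match none of its rules are denied, so calls to reviews from any other identity, or from a pod without a sidecar, now fail.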

Observability: Its custom dashboard gives you visibility into the performance of all of your services and into your microservice operations.

Reliability: It provides health checks, timeouts, deadlines, circuit breakers and retries.
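An added example (not from the original post) that exercises the traffic-management and reliability features together on the bookinfo reviews service deployed later on this page: a DestinationRule defines the v1/v2 subsets, a connection pool and outlier detection (Istio's circuit breaker), and a VirtualService splits traffic 90/10 with a request deadline and retries. It assumes bookinfo is in the default namespace with its version labels.

```yaml
# Added example, not part of the original post. Assumes the bookinfo sample
# is in "default" and its reviews pods carry version: v1 / version: v2 labels.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: default
spec:
  host: reviews
  trafficPolicy:
    connectionPool:
      http:
        http1MaxPendingRequests: 10   # queue depth before requests are rejected
        maxRequestsPerConnection: 10
    outlierDetection:                 # circuit breaker (passive health check)
      consecutive5xxErrors: 3         # eject a pod after 3 consecutive 5xx responses
      interval: 10s
      baseEjectionTime: 30s
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
  namespace: default
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v2
      weight: 10
    timeout: 2s                       # overall deadline for the request
    retries:
      attempts: 3
      perTryTimeout: 500ms            # 3 x 500ms fits inside the 2s deadline
      retryOn: 5xx,connect-failure
```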

Integration & customization: It works with any services registered with GCP, AWS, Kubernetes, a custom console, or on-prem.

Let's start setting up Istio on a Kubernetes cluster.

NOTE: The minimum supported Kubernetes version for Istio 1.7.3 is 1.16.


# Download Istio
$ curl -L https://istio.io/downloadIstio | sh -

# If that fails, download the istioctl release archive directly and unpack it
$ wget https://github.com/istio/istio/releases/download/1.7.3/istioctl-1.7.3-linux-amd64.tar.gz \
  --no-check-certificate   # skips TLS verification of the download; omit it unless your proxy breaks the chain
$ tar -xzf istioctl-1.7.3-linux-amd64.tar.gz   # the archive contains the istioctl binary
$ sudo cp -rp istioctl /usr/bin

# On successful completion you will see:
Istio 1.7.3 Download Complete!
Istio has been successfully downloaded into the istio-1.7.3 folder on your system.
To configure the istioctl client tool for your workstation, add the /software/istio-1.7.3/bin directory to your environment path variable with:
$ export PATH="$PATH:/software/istio-1.7.3/bin"

# Begin the Istio pre-installation check by running
$ istioctl x precheck
# You will get details about:
#   kubernetes (api, version, setup)
#   Istio (namespace, sidecar-injector etc.)

# Installing Istio (run from inside the istio-1.7.3 folder so the samples/ path resolves)
$ istioctl install --set profile=demo
$ kubectl label namespace default istio-injection=enabled
$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
# this will deploy the sample bookinfo app and start it

# You might get one of the usual errors while the istiod pod is initializing:
Warning  FailedScheduling  39s (x11 over 13m)  default-scheduler  0/2 nodes are available:
  1 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate,
  1 node(s) had taint {node.kubernetes.io/disk-pressure: }, that the pod didn't tolerate.
# i.e. no node was schedulable for istiod: the control-plane taint must be removed or
# tolerated, and the disk-pressure condition cleared, before the pod can be placed

# Deploying ISTIO operator
$ istioctl operator init --watchedNamespaces=istio-namespace1,istio-namespace2
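The operator only installs Istio once it finds an IstioOperator resource in one of the namespaces it watches. Here is an added example (not from the original post) of such a resource for the istio-namespace1 namespace named above; the access-log, egress-gateway and REGISTRY_ONLY settings are my additions on top of the demo profile, not something the page prescribes.

```yaml
# Added example, not part of the original post. Apply with kubectl apply -f
# into istio-namespace1, one of the namespaces the operator above watches.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-namespace1
  name: demo-mesh
spec:
  profile: demo                     # same profile as the istioctl install above
  meshConfig:
    accessLogFile: /dev/stdout      # Envoy access logs, for the observability feature
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY           # sidecars may only reach services known to the mesh
                                    # (the default ALLOW_ANY lets pods call any external host)
  components:
    egressGateways:
    - name: istio-egressgateway
      enabled: true                 # route external traffic through a single choke point
```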
 

Istio Architecture


Control Plane

Underlying orchestrator such as Kubernetes or HashiCorp Nomad.

Pilot (service discovery) - responsible for configuring Envoy and Mixer at runtime.

Citadel / Istio CA (certificate generation) - secures service-to-service communication over TLS, providing a key management system to automate key and certificate generation, distribution, rotation, and revocation.

Galley - responsible for interpreting the YAML files in Kubernetes and transforming them into a format that Istio understands. Galley makes it possible for Istio to work with environments other than Kubernetes, since it translates different configuration data into the common format that Istio understands.

Data Plane

Proxy / Envoy - sidecar proxies per microservice that handle ingress/egress traffic between services in the cluster and from a service to external services. The proxy manages connections to services, handling health checking, retry, failover, and flow control. The proxy can also report client-side metrics and logs (monitoring & logging).

Mixer - creates a portability layer on top of infrastructure backends. It enforces policies such as ACLs, rate limits, quotas, authentication, request tracing and telemetry collection at an infrastructure level.

Ingress/Egress - configures path-based routing for inbound and outbound external traffic.

keep meshing around!