Istio for Kubernetes; as more and more real-world IT projects embrace cluster-based microservice architecture, the Kubernetes framework alone was not adequate to manage containerized workloads and services. As a result, the service mesh architecture embarked.
What is Service Mesh?
A service mesh is an extra layer of networked software that you deploy alongside your cluster or your orchestration framework (eg.: Kubernetes).
Even though Kubernetes is a pro among container orchestration systems to handle and manage the containers or the connectivity between pods, it lacks transparency to provide us visibility to interconnections (networking) between microservices (pods). Therefore, in a cluster with complex arrays of microservices, Kubernetes alone would be unsuccessful to maintain the resilience of the cluster.
It is the service discovery mechanism in Kubernetes that provides network connectivity and load balancing among pods working uniformly across clusters. As a service mesh is introduced to the microservice architecture, all network traffic running through the clusters will now be routed through the service mesh. This adds telemetry (metrics about overall network requests), tracing capability of network calls, traffic management, retry policies, and control over network calls through the ‘mesh logics’ on the service mesh.
For better clarification of concepts, I have illustrated an abstract model to understand the interconnection of a service mesh with a cluster.
What is Istio?
In simple terms, Istio is a service mesh and it is the oldest, but most stable service mesh tool still in the market. Istio implements the above service mesh concept, but slightly differently, injecting ‘proxies’ to each pod. These proxies carry the mesh logic. Proxies are collectively referred to as the ‘Data Plane’ and every other pod deployed into the cluster by Istio that isn’t proxies are referred to as ‘Control Plane’ in Istio documentation.
An abstract illustration of Istio’s implementation alongside a microservice architecture (e.g.: Kubernetes deployment) is given below for your easy understanding.
As similar to a general service mesh architecture, the data plane handles the network traffic between the microservices or pods. In Istio terms, a proxy is referred to as an Envoy, since the Istio proxies have been developed by an open-source project called Envoy. The Mixer in Istio terms is similar to the mesh logic. The Mixer component enforces access control and usage policies across the cluster and collects telemetry data and statistics from the Envoy and other services (e.g.: Kubernetes Services). The control plane configures the data plane providing the user with a programmatic layer.
GSA SIN 54151HACS Principal Security Architect$153.15 / Per Hour
GSA SIN 518210C Cloud Senior DevSecOps Consultant$143.62 / Per Hour
GSA SIN 518210C Cloud Senior Microservices Consultant$129.41 / Per Hour
Istio features benefiting Kubernetes
Istio is a value-added layer for a Kubernetes deployment. There are four core features of Istio that leverage Kubernetes’ service discovery capability and it’s clarity.
1. Traffic Management
Traffic routing rules of Istio simplify the configuration of service mesh properties such as service discovery, load balancing, metrics monitoring, and failure recovery. At a stretch, those functional properties of the Istio scale to operational properties such as A/B testing, canary release, rate limiting, access control, and end-to-end encryption.
Envoy proxy is the Istio component that manages network traffic over the Kubernetes pods. The Istio Envoy is built-in with the features: load balancing, TLS termination, dynamic service discovery, HTTP/2, HTTP/1.x, TCP, and gPRC proxies, health checks, fault injection, rich metrics, circuit breakers, and staged rollouts with percentage-based traffic split, giving Istio the power to implement aforementioned traffic routing rules seamlessly.
Also, the sidecar architecture used for envoy injection into Kubernetes pods allows you to add Istio capabilities to Kubernetes deployment without needing to re-architect or rewrite code.
Networks and infrastructure can always be infiltrated by malicious and misconfigured code either knowingly or unknowingly. Istio carries security capabilities to manage authentication, authorization, and encryption making sure the network isn’t exploited. Therefore, Istio encrypts all the communication paths between the services using TLS and authenticates using mutual TLS. Istio authorization provides service-to-service level role-based access control, to prevent unauthorized access and communication.
Additionally, Istio establishes a secure naming and service identity using X.509 certificates. Istio network policies are enforced at the pod level, thereby enabling to enforce security policies at the protocol level.
Use of monitoring tools like Prometheus is a best practice in Kubernetes deployments to gather metrics about overall health of the cluster. However, a Kubernetes deployment along an Istio service mesh can provide metrics about overall network requests.
The Istio custom dashboards provide visibility into the performance of all your services and let you see how the service performance is affecting your other processes. Access logs of Istio have the capability to generate start-to-end records of each request. Thereby, providing insights to troubleshoot, maintain and optimize applications, auditing down to the individual workload instance level.
4. Platform Support
Istio is designed to run on a range of environments including services running on individual virtual machines, services registered with Consul, and service deployments on Kubernetes. But, most importantly, Istio is platform-independent.
Why Istio for Kubernetes, over Consul Connect and Linkered?
However, Istio is not the only service mesh option for Kubernetes. Linkered and Consul Connect are two other popular, leading, open-source service mesh architectures that support Kubernetes.
However, few strong features top up the Istio-Kubernetes combination.
- Istio has circuit breaking and rate-limiting features for traffic management whereas Linkered does not.
- Istio traffic management features can enforce delays or failures to some of the requests for improving the resilience of the system and for hardening the operations. Whereas, both Linkered and Consul Connect could not.
- Multi-cluster support is a feature that is limited only to Istio and Consul Connect.
- Distributed tracing has not been widely adopted into Linkered as a feature. Whereas, Istio and Consul Connect have.
- Istio has the maximum flexibility of configuration over Linkered and Consul Connect.
Final Thoughts on Istio for Kubernetes
Service meshes including Istio for Kubernetes, offer infrastructure standardization to manage application-level challenges such as traffic management, security, and observability. Anyway, Istio has the most features and flexibility over all the service meshes discussed in this article. But, On the other hand, flexibility means complexity. Therefore, your implementation team needs to be ready and should have enough knowledge on optimization of Istio-Kubernetes deployment to suit your service deployment environment for reaping the maximum benefits out of it.