Background
This document captures my notes on understanding what exactly Istio does and why I should want it in my k8s application architecture.
Walkthrough
What is a service mesh?
- Helps load balance traffic, and enables service-to-service authentication and monitoring.
# | Notes | Link
---|---|---
1 | Istio service mesh | https://istio.io/latest/about/service-mesh/
2 | Istio observability | https://istio.io/latest/docs/tasks/observability/
3 | Istio security | https://istio.io/latest/docs/tasks/security/
4 | Istio policy enforcement | https://istio.io/latest/docs/tasks/policy-enforcement/
5 | Istio traffic management | https://istio.io/latest/docs/tasks/traffic-management/
Istio case studies and docs
# | Company | Case study
---|---|---
1 | Airbnb | Security for enterprise applications (slides: https://events.istio.io/istiocon-2021/slides/f1s-AirbnbIstioJourney.pdf)
Download Istio
```sh
# to control the version and target arch:
# curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.14.1 TARGET_ARCH=x86_64 sh -
curl -L https://istio.io/downloadIstio | sh -
# a folder named after the downloaded release version is created
cd istio-1.14.1
# move the istioctl client binary to a folder in PATH
mv bin/istioctl /usr/local/bin/
# application samples are found in the samples folder
ls -m samples
```
Setup Istio on k8s cluster and deploy a sample app
```sh
# configuration profiles can be found here: https://istio.io/latest/docs/setup/additional-setup/config-profiles/
istioctl install --set profile=demo -y
# add namespace label to allow Istio to inject Envoy sidecar proxies when apps are deployed:
kubectl label namespace default istio-injection=enabled
```
```sh
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
kubectl get services
kubectl get pods
# verify that the app is running
kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"
# open the app to traffic from outside the k8s cluster
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
# ensure no issues with config
istioctl analyze
```
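A check I find useful after the steps above: the namespace label only causes sidecar injection for pods created after it is set, so any workload that was already running (or sits in an unlabelled namespace) is outside the mesh and gets none of Istio's mTLS, authorization or telemetry. The script below is an added example, not code from these notes or from the Istio project; it audits a snapshot in the shape of `kubectl get pods -o json` and assumes the injected container is named `istio-proxy` (Istio's default).

```python
"""Audit a kubectl JSON snapshot for pods missing the Istio sidecar.

Added example, not from the notes or the Istio project. Assumes the
sidecar container is named "istio-proxy" (Istio's default) and that the
input has the shape of `kubectl get pods -n <ns> -o json`.
"""
import json

SIDECAR = "istio-proxy"  # default name of the injected Envoy container

# Constructed sample in the shape of `kubectl get pods -o json`: one
# bookinfo pod with the sidecar, and one pod deployed before the namespace
# was labelled istio-injection=enabled, so it has no sidecar.
SAMPLE_PODS = json.dumps({
    "items": [
        {"metadata": {"name": "productpage-v1-abc", "namespace": "default",
                      "labels": {"app": "productpage"}},
         "spec": {"containers": [{"name": "productpage"}, {"name": SIDECAR}]}},
        {"metadata": {"name": "legacy-api-xyz", "namespace": "default",
                      "labels": {"app": "legacy-api"}},
         "spec": {"containers": [{"name": "legacy-api"}]}},
    ]
})

# Constructed sample in the shape of `kubectl get namespace default -o json`.
SAMPLE_NS = json.dumps({"metadata": {"name": "default",
                                     "labels": {"istio-injection": "enabled"}}})


def pods_without_sidecar(pod_list_json):
    """Return names of pods that have no istio-proxy container.

    Such pods are outside the mesh: traffic to and from them is not
    covered by Istio's mTLS, authorization policies or telemetry.
    """
    missing = []
    for pod in json.loads(pod_list_json)["items"]:
        names = {c["name"] for c in pod["spec"].get("containers", [])}
        if SIDECAR not in names:
            missing.append(pod["metadata"]["name"])
    return missing


def namespace_injection_enabled(namespace_json):
    """True when the namespace carries the istio-injection=enabled label."""
    labels = json.loads(namespace_json)["metadata"].get("labels", {})
    return labels.get("istio-injection") == "enabled"


if __name__ == "__main__":
    # In practice: kubectl get pods -n default -o json | python3 audit.py
    print("namespace injection enabled:", namespace_injection_enabled(SAMPLE_NS))
    for name in pods_without_sidecar(SAMPLE_PODS):
        print(f"no sidecar: {name} (recreate it so injection can run)")
```

Pods reported here need to be recreated (for example by restarting their Deployment) so that the admission webhook can inject the sidecar; `istioctl analyze` also warns about unlabelled namespaces.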
Understanding the Istio Architecture
The Istio architecture is documented on this page: https://istio.io/latest/docs/ops/deployment/architecture/
# | Notes
---|---
1 | Istio service mesh is split into two layers, the data plane and the control plane. The data plane consists of Envoy proxies deployed as sidecars. The control plane manages and configures these proxies to route traffic.
2 | The general architecture diagram found in the Istio Architecture document.
3 | Envoy proxies are the only Istio components that interact with data plane traffic. These proxies are deployed as sidecars to services and augment the services with Envoy's features. Envoy helps with:
4 | The
5 | DNS sidecar proxy is needed
Appendix
# | Document | Link
---|---|---
1 | Istio docs | https://istio.io/latest/docs/
2 | Istio releases | https://github.com/istio/istio/releases
3 | DNS sidecar proxy | https://istio.io/latest/blog/2020/dns-proxy/