What is a service mesh?

  • Helps load balance traffic and enables service-to-service authentication and monitoring.

Istio case studies and docs


Company | Case study
1

Airbnb

Security for enterprise applications:

Video: http://youtube.com/watch?v=6kDiDQW5YXQ

Slides:  https://events.istio.io/istiocon-2021/slides/f1s-AirbnbIstioJourney.pdf

Download Istio

```bash
# To control the version and target arch:
# curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.14.1 TARGET_ARCH=x86_64 sh -

# Without ISTIO_VERSION, the script downloads the latest release
curl -L https://istio.io/downloadIstio | sh -

# The release is unpacked into a folder named after its version
# (istio-1.14.1 here; adjust to the version that was downloaded)
cd istio-1.14.1

# Move the istioctl client binary to a folder in PATH
# (writing to /usr/local/bin may require root privileges)
mv bin/istioctl /usr/local/bin/

# Application samples are found in the samples folder
ls -m samples
```

The Istio architecture is documented on this page:  https://istio.io/latest/docs/ops/deployment/architecture/


Notes
1

Istio service mesh is split into two layers, the data plane and the control plane.

The data plane consists of Envoy proxies deployed as sidecars.  

  • The proxies mediate and control all network communication between microservices.
  • They collect and report telemetry on all mesh traffic.

The control plane manages and configures these proxies to route traffic.

2

Figure: The overall architecture of an Istio-based application.

The general diagram is taken from the Istio architecture document:

https://istio.io/latest/docs/ops/deployment/architecture/

3

Envoy proxies are the only Istio components that interact with data plane traffic.

These proxies are deployed as sidecars to services and augment the services with Envoy's features.

Envoy helps with:

  • Dynamic service discovery
  • Load balancing
  • TLS termination
  • HTTP/2 and gRPC proxies
  • Circuit breakers
  • Health checks
  • Staged rollouts with %-based traffic split
  • Fault injection
  • Rich metrics

4

The istiod process provides service discovery, configuration and certificate management.

  • Converts high-level routing rules that control traffic behavior into Envoy-specific configuration.
  • Propagates Envoy configuration to the sidecars at runtime.
  • Acts as a Certificate Authority (CA) and generates certificates that allow secure mTLS communication in the data plane.

5

DNS sidecar proxy is needed

DNS sidecar proxy support is available for preview in Istio 1.8.

This provides DNS interception for all workloads with a sidecar, allowing Istio to perform DNS lookup on behalf of the application.
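
To make note 4 concrete, the following added example (written for this page, not taken from the original notes or from the Istio project) contrasts a permissive mTLS setting with a strict one, then uses the identity in the istiod-issued certificate for service-to-service authorization. The `payments` namespace, the `ledger` and `checkout` names and the default `cluster.local` trust domain are assumptions.

```yaml
# Added example. Namespace, labels and service-account names are hypothetical.
# The two PeerAuthentication documents share a name: apply one or the other.

# Weak: PERMISSIVE accepts both mTLS and plaintext, so a caller with no
# istiod-issued certificate can still reach workloads in the namespace.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: PERMISSIVE
---
# Corrected: STRICT makes every sidecar in the namespace reject plaintext;
# peers must present a certificate signed by the mesh CA (istiod).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# Authorization keyed on the identity carried in that certificate.
# Once an ALLOW policy selects a workload, requests matching no rule are denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
  - from:
    - source:
        # <trust-domain>/ns/<namespace>/sa/<service-account>
        principals: ["cluster.local/ns/payments/sa/checkout"]
    to:
    - operation:
        methods: ["GET", "POST"]
```

Clients that run without a sidecar lose access to the namespace once STRICT is applied, so bring them into the mesh before switching modes.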

Appendix