Istio and Kubernetes Relationship


Hello Readers, this blog will take you through the inner workings of a service mesh and Istio, and Istio's relationship with Kubernetes. In addition, we will understand how Istio makes many complex processes in Kubernetes easier.

What is a Service Mesh?

Today, software applications are typically architected as distributed collections of microservices. In these architectures, the collection of microservices performing some discrete business function should have a dedicated infrastructure layer that transparently adds capabilities like observability, traffic management, and security, without adding them to your own code. This can be achieved with a ‘service mesh’.

A service mesh is a configurable, low-latency infrastructure layer designed to handle a high volume of network-based inter-process communication among application infrastructure services using application programming interfaces (APIs). A service mesh takes away the responsibility of managing all service-to-service communication within a distributed software system.

In a Kubernetes-based system, as the size and complexity of the microservice deployment grows, it requires some important functionality to manage it, like discovery, load balancing, failure recovery, metrics, and monitoring. In this scenario the service mesh comes into the picture.


Features of service mesh

The features of a service mesh are divided into three categories, as listed below:

  • Traffic management: dynamic service discovery, routing, traffic shadowing and traffic splitting.
  • Security: traffic encryption by mutual TLS (mTLS), authentication through certificate validation, authorisation through access policies and network segmentation.
  • Observability: distributed tracing, access logs.

When it comes to service mesh adoption, Istio is a well-established name. Now we will go through Istio in detail, and then the relationship between Istio and Kubernetes.

What is Istio

Istio is an extensible open-source service mesh developed by IBM, Google, and Lyft. It is built on Envoy. Istio can layer transparently onto a distributed application and provide all the benefits of a service mesh like traffic management, security, and observability. Istio is platform-independent and designed to run in a variety of environments:

  • Cloud
  • On-premises 
  • Kubernetes
  • Mesos

Architecture

A service mesh is a pattern or paradigm, and Istio is an implementation of it.

Istio architecture is divided into a data plane and a control plane.

  • Data plane: The data plane is composed of a set of intelligent proxies (Envoy) deployed as sidecars. These proxies are responsible for mediating and controlling network communication between microservices.
  • Control plane: The control plane manages and configures the proxies to route traffic.

Istio’s Core Components

Envoy

Istio uses an extended version of the Envoy proxy. Envoy is a high-performance proxy developed in C++ to mediate all inbound and outbound traffic for all services in the service mesh. Envoy proxies are the only Istio components that interact with data plane traffic. They are deployed as sidecars to services, logically augmenting the services with Envoy’s many built-in features such as dynamic service discovery, load balancing, TLS termination, HTTP/2 and gRPC proxying, and circuit breakers. Through this sidecar deployment Istio applies policy decisions and collects data, which can be sent to monitoring systems to provide information about the behaviour of the entire mesh.

Istiod

Istiod provides service discovery, configuration and certificate management. It also converts the high-level routing rules that control traffic behaviour into Envoy-specific configurations, and propagates them to the sidecars at runtime. It supports discovery for multiple environments such as Kubernetes or VMs.

It is Istiod that enables strong service-to-service and end-user authentication with built-in identity and credential management. It also acts as a Certificate Authority (CA) and generates certificates to allow secure mTLS communication in the data plane.

Istio’s Traffic Management API can be used to instruct Istiod to refine the Envoy configuration, which gives more granular control over the traffic in the service mesh.

Istio also enables sophisticated DevOps techniques such as canary deployments, circuit breakers, fault injection, and more.

Istio working

Now, we will understand how Istio provides these features through the core components in its architecture. We’ll understand its working by focusing on the same categories of features that we went through earlier.

1. Traffic Management

The Istio traffic management API gives us control of the traffic in the service mesh by adding our own traffic configurations to Istio through this API. We define the API resources using Kubernetes custom resource definitions (CRDs). The key API resources that help in controlling traffic routing are virtual services and destination rules. Through these resources we can configure how a request is routed to a service in the service mesh. The picture below shows the canary deployment process.

2. Security Management

Istio secures a service mesh by provisioning strong identities to every service. Istio agents running alongside every Envoy proxy work with Istiod to automate key and certificate rotation.

Istio facilitates two types of authentication: peer authentication and request authentication.

  • Peer authentication is for service-to-service authentication, in which mutual TLS acts as a full-stack solution.
  • Request authentication is for end-user authentication, in which JSON Web Tokens (JWT) are validated using a custom authentication provider or an OpenID Connect (OIDC) provider.
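As an added example (not from the original post), the three Istio CRDs that put both authentication types into practice for the demo-app namespace used later in this post. The issuer and JWKS URL are placeholders, and the app: frontend label is assumed for the frontend service.

```yaml
# Peer authentication: every workload in demo-app must talk mTLS.
# STRICT rejects plain-text traffic, so a pod without a sidecar cannot call in.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: demo-app
spec:
  mtls:
    mode: STRICT
---
# Request authentication: validate end-user JWTs on the frontend workload.
# Placeholder issuer and JWKS endpoint; replace with your OIDC provider's values.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: frontend-jwt
  namespace: demo-app
spec:
  selector:
    matchLabels:
      app: frontend        # assumed label on the frontend deployment
  jwtRules:
  - issuer: "https://issuer.example.com"                         # placeholder
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"  # placeholder
---
# RequestAuthentication only rejects requests carrying an INVALID token;
# a request with NO token still passes. This policy closes that gap by
# allowing only requests that arrived with a validated principal.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: frontend-require-jwt
  namespace: demo-app
spec:
  selector:
    matchLabels:
      app: frontend
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]   # any principal set by a valid JWT
```

Apply it with kubectl apply -f, then confirm that a request without an Authorization header to the frontend returns 403 while one with a valid token from the configured issuer succeeds.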

3. Observability

Istio generates detailed telemetry like metrics, distributed traces, and access logs for all service communication within the mesh. Istio generates a rich set of proxy-level metrics, service-oriented metrics, and control plane metrics.

Istio generates distributed traces through the Envoy proxies. Istio supports a number of tracing backends like Zipkin, Jaeger, Lightstep, and Datadog.

Configure Istio

Now we have come to the stage where we know how to configure all the Istio features discussed above for our microservices. To configure these features we don’t need to disturb our Kubernetes deployment or service YAML files, so all the configuration of Istio components is done in Istio itself. Istio configuration is separate from application configuration. Istio is configured with Kubernetes YAML files, as Istio uses Kubernetes custom resource definitions (CRDs). By using Istio CRDs we can configure different traffic routing rules between our microservices.

Key building blocks of Istio’s configuration:

  1. Virtual Service.
  2. Destination Rule.

We don’t configure proxies, we configure Istiod. Proxies can communicate with each other without connecting to Istiod because they have all the logic and configuration they need.
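The canary deployment described in the Traffic Management section, expressed with the two building blocks just listed, as an added example that is not part of the original post. It assumes a Kubernetes Service named frontend in demo-app whose pods carry a version label of v1 or v2.

```yaml
# Destination rule: name the two versions of the frontend service as subsets,
# matched on the pods' version label (assumed labelling).
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: frontend
  namespace: demo-app
spec:
  host: frontend
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
# Virtual service: send 90% of requests to the stable v1 subset and 10% to
# the v2 canary. Shifting the weights towards v2 promotes the canary; setting
# v2 back to 0 rolls it back, without touching the application Deployments.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: frontend
  namespace: demo-app
spec:
  hosts:
  - frontend            # in-mesh Service name; sidecars route on this host
  http:
  - route:
    - destination:
        host: frontend
        subset: v1
      weight: 90
    - destination:
        host: frontend
        subset: v2
      weight: 10
```

The weights must add up to 100; the split is visible in the Kiali versioned graph described in the Setup Dashboard section.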

Setup

So far we have understood the conceptual part of Istio; now we will see the setup of Istio. We’ll install Istio within a Kubernetes cluster. We will divide the Istio setup into four parts:

  1. Installation of Istio core and Istiod in Kubernetes.
  2. Istio add-ons for monitoring, Tracing & Visualisation.
  3. Configure automatic Envoy proxy injection.
  4. A dummy application deployment.

Installation of Istio core and Istiod in Kubernetes.

  • Download Istio
curl -L https://istio.io/downloadIstio | sh -
  • Move to the Istio package directory.
cd istio-1.13.1
  • Add the istioctl client to the path
export PATH=$PWD/bin:$PATH
  • Install Istio
istioctl install

Istio addons for monitoring, Tracing & Visualization

  • Monitoring

    1. Install the Prometheus Addon

kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.13/samples/addons/prometheus.yaml

    2. Install the Grafana Addon

kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.13/samples/addons/grafana.yaml

  • Visualization

    Istio provides a basic sample installation to quickly get Kiali up and running:

kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.13/samples/addons/kiali.yaml

Configure automatic Envoy proxy injection.

Add a namespace label to instruct Istio to automatically inject Envoy sidecar proxies when we deploy our application later:

kubectl label namespace <namespace-name> istio-injection=enabled

Dummy application deployment.

We have a demo application manifest file, demo-app; we will deploy this app in the demo-app namespace.

kubectl create namespace demo-app
kubectl apply -f <file-name>.yaml -n demo-app
kubectl get pods -n demo-app

Here in the pod list we can see that 2 containers are running in each pod, which shows that Istio’s Envoy proxy is running in each pod.

Now check the deployed application through port-forward.

kubectl port-forward svc/frontend-external -n demo-app 8080:80

Setup Dashboard

Istio integrates with several different telemetry applications, which help us understand the structure of our service mesh, display the topology of the mesh, and analyze the health of our mesh.

Use the following commands to deploy the Kiali dashboard, along with Prometheus and Grafana.

  • Now we install Kiali and the other addons.
kubectl apply -f samples/addons
kubectl rollout status deployment/kiali -n istio-system

Access the Kiali dashboard.

istioctl dashboard kiali

Now, when we run the above command, the Kiali dashboard will open in the browser.

Now if we click on Graph, select the namespaces which we want to see, and select the versioned graph, we see all the details.

Conclusion

We have seen how Istio very swiftly manages the microservices in Kubernetes as well as on other platforms, and makes the work of developers as well as DevOps professionals easy.

Thank You & Be Curious

Written by 

Abhishek Dwivedi is a Google-certified professional cloud architect working at Knoldus Inc as a Senior Software Consultant. Abhishek loves to juggle DevOps tools and learn new things every day in new technologies. He believes that by sharing knowledge we can gain more knowledge.
