In 2017 and 2018, enterprises like Lyft, Box, eBay and others have been riding on Kubernetes (k8s) as their innovation engine to house not only microservice apps but also AI and backend workloads. During this time, k8s has evolved from a cool new toy for startups and PoCs into a production-grade container orchestration system for enterprise environments. Many enterprises are already strategizing how to migrate or refactor their crown-jewel monoliths, which have been running for years, into containers and microservices.
As the footprint of microservices in an enterprise grows, with more business units and product lines on-boarded to Kubernetes, the complexity of intra-service communication (east-west traffic) increases proportionately. This includes service discovery, polyglot support (microservices written in different languages), encryption between services, security policies, application load balancing (Layer 7), and so on. Native services offered by cloud providers — such as security groups, network load balancers and API gateways — will not always be optimal for managing and understanding load balancing and network security at scale.
Though k8s orchestrators offer functionality such as scheduling, self-healing, auto-scaling, and rollouts and rollbacks of pods, they do not provide in-depth visibility into, or management of, intra-service communication.
Istio is an open platform for managing the complexity of connecting and securing microservices. It offers an easy way to create a network of deployed services with load balancing, service-to-service authentication, monitoring and more, without requiring any changes in service code. Istio provides behavioral insights and operational control over the service mesh as a whole, delivering a complete solution to satisfy the diverse requirements of microservice applications. It makes some key capabilities available uniformly across a network of services:
- Traffic Management: Controls the flow of traffic and API calls between services, makes calls more reliable and makes the network more robust so it can handle adverse conditions.
- Observability: Gives an understanding of the dependencies among services, and of the nature and flow of traffic between them, so that issues can be identified quickly.
- Policy Enforcement: Applies organizational policy to the interactions between services, ensuring access policies are enforced and resources are fairly distributed among consumers. It lets you make policy changes by configuring the mesh instead of changing application code.
- Service Identity and Security: Provides services in the mesh with a verifiable identity, and lets you protect service traffic as it flows over networks with varying degrees of trustability.
How does Istio work?
An Istio service mesh consists of a data plane and a control plane. The data plane is a set of high-performance, platform-independent, C++-based, Layer 7 intelligent proxies (Envoy). They are deployed as sidecars throughout your environment to mediate and control all network communication between microservices. The control plane manages and configures the proxies to route traffic, enforces policies at runtime and handles service discovery. It also provides strong service-to-service and end-user authentication using mutual Transport Layer Security (TLS), with built-in identity and credential management.
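As an added example (not part of the original article), the following shows how the mutual TLS described above is switched on with the Istio 1.0 authentication and networking APIs. It assumes an Istio 1.0 control plane with the Istio CA (Citadel) running, so that every injected Envoy receives a certificate bound to its pod's Kubernetes service account; the namespace name "legacy" is a placeholder.

```yaml
# Added example (not from the article): mesh-wide mutual TLS with the
# Istio 1.0 API. Assumes the Istio CA is running so each sidecar holds a
# certificate tied to its service account.
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default          # the mesh-wide policy must be named "default"
spec:
  peers:
  - mtls: {}             # receiving side: require a client certificate
---
# Client side: without this rule sidecars keep sending plaintext, which the
# policy above rejects, so both halves must be applied together.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: istio-system
spec:
  host: "*.local"        # every in-cluster service
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# Migration caveat: a namespace that still runs pods without a sidecar can
# be kept in PERMISSIVE mode (accepts both plaintext and mTLS) until every
# workload is injected. "legacy" is a placeholder namespace name.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default          # a namespace Policy named "default" overrides MeshPolicy
  namespace: legacy
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
```

Apply with `kubectl apply -f` as in the commands below. The point to check after rollout is that plaintext calls from a pod without a sidecar into a STRICT namespace now fail, while calls between injected pods succeed; PERMISSIVE namespaces should be the exception and tracked until they can be tightened.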
Istio on Kubernetes:
On a Kubernetes cluster, Istio is configured simply by applying the Istio configuration files with standard kubectl. Metrics emitted through Istio Mixer are collected by the Istio add-ons for Prometheus, Grafana, Zipkin and ServiceGraph.
kubectl apply -f istio/istio.yaml
kubectl apply -f istio/addons/prometheus.yaml
kubectl apply -f istio/addons/grafana.yaml
kubectl apply -f istio/addons/servicegraph.yaml
kubectl apply -f istio/addons/zipkin.yaml
A successful deployment launches pods for Istio Pilot, Mixer, the Ingress Controller, the Egress Controller, Istio CA and the associated add-ons.
master $ kubectl get pods -n istio-system
NAME                             READY   STATUS    RESTARTS   AGE
istio-ca-75fb7dc8d5-9lzqf        1/1     Running   0          9m
istio-ingress-6784647857-k2mxq   1/1     Running   0          9m
istio-mixer-5c94dbdf-27f7q       3/3     Running   0          9m
istio-pilot-75d4cb6bb8-pdbfc     2/2     Running   0          9m
prometheus-6c785bd55d-5xwnt      1/1     Running   0          1m
servicegraph-64567d6467-wmgnn    1/1     Running   0          1m
zipkin-78d44687f9-k4b56          1/1     Running   0          1m
To deploy applications with Istio support, the Kubernetes YAML definitions are extended with istioctl kube-inject. This configures the service's proxy sidecar (Envoy), Mixer integration, encryption certificates and init containers, with no changes to the application code or configuration.
kubectl apply -f <(istioctl kube-inject -f istio/app-A/app-A.yaml)
kubectl apply -f <(istioctl kube-inject -f istio/app-B/app-B.yaml)
Traffic shaping with Istio
Now the operator can configure service-level security and routing policies to apply advanced HTTP traffic-shaping properties, such as user-based routing, circuit breakers, timeouts and retries. The operator can also set up common continuous deployment tasks, such as canary rollouts, A/B testing and staged rollouts with percent-based traffic splits. Typical tasks include:
- Target a new version of a service to a specific user
- Restrict access to specific services
- Split traffic to new versions
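The three tasks above, written out as an added example rather than configuration from the article, using the Istio 1.0 networking and RBAC APIs. It assumes a hypothetical service "app-a" in the default namespace whose pods carry the labels app=app-a and version=v1 or version=v2, a hypothetical caller "app-b" running under the Kubernetes service account app-b, and an "end-user" request header that the sidecar can match on. Istio RBAC identifies callers by the service-account identity in their certificate, so it only restricts anything meaningfully once mutual TLS is on.

```yaml
# Added example (not from the article). Service names, labels, header
# name and service accounts are placeholders.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: app-a
spec:
  host: app-a
  # Subsets map to pod labels; the VirtualService routes to them by name.
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  trafficPolicy:
    # Circuit breaker: eject a pod from the load-balancing pool after
    # consecutive 5xx responses instead of hammering a failing instance.
    outlierDetection:
      consecutiveErrors: 5
      interval: 10s
      baseEjectionTime: 30s
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: app-a
spec:
  hosts:
  - app-a
  http:
  # Task 1: a named test user is pinned to the new version.
  - match:
    - headers:
        end-user:
          exact: qa-tester
    route:
    - destination:
        host: app-a
        subset: v2
  # Task 3: everyone else gets a 90/10 canary split. Weights must sum to
  # 100 or Pilot rejects the rule. Timeout and retries apply per route.
  - route:
    - destination:
        host: app-a
        subset: v1
      weight: 90
    - destination:
        host: app-a
        subset: v2
      weight: 10
    timeout: 3s
    retries:
      attempts: 2
      perTryTimeout: 1s
---
# Task 2: restrict access. Enable Istio RBAC for the default namespace
# only (deny by default there), then allow GET on app-a solely to the
# app-b service account.
apiVersion: rbac.istio.io/v1alpha1
kind: RbacConfig
metadata:
  name: default
  namespace: istio-system
spec:
  mode: ON_WITH_INCLUSION
  inclusion:
    namespaces: ["default"]
---
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRole
metadata:
  name: app-a-viewer
  namespace: default
spec:
  rules:
  - services: ["app-a.default.svc.cluster.local"]
    methods: ["GET"]
---
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  name: bind-app-a-viewer
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/app-b"
  roleRef:
    kind: ServiceRole
    name: app-a-viewer
```

Ordering matters for the RBAC part: turning on RbacConfig before the ServiceRole and binding exist denies all traffic in the included namespace, so apply the role and binding first, or expect a brief outage. A quick check after applying is a GET from an app-b pod (expected 200) against a GET from any other pod in the namespace (expected 403 from the sidecar).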
Service Monitoring with Istio
Istio's visibility into how applications communicate yields detailed insight into performance metrics and how the apps are behaving.
- The Grafana dashboard shows the total number of requests currently being processed, along with the number of errors and the response time of each call.
- Zipkin provides tracing information for each HTTP request. It shows which calls are made and where the time was spent within each request, to identify issues and potential performance bottlenecks.
- As a system grows, it can be hard to visualize the dependencies between services. ServiceGraph draws a dependency tree of how the system connects.
The Future of Istio
Istio 1.0 currently supports service deployment only on Kubernetes, although future versions will support other environments, such as Mesos and Cloud Foundry. Here is a roadmap with support levels for every Istio feature.
With cloud native platforms like Kubernetes attaining rapid adoption and maturity, a product like Istio adds significant value for enterprises. It gives them the ability to efficiently manage traffic, security and deployments and observe microservices at scale.