This document provides an overview of service meshes and Istio. It defines what a service mesh is and describes some of its key capabilities like service discovery, load balancing, and observability. It then discusses Istio and how it works with Kubernetes as a service mesh. Istio's architecture is explained, including its control plane components like Pilot and data plane component Envoy. Lastly, it covers Istio deployment models and provides a case study on mesh federation.

1. SERVICE MESH FOR
BEGINNER
ISTIO & K8S
~ Mien Dinh ~

2. Contents
I. Service Mesh Definition
II. Istio & K8s
III. Istio Deployment Model
IV. Case Study - Mesh federation
V. References

3. I. SERVICE MESH DEFINITION
● A service mesh is a configurable, low‑latency infrastructure
layer designed to handle a high volume of network‑based
interprocess communication among application infrastructure
services using application programming interfaces (APIs).
● A service mesh ensures that communication among
containerized and often ephemeral application infrastructure
services is fast, reliable, and secure.

4. I. SERVICE MESH DEFINITION
● The mesh provides critical capabilities including:
○ Service Discovery
○ Load Balancing
○ Encryption
○ Observability
○ Traceability
○ Authentication and Authorization,
○ support for the Circuit Breaker Pattern.

5. I. SERVICE MESH DEFINITION
● Data plane:
- Touches every packet/request.
- Responsible for service discovery, health checking, routing, load
balancing, authentication/authorization, and observability.
- Eg: Linkerd, NGINX, HAProxy, Envoy, Traefik
● Control plane:
- Provides policy and configuration for all of the running data planes in
the mesh.
- Does not touch any packets/requests in the system.
- The control plane turns all of the data planes into a distributed
system.
- Eg: Istio, Nelson, SmartStack

6. II. ISTIO & K8S
● Remind K8S

7. II. ISTIO & K8S
● Istio, backed by Google, IBM, and Lyft, is currently the
best‑known service mesh architecture.
● Kubernetes, which was originally designed by Google, is
currently the only container orchestration framework
supported by Istio.
● Istio core concepts
○ Traffic Management
○ Policies and Security
○ Observability
○ Performance and Scalability

8. III. ISTIO & K8S - Istio’s key benefits
A service mesh is not a “mesh of services.” It is a mesh of
Layer 7 proxies that microservices can use to completely
abstract the network away. Service meshes are designed to
solve the many challenges developers face when talking to
remote endpoints:
● Traffic control features including routing rules,
retries, failovers, and fault injection
● Policy enforcement including access controls,
rate limits and quotas
● Built-in metrics, logs, and traces for all traffic
within a cluster
● Secure service-to-service communication
● Layer 7 load balancing

9. III. ISTIO & K8S - Istio Architecture
● GALLEY
- Configuration and Distribution
● PILOT
- Connectivity and Communication
- Service Discovery
- Traffic Management
- Resilience
● CITADEL
- Polit Enforcement
- Telemetry
- Encryption and Authentication
● MIXER
- Authentication
- Security
- Monitoring and Observability

10. III. ISTIO & K8S - Istio Architecture - Envoy
- Originally built at Lyft, Envoy is a C++ distributed proxy, runs
alongside each application, abstracts the network.
- Envoy is a data plane, specially designed for large service
mesh architectures.
- Envoy sidecar proxies deployed as an edge proxy can be
controlled using Istio or another control plane.
- Consistently control and observe what’s going on in your
network.
- The Envoy sidecar proxy will handle most network features–
service discovery, logging, monitoring, tracing, authentication
and authorization.
- Sidecar can be configured via the control plane.
- Developers can focus on the business logic.
- What is Envoy?
- The network should be transparent to applications
- When network and application problems do occur it should
be easy to determine the source of the problem.

11. III. ISTIO & K8S - Istio Architecture - Envoy
● L3 and L4 filters– to HTTP filters if it’s a protocol Envoy can
operate as an L7 layer
● Can modify data at the L4 layer:
○ HTTP headers.
○ Check and guide traffic.
○ Call out to an auth service,
○ Transcode between protocols.
● Envoy’s filters are powerful and configurable
○ Custom filters can be added via the data plane API
○ Envoy has a plug-in architecture for observability
outputs.
● Custom extensions
● Data plane API: https://github.com/envoyproxy/data-plane-api
(Istio control plane and data plane traffic management)

12. III. ISTIO & K8S - Istio Services & Pods
● https://istio.io/docs/setup/install/kubernetes/
● https://istio.io/docs/setup/platform-setup/minikube/
● Verify Istio Service & Pods after installing
○ $kubectl get svc -n istio-system
○ $kubectl get pods -n istio-system

13. III. ISTIO & K8S - Data plane - Inject Sidecar
● Auto inject sidecar by
namespace
$ kubectl label namespace <namespace>
istio-injection=enabled
● Inject sidecar manually
$ istioctl kube-inject -f <your-app-spec>.yaml |
kubectl apply -f -

14. Route Traffic in Istio Service Mesh
● K8s CRD (Customer
Resource Definition)
● Virtual services
● Destination rules
● Gateways
● Service entries
● Sidecars

15. III. ISTIO & K8S - ISTIO PROXY
vid@vid:~$ kubectl exec -it $(kubectl get pod | grep productpage | awk '{print $1}') -c
istio-proxy -- ps -ef
UID PID PPID C STIME TTY TIME CMD
istio-p+ 1 0 0 Nov05 ? 00:05:39 /usr/local/bin/pilot-agent proxy
istio-p+ 19 1 0 Nov05 ? 00:13:31 /usr/local/bin/envoy -c /etc/ist
istio-p+ 131 0 0 07:33 pts/0 00:00:00 ps -ef
vid@vid:~$

16. III. ISTIO & K8S - Observability
● Grafana
● Prothemeus
● Kiali
● …..

17. III. ISTIO & K8S - Istio Benchmarks
Performance summary for Istio 1.3.4
● Load tests mesh:
○ 1000 services
○ 2000 sidecars
○ 70,000 mesh-wide RPS.
● Results:
● The Envoy proxy uses 0.6 vCPU, 50 MB memory / 1000 RPS
● The istio-telemetry service uses 0.6 vCPU per 1000 mesh-wide RPS.
● Pilot uses 1 vCPU and 1.5 GB of memory.
● The Envoy proxy adds 8ms to the 90th percentile latency.

18. ISTIO DEPLOYMENT MODEL - Cluster
Single Cluster
Multiple Clusters
Single Network
Multiple Network

19. ISTIO DEPLOYMENT MODEL - Control Plane
Single Control Plane Shared Control Plane Across multiple clusters, zones,
or regions.

20. Case Study - Mesh federation
1. Mesh federation is the act of exposing services between
meshes and enabling communication across mesh
boundaries.
2. Each mesh may expose a subset of its services to enable
one or more other meshes to consume the exposed
services.
3. Use mesh federation to enable communication between
meshes in a multi-mesh deployment.
4. Multiple meshes afford the following capabilities beyond that
of a single mesh:
- Organizational boundaries: lines of business
- Service name or namespace reuse: multiple distinct uses of
the default namespace
- Stronger isolation: isolating test workloads from production
workloads

21. Case Study - Mesh federation
Should we use Istio ?
● What is the relevant Istio deployment model ?
● When we should use?
● What kind of services?
● Should we use Istio in both GCP and Datacenter?
● Use Across multiple clusters, zones, or regions Istio deployment model
○ High Available Control Plane
○ Centering observation monitoring
○ Service Breaker
○ ….

22. References
1. https://sysadmincasts.com/episodes/63-istio
2. https://www.nginx.com/blog/what-is-a-service-mesh/
3. https://blog.envoyproxy.io/the-universal-data-plane-api-d15cec7a
4. https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/arch_overview
5. https://blog.envoyproxy.io/service-mesh-data-plane-vs-control-plane-2774e720f7fc
6. https://dzone.com/articles/istio-service-mesh-data-plane
7. https://learning.oreilly.com/library/view/introducing-istio-service/9781492052630/
8. https://learning.oreilly.com/library/view/istio-up-and/9781492043775/ch01.html
9. https://istio.io/docs/tasks/telemetry/distributed-tracing/jaeger/
10. https://learning.oreilly.com/library/view/introducing-istio-service/9781492052630/ch03.html
11. https://dzone.com/articles/istio-service-mesh-data-plane
12. https://learning.oreilly.com/library/view/introducing-istio-service/9781492052630/ch03.html
13. https://kubernetes.io/docs/reference/kubectl/cheatsheet/
14. https://www.nginx.com/blog/what-is-a-service-mesh/
15. https://github.com/robinagandhi/CYBR4360-8366/blob/master/Firewalls-iptables.md
16. https://www.tetrate.io/blog/envoybasicsandextensibility/
17. https://medium.com/faun/understanding-how-envoy-sidecar-intercept-and-route-traffic-in-istio-service-m
esh-20fea2a78833

23. THANK YOU