This document provides an overview of service meshes and Istio. It defines what a service mesh is and describes some of its key capabilities like service discovery, load balancing, and observability. It then discusses Istio and how it works with Kubernetes as a service mesh. Istio's architecture is explained, including its control plane components like Pilot and data plane component Envoy. Lastly, it covers Istio deployment models and provides a case study on mesh federation.
2. Contents
I. Service Mesh Definition
II. Istio & K8s
III. Istio Deployment Model
IV. Case Study - Mesh federation
V. References
3. I. SERVICE MESH DEFINITION
● A service mesh is a configurable, low‑latency infrastructure
layer designed to handle a high volume of network‑based
interprocess communication among application infrastructure
services using application programming interfaces (APIs).
● A service mesh ensures that communication among
containerized and often ephemeral application infrastructure
services is fast, reliable, and secure.
4. I. SERVICE MESH DEFINITION
● The mesh provides critical capabilities including:
○ Service Discovery
○ Load Balancing
○ Encryption
○ Observability
○ Traceability
○ Authentication and Authorization,
○ support for the Circuit Breaker Pattern.
5. I. SERVICE MESH DEFINITION
● Data plane:
- Touches every packet/request.
- Responsible for service discovery, health checking, routing, load
balancing, authentication/authorization, and observability.
- Eg: Linkerd, NGINX, HAProxy, Envoy, Traefik
● Control plane:
- Provides policy and configuration for all of the running data planes in
the mesh.
- Does not touch any packets/requests in the system.
- The control plane turns all of the data planes into a distributed
system.
- Eg: Istio, Nelson, SmartStack
7. II. ISTIO & K8S
● Istio, backed by Google, IBM, and Lyft, is currently the
best‑known service mesh architecture.
● Kubernetes, which was originally designed by Google, is
currently the only container orchestration framework
supported by Istio.
● Istio core concepts
○ Traffic Management
○ Policies and Security
○ Observability
○ Performance and Scalability
8. III. ISTIO & K8S - Istio’s key benefits
A service mesh is not a “mesh of services.” It is a mesh of
Layer 7 proxies that microservices can use to completely
abstract the network away. Service meshes are designed to
solve the many challenges developers face when talking to
remote endpoints:
● Traffic control features including routing rules,
retries, failovers, and fault injection
● Policy enforcement including access controls,
rate limits and quotas
● Built-in metrics, logs, and traces for all traffic
within a cluster
● Secure service-to-service communication
● Layer 7 load balancing
9. III. ISTIO & K8S - Istio Architecture
● GALLEY
- Configuration and Distribution
● PILOT
- Connectivity and Communication
- Service Discovery
- Traffic Management
- Resilience
● CITADEL
- Polit Enforcement
- Telemetry
- Encryption and Authentication
● MIXER
- Authentication
- Security
- Monitoring and Observability
10. III. ISTIO & K8S - Istio Architecture - Envoy
- Originally built at Lyft, Envoy is a C++ distributed proxy, runs
alongside each application, abstracts the network.
- Envoy is a data plane, specially designed for large service
mesh architectures.
- Envoy sidecar proxies deployed as an edge proxy can be
controlled using Istio or another control plane.
- Consistently control and observe what’s going on in your
network.
- The Envoy sidecar proxy will handle most network features–
service discovery, logging, monitoring, tracing, authentication
and authorization.
- Sidecar can be configured via the control plane.
- Developers can focus on the business logic.
- What is Envoy?
- The network should be transparent to applications
- When network and application problems do occur it should
be easy to determine the source of the problem.
11. III. ISTIO & K8S - Istio Architecture - Envoy
● L3 and L4 filters– to HTTP filters if it’s a protocol Envoy can
operate as an L7 layer
● Can modify data at the L4 layer:
○ HTTP headers.
○ Check and guide traffic.
○ Call out to an auth service,
○ Transcode between protocols.
● Envoy’s filters are powerful and configurable
○ Custom filters can be added via the data plane API
○ Envoy has a plug-in architecture for observability
outputs.
● Custom extensions
● Data plane API: https://github.com/envoyproxy/data-plane-api
(Istio control plane and data plane traffic management)
12. III. ISTIO & K8S - Istio Services & Pods
● https://istio.io/docs/setup/install/kubernetes/
● https://istio.io/docs/setup/platform-setup/minikube/
● Verify Istio Service & Pods after installing
○ $kubectl get svc -n istio-system
○ $kubectl get pods -n istio-system
13. III. ISTIO & K8S - Data plane - Inject Sidecar
● Auto inject sidecar by
namespace
$ kubectl label namespace <namespace>
istio-injection=enabled
● Inject sidecar manually
$ istioctl kube-inject -f <your-app-spec>.yaml |
kubectl apply -f -
14. Route Traffic in Istio Service Mesh
● K8s CRD (Customer
Resource Definition)
● Virtual services
● Destination rules
● Gateways
● Service entries
● Sidecars
17. III. ISTIO & K8S - Istio Benchmarks
Performance summary for Istio 1.3.4
● Load tests mesh:
○ 1000 services
○ 2000 sidecars
○ 70,000 mesh-wide RPS.
● Results:
● The Envoy proxy uses 0.6 vCPU, 50 MB memory / 1000 RPS
● The istio-telemetry service uses 0.6 vCPU per 1000 mesh-wide RPS.
● Pilot uses 1 vCPU and 1.5 GB of memory.
● The Envoy proxy adds 8ms to the 90th percentile latency.
18. ISTIO DEPLOYMENT MODEL - Cluster
Single Cluster
Multiple Clusters
Single Network
Multiple Network
19. ISTIO DEPLOYMENT MODEL - Control Plane
Single Control Plane Shared Control Plane Across multiple clusters, zones,
or regions.
20. Case Study - Mesh federation
1. Mesh federation is the act of exposing services between
meshes and enabling communication across mesh
boundaries.
2. Each mesh may expose a subset of its services to enable
one or more other meshes to consume the exposed
services.
3. Use mesh federation to enable communication between
meshes in a multi-mesh deployment.
4. Multiple meshes afford the following capabilities beyond that
of a single mesh:
- Organizational boundaries: lines of business
- Service name or namespace reuse: multiple distinct uses of
the default namespace
- Stronger isolation: isolating test workloads from production
workloads
21. Case Study - Mesh federation
Should we use Istio ?
● What is the relevant Istio deployment model ?
● When we should use?
● What kind of services?
● Should we use Istio in both GCP and Datacenter?
● Use Across multiple clusters, zones, or regions Istio deployment model
○ High Available Control Plane
○ Centering observation monitoring
○ Service Breaker
○ ….