5 Things to Know About Istio, the Open Source Service Mesh
Istio, an open platform to connect, manage, monitor and secure microservices, was launched last May by IBM, Google and Lyft. Over the last nine months, numerous new features and improvements have been made to get to the current version, v0.7.1.
Below are the top five reasons why I’m an advocate for Istio:
1. Automatic Sidecar Injection
Automatic sidecar injection requires Kubernetes v1.9 or newer, because it is implemented as a mutating admission webhook (the MutatingAdmissionWebhook admission controller shipped in v1.9) on top of Istio's custom resource definitions. If your cluster has that admission controller enabled, I recommend you install the Istio automatic sidecar injector, which injects the Envoy sidecar into every Pod in the namespaces you have opted in, so you no longer have to run istioctl kube-inject over each deployment manifest yourself. IBM Cloud Container Service clusters (v1.9 or newer) have mutating webhooks enabled by default, which works nicely with the automatic injector. As this is still a new feature in the overall scheme of Istio development, I recommend that you use it with caution: verify that the Pods you expect to be in the mesh actually received the sidecar, because a Pod that missed injection is silently outside the mesh, with no traffic policy, no telemetry and no mTLS identity.
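As an added example (not from the article or the Istio project), the manifest below opts a namespace in to automatic injection and opts one Pod out of it. It assumes Istio 0.7.x installed in istio-system with the injector webhook running, and uses the istio-injection namespace label and the sidecar.istio.io/inject Pod annotation as documented for that release; the namespace, deployment and image names are placeholders.

```yaml
# Added example; assumes Istio 0.7.x with the automatic sidecar injector
# (istio-sidecar-injector) installed in istio-system and the cluster's
# MutatingAdmissionWebhook admission controller enabled.
apiVersion: v1
kind: Namespace
metadata:
  name: guestbook            # placeholder namespace
  labels:
    istio-injection: enabled # the injector webhook only fires for Pods in namespaces carrying this label
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: guestbook-frontend   # placeholder: its Pods get the Envoy sidecar automatically
  namespace: guestbook
spec:
  replicas: 2
  selector:
    matchLabels:
      app: guestbook-frontend
  template:
    metadata:
      labels:
        app: guestbook-frontend
    spec:
      containers:
        - name: frontend
          image: example.com/guestbook-frontend:1.0 # placeholder image
          ports:
            - containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: legacy-batch         # placeholder: deliberately kept outside the mesh
  namespace: guestbook
spec:
  replicas: 1
  selector:
    matchLabels:
      app: legacy-batch
  template:
    metadata:
      labels:
        app: legacy-batch
      annotations:
        sidecar.istio.io/inject: "false" # per-Pod override: no sidecar for this Pod
    spec:
      containers:
        - name: batch
          image: example.com/legacy-batch:1.0 # placeholder image
```

After applying it, check which Pods actually got a sidecar rather than trusting the label, for example with `kubectl get pods -n guestbook -o jsonpath='{range .items[*]}{.metadata.name}{": "}{.spec.containers[*].name}{"\n"}{end}'`: injected Pods list istio-proxy next to the application container (plus an istio-init init container that installs the iptables redirect). Two things bite in practice: Pods that were already running when the label was added are not retroactively injected and must be recreated, and an opted-out Pod such as legacy-batch has no workload identity, so once mTLS is enforced its plaintext calls into mesh services will be refused.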
2. Traffic Management Improvement
In Istio v0.1, you could only use ingress route rules to control which traffic was allowed into your microservices. Now you can also write egress rules that declare which external services a workload may talk to, and on which ports. By default the sidecar intercepts all outbound traffic and blocks anything that is neither in the mesh nor covered by an egress rule, so these rules act as an allowlist of your application's external dependencies. For example, you could easily allow your service to talk to an IBM Watson service in IBM Cloud to add machine learning capabilities, without opening egress to the whole internet. I recently modernized the Kubernetes guestbook example to automatically generate an emoji based on machine learning and found that traffic management (route rules for version-based routing and gradual traffic shifting) really helped me test and roll out the new version. I highly recommend you explore traffic management in your development and staging environments so you can be confident in your testing.
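The allowlist described above, as an added example that is not part of the article: an egress rule that permits services in one namespace to reach a single external HTTPS endpoint. It assumes the Istio 0.7.x EgressRule resource (config.istio.io/v1alpha2); the rule name and the hostname are placeholders for the external API your service actually needs.

```yaml
# Added example; assumes the Istio 0.7.x EgressRule resource
# (config.istio.io/v1alpha2). The hostname is a placeholder for the
# external API that services in this namespace are allowed to reach.
apiVersion: config.istio.io/v1alpha2
kind: EgressRule
metadata:
  name: external-ml-api       # placeholder name
  namespace: default          # rules are namespaced; scope them to the callers that need them
spec:
  destination:
    service: api.example.com  # placeholder host; wildcard domains such as "*.example.com" are also accepted
  ports:
    - port: 443               # only this port is opened; add entries for any other port you need
      protocol: https
```

The check I would run after applying it is from inside a Pod in the namespace: a request to api.example.com succeeds, while a request to any host not named in an egress rule fails, which confirms that the sidecar is still intercepting outbound traffic. The alternative Istio offers, excluding address ranges from interception with the injector's --includeIPRanges option, should be treated as a last resort: traffic to those ranges leaves the Pod without passing through Envoy, so it gets no policy, no telemetry and no mTLS, and nothing in the mesh configuration records that the hole exists.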
3. Improved Telemetry
As an Istio user, I don't have to do anything to enable the basic metrics or tracing, which gives me valuable time back. I can deploy my microservice application and let Istio manage it without changing any part of my application or my deployment .yaml file: the sidecars report request metrics and trace spans to Mixer and to the tracing backend on my behalf. The Zipkin or Jaeger tracing tools provide detailed tracing information for each request that comes into my application and allow me to drill into a request to see how traffic flows end-to-end within the service mesh. The one exception is context propagation: Envoy can only tie the spans of one request together if your application copies the trace headers from each incoming request onto the outgoing requests it makes (x-request-id, x-b3-traceid, x-b3-spanid, x-b3-parentspanid, x-b3-sampled, x-b3-flags and x-ot-span-context); without that, every hop shows up as a separate, unrelated trace. I highly recommend you consider telemetry as the first Istio feature to roll into your production environment, since it is read-only with respect to your traffic and gives you the visibility you need before you start enforcing policy.
4. Multi-Environment Support (Consul, Eureka and VMs)
One of the initial goals for Istio was to enable multi-environment support because you can’t require all workloads to run in Kubernetes in a microservice architecture. Some of your applications may run in Kubernetes, while some may run in Docker Swarm or VMs. Since last October, Istio has advanced to provide early support for VMs, integration with some of the more popular service discovery systems such as Consul and Eureka, and has expanded to support other runtime environments. The community is also working on multi-cloud and multicluster support. I’m very excited to see Istio expanded to multiple vendor clouds.
5. Mutual TLS (mTLS) and Its Flexible Configuration
This one is my personal favorite! Istio lets microservices communicate securely over mTLS without any code changes: the sidecars hold workload certificates issued by Istio's CA and authenticate both ends of every connection in the mesh. What I find most interesting is that the community made this flexible and easy to use by introducing per-service mTLS enablement or disablement, so you can adjust the configuration on a per-service basis. Further, you can plug in an existing CA certificate and key instead of the self-signed one Istio generates, and configure role-based access control (RBAC) for each service. As much as I love these security features, I recommend adopting Istio without mTLS enabled first, then enabling mTLS gradually. It can be much harder to troubleshoot problems when mTLS is enabled, so make sure your microservices work with Istio without mTLS first. The usual culprits once mTLS is on are clients without a sidecar (including the kubelet's HTTP liveness and readiness probes, which speak plaintext and therefore fail against an mTLS-only port) and Pods that were deployed before injection was enabled; these show up as connection resets rather than as clear policy errors.
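The per-service switch mentioned above, as an added example that is not from the article or the Istio project: a Service that keeps mTLS on everywhere except one port. It assumes Istio 0.7.x installed with mesh-wide mTLS (the istio-auth.yaml install) and the experimental auth.istio.io/<port> service annotation as documented for Istio 0.6 and 0.7, whose documented values are NONE and MUTUAL_TLS; verify the annotation against the docs for the release you run. Service and port names are placeholders.

```yaml
# Added example; assumes Istio 0.7.x with mesh-wide mTLS enabled and the
# experimental per-service annotation auth.istio.io/<port> (values NONE or
# MUTUAL_TLS) as documented for 0.6/0.7. Names and ports are placeholders.
apiVersion: v1
kind: Service
metadata:
  name: reports               # placeholder service
  namespace: default
  annotations:
    auth.istio.io/8080: NONE  # plaintext allowed on 8080 only; other ports keep the mesh default (mTLS)
spec:
  selector:
    app: reports
  ports:
    - name: http              # port reached by a client without a sidecar, e.g. an un-migrated batch job
      port: 8080
      targetPort: 8080
    - name: http-admin        # stays mTLS-only: only workloads with an Istio identity can reach it
      port: 9090
      targetPort: 9090
```

Treat each NONE annotation as an exception that needs a reason and an expiry, because that port is now reachable in plaintext by anything that can route to it, inside or outside the mesh. The cheapest way to confirm the mesh is doing what you think is a pair of requests from a Pod that has no sidecar: a plain HTTP request to port 8080 succeeds, and the same request to port 9090 is reset during the TLS handshake. If both succeed, mTLS is not actually being enforced for that service; if both fail, the client is in a namespace or port the annotation does not cover, and the fix is to adjust the annotation rather than to turn mTLS off mesh-wide.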
In closing, I hope these five highlights get you excited about Istio. The community is thriving and we eat our own dog food. The Istio control plane itself runs on Istio so communication is secured and operators can see a nice Grafana dashboard around the control plane. I recommend installing the newest version on IBM Cloud Container Service and giving it a try! Feel free to give us your feedback on the Istio user’s mailing list.
Lin will be speaking about Observing and Troubleshooting your Microservices with Istio at KubeCon and CloudNativeCon EU, May 2-4, 2018 in Copenhagen, Denmark.
This article was contributed by IBM on behalf of KubeCon and CloudNativeCon Europe, to be held May 2-4, 2018, in Copenhagen, Denmark. The Cloud Native Computing Foundation, which manages KubeCon and CloudNativeCon Europe is a sponsor of The New Stack.
Feature image via Pixabay.