TNS
VOXPOP
How has the recent turmoil within the OpenAI offices changed your plans to use GPT in a business process or product in 2024?
Increased uncertainty means we are more likely to evaluate alternative AI chatbots and LLMs.
0%
No change in plans, though we will keep an eye on the situation.
0%
With Sam Altman back in charge, we are more likely to go all-in with GPT and LLMs.
0%
What recent turmoil?
0%
 
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
Amazon S3 Express One Zone Introduces Near-Real Time Object Storage
Nov 28th 2023 1:20pm, by Joab Jackson
Cloud Native Users Struggle to Achieve Benefits, Report Says
Nov 28th 2023 5:00am, by Charles Humble
Multicloud Architecture: What I Want to See
Nov 17th 2023 10:19am, by Robert Sonders
Create a Movie Recommendation Engine with Milvus and Python
Nov 17th 2023 9:32am, by Gourav Singh Bais
Managing Ransomware Threats in Kubernetes-Based Applications
Nov 15th 2023 9:02am, by Jason English
Demystifying Container Security for Developers
Nov 28th 2023 12:21pm, by David Benas
Why Securing Containers Is Like Going to the Dentist
Nov 17th 2023 7:09am, by Neta Krakover
Dell GA's APEX Cloud Platform for Red Hat OpenShift
Nov 2nd 2023 11:00am, by Chris J. Preimesberger
Lynis: Run a Security Audit on Linux for Free
Oct 28th 2023 6:00am, by Jack Wallen
Why Capistrano Got Usurped by Docker and Then Kubernetes
Oct 25th 2023 1:53pm, by David Eastman
Arm Pushes AI into the Smallest IoT Devices with Cortex-M52 Chip
Nov 27th 2023 1:06pm, by Jeffrey Burt
TikTok to Open Source 'Cloud-Neutralizing' Edge Accelerator
Nov 20th 2023 8:30am, by Joab Jackson
Docker at the Edge: How Machine Learning Transformed Fowl Task
Nov 9th 2023 10:28am, by Loraine Lawson
The 2023 State of Kubernetes in Production
Nov 7th 2023 8:10am, by Jennifer Riggins
Edge AI: How to Make the Magic Happen with Kubernetes
Sep 14th 2023 4:00am, by Saad Malik
Securing Microservices Communication with mTLS in Kubernetes
Nov 28th 2023 3:00am, by Robert Kimani
AppMap Releases Runtime Code Review as a GitHub Action
Nov 21st 2023 3:00am, by Susan Hall
Why Microservices Aren’t Working for You
Nov 20th 2023 6:34am, by Ned Harris
The Struggle for Microservice Integration Testing
Nov 10th 2023 6:30am, by Nočnica Mellifera
Docker at the Edge: How Machine Learning Transformed Fowl Task
Nov 9th 2023 10:28am, by Loraine Lawson
Why Is IPv6 Adoption Slow?
Nov 13th 2023 9:20am, by Tucker Preston
Effective Traffic Management with Kubernetes Gateway API Policies
Nov 7th 2023 3:00am, by Robert Kimani
Enhancing Kubernetes Networking with the Gateway API
Nov 3rd 2023 3:30am, by Robert Kimani
Cilium CNCF Graduation Could Mean Better Observability, Security with eBPF
Oct 13th 2023 4:00am, by B. Cameron Gain
Performant and Programmable Telco Networking with eBPF
Aug 11th 2023 10:00am, by Bill Mulligan
Netlify Launches Composable Web Platform for Enterprise Devs
Oct 19th 2023 9:00am, by Richard MacManus
4 Factors of a WebAssembly Native World
Oct 12th 2023 9:00am, by Liam Crilly
Raising the Serverless Bar: Infrastructure APIs Unleash More Value for Enterprises
Oct 10th 2023 10:00am, by Tyson Trautmann
The Security-First Mindset to Unlocking the AWS Opportunity 
Aug 9th 2023 8:14am, by David Melamed
3 Reasons Why Teams Move Away from AWS Lambda
Jul 18th 2023 10:00am, by Jonathan Michaux
Amazon S3 Express One Zone Introduces Near-Real Time Object Storage
Nov 28th 2023 1:20pm, by Joab Jackson
How Epic Games Revs up Unreal Engine 'Cook Time' for Devs
Nov 28th 2023 7:20am, by Cynthia Dunlop
How to Get Data Warehouse Performance on the Data Lakehouse
Nov 20th 2023 9:00am, by Sida Shen
MongoDB vs. ScyllaDB: A Comparison of Database Architectures
Nov 13th 2023 1:06pm, by Daniel Seybold
Doing DynamoDB Better, More Affordably, All at Once
Oct 30th 2023 11:00am, by Tzach Livyatan and Felipe Cardeneti Mendes
AI Frontend Development Software Development TypeScript WebAssembly Cloud Services Data Security
How to Easily Add AI to Your Applications
Nov 28th 2023 10:44am, by
Docker CTO Explains How Docker Can Support AI Efforts
Nov 28th 2023 10:09am, by
Arm Pushes AI into the Smallest IoT Devices with Cortex-M52 Chip
Nov 27th 2023 1:06pm, by
Beyond Prompt Engineering: Governing Prompts and AI Models
Nov 27th 2023 11:48am, by
Improving ChatGPT's Ability to Understand Ambiguous Prompts
Nov 27th 2023 9:00am, by
Dev News: Vite Rust-ifies, Roc Language, JS Framework SDKs
Nov 24th 2023 7:30am, by
React Panel: Frontend Should Embrace React Server Components
Nov 23rd 2023 9:30am, by
How Qwik’s Astro Integration Beats Both React and Vanilla JS
Nov 23rd 2023 8:47am, by
Pivot! AI Devs Move to Switch LLMs, Reduce OpenAI Dependency
Nov 22nd 2023 7:14am, by
Combining AI with React for a Smarter Frontend
Nov 21st 2023 12:30pm, by
Demystifying Container Security for Developers
Nov 28th 2023 12:21pm, by
How to Easily Add AI to Your Applications
Nov 28th 2023 10:44am, by
Docker CTO Explains How Docker Can Support AI Efforts
Nov 28th 2023 10:09am, by
How Epic Games Revs up Unreal Engine 'Cook Time' for Devs
Nov 28th 2023 7:20am, by
How Discord Scales up to Millions of Users on a Single Guild (Server)
Nov 28th 2023 6:00am, by
How to Get Advantages of TypeScript in JavaScript
Oct 27th 2023 10:51am, by
Dev News: Udemy's New Docker Program, Plus TypeScript Beta
Oct 7th 2023 5:01am, by
The Angular Renaissance: Why Frontend Devs Should Revisit It
Sep 26th 2023 8:15am, by
Dev News: A 'Nue' Frontend Dev Tool; Panda and Bun Updates
Sep 16th 2023 4:00am, by
Dev News: Svelte 5 vs. VanillaJS and Google’s Project IDX
Aug 12th 2023 8:00am, by
Dev News: Vite Rust-ifies, Roc Language, JS Framework SDKs
Nov 24th 2023 7:30am, by
WebAssembly's Status in Computing
Nov 14th 2023 11:14am, by
Who's Leading WebAssembly Adoption? So Far, Vendors
Nov 6th 2023 6:00am, by
Can Kubernetes Solve WebAssembly's Component Challenges?
Nov 2nd 2023 7:13am, by
What Will Be Hot at KubeCon? Platform Engineering, of Course
Oct 31st 2023 8:30am, by
VMware Unveils a Pile of New Data Services for Its Cloud
Nov 22nd 2023 8:44am, by
A Guide to Migrating to the AWS Identity Center
Nov 20th 2023 12:00pm, by
How to Manage Cloud Services with Terraform
Nov 20th 2023 9:34am, by
The Fastest Cloud Development Happens Locally
Nov 15th 2023 10:52am, by
Microsoft Fabric Goes GA, Adds Multiple Integrations
Nov 15th 2023 8:00am, by
Docker CTO Explains How Docker Can Support AI Efforts
Nov 28th 2023 10:09am, by
How Epic Games Revs up Unreal Engine 'Cook Time' for Devs
Nov 28th 2023 7:20am, by
How Discord Scales up to Millions of Users on a Single Guild (Server)
Nov 28th 2023 6:00am, by
Puzzling over the Postgres Query Planner with LLMs
Nov 27th 2023 9:27am, by
AI Will Drive Streaming Data Use — But Not Yet, Report Says
Nov 27th 2023 7:25am, by
Demystifying Container Security for Developers
Nov 28th 2023 12:21pm, by
Securing Microservices Communication with mTLS in Kubernetes
Nov 28th 2023 3:00am, by
Pentest Your Web Apps with Burp Suite on Kali Linux
Nov 25th 2023 6:00am, by
Why Your API Keys Are Leaving You Vulnerable to Attack
Nov 21st 2023 8:43am, by
A Guide to Migrating to the AWS Identity Center
Nov 20th 2023 12:00pm, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
Cloud Native Users Struggle to Achieve Benefits, Report Says
Nov 28th 2023 5:00am, by Charles Humble
A Shortcut to Building an Enterprise-Grade Developer Platform
Nov 27th 2023 10:02am, by Luca Galante
How to Be an Effective Platform Engineering Team
Nov 22nd 2023 6:53am, by Nočnica Mellifera
Platform Engineering Reduces Cognitive Load and Raises Developer Productivity
Nov 16th 2023 10:00am, by Michel Murabito
Developer Empowerment Via Platform Engineering, Self-Service Tooling
Nov 15th 2023 4:00am, by Jennifer Riggins
Does Kubernetes Really Perform Better on Bare Metal vs. VMs?
Nov 24th 2023 6:30am, by Oleg Zinovyev
Two Easy Ways to Improve Your Website Homepage
Nov 21st 2023 11:00am, by Andy Corrigan
5 Ways to Supercharge Incident Remediation with Automation
Nov 21st 2023 9:30am, by Greg Chase
A Portal as a Product Approach for Internal Developer Portals
Nov 17th 2023 6:35am, by Zohar Einy
3 Smart Ways to Use Gen AI for IT Operations Health
Nov 15th 2023 6:26am, by Debora Cambe
How to Observe Your CI/CD Pipelines with OpenTelemetry
Nov 28th 2023 7:40am, by Adriana Villela and Reese Lee
How to Use Databases Inside GitHub Actions
Nov 9th 2023 9:40am, by Gerald Venzl
Securing CI/CD Pipelines: A Comprehensive Approach Is Vital
Oct 25th 2023 6:06am, by Noah Simon
Continuous Release: Move Faster without Breaking Things
Oct 19th 2023 10:55am, by Karishma Irani
No Workflow Is an Island
Oct 13th 2023 7:09am, by Mark Fussell
Meet ‘Anna Boyko’: How a Fake Speaker Blew up DevTernity
Nov 28th 2023 11:24am, by Richard Gall
Cloud Native Users Struggle to Achieve Benefits, Report Says
Nov 28th 2023 5:00am, by Charles Humble
How to Conduct an Interview for a Senior Developer Role
Nov 24th 2023 5:30am, by David Eastman
How Managers Can Use Trust as a Tool
Nov 16th 2023 8:00am, by Kevin Clark
The Leadership Impact Curve
Nov 10th 2023 5:30am, by Kevin Clark
How to Observe Your CI/CD Pipelines with OpenTelemetry
Nov 28th 2023 7:40am, by Adriana Villela and Reese Lee
A Shortcut to Building an Enterprise-Grade Developer Platform
Nov 27th 2023 10:02am, by Luca Galante
How to Be an Effective Platform Engineering Team
Nov 22nd 2023 6:53am, by Nočnica Mellifera
Google Says You Might Be Doing DORA Metrics Wrong
Nov 21st 2023 9:00am, by Jennifer Riggins
AppMap Releases Runtime Code Review as a GitHub Action
Nov 21st 2023 3:00am, by Susan Hall
Securing Microservices Communication with mTLS in Kubernetes
Nov 28th 2023 3:00am, by Robert Kimani
Does Kubernetes Really Perform Better on Bare Metal vs. VMs?
Nov 24th 2023 6:30am, by Oleg Zinovyev
Debugging Containers in Kubernetes — It's Complicated
Nov 21st 2023 7:44am, by Alex Williams
Multicloud Architecture: What I Want to See
Nov 17th 2023 10:19am, by Robert Sonders
Cycle.io: Meet the Team on a Mission to Replace Kubernetes
Nov 16th 2023 12:30pm, by Charles Humble
How to Observe Your CI/CD Pipelines with OpenTelemetry
Nov 28th 2023 7:40am, by Adriana Villela and Reese Lee
5 Ways to Supercharge Incident Remediation with Automation
Nov 21st 2023 9:30am, by Greg Chase
What Grafana’s Purchase of Asserts.ai Means for the User
Nov 16th 2023 1:00pm, by B. Cameron Gain
4 Unexpected Costs of Unreliable Observability
Nov 16th 2023 9:00am, by Amanda Mitchell
Holiday On-Call Duty: A Present or Punishment?
Nov 9th 2023 6:38am, by Paige Cruz
Using JWTs to Authenticate Services Unravels API Gateways
Nov 8th 2023 6:53am, by Christian Posta and Peter Jausovec
Enhancing Kubernetes Networking with the Gateway API
Nov 3rd 2023 3:30am, by Robert Kimani
Linkerd Enterprise Creators: Keep the Sidecar Mesh
Oct 31st 2023 7:05am, by B. Cameron Gain
Scaling Environments with OpenTelemetry and Service Mesh
Oct 17th 2023 11:13am, by Anirudh Ramanathan
Kubernetes 1.28 Accommodates the Service Mesh, Sudden Outages
Aug 18th 2023 10:08am, by Joab Jackson
Cloud Native Ecosystem / Microservices / Service Mesh

Chart a Course for a Service Mesh Future: Lifting Off with Istio

A primer for how a service mesh works and why you'd need one in a microservices environment.
Sep 24th, 2019 10:00am by
Featued image for: Chart a Course for a Service Mesh Future: Lifting Off with Istio

Karen Bruner
Karen Bruner is a Principal DevOps Engineer for StackRox, where she drives automation and advocates for operationalizing the product. Previously, Karen has held DevOps and site reliability engineering roles at Clari, Ooyala, LinkedIn, and Yahoo. She started her career working in Hollywood in the digital effects industry and has a film credit in “Babe” for Internet Bandit. She spends her spare time rendering puns in yarn, learning obscure fiber crafts, and tripping over cats.

The maturation of cloud native architectures and technologies, such as containers and Kubernetes, is driving the emergence and adoption of service mesh architectures. While cloud native environments promise a wealth of benefits for organizations that deploy them, complexity has emerged as a significant challenge for those responsible for architecting, developing, operating and securing such systems, including DevOps practitioners, infrastructure engineers, software developers, and network operators as well as CIOs, CTOs, and other organizational technology leaders.

The ability to consolidate on a consistent service and network management experience for applications across cloud native environments and how that aligns with and speeds DevOps practices together propel the development of service mesh frameworks. As cloud native adoption continues to accelerate, it’s critical for the engineering teams that own cloud native applications to familiarize themselves with service mesh capabilities now to determine if that technology will provide value to their organization in the future.

What Is a Service Mesh?

A service mesh allows you to connect, secure, control, and observe services in an orchestrator platform. The term “service mesh” itself applies either to the set of overlapping network connections between services in a distributed application or to a set of tools used to manage that group of connected services. If you have two microservices which interact via network connections, you have a service mesh. Here’s the simplest example, a mesh with two services:

More likely, as the number of microservices in your environment grows, your service mesh will start to look something like the following:

As cloud environments expand into hybrid and multicloud deployments, developers use microservices to speed development and to ensure portability among the many containers and distributed cloud resources used by an organization — a vast and complex network of data and applications. As the complexity of a microservices ecosystem grows, so does the need to manage it effectively and intelligently, to get insights into how the microservices interact, and to secure communications between the microservices.

What Is Istio?

If you’ve heard about service meshes, you’ve almost certainly heard about Istio in conjunction. Istio is an open source service mesh that can be deployed alongside existing cloud-native applications. It also has platform-like features that allows it to be integrated into logging platforms, or telemetry or policy systems. The policy integration allows Istio to act as a security tool creating a uniform method to secure, connect, and monitor microservices within a given environment. When referenced, “the Istio service mesh” usually refers to the Istio toolset, whereas “an Istio service mesh” usually denotes a specific application cluster managed by an Istio installation. Istio’s many Custom Resource Definitions (CRDs) enable programmatic configuration (using the Kubernetes API) of the behavior of the application network layer, where the application is the set of interdependent microservices. Istio, more or less, is the Kleenex of service meshes in today’s cloud native stack — it’s the most feature-rich and standardized.

Do I Need a Service Mesh?

Although service mesh adoption is likely to continue to spread quickly, especially as the feature sets and manageability of tools like Istio improve, not every cloud native environment needs it. So how do you know if a service is right for your organization and environment? You should consider deploying a service mesh if you need a solution to one or more of the requirements or problems outlined below:

  • You have performance issues in a distributed microservice-based application
  • You need to gather and deliver consistent request and connection metrics for all microservices
  • You want to make over-the-wire encryption the default without having to manage TLS certificates directly
  • You require service-to-service control at a finer-grained resolution than vanilla Kubernetes can provide with Network Policies
  • You want to enable release automation with canary rollouts and application API multi-version support
  • You desire to add user authentication and authorization without modifying the application

On the other hand, using a service mesh comes with some trade-offs if it’s not needed in your stack. Deploying a service mesh (Istio included) will require a significant level of migration effort and operational overhead given how complex these environments can be. If you don’t expect the number of microservices deployed to grow, if other solutions meet your internal HTTP request routing needs, or if you already have manageable effective solutions to any of the key requirements listed above, then a service mesh probably isn’t the best solution for your environment at this time.

But as service mesh adoption continues to surge, the ecosystem of features developed to support it will inevitably continue to expand. This increase will improve manageability and functionality so that in the future, as organizational maturity demands it, DevOps teams will have easier access to a more robust set of service mesh tools without the anxiety associated with deploying a fresh layer of infrastructure into the cloud native stack.

How Istio Works

Istio components can be broken down into two groups — the control plane and the data plane. The control plane refers to the services that manage configurations and monitor the data plane. The data plane consists of intelligent proxies deployed as sidecars in application pods, the smallest deployable object in the Kubernetes object model. These Istio proxies facilitate controlling and monitoring the network connections between microservices. Routing and policy rules are received from the control plane. The data plane then reports back connection handling telemetry.

Istio service meshes are configured through the creation of Kubernetes resources. There are many Kubernetes Custom Resource Definitions that map to various elements of Istio’s functionality created by the folks behind it. We discuss more about the control and data planes below, but first we wanted to raise a few points about Istio’s potential (as well as potential pitfalls).

The Potential and Pitfalls

Istio offers a range of features to handle and control network connections through its mesh of dynamically-configurable proxies. But this functionality comes with a steep learning curve and a heavy load of configurations. There are also sometimes many common issues that come along with migrating existing applications into Istio architectures, even if they are already Kubernetes-native microservices.

Ironically, Istio lacks visibility into how it translates user-supplied configurations to Envoy routes. Envoy is the high-performance proxy developed as an intermediary for inbound and outbound traffic for the services in a service mesh created by developers from the ride-share service Lyft to transition from a monolithic architecture to a service mesh architecture. Other adoption issues can include the learning curve required to understand requirements for deployment and service resource configuration, addressing Kubernetes readiness and liveness probes that break when mTLS is turned on, and working with headless services (Kubernetes services with no ClusterIP) or services that otherwise bypass the normal Kubernetes service discovery flow.

The upside is that Istio is rapidly evolving with frequent releases and engaged working groups that actively solicit user feedback. Many limitations come from the Envoy proxy, which is also being actively developed and improved as Istio continues to drive its usefulness.

Configuring the Control Plane

A typical Istio deployment in a Kubernetes cluster should have the following services:

  • The Pilot service, which aggregates traffic management specifications configured in Istio networking custom resources and delivers it to the istio-proxy sidecars.
  • The Mixer service, which handles telemetry for request metrics generated by proxy sidecars to send them to configured backends and acts as an authorization policy enforcer. If policy checks are turned on (Istio 1.1 turns them off by default), the proxy sidecars will connect to the Mixer to confirm that the connection is allowed. This approach, unfortunately, comes at the slight cost of additional network latency.
  • The Citadel service, which is Istio’s Public Key Infrastructure (PKI) service, generates, rotates, and revokes the client TLS certificates generated for each service in a mesh and used for peer-to-peer authentication.
  • The Galley service, which is the Kubernetes controller for most of the Istio Custom Resource Definitions enabling users to make changes to custom resources and distribute the contents to the other Istio services.

The Data Plane

The data plane is powered by the Envoy service proxy, built with extensions for Istio. The proxy intercepts incoming traffic to the pod’s service ports and, by default, all outgoing TCP traffic from the pod’s other containers. In most cases, the proxy sidecar can run in a pod without requiring any changes to the application code and with only minor changes to the application’s Kubernetes Deployment and Service resource specifications. The configuration of the proxy sidecars is managed dynamically by the services in the Istio control plane.

Ultimately, a time may come when you will need to deploy a service mesh to ensure your cloud native environment is fully functioning and amply secured. Familiarizing yourself with the fundamentals today will give you a leg up when it comes time for recognizing when it’s time to deploy and being prepared. With visibility into the design and functionality of Istio, and how it reduces the inherent complexity of containerized microservices and cloud-native environments, engineers trying to plan for scaling on Kubernetes and other container platforms can feel relief knowing that a highly functional and rapidly improving solution exists and is actively evolving to enhance scalability, security and ease of management.

As organizations continue on their journey towards the adoption of cloud native and distributed architectures, Istio’s service mesh capabilities, along with lower-level infrastructure network controls and general Kubernetes security best practices, will unburden DevOps organizations from the pressures associated with scaling and managing application infrastructure.

Feature image via Pixabay.

TRENDING STORIES
Group Created with Sketch.
SHARE THIS STORY
TRENDING STORIES
TRENDING STORIES
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.