The Istio service mesh is not a low-maintenance or easy-to-learn technology, but its latest release includes several upgrades that improve usability and performance while decreasing the maintenance workload for users. Istio has become an increasingly critical tool in the DevOps toolbox, particularly for Kubernetes deployments. In response to growing user needs, an ecosystem of supporting applications and technologies has emerged to make Istio as functional as possible while providing a solution to address some of the gaps in Kubernetes.
The Istio working group released the latest version of Istio, v1.4.0, ahead of KubeCon + CloudNativeCon North America in late 2019. The newest updates lay the foundation for a number of improvements in management, performance, and security that will be a boon to production users. The following features can help you operationalize Istio as easily as possible:
Alpha support for Mixer-less telemetry: Mixer-less telemetry makes it easier to use fewer CPU and memory resources in the proxy sidecar without degrading network service or metrics. Previously, if a user wanted to collect connection telemetry data from the Envoy proxy, the istio-proxy sidecar had to make its own connection to Istio’s Mixer telemetry service for every connection it handled. With the new Mixer-less telemetry enabled, the connection metrics are processed in the Envoy proxy, then made available for scraping by Prometheus. By making metrics collection passive from the point of view of the proxy, the bookkeeping load on the proxy drops.
The Istio authorization policy API: The replacement for Istio’s RBAC policy implementation, the Istio authorization policy API graduated to beta in Istio 1.4.0. Addressing confusion over how Istio RBAC policies apply to workloads rather than services, the new control system adds support for more use cases and simplifies Istio’s UX.
Centralized tooling for service mesh management: The istioctl command adds support for installing and managing the control plane configuration in v1.4.0, centralizing tooling for the management of Istio service meshes. Users can now use the experimental istioctl analyze command to troubleshoot clusters; it examines either a live cluster or the YAML manifests used to install and configure Istio. Applying this command helps prevent installation issues on live Kubernetes clusters.
The Envoy proxy: The Envoy proxy now supports additional metrics and enables mirroring a user-specified percentage of traffic rather than presenting an all-or-nothing choice. These updates make the data plane powered by the Envoy proxy run more smoothly.
Automatic mTLS: Automatic mTLS has simplified the migration from permissive mTLS mode to mTLS enforcement, making the gradual adoption of Istio and its security features easier. Previously, when users were gradually adding the istio-proxy sidecar to deployments, they had to create DestinationRule resources. It was also necessary to update them to reflect which upstream targets had the proxy sidecar that could support mTLS connections. With automatic mTLS, the Istio control plane tracks which deployments have the sidecar and updates the mesh’s sidecar proxies to connect to those workloads with or without mTLS as needed.
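The following is an added illustration of the workload-scoped model behind the authorization policy API described above, and of the mTLS identities (SPIFFE-style service-account principals) that automatic mTLS makes available to it; it is not taken from the article or from the Istio project's own documentation. The namespace, labels, service-account name and request paths are assumptions; the policy shape (selector by pod labels, source principals, allowed operations) is the security.istio.io/v1beta1 AuthorizationPolicy API.

```yaml
# Added example (not from the article). Two policies in an assumed "shop" namespace.
#
# 1. A policy with no selector and no rules applies to every workload in the
#    namespace and denies all requests: an explicit deny-by-default baseline.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop
spec: {}
---
# 2. Policies attach to workloads via pod labels (not to Kubernetes Services),
#    which is the distinction the beta API makes explicit. This one allows only
#    the "checkout" service account to call the payments charge endpoint.
#    The principal is the identity issued to the caller's sidecar, so it is
#    only meaningful when the connection is mTLS; automatic mTLS takes care of
#    upgrading sidecar-to-sidecar traffic without a hand-written DestinationRule.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-checkout-to-payments
  namespace: shop
spec:
  selector:
    matchLabels:
      app: payments          # assumed label on the payments pods
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/checkout"]   # assumed service account
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/charge"]                               # assumed endpoint
```

Requests to the payments pods that do not carry the checkout identity over mTLS fall through to the deny-all policy, so a workload that is still sending plaintext during a gradual rollout will be rejected rather than silently allowed.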
These latest Istio upgrades help organizations identify the optimal use cases for their Istio deployments. Istio’s value proposition is becoming increasingly clear as its functionality expands and performance and usability improve. In addition, maturing security controls, such as the new authorization policy, will fundamentally enhance how Istio can be applied to security use cases, such as Ingress/Egress and gateway support, without added complexity. These new features should be considered a critical stepping stone in codifying the requirements for how Istio will be put to use in more deployments industry-wide and cementing its place as one of the leading emergent service mesh technologies.
Kubecon + CloudNativeCon is a sponsor of The New Stack.