No items found.

The Open Source Application Networking Stack

October 6, 2023
Peter Jausovec

How applications get networked is paramount to their efficiency, reliability, and security. It’s not a secret that tools and platforms play a vital role in ensuring the seamless operation of your applications.

Whether managing containerized workloads, simplifying service-to-service communication, issuing identities to your services, or connecting them, you’ll embrace open source technologies at some point. Open source tools such as Kubernetes, Istio, Envoy, Cilium, SPIFFE/SPIRE, and others offer wide-ranging capabilities that form the backbone of the modern application networking stack.

Let’s dive into some of the foundational elements of this particular stack, explain their individual roles, and see how they fit together.

  1. Container orchestration platform (Kubernetes)
    Kubernetes is a portable, extensible, open source platform for managing containerized workloads and services that facilitates declarative configuration and automation.
  2. Container Networking Interface (CNI) (Cilium, Calico, and others)
    Container Network Interface (CNI) is a specification and a set of libraries for dynamically configuring networking interfaces in Linux containers, and it’s used in Kubernetes to manage the network resources of pods.
  3. Istio service mesh (Istio, Istio Ambient Mesh)
    Istio is an open source service mesh that provides a way to connect, secure, control, and observe service. It’s an infrastructure layer for making service-to-service communication safe, fast, and reliable.
  4. Edge proxy (Envoy)
    Envoy proxy is a high-performance, extensible, open-source network proxy designed for cloud-native applications. Envoy is an L4 and L7 proxy with a pluggable filter chain mechanism. It’s dynamically configurable and provides rich metrics and logging.
  5. SPIFFE / SPIRE
    SPIFFE (Secure Production Identity Framework for Everyone) is a set of open source standards for securely identifying services and provides a standardized way to establish trust between them, while SPIRE (SPIFFE Runtime Environment) is a toolchain of APIs for it.

All projects are open source and members of the CNCF ecosystem, which means they are community-maintained and freely available for anyone to use.

What Are These Projects Used for?

The combination of these projects forms a comprehensive solution designed to connect, manage, secure, and observe communication between your applications and is best suited for running and managing microservices architectures in multi-cloud or hybrid environments with services running inside clusters or VMs.

The beauty of these technologies is that projects can be used individually or in combination with other projects. For example, you can start with Kubernetes and the CNI, then integrate the edge Envoy and Istio service mesh later.

This approach offers flexibility and allows organizations to scale and adapt to their evolving needs.

Why Are These Technologies Important?

Let’s look at the importance of these tools through four pillars: security, control and management, observability, and extensibility.

Security

While primarily an orchestration tool, Kubernetes establishes foundation security measures through role-based access control (RBAC) that enables organizations to ensure that only authorized users and entities can access and interact with specific system parts.

Another layer in Kubernetes’ security strategy is integrating Container Network Interface (CNI) plugins such as Cilium or Calico. The CNI lays the groundwork for network segmentation and isolation and enables network policies that offer granular control over how pods communicate with each other and with other network endpoints.

Istio uses mutual TLS (mTLS) to ensure the communication between services is encrypted while authenticating both the sender and receiver. This minimizes risks like data breaches and eavesdropping. Following the SPIFFE specification, Istio issues short-lived cryptographic documents to workloads and allows detailed access control for service-to-service communication. This combination of authentication, encryption, and detailed access control makes Istio a pivotal pillar in the stack.

To introduce another layer of security, we utilize Envoy proxies to manage ingress and egress traffic. As part of the Istio service mesh, Envoy acts as a gatekeeper that inspects and routes incoming and outgoing data and ensures only legitimate traffic reaches your services. For example, on the ingress side, it enforces TLS, and on the egress side, it directs the outbound traffic through a dedicated egress gateway. Both ensure standardized and monitored entry and exit points and a centralized location for applying security policies and compliance checks.

The combination of these projects facilitates the implementation of the zero trust security model. In this model, every network flow is explicitly authenticated and authorized, regardless of its source or destination. The zero trust approach assumes a “never trust, always verify” posture, which helps reduce the attack surface within your network.

  • Network policy enforcement: CNI offers a Kubernetes network policy implementation that controls network communication between the pods at the IP level.
  • Secure service communication: While SPIFFE provides secure identities to workloads, Istio service mesh uses it to offer service-to-service authentication and encryption using mTLS, securing the traffic.
  • Defense in depth: Envoy and Istio allow enforcing security policies at the L7 application layer, including rate limiting and CORS policies. This adds an additional layer of security on top of existing network layer policies.

Lastly, each project in the stack is a widely used open-source project with active community support. This ensures the full stack is up-to-date with security updates, features, and help and learning resources.

Control and Management

In terms of control and management, Kubernetes is good at optimizing resource allocation and scheduling containers based on resource needs and availability. This ensures optimal performance and brings efficiency in deploying, managing, and scaling applications.

The CNI and eBPF allow operators to define and enforce network policies that ensure secure and efficient inter-service communication at L4, while Istio service mesh and Envoy bring the efficiency at the L7 level with their advanced traffic management capabilities such as weighted traffic routing (canary), routing on request parameters, retries, circuit breaking and outlier detection (preventing cascading failures), request modification (e.g., modifying headers, for example), rate limiting, and more.

Kubernetes’ optimized resource utilization, Istio’s traffic management capabilities, Envoy’s operation efficiency to reduce potential downtime with traffic management and failover mechanisms, and CNI’s ability to judiciously use bandwidth and other network resources by precisely defining and enforcing network policies can drive substantial cost savings for organizations.

Additionally, since all projects are open-source, there are no costs associated with the vendor lock-in.

Observability

Observability is a critical aspect of any system. A fully-instrumented environment allows us to pinpoint issues and their root causes.

Each project provides telemetry capabilities that enable the system’s observability:

  • CNI: offers visibility into the network and telemetry related to network connectivity and load balancing.
  • Istio service mesh: shares detailed telemetry out-of-the-box. Metrics such as request countries, error rates, latency, and so on for all traffic between workloads in the mesh are automatically collected. Distributed tracing helps with diagnosing hot paths and performance issues.
  • Kubernetes: offers telemetry data related to the performance of clusters and nodes and gives insights into the state of objects in your Kubernetes clusters.
  • Envoy: runs at the edges of the network and, as an L7 proxy in the mesh, generates detailed logs and metrics about the traffic it handles and allows following the path of requests through the system of microservices

Extensibility

The extensibility features allow us to fine tune and extend the functionality to match your requirements.

One of Envoy’s biggest features is its extensibility. Envoy is built around a pluggable filter chain mechanism, which allows users to insert custom filters that process data flowing through the proxy. The filters can operate at the network and application layers and can perform tasks such as custom routing, request/response modification, logging, and others.

With Envoy’s support of WebAssembly, you’re no longer required to write Envoy filters in C++. You can write custom filters in languages like Rust, AssemblyScript, or Golang.

The fact that Envoy is featured as part of the CNI (Cilium) and Istio service mesh, as well as a standalone ingress and egress edge proxy, makes the stack fully customizable and extensible.

Kubernetes also offers multiple extensibility features. From creating custom resources and controllers (the operator pattern) that allow packaging applications and automating management tasks to admission controllers, webhooks, and API aggregation. The CNI layer of the stack utilizes Kubernetes’ support for a pluggable networking interface. In addition to the CNI, Kubernetes supports CSI (Container Storage Interface) plugins and extensions on the kubectl CLI side.

Integrating the Tools

It’s safe to say that the efficiency of application networking will remain central to the success of any organization. Open source solutions such as Kubernetes, Isito, Envoy, Cilium, SPIFFE, and others have proven invaluable in building a resilient and optimized networking stack.

However, the breadth of features this stack offers can introduce complexities that hinder an organization’s ability to scale and secure its applications effectively. Solo.io’s Gloo Platform seamlessly integrates these tools and transforms them into a unified application networking solution that streamlines their features and maximizes their potential. Join our Slack or contact our technical teams to learn more about it.

Cloud connectivity done right