What Is a Kubernetes Service Mesh?
Kubernetes service meshes are a tool for injecting observability, reliability, and security features into applications at the platform level rather than the application level. The rise of Kubernetes and microservices has driven interest in this technology, with many organizations adopting a Kubernetes service mesh solution.
Microservices architecture is highly network-dependent. A service mesh can manage traffic between application services. While there are other approaches to network traffic management, they are not as sustainable as a service mesh—they place more of the operational burden on the DevOps team, requiring manual, error-prone tasks.
You usually implement a Kubernetes service mesh as a group of network proxies deployed with a sidecar of application code in a container. These sidecar proxies act as an entry point for service mesh functionality and manage the communication between containerized microservices. The Kubernetes service mesh has a data plane consisting of proxies controlled by the control plane.
Service mesh architectures and Kubernetes emerged with the boom of cloud native apps. An application may consist of hundreds of containerized services, and each service can have thousands of instances. Each of these instances changes quickly, requiring dynamic scheduling—Kubernetes helps manage this.
What Is Istio?
Istio is a service mesh technology that allows developers to secure, connect, run, control, and monitor distributed microservices architectures regardless of the vendor or platform. It manages interactions between services in container-based and virtual machine-based workloads.
Istio is open source and independent, so it is useful for any platform—however, it offers the most benefits when used with Kubernetes. Combining the two allows you to secure inter-service and inter-pod communication at the network and application levels.
Integrating with Istio extends the capabilities of the container orchestration software. Kubernetes normally handles multi-container workloads such as microservices, but not functions like failure and traffic management. Istio bridges this gap and creates more efficient and reliable systems.
According to the 2022 GigaOm Service Mesh Radar report, “Solo.io Gloo Mesh continues to be the leading Istio-based service mesh, incorporating built-in best practices for extensibility and security and simplified, centralized Istio and Envoy lifecycle management.”
6 Benefits of Using Istio with Kubernetes
Istio enables organizations to deliver decentralized applications at scale. It helps simplify network operations such as inter-service traffic management, encryption, authorization, troubleshooting, and auditing.
Istio offers the following capabilities beyond what plain Kubernetes provides:
- Cloud native application security—you can focus on application-level security with strong identity-driven authorization, authentication, and encryption.
- Efficient traffic management—achieve granular control over traffic and network behavior using rich routing rules, failover, retries, and error injection. In post-production testing, the Chaos Monkey integration allows SREs to inject faults and delays to improve resilience.
- Service mesh monitoring—Itsio provides service-level visibility so you can track, monitor, and troubleshoot issues. Without fine-grained details, bottlenecks take a long time to resolve. A service mesh makes it easy to disable failed services and replicas and maintain API responsiveness.
- Easy deployment with Kubernetes—Istio offers network controls and visibility for modern and traditional workloads, including virtual machines and containers.
- Simplified load balancing—advanced features can automate load balancing, provide client-based routing, and support canary deployments.
- Policy enforcement—a configuration API and policy layer help enforce policies with access control, quotas, and rate limits.
How Istio Works
Here is an outline of the core Istio functions.
You can use the Istio traffic management API to manage service mesh traffic at a granular level. You can use this API to add traffic configurations and define API resources using Kubernetes CRDs (custom resource definitions). The main API resources for controlling traffic routing include destination rules and virtual services.
Destination rules help control traffic to specific destinations, for example, by classifying service instances according to versions. Virtual services allow you to configure the routing of requests to services in an Istio service mesh. They consist of one or several routing rules evaluated in sequence. After evaluating the routing rules for the virtual service, you can apply destination rules.
Istio security requires assigning a robust identity to each service. Envoy proxies run alongside an Istio agent, using istiod to automate the rotation of certificates and keys.
Istio offers two authentication options: request authentication and peer authentication. Request authentication allows end-user authentication, with Istio providing validation via JSON Web Tokens (JWTs) and a custom or OIDC-based authentication provider. Peer authentication allows authentication between services, with Istio providing a full stack solution of mutual TLS.
Istio lets you control access to services by applying authorization policies. Authorization policies enforce access control for inbound traffic via Envoy proxies. They allow you to enforce access control at different levels, such as across the mesh or at the namespace or service level.
Istio provides granular telemetry data for all service mesh communication, including metrics, access logs, and traces. Istio generates detailed proxy-level, service-oriented, and control plane metrics.
Istio also creates distributed traces via the Envoy proxy. It supports several tracing mechanisms such as Zipkin, Lightstep, Datadog, and Jaeger. You can control the sample rate at which traces are generated. Istio also provides service traffic access logs in configurable formats.
Related content: Read our guide to Istio architecture
Quick Tutorial: Install Istio Service Mesh in Your Kubernetes Cluster
Download and Setup Istio
This tutorial downloads Istio onto a local Minikube cluster. Therefore, ensure Minikube is downloaded and installed from their official link.
To start a local Minikube cluster and install Istio on it:
- Go to the bash terminal and use the following command to initiate a Minikube cluster:
minikube start --cpus 6 --memory 8192
- Use this link to download the right Istio release package for your machine and add its command line interface tool Istiocl to the $PATH
- Use the following command to install the main Istio component called Istiod to the K8s cluster:
Deploy Demo Microservices App
This tutorial deploys a demo microservices app from Google to show the capabilities of Istio and how it injects Proxies.
To deploy the demo microservices app on the cluster:
- Clone the demo cloud-native microservices application from Google onto your machine with the following commands:
git clone https://github.com/GoogleCloudPlatform/microservices-demo.git
- Navigate to the microservices-demo folder with the following command:
- Deploy the demo microservices application to the cluster with the following command:
kubectl apply -f kubernetes-manifests.yaml
- Enter the following command to see the pods from the demo microservices application running:
kubectl get pods
Configure Istio To Automatically Inject Envoy Proxy
Istio doesn’t inject proxies into the pods by default. Therefore, it needs explicit configuration for automatic proxy injection into the cluster pods.
To configure Istio for automatic proxy injection in microservice pods:
- Use the following command to enable injection for the demo application’s pods:
kubectl label namespace default istio-injection=enabled
This command enables injection by changing the label of the pods from default to istio-injection=enabled.
- Delete the pods with the following command to initiate restarting them for the change in the previous step to show:
kubectl delete --all pod -n istio-injection=enabled
- Use the command in the 3rd step of Deploy Demo Microservices App to run the pods again and see automatic proxy injection.
Install Monitoring and Visualization Addons for Istio
Istio collects information about the microservices pods that aid in monitoring them. The Istio release package has a library of addons for visualizing this data. The YAML files for these add-ons are in the samples/addons directory.
To install an Istio addon:
- Use the following command to install an addon through the kubectl command on the relevant YAML in the samples/addons directory:
kubectl apply -f istio-1.9.0/samples/addons/zipkin.yaml
This command installs the distributed tracing addon Zipkin, as an example.
Istio for Kubernetes with Solo
For users of any Kubernetes platform – for example, Red Hat OpenShift, VMware Tanzu, SUSE Rancher, AWS EKS, Azure AKS, Google GKE, OSS Kubernetes – the simplest way to add Istio service mesh is Solo.io Gloo Mesh. In the 2022 GigaOm Service Mesh Radar, “Solo.io Gloo Mesh continues to be the leading Istio-based service mesh, incorporating built-in best practices for extensibility and security and simplified, centralized Istio and Envoy lifecycle management.“
Gloo Mesh multi-cluster and multi-cloud management of Istio, as well as adding advanced routing, advanced security and advanced lifecycle management of Istio.