//TODO [ ] read official document [ ] udemy course
The course is mainly about Anthos; since service mesh is an important part of it, it covers a lot of service mesh material, and covers it well. Quick Labs and slides are from the PluralSight Anthos special. The service mesh labs are worth revisiting to see how it is operated in GCloud. The slides can also be downloaded.
Istio is an implementation of a service mesh that improves application resilience as you connect, manage, and secure microservices. It provides operational control and performance insights for a network of containerized applications. It can work across environments (think about Google Anthos)!
A service mesh decouples the following important network functions from the applications:
- authn
- authz
- latency
- fault tolerance
- circuit breaking
- quota
- rate limiting
- load balancing
- logging
- metrics
- distributed tracing
- topology
To summarize, there are three parts:
- Traffic control
- Observability (dashboards: Prometheus, Grafana, Jaeger, Kiali)
- Security
Istio uses Envoy and the sidecar pattern in Kubernetes pods.
Istio main components:
Pilot: the control plane that manages the distributed proxies across either environment and pushes service communication policies, just like a software-defined network.
- service discovery
- traffic management
- intelligent routing
- resiliency
Mixer: collects info and sends telemetry, logs, and traces to your system of choice (Prometheus, InfluxDB, Stackdriver, etc.).
Citadel: policy management, service-to-service authn/authz using mutual TLS, credential management.
How Istio works, for example the life of a request in the mesh:
- Service A comes up.
- Envoy is deployed with it and fetches service information, routing, and configuration policy from Pilot.
- If Citadel is being used, TLS certs are securely distributed as well.
- Service A calls service B.
- The client-side Envoy intercepts the call.
- Envoy consults its config to know how and where to route the call to service B.
- Envoy forwards to an appropriate instance of service B; the Envoy on the server side intercepts the request.
- The server-side Envoy checks with Mixer to validate that the call should be allowed.
- The server-side Envoy forwards the request to service B for a response.
- Envoy forwards the response to the original caller; the response is intercepted by the Envoy on the caller side.
- Envoy reports telemetry to Mixer, which in turn notifies the appropriate plugins.
- The client-side Envoy forwards the response to service A.
- The client-side Envoy reports telemetry to Mixer, which in turn notifies the appropriate plugins.
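The security half of the flow above (a TLS identity issued to each sidecar, and an allow/deny decision at the server-side Envoy before service B ever sees the request) written as Istio configuration, as an added example that is not from the course or slides. It uses the current security.istio.io/v1beta1 API; the namespace demo, the label app: service-b and the service account names are assumptions.

```yaml
# Added example, not from the course material. Namespace, labels and service
# account names are assumed.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: demo
spec:
  # STRICT: sidecars in this namespace accept only mutual-TLS traffic, so a
  # plaintext call from a pod without an Envoy sidecar is rejected by the
  # server-side proxy. The cert each sidecar presents carries the pod's
  # service-account identity, which the policy below matches on.
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-b-allow-service-a
  namespace: demo
spec:
  # Enforced by the server-side Envoy in front of service B's pods.
  selector:
    matchLabels:
      app: service-b
  action: ALLOW
  rules:
  - from:
    - source:
        # Identity taken from the client certificate:
        # <trust-domain>/ns/<namespace>/sa/<service-account>
        principals: ["cluster.local/ns/demo/sa/service-a"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/*"]
```

Once an ALLOW policy selects a workload, any request that matches none of its rules is denied, so a caller running under a different service account, or service A sending a POST, gets a 403 from service B's sidecar rather than reaching the application.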