Istio

//TODO [ ] read official document [ ] udemy course

The course is mainly about Anthos; since the service mesh is a key part of it, it covers a lot of service mesh material, and covers it well. Quick Labs and slides are from the PluralSight Anthos special. The service mesh labs are worth revisiting to see how the mesh is operated in GCloud; the slides can also be downloaded for reference.

Istio is an implementation of a service mesh that improves application resilience as you connect, manage, and secure microservices. It provides operational control and performance insights for a network of containerized applications, and it can work across environments (think of Google Anthos).

Important network functions that a service mesh decouples from the applications themselves:

  • authn
  • authz
  • latency
  • fault tolerance
  • circuit breaking
  • quota
  • rate limiting
  • load balancing
  • logging
  • metrics
  • distributed tracing
  • topology

To summarize, there are 3 parts:

  • Traffic control
  • Observability (dashboard: prometheus, grafana, jaeger, kiali)
  • Security

Istio uses Envoy proxies deployed with the sidecar pattern in K8s pods.

Istio main components:

  • Pilot: the control plane; it manages the distributed proxies across either environment and pushes service communication policies to them, much like a software-defined network.
    • service discovery
    • traffic management
    • intelligent routing
    • resiliency
  • Mixer: collects telemetry, logs and traces and sends them to your backend of choice (Prometheus, InfluxDB, Stackdriver, etc.)
  • Citadel: policy management, service-to-service authn/authz using mutual TLS, credential management.

How Istio works, illustrated by the life of a request in the mesh:

  1. Service A comes up.
  2. Envoy is deployed with it and fetches service information, routing and configuration policy from Pilot.
  3. If Citadel is being used, TLS certs are securely distributed as well.
  4. Service A calls service B.
  5. The client-side Envoy intercepts the call.
  6. Envoy consults its config to know how/where to route the call to service B.
  7. Envoy forwards the call to an appropriate instance of service B; the Envoy on the server side intercepts the request.
  8. The server-side Envoy checks with Mixer to validate that the call should be allowed.
  9. The server-side Envoy forwards the request to service B for a response.
  10. Envoy forwards the response to the original caller; the response is intercepted by the Envoy on the caller side.
  11. The server-side Envoy reports telemetry to Mixer, which in turn notifies the appropriate plugins.
  12. The client-side Envoy forwards the response to service A.
  13. The client-side Envoy reports telemetry to Mixer, which in turn notifies the appropriate plugins.
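The security part of this flow (certs distributed in step 3, the allow/deny check in step 8) is configured declaratively. The following is an added example, not from the course or the Istio project: it forces mutual TLS for every sidecar in a namespace and then lets only service A's identity call service B. The namespace "default", the label "app: service-b", the service account "service-a" and the paths are assumptions. Newer Istio releases perform the step 8 check inside Envoy itself, driven by resources like these.

```yaml
# Added example (not from the original notes). Assumed names: namespace "default",
# workload label app=service-b, caller service account "service-a".
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT          # sidecars in this namespace reject plaintext; peers must present a mesh cert
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-b-allow-service-a
  namespace: default
spec:
  selector:
    matchLabels:
      app: service-b      # enforced by service B's server-side Envoy (step 8 above)
  action: ALLOW           # an ALLOW policy implicitly denies every request it does not match
  rules:
  - from:
    - source:
        # SPIFFE identity taken from the caller's mTLS client certificate;
        # a plaintext caller has no principal and therefore never matches
        principals: ["cluster.local/ns/default/sa/service-a"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/*"]
```

Apply both with `kubectl apply -f`; afterwards a call to service B from any workload other than one running as the service-a service account (or using another method or path) is rejected by service B's sidecar before it reaches the application.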