In my previous blog post, I described briefly what Kubernetes is, why it is gaining such a wide adoption and how it solves a multitude of problems and makes deployments of fault-tolerant, scalable and maintainable systems very easy. Seems like Kubernetes can solve all of the problems right? Almost, but not quite. Kubernetes will deploy thousands of your microservices with multiple replica-sets on your cluster in a breeze. But when you do have all of these microservices in place, running on your cluster, some very important questions come to mind:
- How to do application-wide logging?
- How to collect uniform metrics?
- How to control and secure communication between services?
- How to do request tracing and identify bottlenecks and latencies?
- How to do fine-grain canary deployments?
- How to manage things like retries? Do you manage it in your app code?
As you might have already guessed, Istio can help you answer all of these questions. Istio makes the network layer smart. It sits in the middle of all of the traffic between services which enables Istio to do a lot of things. The main features of Istio are:
- Observability of services
- Policy enforcement
- Security
Istio is built on the sidecar pattern. It uses the Envoy proxy as a basis for all of its features. All of the traffic between services has to pass through these sidecar containers. Hence, Istio has access to and control over all the data flowing in the services mesh. It can enofrce policy and allow/block certain services from talking with each other. This also allows it to extract meaningful metadata. In order to make sense of the data coming in, Istio can not be protocol agnostic. It has protocol disectors that peek inside each request and extract useful metrics. Currently, Istio fully supports HTTP, HTTP2, gRPC and TCP. Websockets and MongoDB are still in beta support.
Istio’s control plane is made up of three components.
- Pilot is responsible for pushing config to all the sidecars and discovering services.
- Mixer has multiple jobs among which are policy enforcement, integration with tracing & telemetry tools, etc.
- Citadel manages security certificates for mTLS.
Istio can be deployed in an existing application without the need of any code update. It injects Envoy sidecars in existing pods to live with the app containers. It creates the control plane components in Kubernetes using CRD (custom resource definition) and grants them access to the API using RBAC (role-based access control). Different third-party monitoring tools can be integrated with Istio for data visualization. It has support for tools like Prometheus and Grafana.
Combination of container orchestration with Istio pushes the boundary of what is possible in cloud-native applications deployment.