Istio

  • https://istio.io/latest/docs/concepts/what-is-istio/
  • Enable sidecar injection
    • Add label using kubectl
      • kubectl describe ns default
      • kubectl label ns default istio-injection=enabled
    • Add the same label in YAML (metadata -> labels)
  • Kiali - visualization
  • Architecture
    • Proxies (sidecar)
      • Example: isUserLoggedIn micro service security check
      • Envoy is the proxy
        • L7 proxy and communication bus designed for large modern service oriented architectures
        • Self contained process that is designed to run alongside every application server
        • Primarily designed as a service to service communication system
        • A single Envoy deployment can form a mesh between Java, C++, Go, PHP, Python, etc.
        • Envoy can be deployed and upgraded quickly across an entire infrastructure transparently (whereas updating a library in every service is painful)
        • Envoy is an L3/L4 network proxy. A pluggable filter chain mechanism allows filters to be written to perform different TCP proxy tasks and inserted into the main server. Filters have already been written to support various tasks such as raw TCP proxy, HTTP proxy, TLS client certificate authentication, etc.
        • Envoy supports an additional HTTP L7 filter layer. HTTP filters can be plugged into the HTTP connection management subsystem that perform different tasks such as buffering, rate limiting, routing/forwarding, sniffing Amazon’s DynamoDB, etc.
        • First class HTTP/2 support: supports both HTTP/1.1 and HTTP/2
        • HTTP L7 routing: When operating in HTTP mode, Envoy supports a routing subsystem that is capable of routing and redirecting requests based on path, authority, content type, runtime values, etc.
        • gRPC support: gRPC is an RPC framework from Google that uses HTTP/2 as the underlying multiplexed transport
        • MongoDB L7 support / DynamoDB L7 support
        • Service discovery and dynamic configuration: Envoy optionally consumes a layered set of dynamic configuration APIs for centralized management.
        • Envoy includes a health checking subsystem which can optionally perform active health checking of upstream service clusters.
        • Envoy includes support for automatic retries, circuit breaking, global rate limiting via an external rate limiting service, request shadowing, and outlier detection.
        • Envoy includes enough features to make it usable as an edge proxy for most modern web application use cases. This includes TLS termination, HTTP/1.1 and HTTP/2 support, as well as HTTP L7 routing.
        • Envoy includes robust statistics support for all subsystems
    • Control Plane
      • Galley: Read k8s yaml and transform it to internal structure that istio understands
      • Pilot: Take istio's internal representation and broadcast that to envoy
      • Citadel: Managing TLS certificates
      • Mixer: has since been replaced. It was responsible for implementing policy checks and telemetry (Mixer received telemetry from Envoy)
        • Galley provides input to Mixer; Mixer communicates with Envoy.
    • Data Plane
  • Telemetry
    • A sidecar runs in each pod and reports telemetry
    • The control plane must be running (Mixer / telemetry component)
    • Kiali Port 31000
      • High-level
      • Doesn't give view of individual requests
    • OpenTracing - Jaeger / Zipkin
      • Applications must propagate x-request-id and x-b3-* headers
        • Or will end up creating several traces
    • Grafana - for specific problems
  • Traffic Management
    • Canary Releases - Release to live for small % of incoming requests
    • K8s native way is to use Deployments where the version is incremented
    • In istio use Version Grouping
      • In Kiali: Versioned app Graph
      • Label app: shows the application in Kiali
      • Label version: shows version information in Kiali
      • Kiali: Service -> Create Weighted Routing
    • Virtual Service: Enable configuring custom routing rules (custom routing)
      • When a VirtualService is applied, Galley reads the YAML and sends it to Pilot, which pushes the config changes to the proxies
      • Envoy is doing the traffic management
      • Istio is facilitating the update of all proxies in one go easily
      • Subsets are defined in a DestinationRule
    • Destination Rule: defines which pods (versions) belong to each subset
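Added example (not from the original notes): the version-grouping canary described above, for a hypothetical catalog service whose pods carry the labels app=catalog and version=v1 or version=v2. The DestinationRule defines the subsets; the VirtualService splits traffic 90/10 between them.

```yaml
# Added example, not from the original notes.
# Assumes a Service "catalog" in namespace "default" backed by pods
# labelled app=catalog plus version=v1 / version=v2 (the labels Kiali
# needs for the "Versioned app graph").
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: catalog
  namespace: default
spec:
  host: catalog.default.svc.cluster.local
  subsets:
    - name: v1
      labels:
        version: v1        # pods with this label form subset v1
    - name: v2
      labels:
        version: v2        # canary pods
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: catalog
  namespace: default
spec:
  hosts:
    - catalog.default.svc.cluster.local
  http:
    - route:
        # Weights must add up to 100; Envoy does the actual splitting,
        # Istio just pushes this rule to every proxy in one go.
        - destination:
            host: catalog.default.svc.cluster.local
            subset: v1
          weight: 90
        - destination:
            host: catalog.default.svc.cluster.local
            subset: v2
          weight: 10
```

Apply with kubectl apply -f and watch the split in Kiali's versioned app graph; raising the v2 weight is a one-line change pushed to all proxies.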
  • Load Balancing a Virtual Service
    • Hash-based (odd/even style splitting): consistentHash
      • Hash based on a header, a cookie or the source IP
      • Doesn't work with weighted subsets: weighting is applied first, so the hash-based LB only sees a single subset per request.
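Added example (not from the original notes): a consistentHash trafficPolicy for the hypothetical catalog service, keyed on a constructed x-user-id header so that the same user keeps hitting the same pod. It deliberately routes to the whole host rather than to weighted subsets, for the reason given in the notes.

```yaml
# Added example, not from the original notes.
# Assumes Service "catalog" in namespace "default"; x-user-id is a
# hypothetical header set by the caller. Mutually exclusive choices
# for the hash key: httpHeaderName, httpCookie or useSourceIp.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: catalog-sticky
  namespace: default
spec:
  host: catalog.default.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      consistentHash:
        httpHeaderName: x-user-id
        # Alternative: stick on a cookie Envoy sets for the client
        # httpCookie:
        #   name: catalog-session
        #   ttl: 0s
        # Alternative: hash the source IP
        # useSourceIp: true
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: catalog
  namespace: default
spec:
  hosts:
    - catalog.default.svc.cluster.local
  http:
    - route:
        # A single destination with no weights: with weighted subsets
        # the weight is applied before hashing, so stickiness is lost.
        - destination:
            host: catalog.default.svc.cluster.local
```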
  • Istio Ingress Gateway
    • Edge proxy
      • Create Gateway (kind)
      • Configure gateway of VirtualService to point to new Gateway
      • With NodePort ingress gateways, access from browsers is only supported when the host is * in the VirtualService (a LoadBalancer is expected)
    • Prefix based routing / Header based routing
      • Match in VirtualService
      • Dark Releases based on headers
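Added example (not from the original notes): an ingress Gateway plus a VirtualService bound to it that does both prefix-based and header-based routing for the hypothetical catalog service. Requests carrying the constructed header x-dark-release: v2 go to the v2 subset (a dark release); everything else under /catalog goes to v1. It assumes the catalog DestinationRule with subsets v1 and v2 already exists.

```yaml
# Added example, not from the original notes.
# Assumes the default ingress gateway (pods labelled istio=ingressgateway)
# and a DestinationRule for catalog defining subsets v1 and v2.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: catalog-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"          # wildcard host, as required for NodePort access
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: catalog-ingress
  namespace: default
spec:
  hosts:
    - "*"
  gateways:
    - catalog-gateway  # bind this VirtualService to the edge proxy
  http:
    # Rules are evaluated in order: the header match must come first,
    # otherwise the broader prefix rule would swallow dark-release traffic.
    - match:
        - headers:
            x-dark-release:
              exact: "v2"
      route:
        - destination:
            host: catalog.default.svc.cluster.local
            subset: v2
    - match:
        - uri:
            prefix: /catalog
      route:
        - destination:
            host: catalog.default.svc.cluster.local
            subset: v1
```

A header-gated dark release is a routing convenience, not access control: any client that sets the header reaches v2, so v2 must be as hardened as v1 before it is exposed behind the gateway.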
  • Fault Injection
    • VirtualService -> fault -> delay
    • Chaos Engineering
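Added example (not from the original notes): the VirtualService -> fault -> delay rule for the hypothetical catalog service, with an abort rule alongside it to show the second fault type. It assumes this is the only VirtualService for the host; in practice the fault block lives next to the service's normal route rules.

```yaml
# Added example, not from the original notes.
# Assumes Service "catalog" in namespace "default". Both fault types are
# percentage-based so callers' timeouts and retries can be exercised
# without touching the application.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: catalog-fault
  namespace: default
spec:
  hosts:
    - catalog.default.svc.cluster.local
  http:
    - fault:
        delay:
          percentage:
            value: 50.0      # half of the requests are held back
          fixedDelay: 5s     # long enough to trip a 2-3 s client timeout
        abort:
          percentage:
            value: 10.0      # one in ten requests fails outright
          httpStatus: 503    # what a circuit-broken upstream returns
      route:
        - destination:
            host: catalog.default.svc.cluster.local
```

Remove the rule (kubectl delete -f) once the experiment is over; Kiali shows the injected 503s as errors on the catalog edge, which is a quick way to confirm the fault is active.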
  • Circuit Breaker - Mentioned in "Release It! Second Edition"
  • Mutual TLS
    • Fallacies of distributed computing
      • The network is homogeneous
      • A K8s cluster is actually a multi-node (and often multi-zone) deployment https://en.wikipedia.org/wiki/Fallacies_of_distributed_computing
      • Difficult to do manually: reveal, synchronization
        • CAs
        • App should be using HTTPS
        • No enforcement
      • Citadel is responsible for configuring the proxies with the required certificates
      • What to do:
        • Block all non-TLS traffic using a policy
        • Automatically upgrade all proxy-to-proxy communication to mTLS
      • Kiali -> Display -> Security
      • Types:
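Added example (not from the original notes): the two "what to do" steps above as Istio resources. A mesh-wide PeerAuthentication in STRICT mode blocks all non-mTLS traffic (the weak setting, PERMISSIVE, is shown commented out for comparison), and a DestinationRule makes the client-side proxies originate mTLS with the certificates Citadel issued. The catalog host is hypothetical.

```yaml
# Added example, not from the original notes.
# Placing a PeerAuthentication named "default" in the root namespace
# (istio-system) makes it mesh-wide; a per-namespace one would go in
# that namespace instead.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    # Weak setting: PERMISSIVE (the implicit default) accepts plaintext
    # as well as mTLS, so a pod without a sidecar, or anything else on
    # the cluster network, can still reach services unauthenticated.
    # mode: PERMISSIVE
    #
    # Corrected setting: only mTLS connections are accepted, so every
    # caller must present a Citadel-issued workload certificate.
    mode: STRICT
---
# Client side: proxies calling this host originate Istio mTLS using the
# sidecar's own certificate (ISTIO_MUTUAL), rather than plaintext or a
# user-managed cert. Assumes Service "catalog" in namespace "default".
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: catalog-mtls
  namespace: default
spec:
  host: catalog.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

Roll STRICT out after every workload has a sidecar, otherwise sidecar-less pods lose connectivity the moment the policy lands; Kiali -> Display -> Security then shows a lock on every edge that is actually encrypted.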
  • istioctl
  • Non-root
  • SELinux