
What is Istio Service Mesh? Gain Observability over your infrastructure

In this TeraTip we’ll go over a brief introduction to Istio Service Mesh by installing it on our cluster and gaining basic visibility of traffic flow. Learn all about Istio Service Mesh for modern microservices applications with the practical examples listed below. If you’re looking to provide powerful features to your Kubernetes cluster, in this post, you’ll learn:

  • Secure service-to-service communication in a cluster with TLS encryption, strong identity-based authentication, and authorization

  • Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic

  • Fine-grained control of traffic behavior with rich routing rules, retries, failovers, and fault injection

  • A pluggable policy layer and configuration API supporting access controls, rate limits, and quotas

  • Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress

Before you continue reading, make sure you’re familiar with the following terms.


Glossary

Service Mesh

It is a dedicated and configurable infrastructure layer that handles the communication between services without having to change the code in a microservice architecture.

Some of a service mesh's responsibilities include traffic management, security, observability, health checks and load balancing.

Sidecar (imagine a motorcycle sidecar):

This is the terminology used to describe the container which is going to run side-by-side with the main container. This sidecar container can perform some tasks to reduce the pressure on the main one. For example, it can perform log shipping, monitoring, file loading, etc.

Its most common use is as a proxy in front of the main container (TLS, authentication, retries).

Control Plane

We understand the control plane as the “manager” of the data plane, and the data plane as the set of proxy sidecars, each of which is connected to the control plane through the Istio agent.

Just as a heads up, since we’re focusing on Istio, we’re going to skip the minikube setup. From this point on, we’ll assume you already have a test cluster to play around with Istio, as well as basic tools such as istioctl.

Ok, now that we’ve got those covered, let's get our hands dirty!


What is Istio?

Istio is an open source service mesh that layers transparently onto existing distributed applications. Istio’s powerful features provide a uniform and more efficient way to secure, connect, and monitor services. Istio is the path to load balancing, service-to-service authentication, and monitoring – with few or no service code changes.


Integrate Istio to a cluster

Alrighty, first things first. Let's get Istio on our cluster. There are three options for us to integrate Istio:

  1. Install it via istioctl (istioctl install --set profile=demo -y)

  2. Install it via Istio Operator Install

  3. Install it via Helm

The previous step will install the core components (istio ingress gateway, istiod, istio egress gateway). Run istioctl verify-install if you are not sure of what you just installed into your cluster.

You should see something like this:


(screenshot: preview of the core components installed)

Now, to follow up with this demo we recommend you make use of the Istio samples directory where you will find demo apps to play around with.


Label your namespace to inject sidecar pods

Time to label our namespace; that's how Istio knows where to inject the sidecar containers.

Run 'kubectl label namespace default istio-injection=enabled' to enable it, or 'kubectl label namespace default istio-injection=disabled' to explicitly mark it as not needing injection.

Now run istioctl analyze

And, this is the expected output:

(screenshot: istioctl analyze reports no validation issues)

Time to deploy some resources.

Execute kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

The previous command will create the following resources. See the screenshot below.

(screenshot: resources created, such as productpage and the other Bookinfo services)

Make sure everything is up and running before continuing; execute kubectl get pods -A to verify. And… voila! There we have two containers per pod: the application container and the injected istio-proxy sidecar.

(screenshot: the containers running, 2/2 per pod)
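As an added example (not code from the original post), here is a small bash audit that flags pods running in an istio-injection=enabled namespace without an istio-proxy container, since such pods sit outside the mesh and its mTLS and policy enforcement. The column layouts and the sample cluster data are constructed; replace the SAMPLE_ variables with the real output of the kubectl commands named in the comments.

```shell
#!/usr/bin/env bash
# Added example: audit for pods that lack the istio-proxy sidecar in namespaces
# where injection is enabled. Not part of the original post.
#
# Pod table matches (constructed) output of:
#   kubectl get pods -A --no-headers \
#     -o custom-columns='NS:.metadata.namespace,NAME:.metadata.name,CONTAINERS:.spec.containers[*].name'
# Namespace table matches (constructed) output of:
#   kubectl get ns --no-headers \
#     -o custom-columns='NAME:.metadata.name,INJECT:.metadata.labels.istio-injection'

# Constructed sample data standing in for live cluster output.
SAMPLE_NAMESPACES='default        enabled
istio-system   <none>
legacy         disabled'

SAMPLE_PODS='default        productpage-v1-abc   productpage,istio-proxy
default        ratings-v1-def       ratings
istio-system   istiod-123           discovery
legacy         billing-789          billing'

# enabled_namespaces NS_TABLE -> names of namespaces labelled istio-injection=enabled
enabled_namespaces() {
  printf '%s\n' "$1" | awk '$2 == "enabled" { print $1 }'
}

# pods_missing_sidecar NS_TABLE POD_TABLE -> "namespace/pod" for every pod that runs in
# an injection-enabled namespace but has no container named istio-proxy
pods_missing_sidecar() {
  local enabled
  enabled=$(enabled_namespaces "$1")
  printf '%s\n' "$2" | awk -v enabled="$enabled" '
    BEGIN { n = split(enabled, e, "\n"); for (i = 1; i <= n; i++) on[e[i]] = 1 }
    ($1 in on) {
      split($3, c, ",")            # container names are comma-separated
      found = 0
      for (j in c) if (c[j] == "istio-proxy") found = 1
      if (!found) print $1 "/" $2
    }'
}

# Run against the constructed sample: only ratings-v1-def is reported.
pods_missing_sidecar "$SAMPLE_NAMESPACES" "$SAMPLE_PODS"
```

In a real review, pods listed here are the ones whose traffic Kiali will not show and whose connections are not protected by the mesh.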

Note that the Kubernetes Gateway API CRDs do not come installed by default on most Kubernetes clusters, so make sure they are installed before using the Gateway API:

kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.6.1" | kubectl apply -f -; }

If you're using Minikube, remember to open a tunnel first by running minikube tunnel.

It's gateway time:

kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml

(the file ships with the Istio 1.17 release: https://raw.githubusercontent.com/istio/istio/release-1.17/samples/bookinfo/networking/bookinfo-gateway.yaml)


Visualize your service mesh with Kiali

Okey-dokey, now it's time for some service mesh visualization; we are going to use Kiali.

Execute the following: kubectl apply -f samples/addons

The previous command will create some cool stuff listed below:

(screenshot: resources created, such as service accounts, configmaps, deployments and the tracing add-on)

Wait for the Kiali deployment to roll out: kubectl rollout status deployment/kiali -n istio-system

Check it with kubectl -n istio-system get svc kiali. Everything looks good? Cool.

(screenshot: the kiali service listed in istio-system)

Now it's time to navigate through the dashboard: execute istioctl dashboard kiali and go to your browser.

If you're testing this on a non-production site (meaning, one without traffic), the dashboard is going to look empty and boring, since we don't have any traffic flowing yet.

Check your ip with minikube ip

And execute the following exports:

export INGRESS_HOST=$(minikube ip)

export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')

export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')

export TCP_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="tcp")].nodePort}')

Awesome, now we can curl our app and see what happens:

curl "http://$INGRESS_HOST:$INGRESS_PORT/productpage"

Fair enough, but let's get some more traffic with a while loop as follows:

while sleep 0.01; do curl -sS "http://$INGRESS_HOST:$INGRESS_PORT/productpage" &> /dev/null; done

Alright, now look at the screenshots below: Kiali provides us with a useful set of visual tools to better understand our workload traffic.

(screenshot: traffic graph of the workload)

(screenshot: traffic graph of the workload, second view)

On the second screenshot we can see the power of Kiali; the white dots on top of the green lines represent the traffic (even though it's a static image, picture those dots moving in different directions and speeds!).

In summary, Istio provides us with a powerful set of tools. On this TeraTip we saw a brief introduction to Istio Service Mesh. We focused our attention on installing it on our cluster and on gaining the visualization of some basic traffic flows. Stay tuned for more!



Tomás Torales

Cloud Engineer

Teracloud







If you want to know more about Kubernetes, we suggest checking out Enhance your Kubernetes security by leveraging KubeSec.
