Istio Overview
Connect, secure and monitor services on GCP and in hybrid environments
Confidential & Proprietary
Istio: An open services platform to manage service interactions across container and VM-based workloads
The trends of containerization, microservices and hybrid/multi-cloud deployments have created more distributed applications than ever.
Developers, devops and secops need modern tools to secure, manage and monitor distributed applications.
Distributed world
Everybody got all fired up about Kubernetes and microservices and then were like ‘Oh, s--t, what’s going on?’ Istio gives us a view of our entire system and lets us find trouble spots.
– An early adopter, who will remain nameless
We bring up a new version, flip all traffic to it, and if there’s something wrong we roll the whole thing back.
– Anonymous customer
What is a service mesh?
A service mesh provides a transparent and language-independent way to flexibly and easily automate application network functions: control, configure, monitor application-level requests, ensure resilience, routing, observability, fault-injection and more.
● Separate applications from infrastructure
● Change service behavior and traffic flow without changing code
● Decouple operation from development
● Increase agility and let developers add business value
Composable services based on Istio Containers
Istio Value Proposition
● Securing service communications: Strongly authenticate services (not hosts) across heterogeneous deployment environments. Limit access to sensitive data to authorized services without relying on L3 controls. Understand the security posture of the production environment through service dependency graphs.
● Uniform service-level observability: Monitor the “golden signals” (traffic, error rates and latency) for all services, and collect logs on all calls. Use distributed tracing for in-depth performance analysis. Service dependency graphs make it easy to debug and to understand latency and hotspots.
● Traffic management and operational agility: Send inter-cluster and inter-environment traffic without manually provisioning ingress, egress, edge layers or hardware LBs. Change service behavior and traffic flow without redeploying or changing code. Control which services can talk to whom via policy and routing rules.
Securing Service Communications
● Secure by default: new and existing applications.
● Meet compliance obligations by encrypting data in transit.
● mTLS assures a secure, proven service-based identity for every call.
● All data encrypted in transit.
● With strong identity, authorization can be explicitly required.
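One way the "strong identity, then explicit authorization" step looks from the application side, as an added example that is not Istio's or Envoy's own code: it assumes Envoy's documented X-Forwarded-Client-Cert header format and uses a constructed allow-list and sample header.

```python
# Added example, not Istio or Envoy code.  Envoy can pass the verified client
# cert summary to the app in the X-Forwarded-Client-Cert (XFCC) header once the
# sidecar has terminated mTLS; trust it only from your own sidecar.
import re

# key=value pairs separated by ';', certificates by ',', values may be quoted
_PAIR = re.compile(r'\s*(\w+)=("(?:[^"\\]|\\.)*"|[^;,]*)\s*([;,]?)')

def parse_xfcc(header):
    """Return one dict per certificate in the header, nearest client first."""
    certs, current, pos = [], {}, 0
    while pos < len(header):
        match = _PAIR.match(header, pos)
        if not match:
            raise ValueError("malformed XFCC header at offset %d" % pos)
        key, value, sep = match.groups()
        if len(value) > 1 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')   # quoted: may hold ';' or ','
        current[key] = value
        pos = match.end()
        if sep == ",":                                 # ',' starts the next cert
            certs.append(current)
            current = {}
    if current:
        certs.append(current)
    return certs

# Constructed policy: path -> SPIFFE identities allowed to call it.  Istio
# identities look like spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>.
POLICY = {
    "/pictures": {"spiffe://cluster.local/ns/default/sa/frontend"},
    "/admin": {"spiffe://cluster.local/ns/ops/sa/admin-console"},
}

def caller_identity(header):
    """SPIFFE URI SAN of the immediate client, or '' if none was presented."""
    certs = parse_xfcc(header)
    uri = certs[0].get("URI", "") if certs else ""
    return uri if uri.startswith("spiffe://") else ""

def authorize(path, xfcc_header):
    """Deny by default: only listed service identities may call the path."""
    ident = caller_identity(xfcc_header)
    return bool(ident) and ident in POLICY.get(path, set())

# Constructed header for a call from frontend to pictures (Hash shortened).
SAMPLE_XFCC = ('By=spiffe://cluster.local/ns/default/sa/pictures;Hash=0123abcd;'
               'Subject="O=Istio;CN=frontend";'
               'URI=spiffe://cluster.local/ns/default/sa/frontend')
```

The decision is keyed on the service account identity in the certificate, so it holds regardless of which host or IP the caller runs on.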
Uniform application level observability
1. Understand services and their dependencies.
2. Set, monitor and enforce SLOs on services.
3. Understand upstream and downstream impacts of service performance.
4. Bird’s-eye view of service behavior for issue triage, reducing time to detect and triage.
Traffic management and operational agility
1. Direct traffic away from starving instances
2. Scale by directing traffic to multiple versions
3. Roll out new versions without worrying about ops challenges
4. Apply access control, rate limiting policies to protect services from bad behavior
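Two of those behaviors, splitting traffic across versions by weight and steering it away from an instance that keeps failing, as an added example that is not Istio's or Envoy's own code; versions, weights and call results are constructed.

```python
# Added example, not Istio or Envoy code: weighted traffic splitting across service
# versions plus outlier ejection, in the spirit of Envoy's weighted routing and
# outlier detection.  Versions, weights and results are constructed; a hash of the
# request id stands in for Envoy's random draw so the split is reproducible.
import hashlib
import time
from collections import defaultdict


class Router:
    def __init__(self, weights, consecutive_errors=3, ejection_seconds=30.0):
        # weights: {"v1": 90, "v2": 10}, in percent, as in a weighted route rule
        if sum(weights.values()) != 100 or min(weights.values()) <= 0:
            raise ValueError("route weights must be positive and sum to 100")
        self.weights = weights
        self.consecutive_errors = consecutive_errors
        self.ejection_seconds = ejection_seconds
        self.failures = defaultdict(int)  # consecutive 5xx responses per version
        self.ejected_until = {}           # version -> time it may get traffic again

    def healthy(self, version, now):
        return self.ejected_until.get(version, 0.0) <= now

    def pick(self, request_id, now=None):
        """Choose a version by weight among versions that are not ejected."""
        now = time.monotonic() if now is None else now
        candidates = {v: w for v, w in self.weights.items() if self.healthy(v, now)}
        bucket = int(hashlib.sha256(request_id.encode()).hexdigest(), 16)
        bucket %= sum(candidates.values())
        for version, weight in sorted(candidates.items()):
            if bucket < weight:
                return version
            bucket -= weight
        raise AssertionError("unreachable: bucket is below the weight sum")

    def report(self, version, status, now=None):
        """Record a response; eject the version after N consecutive 5xx.
        Returns True on ejection.  The last healthy version is never ejected,
        which is the effect of Envoy's max_ejection_percent cap."""
        now = time.monotonic() if now is None else now
        if status < 500:
            self.failures[version] = 0          # any success resets the streak
            return False
        self.failures[version] += 1
        if self.failures[version] < self.consecutive_errors:
            return False
        if not any(self.healthy(v, now) for v in self.weights if v != version):
            return False
        self.ejected_until[version] = now + self.ejection_seconds
        self.failures[version] = 0
        return True
```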
What we learned running 2B containers a week
The more capability that can be built into a platform, the more secure and stable your applications will be. Strong service identity enables proper authorization. Traffic control ensures safe rollouts.
Enable customers to secure, monitor and manage services everywhere. Kubernetes first, but not Kubernetes only.
istio.io
github.com/istio
cloud.google.com/[email protected]
Twitter: @IstioMesh
@danciruli
Architectural components
● Pilot: Control plane to configure and push service communication policies.
● Envoy: Network proxy to intercept communication and apply policies.
● Mixer: Policy enforcement with a flexible plugin model for policy providers.
● Istio Auth: Service-to-service authentication and authorization (authn/authz) using mutual TLS, with built-in identity and credential management.
[Architecture diagram, labels: Control Plane API; Pilot; Mixer; Istio Auth; Service A and Service B, each with a proxy; config data to Envoys (from Pilot); TLS certs to Envoys (from Istio Auth); policy checks, telemetry (to Mixer).]
Pilot: Configuring the data plane
● Observe service topology
  ○ Kubernetes pods, services & ingress rules
  ○ Aware of VM-based services in mesh via Consul integration
● Routing rules
  ○ Merge with routing rules from config
  ○ Roll out routing policies with no downtime/redeployment
● Push configuration to sidecars
● Can act as look-aside LB
● Can integrate/read state from registries like Consul, Eureka
Envoy: High performance proxy
● API-driven config updates → no reloads
● Zone-aware load balancing w/ failover
● Traffic routing and splitting
● Health checks, circuit breakers, timeouts, retry budgets, fault injection, …
● HTTP/2 & gRPC
● Transparent proxying
● Designed for observability
● A C++ based L4/L7 proxy
● Low memory footprint
● Battle-tested @ Lyft
  ○ 100+ services
  ○ 10,000+ VMs
  ○ 2M req/s
Mixer: Operator control plane
● Called by Envoy to gate traffic & report telemetry
  ○ Response caching in Envoy for performance
● Pluggable component for integrating monitoring & logging systems, policy and more
  ○ Metrics and logs can be sent to a variety of backend collection systems with a well-known API
  ○ Policy
[Diagram: frontend and pictures services, each behind a proxy, report request attributes to Mixer (example: API: /pictures, Latency: 10ms, Status Code: 503, src: 10.0.0.1, dst: 10.0.0.2); Mixer forwards them to backends such as InfluxDB, Prometheus or a custom adapter.]
Istio Auth: certs & more
● Certificate management
● Service-level authorization
● Understand access patterns: security analytics, ACL recommendations, path analysis, production lockdown
[Diagram: Service A (client) and Service B (server), each behind a proxy on a container, VM or bare-metal host. Data flow between the proxies is secured with mTLS (secure data transmission); control flow from the Service Discovery Service supplies secure naming info; the AuthZ++ flow goes through Mixer's Authz plugin.]