istio
Micro-service mesh management framework
It provides a uniform way to connect, manage, and secure microservices. It supports managing traffic flows between microservices, enforcing access policies, and aggregating telemetry data, all without requiring changes to the microservice code.
Benefits
* A/B testing,
* canary releases,
* failure recovery,
* metrics,
Key Capabilities
* Traffic Management
- load balancing,
- rate limiting,
* Observability
- monitoring
* Policy Enforcement
- access control,
- load balancing,
* Service identity and security
- service-to-service authentication,
- discovery of services,
- end-to-end authentication.
* Platform Support
- Cloud,
- on-premise,
- Kubernetes,
- Mesos
* Integration and Customization : integrate with existing solutions for
- ACLs,
- logging,
- monitoring,
- quotas,
- auditing
- etc.
Istio pre-configured add-ons
* Grafana : dashboard to visualize service mesh traffic data
* Prometheus : to query Istio metrics
* ServiceGraph : generating and visualizing a graph of services within a mesh
* Zipkin : distributed tracing system
Architecture
1. Data plane :
a set of intelligent proxies (Envoy)
2. Control plane :
manages and configures the proxies
- to route traffic
- to enforce policy at runtime.
1. Envoy : sidecar proxy in the same pod, with features :
- dynamic service discovery,
- load balancing,
- TLS termination,
- HTTP & gRPC proxying,
- circuit breakers,
- health checks,
- staged roll-outs with percentage-based traffic split,
- fault injection,
- rich metrics,
- rich L7 routing
2. Mixer:
Platform-independent, with a flexible plugin model for working with a variety of host environments and infrastructure back ends
Tasks:
- enforce access control
- enforce usage policies such as authorization, rate limits, quotas, authentication etc.
- collect telemetry data from Envoy
- request tracing
Mixer configuration for
- attribute extraction
- policy evaluation
Adapter
Go Package.
Guide to develop new adapter : https://github.com/istio/istio/wiki/Mixer-Compiled-In-Adapter-Dev-Guide
https://istio.io/blog/2017/adapter-model/
3. Pilot
Tasks:
- converts high-level routing rules that control traffic behavior into Envoy-specific configurations
- propagates Envoy-specific configurations to the sidecars at runtime
- abstracts platform-specific service discovery mechanisms
- translates service discovery to the Envoy data plane API
Benefits
* service discovery
* traffic management
* intelligent routing
- A/B tests,
- canary deployments
* resiliency
- timeouts,
- retries,
- circuit breakers,
- etc.
* multiple environments
- Kubernetes,
- Consul/Nomad
4. istio-Auth
Authentication using mutual TLS
Built-in identity and credential management
Enforces policy based on service identity
5. Citadel
A centralized component responsible for certificate issuance and rotation.
6. Node Agent
A per-node component responsible for certificate issuance and rotation.
7. Galley
Central component for validating, ingesting, aggregating, transforming and distributing config within Istio.
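Added example (not part of the original post and not Istio's own code): what "enforce policy based on service identity" looks like once mutual TLS has authenticated the peer. It assumes the identity arrives as a SPIFFE URI SAN of the form spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>; the function names, the trust domain and the allow-list are illustrative.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Identity is a workload identity: spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>
type Identity struct{ TrustDomain, Namespace, ServiceAccount string }

// ParseIdentity validates a URI SAN strictly; any deviation is rejected, not normalised.
func ParseIdentity(u *url.URL) (Identity, error) {
	if u.Scheme != "spiffe" || u.Host == "" || u.RawQuery != "" || u.Fragment != "" || u.User != nil {
		return Identity{}, errors.New("not a SPIFFE ID")
	}
	p := strings.Split(u.Path, "/") // "/ns/a/sa/b" -> ["", "ns", "a", "sa", "b"]
	if len(p) != 5 || p[1] != "ns" || p[3] != "sa" || p[2] == "" || p[4] == "" {
		return Identity{}, errors.New("unexpected SPIFFE path")
	}
	return Identity{u.Host, p[2], p[4]}, nil
}

// Authorize runs after the TLS stack has verified the certificate chain. It requires
// exactly one URI SAN so that a second, attacker-chosen SAN cannot be picked up.
func Authorize(peer *x509.Certificate, trustDomain string, allowed map[string]bool) error {
	if len(peer.URIs) != 1 {
		return errors.New("expected exactly one URI SAN")
	}
	id, err := ParseIdentity(peer.URIs[0])
	if err != nil {
		return err
	}
	if id.TrustDomain != trustDomain {
		return fmt.Errorf("foreign trust domain %q", id.TrustDomain)
	}
	if !allowed[id.Namespace+"/"+id.ServiceAccount] {
		return fmt.Errorf("%s/%s is not allowed to call this service", id.Namespace, id.ServiceAccount)
	}
	return nil
}

func main() {
	// Constructed sample: a peer certificate carrying one SPIFFE URI SAN.
	u, _ := url.Parse("spiffe://cluster.local/ns/shop/sa/frontend")
	allowed := map[string]bool{"shop/frontend": true}
	fmt.Println(Authorize(&x509.Certificate{URIs: []*url.URL{u}}, "cluster.local", allowed))
}
```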
In a nutshell, Istio is all about configuring the Envoy proxy.
4 comments:
https://wikibon.com/istio-an-open-microservice-mesh-for-the-cloud-native-era/
https://istio.io/docs/concepts/policies-and-telemetry/
https://istio.io/help/faq/general/
https://kubernetes.io/blog/2017/05/managing-microservices-with-istio-service-mesh/
https://blog.avinetworks.com/announcing-universal-service-mesh-avi-networks-integration-with-istio
https://github.com/Maistra/istio
https://istio.io/blog/2017/0.1-announcement/