istio



Micro-service mesh management framework


It provides a uniform way to connect, manage, and secure microservices. It supports managing traffic flows between microservices, enforcing access policies, and aggregating telemetry data, all without requiring changes to the microservice code.


Benefits


* A/B testing
* canary releases
* failure recovery
* metrics

Key Capability


* Traffic Management
  - load balancing
  - rate limiting
* Observability
  - monitoring
* Policy Enforcement
  - access control
  - load balancing
* Service identity and security
  - service-to-service authentication
  - discovery of services
  - end-to-end authentication
* Platform Support
  - Cloud
  - on-premise
  - Kubernetes
  - Mesos
* Integration and Customization : integrate with existing solutions for
  - ACLs
  - logging
  - monitoring
  - quotas
  - auditing
  - etc.

Istio pre-configured add-ons


* Grafana : dashboard to visualize service mesh traffic data
* Prometheus : to query Istio metrics
* ServiceGraph : generates and visualizes a graph of services within a mesh
* Zipkin : distributed tracing system

Architecture


1. Data plane :
a set of intelligent proxies (Envoy)

2. Control plane :
manages and configures the proxies
- to route traffic
- to enforce policies at runtime

1. Envoy : sidecar proxy deployed in the same pod as the service, with features :
- dynamic service discovery
- load balancing
- TLS termination
- HTTP & gRPC proxying
- circuit breakers
- health checks
- staged roll-outs with percentage-based traffic split
- fault injection
- rich metrics
- rich L7 routing

2. Mixer :

- platform independent
- flexible plugin model to interface with a variety of host environments and infrastructure back ends

Tasks:

- enforce access control
- enforce usage policies such as authorization, rate limits, quotas, authentication etc.
- collect telemetry data from Envoy
  - request tracing

Mixer configuration for
- attribute extraction
- policy evaluation

Adapter : a Go package.
Guide to develop a new adapter : https://github.com/istio/istio/wiki/Mixer-Compiled-In-Adapter-Dev-Guide
https://istio.io/blog/2017/adapter-model/

3. Pilot

Tasks: 
- converts high level routing rules that control traffic behavior into Envoy-specific configurations
- propagates Envoy-specific configurations to the sidecars at runtime
- abstracts platform-specific service discovery mechanisms
- translates service discovery to the Envoy data plane API

Benefits

* service discovery
* traffic management
* intelligent routing
  - A/B tests
  - canary deployments
* resiliency
  - timeouts
  - retries
  - circuit breakers
  - etc.
* multiple environments
  - Kubernetes
  - Consul/Nomad

4. istio-Auth
- authentication using mutual TLS
- built-in identity and credentials management
- enforces policy based on service identity
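
The istio-Auth points above expressed as configuration, as an added example that is not from the original post. It assumes an Istio release that provides the security.istio.io/v1beta1 API; the namespace demo, the workload label app: reviews and the service account productpage are hypothetical names.

```yaml
# Require mutual TLS for every workload in the (hypothetical) "demo" namespace.
# STRICT rejects plaintext; PERMISSIVE would accept both plaintext and mTLS and
# is meant only as a migration step.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: demo
spec:
  mtls:
    mode: STRICT
---
# Policy based on service identity: only the caller whose certificate carries
# the identity of the "productpage" service account may send GET requests to
# the "reviews" workload. The principal is the SPIFFE identity without the
# spiffe:// prefix: <trust-domain>/ns/<namespace>/sa/<service-account>.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-allow-productpage
  namespace: demo
spec:
  selector:
    matchLabels:
      app: reviews
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/demo/sa/productpage"]
    to:
    - operation:
        methods: ["GET"]
```

Once an ALLOW policy selects a workload, requests that match none of its rules are denied. The principals field is only populated for connections that used mutual TLS, so the rule depends on the PeerAuthentication policy above it.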

5. Citadel

A centralized component responsible for certificate issuance and rotation.

6. Node Agent

A per-node component responsible for certificate issuance and rotation.

7. Galley

Central component for validating, ingesting, aggregating, transforming and distributing config within Istio.

In a nutshell, Istio is all about configuring the Envoy proxy.

4 comments:

Manish Panchmatia said...

https://wikibon.com/istio-an-open-microservice-mesh-for-the-cloud-native-era/

https://istio.io/docs/concepts/policies-and-telemetry/

https://istio.io/help/faq/general/

https://kubernetes.io/blog/2017/05/managing-microservices-with-istio-service-mesh/

Manish Panchmatia said...

https://blog.avinetworks.com/announcing-universal-service-mesh-avi-networks-integration-with-istio

Manish Panchmatia said...

https://github.com/Maistra/istio

Manish Panchmatia said...

https://istio.io/blog/2017/0.1-announcement/
