To fully understand Istio we need to take a detour and learn about service meshes. Let us do a thorough recap of what a service mesh is.
When infrastructures shifted from monoliths to microservices, containers brought consistency and granularity to resource management: one application became many small, independently deployable services that could be scaled up and down with demand, which reduced wasted capacity. The price was a large volume of service-to-service network traffic that every service had to secure, route and observe on its own. A service mesh is an infrastructure layer that takes over that job: a proxy next to each service handles mutual TLS, retries, routing and telemetry uniformly, so the application code does not have to. Istio is one implementation of this service mesh model, most commonly deployed on Kubernetes.
Istio is an open source service mesh that layers transparently onto existing distributed applications. Its features provide a uniform and more efficient way to secure, connect, and monitor services, giving you load balancing, service-to-service authentication, and monitoring with few or no changes to service code. Its control plane and Envoy data plane provide dynamic service discovery, load balancing, TLS termination, HTTP/2 and gRPC proxying, circuit breakers, health checks, staged rollouts with percentage-based traffic splits, fault injection, and rich metrics.
In the Istio architecture, the sidecar proxy is Envoy, an independent open source project. The control plane manages these proxies centrally from a single daemon, istiod. Istiod's mutating admission webhook injects the Envoy sidecar into pods created in namespaces labelled istio-injection=enabled, and it then pushes routing, policy and certificate configuration to each proxy over the xDS API. Operators therefore change mesh behaviour by applying Istio resources, not by editing pods.
What is Istiod?
Istiod consolidates the Istio control plane components into a single binary.
Istiod acts as the control plane, distributing configuration to all sidecar proxies and gateways. Because each sidecar knows every healthy endpoint of a service, it can do application-aware (layer 7) load balancing to other mesh-enabled services in the cluster, bypassing the per-connection, layer 4 load balancing of kube-proxy.
From Istio 1.5 onward, configuring the features of a service mesh no longer means installing and wiring up each control plane component separately. Application Deployment and Service manifests do not need to change to bring a workload into the mesh; mesh behaviour is configured through Istio's own resources (VirtualService, DestinationRule, PeerAuthentication, AuthorizationPolicy, and so on), and istiod manages everything centrally.
The benefits of putting everything into a single daemon, istiod:
- Easy installation: fewer moving parts let developers kick-start the Istio control plane with all its features from a single pod.
- Easy configuration: before 1.5, orchestrating the control plane meant configuring several components; those configurations are now redundant.
- Easy maintenance: installing, upgrading, and removing Istio no longer involves a complicated dance of version dependencies and startup orders. To upgrade, you start a new istiod revision alongside your existing control plane, canary it on a few namespaces, and then move all workloads over to it.
- Faster troubleshooting: fewer components make debugging the environment quicker.
- Quick startup: components no longer have to wait for each other to start in a defined order.
- Reduced resource usage and improved responsiveness: communication between components happens in-process, so it is guaranteed, and caches can be shared safely, which lowers the resource footprint.
Istiod unifies the functionality that Pilot, Galley, Citadel and the sidecar injector previously performed into a single binary. The unified architecture applies to Istio 1.5 and above. Before 1.5, the control plane comprised multiple components: Pilot, Galley, Citadel and Mixer.
These components are not needed if you are using 1.5 or above (Mixer was deprecated in 1.5 and removed in 1.8). We describe them briefly for background.
Mixer: a platform-independent component that enforced access control and usage policies across the mesh and collected metrics and logs for analysis tools such as Splunk and Datadog. Its policy role is now covered by AuthorizationPolicy and its telemetry role by the proxies themselves.
Pilot: provided service discovery for the Envoy sidecars, traffic management for intelligent routing (A/B tests, canary rollouts, and so on), and resiliency (timeouts, retries, circuit breakers).
Citadel: provided strong service-to-service and end-user authentication with built-in identity and credential management, acting as the certificate authority that issued workload certificates.
Galley: Istio's configuration validation, ingestion, processing and distribution component. It insulated the rest of Istio from the details of obtaining user configuration from the underlying platform (e.g. Kubernetes).
Benefits of using Istio with Kubernetes
- Secure cloud-native apps: get security at the application level with strong identity-based authentication (mutual TLS between workloads), authorization, and encryption in transit.
- Manage traffic effectively: get fine-grained control of traffic behaviour with rich routing rules, retries, failovers, and fault injection. In post-production testing, fault injection lets SREs add delays and errors, chaos-engineering style, to verify the robustness of callers.
- Monitor the service mesh: Istio provides service-level visibility for tracing and monitoring, which speeds up troubleshooting; a bottleneck is slow to find without per-request detail. Outlier detection (circuit breaking) ejects failing replicas from the load-balancing pool so the API stays responsive.
- Deploy easily on Kubernetes and virtual machines: Istio provides visibility and network controls for both traditional and modern workloads, including containers and virtual machines.
- Simplify load balancing with advanced features: use automated load balancing for all of your traffic, along with advanced features like client-based routing and canary rollouts.
- Enforce policies: enforce access controls with AuthorizationPolicy, and rate limits and quotas through Envoy's rate-limit filters; before 1.5 this was Mixer's pluggable policy layer.
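The security and policy bullets above are easiest to see as concrete resources. The following is an added example written for this article, not configuration taken from the Istio project; the namespace names "payments" and "web", the label app=orders and the service account "checkout" are assumptions. It shows the weak default (PERMISSIVE mTLS, which still accepts plaintext) replaced by STRICT, then a default-deny for the namespace with one least-privilege allow rule keyed on the caller's mTLS identity.

```yaml
# Added example, not from the original article or the Istio project.
# Assumed names: namespace "payments" with a workload labelled app=orders,
# called by service account "checkout" in namespace "web".
---
# 1. Mesh-wide default: require mTLS for every sidecar-enabled workload.
#    Without this resource Istio runs in PERMISSIVE mode, which still
#    accepts plaintext from pods that have no sidecar.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # root namespace, so this applies mesh-wide
spec:
  mtls:
    mode: STRICT
---
# 2. Default deny: an AuthorizationPolicy with an empty spec denies every
#    request to every workload in the namespace.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# 3. Least-privilege allow: only the checkout service account, only
#    GET/POST on /orders*. The principal is the SPIFFE identity taken from
#    the client certificate, so it cannot be spoofed by a header.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/web/sa/checkout"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/orders", "/orders/*"]
```

Two caveats a practitioner should check: a principal-based rule only works when the request arrived over mTLS, so STRICT mode and the allow rule belong together; and once STRICT is applied, a curl from a pod without a sidecar to the orders service should be refused, which is a quick way to confirm the mesh-wide setting actually took effect.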
In a Kubernetes environment the service mesh acts like a dashboard and control point: you troubleshoot issues, enforce traffic policies, assign limits and test code paths from one place. It gives you a central point for monitoring, tracing and controlling the interactions between all services.
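The traffic features listed in the introduction (percentage-based traffic splits, circuit breakers, fault injection, retries) and in the benefits list above map onto two Istio resources. The following is an added example written for this article, not configuration from the Istio project; the namespace "bookinfo", the service "reviews" and its version=v1/version=v2 deployments are assumed names. A DestinationRule defines the subsets and the circuit breaker, and a VirtualService does a 90/10 canary split with retries, while injecting a delay only for requests carrying a test header so the fault never reaches real users.

```yaml
# Added example, not from the original article or the Istio project.
# Assumed names: service "reviews" in namespace "bookinfo", backed by two
# Deployments labelled version=v1 and version=v2.
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: bookinfo
spec:
  host: reviews
  trafficPolicy:
    connectionPool:            # limits that protect the backend from overload
      http:
        http1MaxPendingRequests: 100
        maxRequestsPerConnection: 10
    outlierDetection:          # circuit breaker: eject endpoints that keep failing
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50   # never eject more than half the pool
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
  namespace: bookinfo
spec:
  hosts:
  - reviews
  http:
  # Fault injection for test traffic only: a 5s delay on every request that
  # carries end-user: qa-tester, routed straight to the canary.
  - match:
    - headers:
        end-user:
          exact: qa-tester
    fault:
      delay:
        percentage:
          value: 100
        fixedDelay: 5s
    route:
    - destination:
        host: reviews
        subset: v2
  # Everyone else: 90/10 canary split with bounded retries and a timeout.
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v2
      weight: 10
    retries:
      attempts: 3
      perTryTimeout: 2s
    timeout: 10s
```

The ordering of the http entries matters: Istio evaluates them top to bottom and uses the first match, so the header-matched fault route must come before the catch-all split. Keep the retry budget small and paired with a per-try timeout, otherwise retries amplify load on a backend that is already failing and defeat the circuit breaker.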