This is part one of a three-part series where we will dive into the Istio service mesh. Throughout these tutorials, we’ll take a look at the most common use cases for service mesh and how you can implement them using Istio.
Before we dive into Istio, it’s vital to take a step back and understand the background to service mesh, and why it is important.
An introduction to service mesh
In recent years, the adoption of service mesh technology has seen a remarkable surge in the realm of microservices architecture. This innovative approach to managing communication between microservices has gained significant traction for its ability to enhance reliability, observability, and security within complex distributed systems.
According to a survey by the Cloud Native Computing Foundation (CNCF), 70% of respondents are already leveraging the power of a service mesh, while another 16% are in the evaluation stage. The rising adoption of service mesh solutions underscores their growing importance in the world of microservices.
These statistics highlight the widespread recognition of service mesh solutions as indispensable tools in the modern microservices landscape.
At its core, a service mesh serves as a dedicated layer of infrastructure. Think of it as a specialized network that sits between individual services, managing the communication between them. Its primary purpose is to enhance reliability, observability, and security in a distributed system. It also facilitates features such as circuit breaking, retries, and timeouts, which are crucial for maintaining system resilience.
Why do we need service mesh?
The need for a service mesh arises from the inherent complexities of managing microservices at scale. As applications grow in size and complexity, so do the challenges associated with service-to-service communication. A service mesh helps to address these challenges by providing a standardized way to handle tasks like load balancing, service discovery, and fault tolerance, relieving developers from reinventing these wheels for each service.
What are the components of service mesh?
Within a service mesh, there are two major components: the data plane and the control plane. Let’s take a closer look at these components and how they work together:
Data Plane
The data plane is where the communication between services occurs. It consists of a set of lightweight, sidecar proxies (such as Envoy) that are deployed alongside each service.
These proxies intercept and manage traffic, ensuring it adheres to the policies set by the control plane. More recently, Istio has made efforts to remove the sidecar proxy with the goal of reducing the overhead some mesh users face. This has led to the development of the Ambient Mesh, a new mode of operation for Isito that replaces the need for a sidecar proxy.
Control Plane
The control plane component is responsible for configuring and managing the proxies in the data plane. It includes components such as the central controller and the service registry. The central controller is responsible for enforcing policies and making dynamic routing
Source: Istio Architecture
An introduction to Istio
Istio is a widely adopted open-source service mesh platform that provides a comprehensive solution for managing microservices in modern applications. At the time of writing this tutorial, Istio just completed its Cloud Native Computing Foundation graduation. Graduated projects are considered stable and are used successfully in production environments.
Offering a robust set of features, Istio incorporates a data plane, which includes sidecar proxies that intercept and manage traffic between services using Envoy, and a control plane responsible for configuring and orchestrating these proxies. Istio excels in security, implementing features like mutual TLS encryption and fine-grained access control. It also offers powerful observability tools, including distributed tracing and metrics gathering, which are crucial for monitoring and troubleshooting.
Prerequisites
This tutorial assumes some familiarity with Kubernetes; experience with Istio is not required. Additionally, you would need the following installed:
Installing Istio on Kubernetes
For the purpose of this demonstration, we will be installing Istio using Isitio CLI, however, Istio can be installed directly from the Civo marketplace.
Creating a cluster
We’ll begin by creating a Kubernetes cluster.
For simplicity, we will be doing it from the CLI:
civo k3s create --create-firewall --nodes 2 -m --save --switch --wait istio-playground -r=Traefik
Using the -r
flag, I removed the default ingress controller (Traefik) as we will be using the Istio ingress gateway to expose applications, this to ensure that Traefik does not interfere with Istio’s ingress gateway.
Using the -m
flag tells the Civo command line to merge the kubeconfig for the cluster with our existing kube-config
Installing Istio
Installing Istio is straightforward, using istioctl
, within your terminal. Run the following command to get Istio installed:
istioctl install
We can verify the installation by running:
istioctl verify-install
If configured correctly, you should see the following as the final output:
Checked 15 custom resource definitions
Checked 2 Istio Deployments
✔ Istio is installed and verified successfully
Onboarding applications into the Mesh
Now we have Istio up and running, let’s deploy a sample application. In your editor of choice create a file called deployment.yaml
and add the following code:
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- name: whoami
image: traefik/whoami
ports:
- containerPort: 80
Save the file, and in your terminal, apply the deployment to the cluster:
kubectl apply -f deployment.yaml
Verify the deployment:
kubectl get deploy/whoami
NAME READY UP-TO-DATE AVAILABLE AGE
whoami 1/1 1 1 89s
We should now have one replica of the whoami
deployment.
Integrating the Istio sidecar proxy
The Istio sidecar intercepts and forwards requests to applications. This pattern allows applications to benefit from Istio's advanced features without requiring any code changes within the application itself.
To inject the sidecar, run the following command:
kubectl get deploy/whoami -o yaml | istioctl kube-inject -f - | kubectl apply -f -
In a couple of seconds, the deployment should be updated, and you should have containers within the whoami
pod.
NAME READY STATUS RESTARTS AGE
whoami-66c7668d9-g7vdk 2/2 Running 0 5m36s
Visualizing the Mesh
While we can verify the sidecar has been injected by looking for an increment in the number of containers within the whoami
pod, this isn’t ideal for managing multiple services. As we onboard more applications into the mesh, we’d need a way to view what applications exist and possibly a map that shows service interactions.
Thankfully, Istio ships with a control dashboard called Kiali. This isn’t included in the default installation, so this next section will explore how to install it.
Start by using this command:
kubectl apply -f
<https://raw.githubusercontent.com/istio/istio/release-1.19/samples/addons/kiali.yaml>
We would also require the Prometheus add-on, which would enable Istio to collect metrics from applications within the mesh. To do this, use:
kubectl apply -f
<https://raw.githubusercontent.com/istio/istio/release-1.19/samples/addons/prometheus.yaml>
With Kiali installed, run the following command to open the dashboard locally:
istioctl dashboard kiali
This should open up the dashboard in your default browser.
Click on the sidebar and navigate to the “applications” section. You should see something like this:
Troubleshooting Istio Install
Encountering issues? Here are some common problems and their solutions:
- Issue: Error message when running
istioctl install
.- Solution: Verify that
istioctl
is properly installed, and ensure its version matches the Istio version you're trying to install.
- Solution: Verify that
- Issue: Kiali dashboard not displaying services.
- Solution: Confirm that the Prometheus add-on is correctly installed and collecting metrics.
Remember, if your specific issue isn't listed here, it's always a good idea to consult the official documentation or forums.
Cleaning up
In the next part of the series, we will be deploying a fresh set of services, so let’s remove this deployment. To do this, use the command:
kubectl delete deployment/whoami
Summary
In part one of our Istio service mesh series, we explored the essential role of service meshes in modern microservices architectures. From this, we were able to look into how Istio, in particular, bolsters reliability, observability, and security across distributed systems. Shifting from theory to application, we set up Istio on a Kubernetes cluster, integrated an application, and delved into visualization with tools like Kiali.
Check out part 2 of this series to learn more about traffic management using Istio: Traffic Management with Istio.
If you are interested in learning more about security, check out the final part of this series: Istio Security Essentials: Authorization, Headers, and mTLS.
Further resources
To keep learning about the basis of Istio, here are some great resources to check out:
- Istio Documentation
- Istio Forums
- Check our video from KubeCon NA 23 on Getting started with Istio with Marino Wijay from Solo.io: