Istio is a service mesh: a collection of tools, frameworks and packages that helps us manage micro-services in a more sophisticated way. It is a widely used service mesh platform that measures the amount of traffic coming into a particular micro-service and controls the traffic flow between micro-services.

Istio is not a replacement for Kubernetes; it is an extra layer of software that is deployed alongside a Kubernetes cluster.

Istio provides visibility into, and control over, the network connections between containers in a micro-service cluster. Every request passes through the Istio service mesh, so Istio can act on the request by checking its header information before it is routed to the required micro-service. Istio injects its own component, called a proxy, next to each micro-service; the proxy handles the communication between the micro-service and the Istio control plane.

Istio provides telemetry features, meaning it gathers metrics from individual network requests to check the health of the cluster. Istio also traces each request, so it can reconstruct the chain of calls a request produces and has control over it.

Istio also implements security as part of traffic management, which allows us to re-route requests depending on our requirements.

Istio Service Mesh Architecture

  • Envoy proxy is deployed as a sidecar container alongside each micro-service; it forms the Istio data plane.
  • Pilot is the orchestration component that tells the proxies how to handle traffic for the running micro-services; it is part of the Istio control plane.
  • Mixer is part of the Istio control plane and is used for access control checks and telemetry operations. This component manages scalability, resource usage, reliability and isolation.
  • Auth handles certificates, authentication and authorization for the processes that request a micro-service application; it is part of the control plane.
(Image: Istio control plane)

Introducing the Envoy proxy into micro-services gives us monitoring and fine-grained traffic controls; the Kiali web interface can be used for monitoring and tracing.

To use Istio you first need to install it on the Kubernetes cluster, which gives you all the components above. A request enters through the ingress and hits the Envoy proxy running alongside each micro-service; the Envoy proxy communicates with the application container and sends the response back through the egress.

Istio runs on every platform and eases the deployment process, which helps both the development and production teams.

Where is Istio Service Mesh useful?

Services

As the number of micro-services in the cluster increases, it becomes difficult to monitor and control them. Istio gives you the ability to monitor the running micro-services and to check the health status of each one.

Istio also makes it easy to detect and replace faulty services.


Reliability

Istio also provides a telemetry service that tells you how long requests take to process, how many resources are used, what the response rate is and how often resources are used. This helps developers spot and resolve issues.

Authenticating Traffic

Istio provides a security system that can be used to restrict access; this is accomplished by deploying a sidecar proxy in each micro-service.

Protected communication

Istio provides a secure, universal service identity system, and an organization can use mutual TLS for service-to-service communication. We can use TLS or JSON Web Tokens for authentication.

Measures for Drastic Times

The Istio service mesh can inject fault-tolerance procedures into running micro-services.

Features

Traffic management

Istio controls the flow of traffic entering the micro-service cluster. Istio also supports canary and rolling deployments: you can move traffic from one version of a micro-service to another, or test a new version of a service with a small share of the traffic.
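As an added example (not from the original post, and not one of the Istio project's own sample files), the canary split described above can be expressed as a weighted route. The service name reviews and the version labels match the Bookinfo sample used later in this post; the 90/10 weights are an assumption chosen for illustration. The subsets a VirtualService refers to only resolve if a DestinationRule defines them, so one is included here (Bookinfo also ships one in samples/bookinfo/networking/destination-rule-all.yaml).

```yaml
# Added example, not from the original post. Defines the v1/v2 subsets of the
# Bookinfo "reviews" service and sends 90% of traffic to v1, 10% to the canary v2.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1          # pods labelled version=v1 form subset v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90           # weights are an assumption; they must sum to 100
    - destination:
        host: reviews
        subset: v2
      weight: 10
```

Apply it with kubectl apply -f and watch the split in Kiali; raising the v2 weight step by step is the rolling part of the rollout, and setting it back to 0 is the rollback, neither of which touches the application pods.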

Security

Istio frees developers from having to implement security at the application level. Istio provides a secure communication channel and manages authentication, authorization and encryption of service communication at scale. With Istio, service communications are secured by default without any changes at the application level.

Istio on Kubernetes is particularly well placed to secure pod-to-pod communication.
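As an added example (not from the original post) covering both the mutual TLS and JWT authentication mentioned under Protected communication and the secure-by-default communication described here, the three resources below enforce strict mTLS mesh-wide, require a JWT on calls to the reviews service, and allow only the productpage workload identity to call it. It assumes an Istio release with the security.istio.io/v1beta1 API (1.5 or later, which is newer than the Istio version downloaded later in this post); the issuer and JWKS URL are placeholders, and the productpage service account name is taken from the Bookinfo sample.

```yaml
# Added example, not from the original post. Assumes Istio 1.5+ (security.istio.io/v1beta1).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system        # root namespace: the policy applies mesh-wide
spec:
  mtls:
    mode: STRICT                 # plaintext connections between sidecars are rejected
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: reviews-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: reviews
  jwtRules:
  - issuer: "https://issuer.example.com"                          # placeholder issuer
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"   # placeholder JWKS URL
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-allow
  namespace: default
spec:
  selector:
    matchLabels:
      app: reviews
  action: ALLOW
  rules:
  - from:
    - source:
        # peer identity from the mTLS certificate (Bookinfo productpage service account)
        principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
        # request identity from a validated JWT: "<issuer>/<subject>", any subject
        requestPrincipals: ["https://issuer.example.com/*"]
```

Two points a practitioner should check: a RequestAuthentication on its own only rejects requests that carry an invalid token, so the AuthorizationPolicy with requestPrincipals is what makes a token mandatory; and once any ALLOW policy selects a workload, every request that matches no rule is denied, so list every legitimate caller. Note also that routing on a request header, as the reviews VirtualService later in this post does with end-user, is traffic management rather than authentication: any client can set that header, so access decisions belong in an AuthorizationPolicy like this one.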

Monitoring

You can use the Prometheus, Grafana or Kiali web interfaces to get insights into the Istio service mesh. Istio has different services for monitoring, tracing and logging. You can check the health status of each micro-service using custom dashboards.

Platform support

Istio mainly supports service deployments on Kubernetes.

How to deploy it on Google cloud

1. Create a new project on Google Cloud and open Cloud Shell.

2. Once connected to Cloud Shell, you will see that you are already authenticated; check that the project is set to your PROJECT_ID.

3. Run the following command in Cloud Shell to see your authenticated account details:

>> gcloud auth list

4. Check the PROJECT_ID using the command:

>> echo $GOOGLE_CLOUD_PROJECT

5. If the project is not set, run the following commands:

>> gcloud config set project <project_id>
>> gcloud config set compute/zone us-central1-f

6. Create a GKE Kubernetes cluster with Istio. First enable the Kubernetes Engine API:

>> gcloud services enable container.googleapis.com

Select a region for your cluster:

>> gcloud compute regions list

Set your region:

>> REGION=us-central1

Run the command below:

>> gcloud beta container clusters create hello-istio --project=ace-study-276206 \
--addons=Istio --istio-config=auth=MTLS_STRICT \
--cluster-version=1.14.10-gke.27 \
--machine-type=n1-standard-2 \
--num-nodes=2 \
--region=us-central1

After a few minutes it will be visible in the Kubernetes Engine section of the Google Cloud Platform console.

7. Verify that the installation succeeded by running the command below:

>> kubectl get svc -n istio-system

You should see istio-pilot, the Istio gateways and the telemetry services listed.

Next, make sure that the Kubernetes pods are up and running:

>> kubectl get pods -n istio-system

8. Deploy an application. To get the sample Bookinfo application, run the command below; it downloads the Istio release, which contains the samples directory used in the following commands, so run them from inside the downloaded directory:

>> curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.0.0 sh -

Enable automatic sidecar injection for the default namespace:

>> kubectl label namespace default istio-injection=enabled

You can verify that the label was applied successfully:

>> kubectl get namespace -L istio-injection

Next, deploy the services to the default namespace:

>> kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

Next, create a gateway and virtual service so that ingress traffic can reach the mesh, then check the services and pods:

>> kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
>> kubectl get services
>> kubectl get pods

9. Accessing the application:

First get the external IP address:

>> kubectl get svc istio-ingressgateway -n istio-system
>> export GATEWAY_URL=<gateway ip>

To access the application, open the URL: http://<your gateway IP>/productpage

Check that all services are up and running:

>> kubectl get pods -n istio-system

10. Kiali web interface

Install Kiali on Google Cloud. Kiali is a web interface for monitoring and tracing micro-services. In the Google Cloud console, click on the Services & Ingress menu; you can see that the Kiali service is running, and you can open it by clicking on it.

(Image: click on kiali in the Services & Ingress list)

Now you will see the service details and its port number.


(Image: Port forwarding button)

Next, click on Port forwarding and run the command given in the console, for example:

>> gcloud container clusters get-credentials hello-istio \
     --region us-central1 --project ace-study-276206 \
   && kubectl port-forward --namespace istio-system \
     $(kubectl get pod --namespace istio-system --selector="app=kiali" \
       --output jsonpath='{.items[0].metadata.name}') 8080:20001

Next, click on Web preview; you will get the Kiali login page.

(Image: Kiali login page)

Enter username and password and click on login.

(Image: graph settings and traffic animation)

Here you can change the graph settings, the traffic animation and the refresh interval. You can see from the image above that the traffic is split between the v1 and v3 versions of the reviews service. To move all traffic to the v1 version of the reviews service, add the code below:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1

Then run the command below:

kubectl apply -f samples/bookinfo/networking/virtual-service-all-v1.yaml

(Image: Kiali graph after applying the rule)

In the same way you can manage the traffic going to each service without interrupting the services.

You can also route traffic based on request header information:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v2
  - route:
    - destination:
        host: reviews
        subset: v3

If the end-user header is exactly "jason", the request is routed to the v2 version; otherwise it goes to the v3 version.
