Mastering Istio: A Guide to Service Mesh
Updated: Nov 5
In this TeraTip we’ll go over a brief introduction to Istio Service Mesh by installing it on our cluster and gaining basic visibility of traffic flow. Learn all about Istio Service Mesh for modern microservices applications with the practical examples listed below. If you’re looking to provide powerful features to your Kubernetes cluster, in this post, you’ll learn:
Secure service-to-service communication in a cluster with TLS encryption, strong identity-based authentication, and authorization
Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic
Fine-grained control of traffic behavior with rich routing rules, retries, failovers, and fault injection
A pluggable policy layer and configuration API supporting access controls, rate limits, and quotas
Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress
Before you continue reading, make sure you’re familiar with the following terms.
Glossary
Service Mesh
It is a dedicated and configurable infrastructure layer that handles the communication between services without having to change the code in a microservice architecture. Some of the Service Mesh responsibilities include traffic management, security, observability, health checks, load balancing, etc.
Sidecar (imagine a motorcycle sidecar):
This is the terminology used to describe the container which is going to run side-by-side with the main container. This sidecar container can perform some tasks to reduce the pressure on the main one. For example, it can perform log shipping, monitoring, file loading, etc. The general use is as a proxy server (TLS, Auth, RETRY)
Control Plane: We understand the control plane as the “manager” of the Data Plane, and the Data plane as the one that centralizes the proxy sidecars through the Istio agent.
Just as a heads up, since we’re focusing on Istio, we’re going to skip the minikube setup. From this point on, we’ll assume you already have your testing cluster to play around with Istio as well as basic tools such as istioctl.
Ok, now that we’ve got those covered, let's get our hands dirty!
What is Istio?
Istio is an open-source service mesh that layers transparently onto existing distributed applications. Istio’s powerful features provide a uniform and more efficient way to secure, connect, and monitor services. Istio is the path to load balancing, service-to-service authentication, and monitoring – with few or no service code changes.
Integrate Istio to a cluster
Alrighty, first thing first. Let's get Istio on our cluster. There are three options for us to integrate Istio:
Install it via Istioctl (istioctl install --set profile=demo -y)
Install it via Istio Operator Install
Install it via Helm
The previous step will install the core components (istio ingress gateway, istiod, istio egress gateway). Run istioctl verify-install if you are not sure of what you just installed into your cluster.
You should see something like this:
Now, to follow up with this demo we recommend you make use of the Istio samples directory where you will find demo apps to play around with.
Label your namespace to inject sidecar pods
Time to get our namespace labeled, that's the way Istio knows where to inject the sidecar pods.
Run 'kubectl label namespace default istio-injection=enabled' to enable it, or 'kubectl label namespace default istio-injection=disabled' to explicitly mark it as not needing injection.
Now run istioctl analyze
And, this is the expected output:
Time to deploy some resources.
Execute kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
The previous command will create the following resources. See the screenshot below
Make sure everything is up and running before continuing, execute kubectl get pods -A to verify. And… voila! There we have two containers per pod.
Note that the Kubernetes Gateway API CRDs do not come installed by default on most Kubernetes clusters, so make sure they are installed before using the Gateway API:
kubectl get crd [gateways.gateway.networking.k8s.io](<http://gateways.gateway.networking.k8s.io/>) &> /dev/null || \\ { kubectl kustomize "[github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.6.1](<http://github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.6.1>)" | kubectl apply -f -; }
If using Minikube, remember to open a tunnel! minikube tunnel
Its gateway time:
kubectl apply -f [samples/bookinfo/networking/bookinfo-gateway.yaml](<https://raw.githubusercontent.com/istio/istio/release-1.17/samples/bookinfo/networking/bookinfo-gateway.yaml>)
Visualize your service mesh with Kiali
Okey-dokey, now it's time for some service mesh visualization, we are going to use Kiali.
Execute the following kubectl apply -f samples/addons
The previous command will create some cool stuff listed below:
kubectl rollout status deployment/kiali -n istio-system
Check it out with kubectl -n istio-system get svc kiali Everything look good? Cool.
Now it's time to navigate through the dashboard, execute istioctl dashboard kiali , and go to your browser.
If you’re testing this on a non-productive (meaning, without traffic) site then its going to look empty and boring since we don't have any traffic flowing.
Check your ip with minikube ip
And execute the following exports:
export INGRESS_HOST=$(minikube ip)
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
export TCP_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="tcp")].nodePort}')
Awesome, now we can curl our app and see what happens
curl "http://$INGRESS_HOST:$INGRESS_PORT/productpage”, fair enough, but lets get some more traffic with a while loop as follows:
while sleep 0.01;do curl -sS 'http://'"$INGRESS_HOST"':'"$INGRESS_PORT"'/productpage'\\ &> /dev/null ; done
Alright, now at the screenshot below Kiali provides us with a useful set of visual tools to better understand our workload traffic.
On the second screenshot, we can see the power of Kiali; the white dots on top of the green lines represent the traffic (even though it's a static image, picture those dots moving in different directions and speeds!).
In summary, Istio provides us with a powerful set of tools. On this TeraTip we saw a brief introduction to Istio Service Mesh. We focused our attention on installing it on our cluster and on gaining the visualization of some basic traffic flows. Stay tuned for more!
References
To learn more about cloud computing, visit our blog for first-hand insights from our team. If you need an AWS-certified team to deploy, scale, or provision your IT resources to the cloud seamlessly, send us a message here.