Solve difficult service-to-service communication challenges around security, observability, routing, and resilience with an Istio-based service mesh. Istio allows you to define these traffic policies as configuration and enforce them consistently without needing any service-code changes.
In Istio in Action you will learn:
• Why and when to use a service mesh
• Envoy’s role in Istio’s service mesh
• Allowing “North-South” traffic into a mesh
• Fine-grained traffic routing
• Making your services robust to network failures
• Gaining observability over your system with telemetry “golden signals”
• How Istio makes your services secure by default
• Integrating cloud-native applications with legacy workloads such as those in VMs
Reduce the operational complexity of your microservices with an Istio-powered service mesh! Istio in Action shows you how to implement this powerful new architecture and move your application-networking concerns to a dedicated infrastructure layer. Non-functional concerns stay separate from your application, so your code is easier to understand, maintain, and adapt regardless of programming language. In this practical guide, you’ll go hands-on with the full-featured Istio service mesh to manage microservices communication. Helpful diagrams and example configurations make it easy to understand how to control routing, secure container applications, and monitor network traffic.
About the technology
Offload complex microservice communication layer challenges to Istio! The industry-standard Istio service mesh radically simplifies security, routing, observability, and other service-to-service communication challenges. With Istio, you use a straightforward declarative configuration style to establish application-level network policies. By separating communication from business logic, your services are easier to write, maintain, and modify.
About the book
Istio in Action teaches you how to implement an Istio-based service mesh that can handle complex routing scenarios, traffic encryption, authorization, and other common network-related tasks. You’ll start by defining a basic service mesh and exploring the data plane with Istio’s service proxy, Envoy. Then, you’ll dive into core topics like traffic routing and visualization and service-to-service authentication, as you expand your service mesh to workloads on multiple clusters and legacy VMs.
What's inside
• Comprehensive coverage of Istio resources
• Practical examples to showcase service mesh capabilities
• Implementation of multi-cluster service meshes
• How to extend Istio with WebAssembly
• Traffic routing and observability
• VM integration into the mesh
About the reader
For developers, architects, and operations engineers.
About the author
Christian Posta is a well-known architect, speaker, and contributor. Rinor Maloku is an engineer at Solo.io working on application networking solutions.
Author(s): Christian E. Posta, Rinor Maloku
Edition: 1
Publisher: Manning Publications
Year: 2022
Language: English
Commentary: Vector PDF
Pages: 480
City: Shelter Island, NY
Tags: Security; Data Visualization; Microservices; Scalability; Troubleshooting; Networking; Kubernetes; Performance Tuning; Software Architecture; Grafana; Resilience; Virtual Environments; Routing; Istio; Jaeger; Observability; Service Mesh; Kiali
Istio in Action
contents
foreword
preface
acknowledgments
about this book
Who should read this book
How this book is organized: A roadmap
About the code
liveBook discussion forum
about the authors
about the cover illustration
brief contents
Part 1 Understanding Istio
1 Introducing the Istio service mesh
1.1 Challenges of going faster
1.1.1 Our cloud infrastructure is not reliable
1.1.2 Making service interactions resilient
1.1.3 Understanding what’s happening in real time
1.2 Solving these challenges with application libraries
1.2.1 Drawbacks to application-specific libraries
1.3 Pushing these concerns to the infrastructure
1.3.1 The application-aware service proxy
1.3.2 Meet the Envoy proxy
1.4 What’s a service mesh?
1.5 Introducing the Istio service mesh
1.5.1 How a service mesh relates to an enterprise service bus
1.5.2 How a service mesh relates to an API gateway
1.5.3 Can I use Istio for non-microservices deployments?
1.5.4 Where Istio fits in distributed architectures
1.5.5 What are the drawbacks to using a service mesh?
Summary
2 First steps with Istio
2.1 Deploying Istio on Kubernetes
2.1.1 Using Docker Desktop for the examples
2.1.2 Getting the Istio distribution
2.1.3 Installing the Istio components into Kubernetes
2.2 Getting to know the Istio control plane
2.2.1 Istiod
2.2.2 Ingress and egress gateway
2.3 Deploying your first application in the service mesh
2.4 Exploring the power of Istio with resilience, observability, and traffic control
2.4.1 Istio observability
2.4.2 Istio for resiliency
2.4.3 Istio for traffic routing
Summary
3 Istio’s data plane: The Envoy proxy
3.1 What is the Envoy proxy?
3.1.1 Envoy’s core features
3.1.2 Comparing Envoy to other proxies
3.2 Configuring Envoy
3.2.1 Static configuration
3.2.2 Dynamic configuration
3.3 Envoy in action
3.3.1 Envoy’s Admin API
3.3.2 Envoy request retries
3.4 How Envoy fits with Istio
Summary
Part 2 Securing, observing, and controlling your service’s network traffic
4 Istio gateways: Getting traffic into a cluster
4.1 Traffic ingress concepts
4.1.1 Virtual IPs: Simplifying service access
4.1.2 Virtual hosting: Multiple services from a single access point
4.2 Istio ingress gateways
4.2.1 Specifying Gateway resources
4.2.2 Gateway routing with virtual services
4.2.3 Overall view of traffic flow
4.2.4 Istio ingress gateway vs. Kubernetes Ingress
4.2.5 Istio ingress gateway vs. API gateways
4.3 Securing gateway traffic
4.3.1 HTTP traffic with TLS
4.3.2 HTTP redirect to HTTPS
4.3.3 HTTP traffic with mutual TLS
4.3.4 Serving multiple virtual hosts with TLS
4.4 TCP traffic
4.4.1 Exposing TCP ports on an Istio gateway
4.4.2 Traffic routing with SNI passthrough
4.5 Operational tips
4.5.1 Split gateway responsibilities
4.5.2 Gateway injection
4.5.3 Ingress gateway access logs
4.5.4 Reducing gateway configuration
Summary
5 Traffic control: Fine-grained traffic routing
5.1 Reducing the risk of deploying new code
5.1.1 Deployment vs. release
5.2 Routing requests with Istio
5.2.1 Cleaning up our workspace
5.2.2 Deploying v1 of the catalog service
5.2.3 Deploying v2 of the catalog service
5.2.4 Routing all traffic to v1 of the catalog service
5.2.5 Routing specific requests to v2
5.2.6 Routing deep within a call graph
5.3 Traffic shifting
5.3.1 Canary releasing with Flagger
5.4 Reducing risk even further: Traffic mirroring
5.5 Routing to services outside your cluster by using Istio’s service discovery
Summary
6 Resilience: Solving application networking challenges
6.1 Building resilience into the application
6.1.1 Building resilience into application libraries
6.1.2 Using Istio to solve these problems
6.1.3 Decentralized implementation of resilience
6.2 Client-side load balancing
6.2.1 Getting started with client-side load balancing
6.2.2 Setting up our scenario
6.2.3 Testing various client-side load-balancing strategies
6.2.4 Understanding the different load-balancing algorithms
6.3 Locality-aware load balancing
6.3.1 Hands-on with locality load balancing
6.3.2 More control over locality load balancing with weighted distribution
6.4 Transparent timeouts and retries
6.4.1 Timeouts
6.4.2 Retries
6.4.3 Advanced retries
6.5 Circuit breaking with Istio
6.5.1 Guarding against slow services with connection-pool control
6.5.2 Guarding against unhealthy services with outlier detection
Summary
7 Observability: Understanding the behavior of your services
7.1 What is observability?
7.1.1 Observability vs. monitoring
7.1.2 How Istio helps with observability
7.2 Exploring Istio metrics
7.2.1 Metrics in the data plane
7.2.2 Metrics in the control plane
7.3 Scraping Istio metrics with Prometheus
7.3.1 Setting up Prometheus and Grafana
7.3.2 Configuring the Prometheus Operator to scrape the Istio control plane and workloads
7.4 Customizing Istio’s standard metrics
7.4.1 Configuring existing metrics
7.4.2 Creating new metrics
7.4.3 Grouping calls with new attributes
Summary
8 Observability: Visualizing network behavior with Grafana, Jaeger, and Kiali
8.1 Using Grafana to visualize Istio service and control-plane metrics
8.1.1 Setting up Istio’s Grafana dashboards
8.1.2 Viewing control-plane metrics
8.1.3 Viewing data-plane metrics
8.2 Distributed tracing
8.2.1 How does distributed tracing work?
8.2.2 Installing a distributed tracing system
8.2.3 Configuring Istio to perform distributed tracing
8.2.4 Viewing distributed tracing data
8.2.5 Trace sampling, force traces, and custom tags
8.3 Visualization with Kiali
8.3.1 Installing Kiali
8.3.2 Conclusion
Summary
9 Securing microservice communication
9.1 The need for application-networking security
9.1.1 Service-to-service authentication
9.1.2 End-user authentication
9.1.3 Authorization
9.1.4 Comparison of security in monoliths and microservices
9.1.5 How Istio implements SPIFFE
9.1.6 Istio security in a nutshell
9.2 Auto mTLS
9.2.1 Setting up the environment
9.2.2 Understanding Istio’s PeerAuthentication resource
9.3 Authorizing service-to-service traffic
9.3.1 Understanding authorization in Istio
9.3.2 Setting up the workspace
9.3.3 Behavior changes when a policy is applied to a workload
9.3.4 Denying all requests by default with a catch-all policy
9.3.5 Allowing requests originating from a single namespace
9.3.6 Allowing requests from non-authenticated legacy workloads
9.3.7 Allowing requests from a single service account
9.3.8 Conditional matching of policies
9.3.9 Understanding value-match expressions
9.3.10 Understanding the order in which authorization policies are evaluated
9.4 End-user authentication and authorization
9.4.1 What is a JSON web token?
9.4.2 End-user authentication and authorization at the ingress gateway
9.4.3 Validating JWTs with RequestAuthentication
9.5 Integrating with custom external authorization services
9.5.1 Hands-on with external authorization
9.5.2 Configuring Istio for ExtAuthz
9.5.3 Using a custom AuthorizationPolicy resource
Summary
Part 3 Istio day-2 operations
10 Troubleshooting the data plane
10.1 The most common mistake: A misconfigured data plane
10.2 Identifying data-plane issues
10.2.1 How to verify that the data plane is up to date
10.2.2 Discovering misconfigurations with Kiali
10.2.3 Discovering misconfigurations with istioctl
10.3 Discovering misconfigurations manually from the Envoy config
10.3.1 Envoy administration interface
10.3.2 Querying proxy configurations using istioctl
10.3.3 Troubleshooting application issues
10.3.4 Inspect network traffic with ksniff
10.4 Understanding your application using Envoy telemetry
10.4.1 Finding the rate of failing requests in Grafana
10.4.2 Querying the affected Pods using Prometheus
Summary
11 Performance-tuning the control plane
11.1 The control plane’s primary goal
11.1.1 Understanding the steps of data-plane synchronization
11.1.2 Factors that determine performance
11.2 Monitoring the control plane
11.2.1 The four golden signals of the control plane
11.3 Tuning performance
11.3.1 Setting up the workspace
11.3.2 Measuring performance before optimizations
11.3.3 Ignoring events: Reducing the scope of discovery using discovery selectors
11.3.4 Event-batching and push-throttling properties
11.4 Performance tuning guidelines
Summary
Part 4 Istio in your organization
12 Scaling Istio in your organization
12.1 The benefits of a multi-cluster service mesh
12.2 Overview of multi-cluster service meshes
12.2.1 Istio multi-cluster deployment models
12.2.2 How workloads are discovered in multi-cluster deployments
12.2.3 Cross-cluster workload connectivity
12.2.4 Common trust between clusters
12.3 Overview of a multi-cluster, multi-network, multi-control-plane service mesh
12.3.1 Choosing the multi-cluster deployment model
12.3.2 Setting up the cloud infrastructure
12.3.3 Configuring plug-in CA certificates
12.3.4 Installing the control planes in each cluster
12.3.5 Enabling cross-cluster workload discovery
12.3.6 Setting up cross-cluster connectivity
12.3.7 Load-balancing across clusters
Summary
13 Incorporating virtual machine workloads into the mesh
13.1 Istio’s VM support
13.1.1 Simplifying sidecar proxy installation and configuration in a VM
13.1.2 Virtual machine high availability
13.1.3 DNS resolution of in-mesh services
13.2 Setting up the infrastructure
13.2.1 Setting up the service mesh
13.2.2 Provisioning the VM
13.3 Mesh expansion to VMs
13.3.1 Exposing istiod and cluster services to the VM
13.3.2 Representing a group of workloads with a WorkloadGroup
13.3.3 Installing and configuring the istio-agent in the VM
13.3.4 Routing traffic to cluster services
13.3.5 Routing traffic to the WorkloadEntry
13.3.6 VMs are configured by the control plane: Enforcing mutual authentication
13.4 Demystifying the DNS proxy
13.4.1 How the DNS proxy resolves cluster hostnames
13.4.2 Which hostnames is the DNS proxy aware of?
13.5 Customizing the agent’s behavior
13.6 Removing a WorkloadEntry from the mesh
Summary
14 Extending Istio on the request path
14.1 Envoy’s extension capabilities
14.1.1 Understanding Envoy’s filter chaining
14.1.2 Filters intended for extension
14.1.3 Customizing Istio’s data plane
14.2 Configuring an Envoy filter with the EnvoyFilter resource
14.3 Rate-limiting requests with external call-out
14.3.1 Understanding Envoy rate limiting
14.4 Extending Istio’s data plane with Lua
14.5 Extending Istio’s data plane with WebAssembly
14.5.1 Introducing WebAssembly
14.5.2 Why WebAssembly for Envoy?
14.5.3 Building a new Envoy filter with WebAssembly
14.5.4 Building a new Envoy filter with the meshctl tool
14.5.5 Deploying a new WebAssembly Envoy filter
Summary
appendix A Customizing the Istio installation
A.1 The IstioOperator API
A.2 The Istio installation profiles
A.3 Installing and customizing Istio using istioctl
A.4 Installing and customizing Istio with the istio-operator
A.4.1 Installing the istio-operator
A.4.2 Updating the installation of a mesh
appendix B Istio’s sidecar and its injection options
B.1 Sidecar injection
B.1.1 Manual sidecar injection
B.1.2 Automatic sidecar injection
B.2 Security issues with istio-init
appendix C Istio security: SPIFFE
C.1 Authentication using PKI (public key infrastructure)
C.1.1 Traffic encryption via TLS and end-user authentication
C.2 SPIFFE: Secure Production Identity Framework for Everyone
C.2.1 SPIFFE ID: Workload identity
C.2.2 Workload API
C.2.3 Workload endpoints
C.2.4 SPIFFE Verifiable Identity Documents
C.2.5 How Istio implements SPIFFE
C.2.6 Step-by-step bootstrapping of workload identity
C.3 Understanding request identity
C.3.1 Metadata collected by the RequestAuthentication resource
C.3.2 Overview of the flow of one request
appendix D Troubleshooting Istio components
D.1 Information exposed by the Istio agent
D.1.1 Endpoints to introspect and troubleshoot the Istio agent
D.1.2 Querying Istio Pilot debug endpoints through the Istio agent
D.2 Information exposed by the Istio Pilot
D.2.1 The Istio Pilot debug endpoints
D.2.2 The ControlZ interface
appendix E How the virtual machine is configured to join the mesh
index