loading...
Alcide

Istio Service Mesh in 2020: Envoy In, Control Plane Simplified

alonberger3 profile image Alon Berger Updated on ・4 min read

Alt Text

Since 2017, Kubernetes has soared and has played a key role within the cloud-native computing community. With this movement, more and more companies who already embraced microservices realized that a dedicated software layer for managing the service-to-service communication is required.

Enter the Service Mesh, and its leading contender as a preferred control plane manager - Istio, a platform built around an Envoy proxy to manage, control and monitor traffic flow and securing services and the connections between one another. Check out this page and Istio’s blog for more information and additional features to come.

According to the CNCF Survey 2019, Istio is at the top of the chart as the preferred service mesh project:

Alt Text

While Istio clearly made its mark as a powerful service mesh tool, it is still entwined with a relatively complex operation and integration requirements.

Istio’s roadmap for 2020 is all about supporting companies as they adopt microservices architectures for application development. The main focus of Istio’s latest release is simply making it faster and easier to use.

What Should We Expect?

Istio’s offering is a complete solution for enabling orchestration of a deployed services network with ease. It utilizes complex operational requirements like load-balancing, service-to-service authentication, monitoring, rate-limiting and more.

To achieve that, Istio provides its core features as key capabilities across a network of services:

  • Traffic management
  • Security
  • Observability
  • Platform support
  • Integration and customization

With its latest release, along with some most anticipated improvements, those features are getting buffed as well.

During 2019 Istio’s build and test infrastructure improved significantly, resulting in higher quality and easier release cycles. A big focus was around improving user experience, with many additional commands added to allow easier operations and smother troubleshooting experience.

Furthermore, Istio’s team reported exceptional growth in contributors within the product’s community.

Mixer Out, Envoy In

Extensibility with Istio was enabled by the Mixer, an entity responsible for providing policy controls and telemetry collection, which acts as an Intermediation layer that allows fine-grained control over all interactions between the mesh and infrastructure backends.

This entire model is now migrated directly in the proxies, in order to remove additional dependencies, resulting in a substantial reduction in latency and a significant improvement in overall performance. Eventually, the Mixer will be released as a separate add-on, as part of the Istio ecosystem.

The new model replacing Mixer will use Envoy’s extensions, which paves the path to even more capabilities and flexibility. There is already an ongoing implementation of a WebAssembly runtime in Envoy, which will potentially extend platform efficiency, This type of flexibility was a lot more challenging to achieve with Mixer.

Another key takeaway from this new model is the ability to avoid using a unique CRD for every integration with Istio.

Control Plane Simplified

The desire to have fewer moving parts during deployments drove the Istio team towards istiod, a new single binary, which now acts as a single daemon, responsible for the various microservices deployments.

This binary combines features from known key components such as the Pilot, Citadel, Galley and the sidecar.

This approach reduces complexity within domains across the board.

Installation, ongoing maintenance, and troubleshooting efforts will become much more straightforward while supporting all functionalities from previous releases.

Additionally, the node-agent’s functionality used to distribute certificates, moved to the istio-agent, which already runs in each pod, reducing even more dependencies.

Below is a “Before and After” of Istio’s high-level architecture.
Can you spot the differences?

Before:

Alt Text

After:

Alt Text

Securing All Fronts

Another major focus is on buffing up several security fundamentals like reliable workload identity, robust access policies, and comprehensive audit logging. The imperative nature of such requirements is what pushes the team to double down on stabilizing the API for these features.

Inevitably, network traffic will take up several security reinforcements, including implementation of the automated rollout of mutual TLS and leveraging of Secret Discovery Service, which will introduce a safer way of distributing certificates, thus reducing the risk of detection by other workloads running on the machine.

These upgrades will trim down both dependencies and requirements for cluster-wide security policies, leading to a much more robust system.

Here at Alcide, we offer Istio hygiene checks as part of the Alcide Advisor.
Check out our recent webinar on Security For Istio - an Incremental Approach to learn more.

Posted on by:

alonberger3 profile

Alon Berger

@alonberger3

Marketing Tech Lead, R&D Operations, Cyber, DevOps, Kubernets, Network Security, Cloud Network

Alcide

Kubernetes Security from CD to Runtime. End-to-end Kubernetes Security solution for the entire software supply chain: pipeline, runtime, infrastructure.

Discussion

pic
Editor guide