Using Istio on Alibaba Cloud Container Service for Kubernetes

Istio 1.0, the first release considered ready for production use, was officially announced on July 31, 2018.

Istio is an open platform used to connect, manage, and secure microservices. It provides a simple way to create a network of deployed services with load balancing, service-to-service authentication, and monitoring, and it adds these capabilities without any changes to the services themselves.

Istio provides the following functions:

  1. Traffic management: Controls the traffic and API calls between services, making calls more reliable and the network more robust under adverse conditions.
  2. Observability: Captures the dependencies between services and the flow of traffic between them so that problems can be identified quickly.
  3. Policy enforcement: Controls service access policies without modifying the services themselves.
  4. Service identity and security: Provides verifiable identities for services in the mesh and protects service traffic so that it can traverse networks with different levels of trust.

This article describes how to use Alibaba Cloud Container Service for Kubernetes to quickly build an Istio platform for connecting, managing, and securing microservices, and how to deploy and configure the related add-on services for applications.

Istio Architecture

An Istio service mesh is logically split into two parts:

  1. Control plane: manages and configures the proxies to route traffic and enforces policies at runtime. In Istio 1.0 it consists of Pilot, Mixer and Citadel (plus, optionally, Galley for configuration validation).
  2. Data plane: a set of intelligent proxies (Envoy) deployed as sidecars, which mediate and control all network communication between the services in the mesh.

Proxy/Envoy

Istio uses an extended version of the Envoy proxy, deployed as a sidecar container in the same pod as each service, to mediate all inbound and outbound traffic of that service. This sidecar proxy model does not require any change to service logic, and it is what lets Istio add load balancing, mutual TLS, routing, fault injection and telemetry collection transparently.

Mixer

Mixer enforces access control and usage policies across the mesh and collects telemetry data from the Envoy proxies. It includes a flexible plugin model that lets Istio interface with a variety of host environments and infrastructure backends, so that the Envoy proxy and Istio-managed services are abstracted away from these details. The relevant content will be described in subsequent articles.

Pilot

Pilot provides service discovery for the Envoy sidecars and translates high-level traffic-management rules (routing, retries, timeouts, circuit breaking) into Envoy-specific configuration, which it pushes to the sidecars at runtime.

Citadel

Citadel (called Istio Auth in earlier releases) provides the service identity and key management behind the mesh's security features:

  1. Identity: When Istio runs on Kubernetes, Citadel uses the Kubernetes service account of a pod to identify the principal that runs the service, and encodes that identity in the certificate it issues to the workload (as a SPIFFE URI of the form spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>).
  2. Key management: Citadel acts as a certificate authority that automatically generates, distributes and rotates the keys and certificates used by the workloads.
  3. Communication security: Service-to-service calls are tunneled through the client-side and server-side Envoy proxies, which authenticate each other and encrypt the hop between them with mutual TLS.
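The identity Citadel derives from the Kubernetes service account is what a receiving proxy actually checks, so it is worth seeing the format concretely. The following Python is an added example, not code from the article or from the Istio project: it builds the SPIFFE URI that Istio 1.0 places in the SAN of a workload certificate (spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>), parses and validates such a URI strictly, and applies an allow-list check of the kind an authorization policy performs. The trust domain "cluster.local", the namespaces, service accounts and the allow-list are constructed sample values.

```python
"""Added example (not from the article or the Istio project): how an Istio
workload identity is derived from a Kubernetes service account, and how a
peer validates a presented identity. Sample values below are constructed."""
import re
from typing import NamedTuple, Optional, Set, Tuple

# Istio's default trust domain on Kubernetes (assumed here; it is configurable).
TRUST_DOMAIN = "cluster.local"

# Strict shape: exactly one namespace and one service-account segment, each a
# DNS-1123 label, which is what Kubernetes allows for these names.
_LABEL = r"[a-z0-9]([-a-z0-9]*[a-z0-9])?"
_SPIFFE_RE = re.compile(
    rf"^spiffe://(?P<td>[a-z0-9.-]+)/ns/(?P<ns>{_LABEL})/sa/(?P<sa>{_LABEL})$"
)


class Identity(NamedTuple):
    trust_domain: str
    namespace: str
    service_account: str

    def spiffe_id(self) -> str:
        """The SAN URI Citadel puts in the certificate for this identity."""
        return f"spiffe://{self.trust_domain}/ns/{self.namespace}/sa/{self.service_account}"


def identity_for(namespace: str, service_account: str,
                 trust_domain: str = TRUST_DOMAIN) -> Identity:
    """Identity minted for a pod running as this service account. Note that it
    is bound to the service account, not to the pod name or its IP address."""
    return Identity(trust_domain, namespace, service_account)


def parse_spiffe_id(uri: str) -> Optional[Identity]:
    """Parse a presented SAN URI. Returns None for anything that is not a
    well-formed workload identity: wrong scheme, extra or missing path
    segments, or names that are not valid Kubernetes labels."""
    m = _SPIFFE_RE.match(uri)
    if not m:
        return None
    return Identity(m.group("td"), m.group("ns"), m.group("sa"))


def is_authorized(presented_uri: str, allowed: Set[Tuple[str, str]],
                  trust_domain: str = TRUST_DOMAIN) -> bool:
    """Server-side check: the caller's certificate identity must be a
    well-formed identity from our own trust domain and be on the allow-list
    of (namespace, service_account) pairs."""
    ident = parse_spiffe_id(presented_uri)
    if ident is None:
        return False
    if ident.trust_domain != trust_domain:
        return False  # a well-formed identity from a foreign trust domain is still rejected
    return (ident.namespace, ident.service_account) in allowed


# Constructed allow-list: only the frontend service account in "default" may call us.
ALLOWED_CALLERS: Set[Tuple[str, str]] = {("default", "frontend")}
```

Two properties of the check are worth noting: the identity is a service-account-level principal, so every pod of a deployment shares it, and a malformed or over-long URI is rejected before any allow-list comparison rather than being partially matched.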

The following describes how to quickly build an Istio open platform for connecting, managing, and securing microservices on the basis of Alibaba Cloud Container Service for Kubernetes.

Prepare the Kubernetes Environment

Use the Application Catalog for Simple Deployment

Open the Istio chart in the Application Catalog and click Parameters. You can modify the parameter settings to customize Istio. The following table lists the common parameters.

Parameter | Description | Default
global.hub | Specifies the HUB for most images used by Istio | registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog
global.tag | Specifies the TAG for most images used by Istio | 1.0.0
global.proxy.image | Specifies the proxy image name | istio-proxyv2
global.imagePullPolicy | Specifies the image pull policy | IfNotPresent
global.controlPlaneSecurityEnabled | Specifies whether control plane mTLS is enabled | false
global.mtls.enabled | Specifies whether mTLS is enabled by default between services | false
global.mtls.mtlsExcludedServices | List of FQDNs to exclude from mTLS | - "kubernetes.default.svc.cluster.local"
global.rbacEnabled | Specifies whether to create Istio RBAC rules or not | true
global.refreshInterval | Specifies the mesh discovery refresh interval | 10s
global.arch.amd64 | Specifies the scheduling policy for amd64 architectures | 2
global.arch.s390x | Specifies the scheduling policy for s390x architectures | 2
global.arch.ppc64le | Specifies the scheduling policy for ppc64le architectures | 2
galley.enabled | Specifies whether Galley should be installed for server-side config validation. Requires k8s >= 1.9 | false

Note that global.controlPlaneSecurityEnabled and global.mtls.enabled both default to false: out of the box, neither the traffic between the control plane and the sidecars nor the traffic between services is encrypted or authenticated. Set both to true for any cluster that carries real traffic, and keep global.mtls.mtlsExcludedServices to the minimum (the Kubernetes API server is listed because it runs outside the mesh without an Envoy sidecar).

In addition to the preceding common parameters, you can customize the individual modules. For example, you can decide whether to enable Grafana, Prometheus, tracing, Weave Scope, and Kiali. Note that in the defaults below the Prometheus and Kiali images are referenced by the mutable tags latest and dev; pin them to a fixed tag (or an image digest) before deploying so that the running add-ons match what you reviewed.

#
# addons configuration
#
grafana:
  enabled: true
  replicaCount: 1
  image: istio-grafana
  service:
    name: http
    type: ClusterIP
    externalPort: 3000
    internalPort: 3000
  # ....
prometheus:
  enabled: true
  replicaCount: 1
  image:
    repository: registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/istio-prometheus
    tag: latest
  # ....
tracing:
  enabled: true
  jaeger:
    enabled: true
  # ....
weave-scope:
  enabled: true
  global:
    # global.image: the image that will be used for this release
    image:
      repository: weaveworks/scope
      tag: "1.9.0"
      # global.image.pullPolicy: must be Always, IfNotPresent, or Never
      pullPolicy: "IfNotPresent"
  # ....
kiali:
  enabled: true
  replicaCount: 1
  image:
    repository: registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/istio-kiali
    tag: dev
After modification, select the corresponding cluster and namespace on the right, specify the release name, and click Deploy. It is recommended that you create a namespace, such as istio-system.

Several minutes later, an Istio instance, which is an open platform for connecting, managing, and securing microservices, is created.

Experiment with Istio

Click Services on the left-side navigation bar. The access addresses of the services belonging to the created Istio instance are displayed on the right side.

By default, the following function modules are enabled:

  1. Intelligent routing
  2. Fault injection
  3. Traffic shifting
  4. OpenTracing/Jaeger used for distributed tracing
  5. Prometheus used for telemetry metric collection
  6. Grafana used for telemetry metric visualization
  7. Service graph (Weave Scope)
  8. Kiali used for service mesh monitoring

The next article uses an official example to explain how to use Istio to develop, manage, protect, and monitor microservices on the basis of Alibaba Cloud Container Service for Kubernetes.

Summary

This article series introduces Istio and its core components, as well as describes how to quickly build an Istio open platform for connecting, managing, and securing microservices on the basis of Alibaba Cloud Container Service for Kubernetes. These articles also use an official example to demonstrate how to deploy an application in the Istio environment; how to configure intelligent routing and distributed tracing; and how to configure Istio functions of collecting, querying, and visualizing the telemetry data.

To review these articles, see:

  1. Using Istio on Alibaba Cloud Container Service for Kubernetes
  2. Go through Istio Features with Samples on Alibaba Cloud Container Service for Kubernetes
  3. Intelligent Routing with Istio on Alibaba Cloud Container Service for Kubernetes
  4. Distributed Tracking with Istio on Alibaba Cloud Container Service for Kubernetes
  5. Telemetry Data Collection, Query, and Visualization with Istio on Alibaba Cloud Container Service for Kubernetes
  6. Fault Diagnosis and Detection using Istio within Alibaba Cloud Container Service for Kubernetes
  7. Observability Analysis using Istio and Kiali within Alibaba Cloud Container Service for Kubernetes

Reference:

https://www.alibabacloud.com/blog/using-istio-on-alibaba-cloud-container-service-for-kubernetes_593917?spm=a2c4.12014528.0.0
