Using Istio on Alibaba Cloud Container Service for Kubernetes
The first Istio version (V1.0) available for production was officially released on July 31, 2018.
Istio is an open platform used to connect, manage, and secure microservices. It provides a simple method for creating a microservice network, and delivers capabilities such as load balancing, service-to-service authentication, and monitoring. In addition, these functions can be implemented without any changes to services themselves.
Istio provides the following functions:
- Traffic management: Controls the call traffic and API calls between services to make calls more reliable and the network more robust under adverse conditions.
- Observability: Obtains dependencies between services and traffic directions of service calls to quickly identify problems.
- Policy enforcement: Controls the service access policies without modifying services themselves.
- Service identity and security: Provides verifiable identities for services in a service mesh and capabilities for protecting service traffic so that traffic can be transferred over networks with different levels of trustworthiness.
This article describes how to use Alibaba Cloud Container Service for Kubernetes to quickly build an Istio open platform for connecting, managing, and securing microservices, and to introduce and configure multiple relevant services for applications.
Istio Architecture
In terms of architecture, Istio is divided into two parts:
- Control plane: manages and configures the proxies to route traffic and enforce policies at runtime.
- Data plane: consists of a set of intelligent proxies (Envoy by default) deployed as sidecars, which mediate and control all network communication between microservices.
Proxy/Envoy
Envoy is deployed as an independent sidecar to the relevant microservice in the same Kubernetes pod, and provides a series of attributes for Mixer. Based on these attributes, Mixer enforces policies and sends these attributes to the monitoring system.
This sidecar proxy model adds these capabilities without changing the logic of any service.
Mixer
Mixer enforces access control and usage policies across the service mesh, and collects telemetry data from the Envoy proxy and other services. The proxy extracts request-level attributes and sends them to Mixer for evaluation.
Mixer includes a flexible plugin model. This model enables Istio to interface with a variety of host environments and infrastructure backends, so that the Envoy proxy and Istio-managed services are abstracted from these details. The relevant content will be described in subsequent articles.
Pilot
Pilot collects and validates the configurations, and propagates them to the various Istio components. It abstracts environment-specific implementation details from Mixer and Envoy, and provides them with an abstract representation of user services that is independent of the underlying platform. In addition, Pilot can be used to program the traffic management rules at runtime, that is, the universal layer-4 and layer-7 HTTP/gRPC routing rules.
Citadel
Citadel provides inter-service and inter-user authentication and enhances security between services without any changes to service code. Citadel consists of the following three components:
- Identity recognition: When Istio runs on Kubernetes, Auth uses the service account provided by Kubernetes to identify the subjects that run the services.
- Key management: Auth provides a CA to automatically generate and manage keys and certificates.
- Communication security: For service-to-service communication, Envoy provides tunnels on the client and server to ensure security of service calls.
The following describes how to quickly build an Istio open platform for connecting, managing, and securing microservices on the basis of Alibaba Cloud Container Service for Kubernetes.
Prepare the Kubernetes Environment
Alibaba Cloud Container Service for Kubernetes V1.10.4 has been released. You can use the container service console to conveniently and quickly create a Kubernetes cluster. For more information about the process, see Create a Kubernetes cluster.
Use the Application Catalog for Simple Deployment
Click App Catalog on the left-side navigation bar, and select ack-istio on the right side, as shown below:
Click Parameters. You can modify parameter settings to customize Istio. The following table lists the common parameters.
| Parameter | Description | Default |
|---|---|---|
| global.hub | Specifies the hub (registry prefix) for most images used by Istio | registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog |
| global.tag | Specifies the tag for most images used by Istio | 1.0.0 |
| global.proxy.image | Specifies the proxy image name | istio-proxyv2 |
| global.imagePullPolicy | Specifies the image pull policy | IfNotPresent |
| global.controlPlaneSecurityEnabled | Specifies whether control plane mTLS is enabled | false |
| global.mtls.enabled | Specifies whether mTLS is enabled by default between services | false |
| global.mtls.mtlsExcludedServices | List of FQDNs to exclude from mTLS | - "kubernetes.default.svc.cluster.local" |
| global.rbacEnabled | Specifies whether to create Istio RBAC rules or not | true |
| global.refreshInterval | Specifies the mesh discovery refresh interval | 10s |
| global.arch.amd64 | Specifies the scheduling policy for amd64 architectures | 2 |
| global.arch.s390x | Specifies the scheduling policy for s390x architectures | 2 |
| global.arch.ppc64le | Specifies the scheduling policy for ppc64le architectures | 2 |
| galley.enabled | Specifies whether Galley should be installed for server-side config validation. Requires k8s >= 1.9 | false |
In addition to the preceding common parameters, you can customize different modules. For example, you can determine whether to enable Grafana, Prometheus, tracing, Weave Scope, and Kiali.
```yaml
#
# addons configuration
#
grafana:
  enabled: true
  replicaCount: 1
  image: istio-grafana
  service:
    name: http
    type: ClusterIP
    externalPort: 3000
    internalPort: 3000
  # ...
prometheus:
  enabled: true
  replicaCount: 1
  image:
    repository: registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/istio-prometheus
    tag: latest
  # ...
tracing:
  enabled: true
  jaeger:
    enabled: true
  # ...
weave-scope:
  enabled: true
  global:
    # global.image: the image that will be used for this release
    image:
      repository: weaveworks/scope
      tag: "1.9.0"
      # global.image.pullPolicy: must be Always, IfNotPresent, or Never
      pullPolicy: "IfNotPresent"
  # ...
kiali:
  enabled: true
  replicaCount: 1
  image:
    repository: registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/istio-kiali
    tag: dev
```
After modification, select the corresponding cluster and namespace on the right, specify the release name, and click Deploy. It is recommended that you create a namespace, such as istio-system.
Several minutes later, an Istio instance, which is an open platform for connecting, managing, and securing microservices, is created.
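Two of the chart's security-relevant parameters default to off (global.mtls.enabled and global.controlPlaneSecurityEnabled are both false in the table above, so service-to-service and sidecar-to-control-plane traffic is plaintext unless you change them), and two of the add-on images in the listing are pulled by floating tags (latest, dev), so what gets deployed can change between two installs of the same values file. The following Python script is an added example, not part of this article or of the ack-istio chart: it audits a values document for those settings before you click Deploy. The dicts in it are constructed from the table and listing above (reduced to the keys the audit reads), and the harden() helper and its pinned-tag placeholder are assumptions of this example, not chart behaviour.

```python
import copy
from typing import Any, Dict, List

# Istio's own default entry in global.mtls.mtlsExcludedServices; any other FQDN in
# that list is a deliberate hole in mesh-wide mTLS and is reported as a finding.
KNOWN_MTLS_EXCLUSIONS = {"kubernetes.default.svc.cluster.local"}

# Tags that do not pin a build: the image behind them can change between two
# installs with no change to the values file.
FLOATING_TAGS = {"latest", "dev"}

# Constructed sample: the chart defaults quoted in the article, reduced to the
# keys this audit looks at (not the chart's full values.yaml).
CHART_DEFAULTS: Dict[str, Any] = {
    "global": {
        "hub": "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog",
        "tag": "1.0.0",
        "controlPlaneSecurityEnabled": False,
        "mtls": {
            "enabled": False,
            "mtlsExcludedServices": ["kubernetes.default.svc.cluster.local"],
        },
        "rbacEnabled": True,
    },
    "prometheus": {
        "enabled": True,
        "image": {
            "repository": "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/istio-prometheus",
            "tag": "latest",
        },
    },
    "kiali": {
        "enabled": True,
        "image": {
            "repository": "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/istio-kiali",
            "tag": "dev",
        },
    },
}


def lookup(values: Dict[str, Any], dotted: str, default: Any = None) -> Any:
    """Resolve a dotted chart parameter name such as global.mtls.enabled."""
    node: Any = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def floating_tags(values: Dict[str, Any], path: str = "") -> List[str]:
    """Return the dotted path of every 'tag' key whose value is a floating tag."""
    found: List[str] = []
    for key, value in values.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            found.extend(floating_tags(value, here))
        elif key == "tag" and str(value) in FLOATING_TAGS:
            found.append(here)
    return found


def audit_values(values: Dict[str, Any]) -> List[str]:
    """Return one finding per weak setting; an empty list means the values pass."""
    findings: List[str] = []
    if not lookup(values, "global.mtls.enabled", False):
        findings.append("global.mtls.enabled is false: service-to-service traffic is plaintext by default")
    if not lookup(values, "global.controlPlaneSecurityEnabled", False):
        findings.append("global.controlPlaneSecurityEnabled is false: sidecar-to-control-plane traffic is not mTLS-protected")
    if not lookup(values, "global.rbacEnabled", True):
        findings.append("global.rbacEnabled is false: Istio RBAC rules will not be created")
    for fqdn in lookup(values, "global.mtls.mtlsExcludedServices", []) or []:
        if fqdn not in KNOWN_MTLS_EXCLUSIONS:
            findings.append(f"global.mtls.mtlsExcludedServices contains {fqdn}: this service is reachable without mTLS")
    for path in floating_tags(values):
        findings.append(f"{path} uses a floating image tag: pin a specific release tag")
    return findings


def harden(values: Dict[str, Any], pinned_tag: str) -> Dict[str, Any]:
    """Return a copy of the values with the audited settings corrected (example helper,
    not part of the chart). pinned_tag is whatever release tag you have verified."""
    fixed = copy.deepcopy(values)
    glob = fixed.setdefault("global", {})
    glob["controlPlaneSecurityEnabled"] = True
    glob.setdefault("mtls", {})["enabled"] = True
    glob["rbacEnabled"] = True
    for addon in ("prometheus", "kiali"):
        image = fixed.get(addon, {}).get("image")
        if isinstance(image, dict):
            image["tag"] = pinned_tag
    return fixed


# Placeholder tag: substitute a real, verified release tag for the add-on images.
HARDENED: Dict[str, Any] = harden(CHART_DEFAULTS, pinned_tag="<pinned-release-tag>")

if __name__ == "__main__":
    for name, vals in (("chart defaults", CHART_DEFAULTS), ("hardened", HARDENED)):
        findings = audit_values(vals)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

In practice you would load the values file you are about to pass to the chart (for example with PyYAML) instead of the embedded dict, and run the audit in CI so that a values change that turns mTLS back off or re-introduces a floating tag fails the pipeline rather than reaching the cluster.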
Experiment with Istio
Click Container Group on the left-side navigation bar. The container group information related to the created Istio instance is displayed on the right side, as shown below:
Click Services on the left-side navigation bar. The access addresses of services related to the created Istio instance are displayed on the right side, as shown below:
By default, the following function modules are enabled:
- Intelligent routing
- Fault injection
- Traffic shifting
- OpenTracing/Jaeger used for distributed tracing
- Prometheus used for telemetry metric collection
- Grafana used for telemetry metric visualization
- Service graph and Weave support
- Kiali used for service mesh monitoring
The next article uses an official example to explain how to use Istio to develop, manage, protect, and monitor microservices on the basis of Alibaba Cloud Container Service for Kubernetes.
Summary
We can use Alibaba Cloud Container Service for Kubernetes to quickly build an Istio open platform for connecting, managing, and securing microservices, and to introduce and configure multiple relevant services for applications. You are welcome to use Alibaba Cloud Container Service for Kubernetes to quickly build an Istio open platform and integrate Istio into microservice development in your project.
This article series introduces Istio and its core components, as well as describes how to quickly build an Istio open platform for connecting, managing, and securing microservices on the basis of Alibaba Cloud Container Service for Kubernetes. These articles also use an official example to demonstrate how to deploy an application in the Istio environment; how to configure intelligent routing and distributed tracing; and how to configure Istio functions of collecting, querying, and visualizing the telemetry data.
To review these articles, see:
- Using Istio on Alibaba Cloud Container Service for Kubernetes
- Go through Istio Features with Samples on Alibaba Cloud Container Service for Kubernetes
- Intelligent Routing with Istio on Alibaba Cloud Container Service for Kubernetes
- Distributed Tracking with Istio on Alibaba Cloud Container Service for Kubernetes
- Telemetry Data Collection, Query, and Visualization with Istio on Alibaba Cloud Container Service for Kubernetes
- Fault Diagnosis and Detection using Istio within Alibaba Cloud Container Service for Kubernetes
- Observability Analysis using Istio and Kiali within Alibaba Cloud Container Service for Kubernetes