The first Istio version (V1.0) available for production was officially released on July 31, 2018.
Istio is an open platform used to connect, manage, and secure microservices. It provides a simple method for creating a microservice network, and delivers capabilities such as load balancing, service-to-service authentication, and monitoring. In addition, these functions can be implemented without any changes to services themselves.
Istio provides the following functions:
- Traffic management: Controls the call traffic and API calls between services to make calls more reliable and the network more robust under adverse conditions.
- Observability: Obtains dependencies between services and traffic directions of service calls to quickly identify problems.
- Policy enforcement: Controls the service access policies without modifying services themselves.
- Service identity and security: Provides verifiable identities for services in a service mesh and capabilities for protecting service traffic, so that traffic can be transferred over networks with different levels of trustworthiness.
This article describes how to use Alibaba Cloud Container Service for Kubernetes to quickly build an Istio open platform for connecting, managing, and securing microservices, and to introduce and configure multiple relevant services for applications.
In terms of architecture, Istio is divided into two parts:
- Control plane: manages the proxies, and is used to configure traffic routing and policy enforcement at runtime.
- Data plane: consists of a set of intelligent proxies (Envoy by default) that mediate and control all network communication between microservices.
Envoy is deployed as an independent sidecar alongside the relevant microservice in the same Kubernetes pod, and provides a series of attributes to Mixer. Based on these attributes, Mixer enforces policies and sends the attributes to the monitoring system.
This sidecar proxy model does not require changing the logic of any service, yet it adds many functions.
Mixer enforces access control and usage policies across the service mesh, and collects telemetry data from the Envoy proxy and other services. The proxy extracts request-level attributes and sends them to Mixer for evaluation.
Mixer includes a flexible plugin model. This model enables Istio to interface with a variety of host environments and infrastructure backends, so that the Envoy proxy and Istio-managed services are abstracted from these details. The relevant content will be described in subsequent articles.
Pilot collects and authenticates the configurations, and propagates them to the various Istio components. It abstracts environment-specific implementation details away from Mixer and Envoy, and provides them with an abstract representation of user services that is independent of the underlying platform. In addition, Pilot can be used to program the traffic management rules at runtime, that is, the universal layer-4 and layer-7 HTTP/gRPC routing rules.
Citadel provides service-to-service and end-user authentication and enhances security between services without any changes to service code. Citadel consists of the following three components:
- Identity recognition: When Istio runs on Kubernetes, Auth uses the service account provided by Kubernetes to identify the subjects that run the services.
- Key management: Auth provides a CA to automatically generate and manage keys and certificates.
- Communication security: For service-to-service communication, Envoy provides tunnels on the client and server sides to ensure the security of service calls.
The following describes how to quickly build an Istio open platform for connecting, managing, and securing microservices on the basis of Alibaba Cloud Container Service for Kubernetes.
Prepare the Kubernetes Environment
Alibaba Cloud Container Service for Kubernetes V1.10.4 has been released. You can use the container service console to conveniently and quickly create a Kubernetes cluster. For more information about the process, see Create a Kubernetes cluster.
Use the Application Catalog for Simple Deployment
Click App Catalog on the left-side navigation bar, and select ack-istio on the right side, as shown below:
Click Parameters. You can modify parameter settings to customize Istio. The following table lists the common parameters.
| Parameter | Description | Default |
| --- | --- | --- |
| `global.hub` | Specifies the HUB for most images used by Istio | `registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog` |
| `global.tag` | Specifies the TAG for most images used by Istio | `1.0.0` |
| `global.proxy.image` | Specifies the proxy image name | `istio-proxyv2` |
| `global.imagePullPolicy` | Specifies the image pull policy | `IfNotPresent` |
| `global.controlPlaneSecurityEnabled` | Specifies whether control plane mTLS is enabled | `false` |
| `global.mtls.enabled` | Specifies whether mTLS is enabled by default between services | `false` |
| `global.mtls.mtlsExcludedServices` | List of FQDNs to exclude from mTLS | `- "kubernetes.default.svc.cluster.local"` |
| `global.rbacEnabled` | Specifies whether to create Istio RBAC rules or not | `true` |
| `global.refreshInterval` | Specifies the mesh discovery refresh interval | `10s` |
| `global.arch.amd64` | Specifies the scheduling policy for amd64 architectures | `2` |
| `global.arch.s390x` | Specifies the scheduling policy for s390x architectures | `2` |
| `global.arch.ppc64le` | Specifies the scheduling policy for ppc64le architectures | `2` |
| `galley.enabled` | Specifies whether Galley should be installed for server-side config validation. Requires k8s >= 1.9 | |
In addition to the preceding common parameters, you can customize different modules. For example, you can determine whether to enable Grafana, Prometheus, tracing, Weave Scope, and Kiali.
```yaml
# addons configuration
# global.image: the image that will be used for this release
# global.image.pullPolicy: must be Always, IfNotPresent, or Never
```
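The three security defaults in the parameter table (service mTLS off, control plane mTLS off, RBAC on) are the ones to reconsider before a production deployment. As an added example that is not part of the original article, the script below merges Helm-style `--set` overrides onto those defaults and reports which settings leave the mesh weaker; the `HARDENED_SET` override string and the audit rules are constructed for illustration.

```python
# Added example: audit the security-relevant ack-istio values from the table above.

# Defaults as listed in the parameter table (Istio 1.0.0 chart).
DEFAULTS = {
    "global.controlPlaneSecurityEnabled": "false",
    "global.mtls.enabled": "false",
    "global.mtls.mtlsExcludedServices": ["kubernetes.default.svc.cluster.local"],
    "global.rbacEnabled": "true",
}

# Constructed override in Helm "--set" syntax that turns the mesh's security features on.
HARDENED_SET = ("global.mtls.enabled=true,"
                "global.controlPlaneSecurityEnabled=true,"
                "global.rbacEnabled=true")


def parse_set(overrides):
    """Parse a Helm '--set a.b=x,c.d=y' string into a flat dict (scalar values only)."""
    result = {}
    for item in overrides.split(","):
        if item.strip():
            key, _, value = item.partition("=")
            result[key.strip()] = value.strip()
    return result


def effective_values(overrides=""):
    """Merge --set overrides on top of the chart defaults."""
    merged = dict(DEFAULTS)
    merged.update(parse_set(overrides))
    return merged


def audit(values):
    """Return findings for settings that leave the mesh weaker than it could be."""
    findings = []
    if values["global.mtls.enabled"] != "true":
        findings.append("global.mtls.enabled: service-to-service traffic is plaintext by default")
    if values["global.controlPlaneSecurityEnabled"] != "true":
        findings.append("global.controlPlaneSecurityEnabled: sidecar-to-control-plane traffic lacks mTLS")
    if values["global.rbacEnabled"] != "true":
        findings.append("global.rbacEnabled: Istio RBAC rules are not created")
    # Any FQDN excluded from mTLS beyond the Kubernetes API service is a plaintext path.
    for fqdn in values["global.mtls.mtlsExcludedServices"]:
        if fqdn != "kubernetes.default.svc.cluster.local":
            findings.append("global.mtls.mtlsExcludedServices: %s is reachable without mTLS" % fqdn)
    return findings
```

Turning `global.mtls.enabled` on breaks callers that have no sidecar, so confirm every workload in the namespace is injected (or listed in `mtlsExcludedServices` deliberately) before applying the hardened overrides.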
After modification, select the corresponding cluster and namespace on the right, specify the release name, and click Deploy. It is recommended that you create a namespace, such as istio-system.
Several minutes later, an Istio instance, which is an open platform for connecting, managing, and securing microservices, is created.
Experiment with Istio
Click Container Group on the left-side navigation bar. The container group information related to the created Istio instance is displayed on the right side, as shown below:
Click Services on the left-side navigation bar. The access addresses of services related to the created Istio instance are displayed on the right side, as shown below:
By default, the following function modules are enabled:
- Intelligent routing
- Fault injection
- Traffic shifting
- OpenTracing/Jaeger used for distributed tracing
- Prometheus used for telemetry metric collection
- Grafana used for telemetry metric visualization
- Service graph and Weave support
- Kiali used for service mesh monitoring
The next article uses an official example to explain how to use Istio to develop, manage, protect, and monitor microservices on the basis of Alibaba Cloud Container Service for Kubernetes.
We can use Alibaba Cloud Container Service for Kubernetes to quickly build an Istio open platform for connecting, managing, and securing microservices, and to introduce and configure multiple relevant services for applications. You are welcome to use Alibaba Cloud Container Service for Kubernetes to quickly build an Istio open platform and integrate Istio into microservice development in your project.
This article series introduces Istio and its core components, as well as describes how to quickly build an Istio open platform for connecting, managing, and securing microservices on the basis of Alibaba Cloud Container Service for Kubernetes. These articles also use an official example to demonstrate how to deploy an application in the Istio environment; how to configure intelligent routing and distributed tracing; and how to configure Istio functions of collecting, querying, and visualizing the telemetry data.
To review these articles, see:
- Using Istio on Alibaba Cloud Container Service for Kubernetes
- Go through Istio Features with Samples on Alibaba Cloud Container Service for Kubernetes
- Intelligent Routing with Istio on Alibaba Cloud Container Service for Kubernetes
- Distributed Tracking with Istio on Alibaba Cloud Container Service for Kubernetes
- Telemetry Data Collection, Query, and Visualization with Istio on Alibaba Cloud Container Service for Kubernetes
- Fault Diagnosis and Detection using Istio within Alibaba Cloud Container Service for Kubernetes
- Observability Analysis using Istio and Kiali within Alibaba Cloud Container Service for Kubernetes