Service Mesh - service-to-service communication
Service Mesh's Control Plane
- Envoy - is a high-performance proxy to mediate all inbound and outbound traffic for all services in the service mesh.
- Pilot - provides service discovery for the Envoy sidecars, traffic management capabilities for intelligent routing.
- Mixer - enforces access control and usage policies across the service mesh, and collects telemetry data from the Envoy proxy and other services.
- Citadel - provides strong service-to-service and end-user authentication with built-in identity and credential/certificate management.
- Galley - is Istio's configuration validation, ingestion, processing and distribution component.
- DestinationRule - defines policies that apply to traffic intended for a service after routing has occurred.
- VirtualService - defines a set of traffic routing rules to apply when a host is addressed.
- ServiceEntry - is commonly used to enable requests to services outside of an Istio service mesh.
- Gateway - configures a load balancer for HTTP traffic, most commonly operating at the edge of the mesh to enable ingress traffic for an application.
Traffic Management with Istio
Istio security overview
Istio Security Architecture
Multiple k8s clusters managed by a single Istio instance
Istio multicluster service mesh - Gateway
Istio mesh spanning multiple Kubernetes clusters using Istio Gateway to reach remote pods
Istio multicluster service mesh - VPN
Istio mesh spanning multiple Kubernetes clusters with direct network access to remote pods over VPN
Amazon EKS Cluster
awscli, eksctl, helm, kubectl, siege or docker
2 Worker instances
Generate + Use SSL certificates
Install the Bookinfo demo application, which consists of multiple microservices
Configure Istio - Request routing based on user identity
Configure Istio - Injecting an HTTP delay fault
Configure Istio - Injecting an HTTP abort fault
Configure Istio - Weight-based routing (Canary Deployments)
Istio in AWS
By Petr Ruzicka