Kubernetes Service Mesh with Istio

Ahmad Raza

Cloud Infrastructure Architect
DevOps Engineer
Deploy the Bookinfo sample application, which is a microservices-based application composed of four separate services.

📑 Deploy Bookinfo Application:

kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

📄 Enable Istio Injection:

Enable automatic sidecar injection for the default namespace.
kubectl label namespace default istio-injection=enabled

📑 Redeploy Bookinfo Application:

Redeploy the Bookinfo application to include Istio sidecars:
kubectl delete -f samples/bookinfo/platform/kube/bookinfo.yaml
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

🛠️ Steps to Set Up and Use Istio:

Install Istio:

Download and install Istio using the provided script.
Verify the installation:
istioctl version
kubectl get pods -n istio-system

Deploy a Sample Application:

Deploy the Bookinfo application using the provided command.
Verify the deployment:
kubectl get pods

Enable Istio Injection:

Enable Istio sidecar injection for the default namespace.
Redeploy the Bookinfo application to include Istio sidecars.

🔍 Detailed Example Explanation:

Istio Components:
Pilot: Manages traffic routing and service discovery.
Mixer: Enforces access control and usage policies.
Citadel: Manages certificates and identities for securing communication.
Galley: Manages configuration validation.
Envoy Proxy:
Each service has an Envoy proxy deployed as a sidecar, handling all inbound and outbound traffic. The proxies enforce policies and collect telemetry data.

💡 Benefits for Enterprise Applications:

Traffic Management: Control the flow of traffic and API calls between services.
Security: Secure service-to-service communication with mutual TLS.
Observability: Collect metrics, logs, and traces to monitor service performance.
Resilience: Implement retries, timeouts, and circuit breakers to increase fault tolerance.

📚 Additional Concepts and Examples:

📑 Traffic Shifting:

Gradually shift traffic between different versions of a service.
Example:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 75
    - destination:
        host: reviews
        subset: v2
      weight: 25

📑 Mutual TLS:

Enable mutual TLS for secure communication between services.
Example:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT

🧪 Hands-on Activity:

Install Istio:
Use the provided commands to download and install Istio.
Deploy the Bookinfo Application:
Deploy the Bookinfo sample application and verify the deployment.
Enable Istio Injection:
Enable Istio sidecar injection and redeploy the Bookinfo application.
Implement Traffic Shifting:
Define and apply a VirtualService to shift traffic between different versions of a service.
Enable Mutual TLS:
Define and apply a PeerAuthentication policy to secure communication with mutual TLS.
Verify and Inspect:
Use kubectl get pods, istioctl proxy-status, and kubectl describe <resource> to verify and inspect the Istio setup and configurations.
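
A check for the "Verify and Inspect" step, as an added example that is not part of the original post: labelling the namespace only affects pods created afterwards, so this script lists pods that still run without the sidecar. The function names and sample pod names are constructed for illustration; istio-proxy is the container name Istio's injector uses.

```shell
#!/bin/sh
# Added example: report pods that are running without the istio-proxy sidecar.
# Input on stdin, one pod per line: <pod-name><TAB><container names, space-separated>
# On a live cluster the same listing can be produced with:
#   kubectl get pods -n default -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.initContainers[*].name} {.spec.containers[*].name}{"\n"}{end}'
# initContainers are included because the proxy may be injected there
# (native sidecar mode) instead of in the regular containers list.

pods_missing_sidecar() {
    # Print the name of every pod whose container list lacks an exact
    # "istio-proxy" entry (substring matches such as "my-istio-proxy" do not count).
    awk -F '\t' '
        $1 != "" {
            n = split($2, names, " ")
            found = 0
            for (i = 1; i <= n; i++) if (names[i] == "istio-proxy") found = 1
            if (!found) print $1
        }'
}

mesh_coverage_ok() {
    # Return 0 only when every pod in the listing carries the sidecar.
    missing=$(pods_missing_sidecar)
    if [ -z "$missing" ]; then
        return 0
    fi
    printf 'pods without istio-proxy:\n%s\n' "$missing" >&2
    return 1
}

# Constructed sample listing (not real cluster output): two pods were created
# before the namespace was labelled and never restarted, so they have no sidecar.
SAMPLE_PODS=$(printf '%s\t%s\n' \
    'details-v1-sample'     'istio-init details istio-proxy' \
    'productpage-v1-sample' ' productpage' \
    'ratings-v1-sample'     'istio-init istio-proxy ratings' \
    'reviews-v1-sample'     ' reviews')

# Demo on the constructed sample; prints the two uncovered pods.
printf '%s\n' "$SAMPLE_PODS" | pods_missing_sidecar
```

A pod reported here is outside the mesh: it sends plaintext, which sidecar-protected workloads under a STRICT PeerAuthentication policy reject.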