The Istio Steering Committee consists of 9 proportionally-allocated Contribution Seats, and 4 elected Community Seats. Our third annual election for our Community Seats has concluded, and we are pleased to announce the choice of our members: Craig Box (ARMO) Iris Ding (Intel) Faseela K (Ericsson Software Technology) Christian Posta (Solo.io) We would like to extend our heartfelt thanks to Zack Butcher, Lin Sun and Zhonghu Xu, whose terms have now ended. With Contribution Seat holders from Goo...| Istio Blog
Connect, secure, control, and observe services.
We recently announced Istio ambient mesh which is a sidecar-less data plane for Istio. As stated in the announcement blog, the top concerns we address with ambient mesh are simplified operations, broader application compatibility, reduced infrastructure costs and improved performance. When designing the ambient data plane, we wanted to carefully balance the concerns around operations, cost, and performance while not sacrificing security or functionality. As the components of ambient run outsi...
Ambient mesh is a new data plane mode for Istio introduced today. Following this getting started guide, you can experience how ambient mesh can simplify your application onboarding, help with ongoing operations, and reduce service mesh infrastructure resource usage. Install Istio with Ambient Mode Download the preview version of Istio with support for ambient mesh. Check out supported environments. We recommend using a Kubernetes cluster that is version 1.21 or newer that has two nodes or mor...
Today we want to congratulate the Kubernetes SIG Network community on the beta release of the Gateway API specification. Alongside this milestone, we are pleased to announce that support for using the Gateway API in Istio ingress is being promoted to Beta, and our intention for the Gateway API to become the default API for all Istio traffic management in the future. We are also excited to welcome our friends from the Service Mesh Interface (SMI) community, who are joining us in a new effort t...
Accelerate TLS handshake using CryptoMB Private Key Provider configuration in Istio gateways and sidecars.
The Istio project is pleased to announce its intention to join the Cloud Native Computing Foundation (CNCF). With the support of the Istio Steering Committee, Google has submitted an application proposal for Istio to join the CNCF, the home of its companion projects Kubernetes and Envoy. It is almost 5 years since Google, IBM and Lyft launched Istio 0.1 in May 2017. That first version set the standard for what a service mesh should be: traffic management, policy enforcement, and observability...
Using a proxy server to support istioctl commands in a mesh with an external control plane.
IstioCon is the annual user-centered event for Istio, the industry’s most popular service mesh. This event will take place April 25-29, it will be 100% virtual, and registrations are now open free of charge. If you are among the first 400 people to register to the conference, you are eligible to receive a conference t-shirt! In 2021, more than 4,000 people from across 84 countries joined the event online, to hear from 27 end-user companies how they are using Istio in production. Participant...
The secret of Istio’s abilities in traffic management, security, observability and policy is all in the Envoy proxy. Istio uses Envoy as the “sidecar” to intercept service traffic, with the kernel’s netfilter packet filter functionality configured by iptables. There are shortcomings in using iptables to perform this interception. Since netfilter is a highly versatile tool for filtering packets, several routing rules and data filtering processes are applied before reaching the destinat...
IstioCon 2022, set for April 25-29, will be the second annual conference for Istio, the industry’s most popular service mesh. This year’s conference will again be 100% virtual, connecting community members across the globe with Istio’s ecosystem. Visit the conference website for all the information related to the event. IstioCon provides an opportunity to showcase the lessons learned from running Istio in production, hands-on experiences from the Istio community, and will feature mainta...
Reducing complexity by simplifying the virtual machine on-boarding experience.
Introduction to the new Wasm Plugin API and updates to the Wasm-based plugin support in Envoy and Istio.
Istio dynamically configures its Envoy sidecar proxies using a set of discovery APIs, collectively known as the xDS APIs. These APIs aim to become a universal data-plane API. The gRPC project has significant support for the xDS APIs, which means you can manage gRPC workloads without having to deploy an Envoy sidecar along with them. You can learn more about the integration in a KubeCon EU 2021 talk from Megan Yahya. The latest updates on gRPC’s support can be found in their proposals along ...
Aeraki provides a framework to allow Istio to support more layer-7 protocols other than HTTP.
In keeping with our 2021 theme of improving Day 2 Istio operations, the Istio team has been evaluating extending the support window for our releases to give users more time to upgrade. For starters, we are extending the support window of Istio 1.9 by six weeks, to October 5, 2021. We hope that this additional support window will allow the many users who are currently using Istio 1.9 to upgrade, either to Istio 1.10 or directly to Istio 1.11. By overlapping support between 1.9 and 1.11, we int...
The Istio service mesh has gained wide production adoption across a wide variety of industries. The success of the project, and its critical usage for enforcing key security policies in infrastructure warranted an open and neutral assessment of the security risks associated with the project. To achieve this goal, the Istio community contracted the NCC Group last year to conduct a third-party security assessment of the project. The goal of the review was “to identify security issues related ...
With the rapid popularization of cloud native technology in China, Istio has also gained popularity in this corner of the world. Almost all Chinese CSPs have created and are running service mesh products based on Istio. We welcomed thousands of Istio users and developers to the first IstioCon in February 2021, and the attendees expressed an interest in participating in more meetups and helping to grow the community at the local level. To this end, the Istio community united six partners — ...
Last year we introduced a new Steering Committee charter, which shares governance responsibilities between Contribution Seats, selected based on contributions to the project, and Community Seats, elected by the project members. We elected four members, with the committee representing seven different companies. It’s now time to kick off our 2021 election for Community Seats. Members have two weeks to submit nominations, and voting will run from 12 to 25 July. You can learn all about the elec...
Learn how to configure locality load balancing and failover for endpoints that are outside of your mesh.
Like all security software, your service mesh should be kept up-to-date. The Istio community releases new versions every quarter, with regular patch releases for bug fixes and security vulnerabilities. The operator of a service mesh will need to upgrade the control plane and data plane components many times. You must take care when upgrading, as a mistake could affect your business traffic. Istio has many mechanisms to make it safe to perform upgrades in a controlled manner, and in Istio 1.10...
Celebrating Istio’s 4th birthday. Four years ago today, the Istio project was born to the open source world. To celebrate this anniversary, we are hosting a week-long birthday celebration that focuses on contributions to the Istio project that stem from using Istio in production. Read on to learn how to participate in this celebration and enter a chance to win some Istio swag. [Image: Istio's 4th Birthday!] A year of important developments for Istio. Over the last 12 months, the Istio project has been ...
As Service Mesh technology moves from cutting edge to stable infrastructure, many users have expressed an interest in upgrading their service mesh less frequently, as qualifying a new minor release can take a lot of time. Upgrading can be especially difficult for users who don’t keep up with new releases, as Istio has not supported upgrades across multiple minor versions. To upgrade from 1.6.x to 1.8.x, users first had to upgrade to 1.7.x and then to 1.8.x. With the release of Istio 1.10, w...
Learn how to easily deploy StatefulSets with Istio 1.10.
While most of the work in the Istio Product Security Working Group is done behind the scenes, we are listening to the community in setting expectations for security releases. We understand that it is difficult for mesh administrators, operators and vendors to be aware of security bulletins and security releases. We currently disclose vulnerabilities and security releases via numerous channels: istio.io via our Release Announcements and Security Bulletins Discuss announcements channel on Slack...
As users move their services to run in the Istio service mesh, they are often surprised that the control plane watches and processes all of the Kubernetes resources, from all namespaces in the cluster, by default. This can be an issue for very large clusters with lots of namespaces and deployments, or even for a moderately sized cluster with rapidly churning resources (for example, Spark jobs). Both in the community as well as for our large-scale customers at Solo.io, we need a way to dynamic...
Understanding the upcoming changes to Istio networking, how they may impact your cluster, and what action to take.
An update on Envoy and Istio's WebAssembly-based extensibility effort.
In versions of Istio prior to 1.4, security policy was configured using v1alpha1 APIs (MeshPolicy, Policy, ClusterRbacConfig, ServiceRole and ServiceRoleBinding). After consulting with our early adopters, we made major improvements to the policy system and released v1beta1 APIs along with Istio 1.4. These refreshed APIs (PeerAuthentication, RequestAuthentication and AuthorizationPolicy) helped standardize how we define policy targets in Istio, helped users understand where policies were appli...
Understanding the benefits Istio brings, even when no configuration is used.
IstioCon 2021 is a week-long, community-led, virtual conference starting on February 22. This event provides an opportunity to hear the lessons learned from companies like Atlassian, Airbnb, FICO, eBay, T-Mobile and Salesforce running Istio in production, hands-on experiences from the Istio community, and will feature maintainers from across the Istio ecosystem. You can now find the full schedule of events which includes a series of English sessions and Chinese sessions. By attending the conf...
Background Istio’s authorization policy provides access control for services in the mesh. It is fast, powerful and a widely used feature. We have made continuous improvements to make policy more flexible since its first release in Istio 1.4, including the DENY action, exclusion semantics, X-Forwarded-For header support, nested JWT claim support and more. These features improve the flexibility of the authorization policy, but there are still many use cases that cannot be supported with this ...
At Deutsche Telekom Pan-Net, we have embraced Istio as the umbrella to cover our services. Unfortunately, there are services which have not yet been migrated to Kubernetes, or cannot be. We can set Istio up as a proxy service for these upstream services. This allows us to benefit from capabilities like authorization/authentication, traceability and observability, even while legacy services stand as they are. At the end of this article there is a hands-on exercise where you can simulate the sc...
This blog presents my latest experience about how to configure and enable the proxy protocol with a stack of AWS NLB and Istio ingress gateway. The Proxy Protocol was designed to chain proxies and reverse-proxies without losing the client information. The proxy protocol prevents the need for infrastructure changes or NATing firewalls, and offers the benefits of being protocol agnostic and providing good scalability. Additionally, we also enable the X-Forwarded-For HTTP header in the deployment to m...
IstioCon 2021 will be the inaugural conference for Istio, the industry’s most popular service mesh. In its inaugural year, IstioCon will be 100% virtual, connecting community members across the globe with Istio’s ecosystem. This conference will take place at the end of February. All the information related to IstioCon will be published on the conference website. IstioCon provides an opportunity to showcase the lessons learned from running Istio in production, hands-on experiences from the...
Since November 20th, 2020, Docker Hub has introduced rate limits on image pulls. Because Istio uses Docker Hub as the default registry, usage on a large cluster may lead to pods failing to start up due to exceeding rate limits. This can be especially problematic for Istio, as there is typically the Istio sidecar image alongside most pods in the cluster. Mitigations: Istio allows you to specify a custom docker registry, which you can use to have container images fetched from your private regis...
DNS resolution is a vital component of any application infrastructure on Kubernetes. When your application code attempts to access another service in the Kubernetes cluster or even a service on the internet, it has to first lookup the IP address corresponding to the hostname of the service, before initiating a connection to the service. This name lookup process is often referred to as service discovery. In Kubernetes, the cluster DNS server, be it kube-dns or CoreDNS, resolves the service’s...
Last month, we announced a revision to our Steering Committee charter, opening up governance roles to more contributors and community members. The Steering Committee now consists of 9 proportionally-allocated Contribution Seats, and 4 elected Community Seats. We have now concluded our inaugural election for the Community Seats, and we’re excited to welcome the following new members to the Committee: Neeraj Poddar (Aspen Mesh) Zack Butcher (Tetrate) Christian Posta (Solo.io) Zhonghu Xu (Huaw...
Overview Istio has a wide range of security policies which can be easily configured into systems of services. As the number of applied policies increases, it is important to understand the relationship of latency, memory usage, and CPU usage of the system. This blog post goes over common security policies use cases and how the number of security policies or the number of specific rules in a security policy can affect the overall latency of requests. Setup There are a wide range of security po...
Overview From experience working with various service mesh users and vendors, we believe there are 3 key personas for a typical service mesh: Mesh Operator, who manages the service mesh control plane installation and upgrade. Mesh Admin, often referred to as Platform Owner, who owns the service mesh platform and defines the overall strategy and implementation for service owners to adopt service mesh. Mesh User, often referred to as Service Owner, who owns one or more services in the mesh. Prior to ...
Today, the Istio project is pleased to announce a new revision to its steering charter, which opens up governance roles to more contributors and community members. This revision solidifies our commitment to open governance, ensuring that the community around the project will always be able to steer its direction, and that no one company has majority voting control over the project. The Istio Steering Committee oversees the administrative aspects of the project and sets the marketing direction...
MOSN (Modular Open Smart Network) is a network proxy server written in Go. It was built at Ant Group as a sidecar/API Gateway/cloud-native Ingress/Layer 4 or Layer 7 load balancer etc. Over time, we’ve added extra features, like a multi-protocol framework, multi-process plug-in mechanism, a DSL, and support for the xDS APIs. Supporting xDS means we are now able to use MOSN as the network proxy for Istio. This configuration is not supported by the Istio project; for help, please see Learn Mo...
Since day one, the Istio project has believed in the importance of being contributor-run, open, transparent and available to all. In that spirit, Google is pleased to announce that it will be transferring ownership of the project’s trademarks to the new Open Usage Commons. Istio is an open source project, released under the Apache 2.0 license. That means people can copy, modify, distribute, make, use and sell the source code. The only freedom people don’t have under the Apache 2.0 license...
Starting with Istio 1.6, we are introducing a new method for integration with telemetry addons, such as Grafana, Prometheus, Zipkin, Jaeger, and Kiali. In previous releases, these addons were bundled as part of the Istio installation. This allowed users to quickly get started with Istio without any complicated configurations to install and integrate these addons. However, it came with some issues: The Istio addon installations were not as up to date or feature rich as upstream installation me...
Introducing Workload Entries: Bridging Kubernetes and VMs Historically, Istio has provided a great experience to workloads that run on Kubernetes, but it has been less smooth for other types of workloads, such as Virtual Machines (VMs) and bare metal. The gaps included the inability to declaratively specify the properties of a sidecar on a VM, inability to properly respond to the lifecycle changes of the workload (e.g., booting to not ready to ready, or health checks), and cumbersome DNS workar...
Canary deployments are a core feature of Istio. Users rely on Istio’s traffic management features to safely control the rollout of new versions of their applications, while making use of Istio’s rich telemetry to compare the performance of canaries. However, when it came to upgrading Istio, there was not an easy way to canary the upgrade, and due to the in-place nature of the upgrade, issues or changes found affect the entire mesh at once. Istio 1.6 will support a new upgrade model to saf...
In this blog post I show how to configure the Ingress Application Load Balancer (ALB) on IBM Cloud Kubernetes Service (IKS) to direct traffic to the Istio ingress gateway, while securing the traffic between them using mutual TLS authentication. When you use IKS without Istio, you may control your ingress traffic using the provided ALB. This ingress-traffic routing is configured using a Kubernetes Ingress resource with ALB-specific annotations. IKS provides a DNS domain name, a TLS certificate...
Istio sidecars obtain their certificates using the secret discovery service. A service in the service mesh may not need (or want) an Envoy sidecar to handle its traffic. In this case, the service will need to obtain a certificate itself if it wants to connect to other TLS or mutual TLS secured services. For a service with no need of a sidecar to manage its traffic, a sidecar can nevertheless still be deployed only to provision the private key and certificates through the CSR flow from the CA ...
Originally posted on the Solo.io blog As organizations adopt Envoy-based infrastructure like Istio to help solve challenges with microservices communication, they inevitably find themselves needing to customize some part of that infrastructure to fit within their organization’s constraints. WebAssembly (Wasm) has emerged as a safe, secure, and dynamic environment for platform extension. In the recent announcement of Istio 1.5, the Istio project lays the foundation for bringing WebAssembly t...
Microservices are a great pattern when they map services to disparate teams that deliver them, or when the value of independent rollout and the value of independent scale are greater than the cost of orchestration. We regularly talk to customers and teams running Istio in the real world, and they told us that none of these were the case for the Istio control plane. So, in Istio 1.5, we’ve changed how Istio is packaged, consolidating the control plane functionality into a single binary calle...
As outlined in the Istio 2020 trade winds blog and more recently announced with Istio 1.5, WebAssembly (Wasm) is now an (alpha) option for extending the functionality of the Istio service proxy (Envoy proxy). With Wasm, users can build support for new protocols, custom metrics, loggers, and other filters. Working closely with Google, we in the community (Solo.io) have focused on the user experience of building, socializing, and deploying Wasm extensions to Istio. We’ve announced WebAssembly...
The future of Istio extensibility using WASM.
Istio solves real problems that people encounter running microservices. Even very early pre-release versions helped users debug the latency in their architecture, increase the reliability of services, and transparently secure traffic behind the firewall. Last year, the Istio project experienced major growth. After a 9-month gestation before the 1.1 release in Q1, we set a goal of having a quarterly release cadence. We knew it was important to deliver value consistently and predictably. With t...
In Istio versions before 1.5, during secret discovery service (SDS) execution, the SDS client and the SDS server communicate through a cross-pod Unix domain socket (UDS), which needs to be protected by Kubernetes pod security policies. With Istio 1.5, Pilot Agent, Envoy, and Citadel Agent will be running in the same container (the architecture is shown in the following diagram). To defend against attackers eavesdropping on the cross-pod UDS between Envoy (SDS client) and Citadel Agent (SDS se...
At Intuit, we read the blog post Multi-Mesh Deployments for Isolation and Boundary Protection and immediately related to some of the problems mentioned. We realized that even though we wanted to configure a single multi-cluster mesh, instead of a federation of multiple meshes as described in the blog post, the same non-uniform naming issues also applied in our environment. This blog post explains how we solved these problems using Admiral, an open source project under istio-ecosystem in GitHu...
Istio has two webhooks: Galley and the sidecar injector. Galley validates Kubernetes resources and the sidecar injector injects sidecar containers into Istio. By default, Galley and the sidecar injector manage their own webhook configurations. This can pose a security risk if they are compromised, for example, through buffer overflow attacks. Configuring a webhook is a highly privileged operation as a webhook may monitor and mutate all Kubernetes resources. In the following example, the attac...
Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy.
Kubernetes operators provide a pattern for encoding human operational knowledge in software and are a popular way to simplify the administration of software infrastructure components. Istio is a natural candidate for an automated operator as it is challenging to administer. Up until now, Helm has been the primary tool to install and upgrade Istio. Istio 1.4 introduces a new method of installation using istioctl. This new installation method builds on the strengths of Helm with the addition of...
Istio 1.4 introduces an experimental new tool to help you analyze and debug your clusters running Istio. istioctl analyze is a diagnostic tool that detects potential issues with your Istio configuration, as well as gives general insights to improve your configuration. It can run against a live cluster or a set of local configuration files. It can also run against a combination of the two, allowing you to catch problems before you apply changes to a cluster. To get started with it in just minu...
By default, Citadel manages the DNS certificates of the Istio control plane. Citadel is a large component that maintains its own private signing key, and acts as a Certificate Authority (CA). New in Istio 1.4, we introduce a feature to securely provision and manage DNS certificates signed by the Kubernetes CA, which has the following advantages. Lighter weight DNS certificate management with no dependency on Citadel. Unlike Citadel, this feature doesn’t maintain a private signing key, which...
We are pleased to announce the initial release of the Istio client go repository which enables developers to gain programmatic access to Istio APIs in a Kubernetes environment. The generated Kubernetes informers and client set in this repository makes it easy for developers to create controllers and perform Create, Read, Update and Delete (CRUD) operations for all Istio Custom Resource Definitions (CRDs). This was a highly requested functionality by many Istio users, as is evident from the fe...
The Control Ingress Traffic and the Ingress Gateway without TLS Termination tasks describe how to configure an ingress gateway to expose services inside the mesh to external traffic. The services can be HTTP or HTTPS. In the case of HTTPS, the gateway passes the traffic through, without terminating TLS. This blog post describes how to use the same ingress gateway mechanism of Istio to enable access to external services and not to applications inside the mesh. This way Istio as a whole can ser...
Various compliance standards require protection of sensitive data environments. Some of the important standards and the types of sensitive data they protect appear in the following table. Standard / Sensitive data: PCI DSS / payment card data; FedRAMP / federal information, data and metadata; HIPAA / personal health data; GDPR / personal data. PCI DSS, for example, recommends putting the cardholder data environment on a network, separate from the rest of the system. It also requires using a DMZ, and setting firewall...
Understanding, controlling and securing your external service access is one of the key benefits that you get from a service mesh like Istio. From a security and operations point of view, it is critical to monitor what external service traffic is getting blocked as they might surface possible misconfigurations or a security vulnerability if an application is attempting to communicate with a service that it should not be allowed to. Similarly, if you currently have a policy of allowing any exte...
This post demonstrates how you can use Mixer to push application logic into Istio. It describes a Mixer adapter which implements the Knative scale-from-zero logic with simple code and similar performance to the original implementation. Knative serving Knative Serving builds on Kubernetes to support deploying and serving of serverless applications. A core capability of serverless platforms is scale-to-zero functionality which reduces resource usage and cost of inactive workloads. A new mechani...
If you are running your containerized applications on Kubernetes, you can benefit from using the App Identity and Access Adapter for an abstracted level of security with zero code changes or redeploys. Whether your computing environment is based on a single cloud provider, a combination of multiple cloud providers, or following a hybrid cloud approach, having a centralized identity management can help you to preserve existing infrastructure and avoid vendor lock-in. With the App Identity and ...
In Istio 1.3, we are taking advantage of improvements in Kubernetes to issue certificates for workload instances more securely. When a Citadel Agent sends a certificate signing request to Citadel to get a certificate for a workload instance, it includes the JWT that the Kubernetes API server issued representing the service account of the workload instance. If Citadel can authenticate the JWT, it extracts the service account name needed to issue the certificate for the workload instance. Befor...
One of Istio’s main goals has always been, and continues to be, enabling teams to develop abstractions that work best for their specific organization and workloads. Istio provides robust and powerful building blocks for service-to-service networking. Since Istio 0.1, the Istio team has been learning from production users about how they map their own architectures, workloads, and constraints to Istio’s capabilities, and we’ve been evolving Istio’s APIs to make them work better for you....
Welcome to part 3 in our series about secure control of egress traffic in Istio. In the first part in the series, I presented the attacks involving egress traffic and the requirements we collected for a secure control system for egress traffic. In the second part in the series, I presented the Istio way of securing egress traffic and showed how you can prevent the attacks using Istio. In this installment, I compare secure control of egress traffic in Istio with alternative solutions such as u...
Welcome to part 2 in our new series about secure control of egress traffic in Istio. In the first part in the series, I presented the attacks involving egress traffic and the requirements we collected for a secure control system for egress traffic. In this installment, I describe the Istio way to securely control the egress traffic, and show how Istio can help you prevent the attacks. Secure control of egress traffic in Istio To implement secure control of egress traffic in Istio, you must di...
Service meshes add a lot of functionality to application deployments, including traffic policies, observability, and secure communication. But adding a service mesh to your environment comes at a cost, whether that’s time (added latency) or resources (CPU cycles). To make an informed decision on whether a service mesh is right for your use case, it’s important to evaluate how your application performs when deployed with a service mesh. Earlier this year, we published a blog post on Istio...
Istio self-signed certificates have historically had a 1 year default lifetime. If you are using Istio self-signed certificates, you need to schedule regular root transitions before they expire. An expiration of a root certificate may lead to an unexpected cluster-wide outage. The issue affects new clusters created with versions up to 1.0.7 and 1.1.7. See Extending Self-Signed Certificate Lifetime for information on how to gauge the age of your certificates and how to perform rotation.
This is part 1 in a new series about secure control of egress traffic in Istio that I am going to publish. In this installment, I explain why you should apply egress traffic control to your cluster, the attacks involving egress traffic you want to prevent, and the requirements for a system for egress traffic control to do so. Once you agree that you should control the egress traffic coming from your cluster, the following questions arise: What is required from a system for secure control of e...
Hyper-scale, microservice-based cloud environments have been exciting to build but challenging to manage. Along came Kubernetes (container orchestration) in 2014, followed by Istio (container service management) in 2017. Both open-source projects enable developers to scale container-based applications without spending too much time on administration tasks. Now, new enhancements in Istio 1.1 deliver scale-up with improved application performance and service management efficiency. Simulations u...
If you’ve spent any time looking at Istio, you’ve probably noticed that it includes a lot of features that can be demonstrated with simple tasks and examples running on a single Kubernetes cluster. Because most, if not all, real-world cloud and microservices-based applications are not that simple and will need to have the services distributed and running in more than one location, you may be wondering if all these things will be just as simple in your real production environment. Fortunat...
Welcome to the Istio blog! To make it easier to publish your content on our website, we updated the content types guide. The goal of the updated guide is to make sharing and finding content easier. We want to make sharing timely information on Istio easy and the Istio blog is a good place to start. We welcome your posts to the blog if you think your content falls in one of the following four categories: Your post details your experience using and configuring Istio. Ideally, your post shares a...
The main objective of this investigation was to determine the impact on performance and resource utilization when an egress gateway is added in the service mesh to access an external service (MongoDB, in this case). The steps to configure an egress gateway for an external MongoDB are described in the blog Consuming External MongoDB Services. The application used for this investigation was the Java version of Acmeair, which simulates an airline reservation system. This application is used in t...
A simple overview of an Istio service-mesh architecture always starts with describing the control-plane and data-plane. From Istio’s documentation: Istio Architecture. It is important to understand that the sidecar injection into the application pods happens automatically, though manual injection is also possible. Traffic is directed from the application services to and from these sidecars without developers needing to worry about it. Once the applications are connected to the Istio service m...| Istio Blog
We are going through an interesting cycle of application decomposition and recomposition. While the microservice paradigm is driving monolithic applications to be broken into separate individual services, the service mesh approach is helping them to be connected back together into well-structured applications. As such, microservices are logically separate but not independent. They are usually closely interdependent and taking them apart introduces many new concerns such as need for mutual aut...| Istio Blog
This post provides instructions to manually create a custom ingress gateway with automatic provisioning of certificates based on cert-manager. A custom ingress gateway can be used to get a separate load balancer and so isolate traffic. Before you begin Set up Istio by following the instructions in the Installation guide. Set up cert-manager with its helm chart. We will use demo.mydemo.com for our example; it must be resolvable through your DNS. Configuring the custom ingress...| Istio Blog
We in the Istio community have been working to find the right medium for users to engage with other members of the community – to ask questions, to get help from other users, and to engage with developers working on the project. We’ve tried several different avenues, but each has had some downsides. RocketChat was our most recent endeavor, but the lack of certain features (for example, threading) meant it wasn’t ideal for any longer discussions around a single issue. It also led to a di...| Istio Blog
Traffic management is one of the critical benefits provided by Istio. At the heart of Istio’s traffic management is the ability to decouple traffic flow and infrastructure scaling. This lets you control your traffic in ways that aren’t possible without a service mesh like Istio. For example, let’s say you want to execute a canary deployment. With Istio, you can specify that v1 of a service receives 90% of incoming traffic, while v2 of that service only receives 10%. With standard Kubern...| Istio Blog
In the Consuming External TCP Services blog post, I described how external services can be consumed by in-mesh Istio applications via TCP. In this post, I demonstrate consuming external MongoDB services. You use the Istio Bookinfo sample application, the version in which the book ratings data is persisted in a MongoDB database. You deploy this database outside the cluster and configure the ratings microservice to use it. You will learn multiple options of controlling traffic to external Mongo...| Istio Blog
To celebrate the 1.0 release and to promote the software to a wider audience, the Istio community is hosting an all day live stream on Twitch on August 17th. What is Twitch? Twitch is a popular video gaming live streaming platform and recently has seen a lot of coding content showing up. The IBM Advocates have been doing live coding and presentations there and it’s been fun. While mostly used for gaming content, there is a growing community sharing and watching programming content on the si...| Istio Blog
The FitStation team at HP strongly believes in the future of Kubernetes, BPF and service-mesh as the next standards in cloud infrastructure. We are also very happy to see Istio coming to its official Istio 1.0 release – thanks to the joint collaboration that started at Google, IBM and Lyft beginning in May 2017. Throughout the development of FitStation’s large scale and progressive cloud platform, Istio, Cilium and Kubernetes technologies have delivered a multitude of opportunities to mak...| Istio Blog
The sidecar proxy approach enables a lot of awesomeness. Squarely in the datapath between microservices, the sidecar can precisely tell what the application is trying to do. It can monitor and instrument protocol traffic, not in the bowels of the networking layers but at the application level, to enable deep visibility, access controls and traffic management. If we look closely however, there are many intermediate layers that the data has to pass through before the high-value analysis of appl...| Istio Blog
Micro-segmentation is a security technique that creates secure zones in cloud deployments and allows organizations to isolate workloads from one another and secure them individually. Istio’s authorization feature, also known as Istio Role Based Access Control, provides micro-segmentation for services in an Istio mesh. It features: Authorization at different levels of granularity, including namespace level, service level, and method level. Service-to-service and end-user-to-service authoriza...| Istio Blog
This post shows how to direct Istio logs to Stackdriver and export those logs to various configured sinks such as BigQuery, Google Cloud Storage or Cloud Pub/Sub. At the end of this post you can perform analytics on Istio data from your favorite places such as BigQuery, GCS or Cloud Pub/Sub. The Bookinfo sample application is used as the example application throughout this task. Before you begin Install Istio in your cluster and deploy an application. Configuring Istio to export logs ...| Istio Blog
While Istio’s main focus is management of traffic between microservices inside a service mesh, Istio can also manage ingress (from outside into the mesh) and egress (from the mesh outwards) traffic. Istio can uniformly enforce access policies and aggregate telemetry data for mesh-internal, ingress and egress traffic. In this blog post, we show how to apply monitoring and access policies to HTTP egress traffic with Istio. Use case Consider an organization that runs applications that process ...| Istio Blog
Up until now, Istio has provided a simple API for traffic management using four configuration resources: RouteRule, DestinationPolicy, EgressRule, and (Kubernetes) Ingress. With this API, users have been able to easily manage the flow of traffic in an Istio service mesh. The API has allowed users to route requests to specific versions of services, inject delays and failures for resilience testing, add timeouts and circuit breakers, and more, all without changing the application code itself. W...| Istio Blog
This post provides instructions to use and configure Istio ingress with an AWS Network Load Balancer. A Network Load Balancer (NLB) can be used instead of a Classic Load Balancer. See the comparison between the different AWS load balancers for more explanation. Prerequisites The following instructions require a Kubernetes 1.9.0 or newer cluster. IAM policy You need to apply a policy to the master role in order to be able to provision a network load balancer. In the AWS IAM console click on Policies an...| Istio Blog
Multi-tenancy is commonly used in many environments across many different applications, but the implementation details and functionality provided on a per-tenant basis do not follow one model in all environments. The Kubernetes multi-tenancy working group is working to define the multi-tenant use cases and functionality that should be available within Kubernetes. However, from their work so far it is clear that only “soft multi-tenancy” is possible due to the inability to fully protect ...| Istio Blog
Trying to enumerate all the possible combinations of test cases for testing services in non-production/test environments can be daunting. In some cases, you’ll find that all of the effort that goes into cataloging these use cases doesn’t match up to real production use cases. Ideally, we could use live production use cases and traffic to help illuminate all of the feature areas of the service under test that we might miss in more contrived testing environments. Istio can help here. With t...| Istio Blog
In my previous blog post, Consuming External Web Services, I described how external services can be consumed by in-mesh Istio applications via HTTPS. In this post, I demonstrate consuming external services over TCP. You will use the Istio Bookinfo sample application, the version in which the book ratings data is persisted in a MySQL database. You deploy this database outside the cluster and configure the ratings microservice to use it. You define a Service Entry to allow the in-mesh applicati...| Istio Blog
In many cases, not all the parts of a microservices-based application reside in a service mesh. Sometimes, the microservices-based applications use functionality provided by legacy systems that reside outside the mesh. You may want to migrate these systems to the service mesh gradually. Until these systems are migrated, they must be accessed by the applications inside the mesh. In other cases, the applications use web services provided by third parties. In this blog post, I modify the Istio B...| Istio Blog
As Mixer is in the request path, it is natural to question how it impacts overall system availability and latency. A common refrain we hear when people first glance at Istio architecture diagrams is “Isn’t this just introducing a single point of failure?” In this post, we’ll dig deeper and cover the design principles that underpin Mixer and the surprising fact Mixer actually increases overall mesh availability and reduces average request latency. Istio’s use of Mixer has two main be...| Istio Blog
Istio 0.2 introduced a new Mixer adapter model which is intended to increase Mixer’s flexibility to address a varied set of infrastructure backends. This post intends to put the adapter model in context and explain how it works. Why adapters? Infrastructure backends provide support functionality used to build services. They include such things as access control systems, telemetry capturing systems, quota enforcement systems, billing systems, and so forth. Services traditionally directly int...| Istio Blog
How Kubernetes Network Policy relates to Istio policy.| Istio
Using Istio to create autoscaled canary deployments.| Istio