If you're working with K8s and you don't know what Istio is, this post is for you!
Istio is a service mesh based on Envoy. (https://www.envoyproxy.io/)
A service mesh is a dedicated infrastructure layer for facilitating service-to-service communications between services or microservices, often using a sidecar proxy. (https://en.wikipedia.org/wiki/Service_mesh)
It has four objectives: connect, secure, control and observe your services.
Connect: it helps you connect services, load-balance the traffic between them, inject faults to test how your infrastructure copes with failures, set up circuit breakers, and so on.
For example, you can assign weights to destinations so that a percentage of the traffic goes to one version of a service and the rest goes to another one. This is really powerful for canary-testing a new feature.
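Here is what that looks like in practice, as an added example that is not part of the original post. It assumes a Service named "reviews" in the namespace "my-namespace", backed by two Deployments whose pods carry the labels version=v1 and version=v2 (all hypothetical names). The DestinationRule defines the two subsets and a circuit breaker; the VirtualService sends 10% of the traffic to v2 and, for requests that opt in with a test header, injects a 5 s delay:

```yaml
# Added example, not from the original post. Assumes a Service "reviews"
# in "my-namespace" with pods labelled version=v1 and version=v2.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: my-namespace
spec:
  host: reviews
  subsets:                             # named groups of pods, selected by label
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  trafficPolicy:
    connectionPool:
      http:
        http1MaxPendingRequests: 100   # queue limit before requests are rejected
        maxRequestsPerConnection: 10
    outlierDetection:                  # circuit breaker: eject unhealthy pods
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50           # never eject more than half of the pool
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
  namespace: my-namespace
spec:
  hosts:
  - reviews
  http:
  # Rule 1: fault injection, only for requests that opt in with a header,
  # so you can test how callers behave when this dependency is slow.
  - match:
    - headers:
        x-test-delay:
          exact: "true"
    fault:
      delay:
        percentage:
          value: 100
        fixedDelay: 5s
    route:
    - destination:
        host: reviews
        subset: v1
  # Rule 2: everything else is split 90/10 between v1 and the new v2.
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v2
      weight: 10
```

Routing rules are evaluated in order and the first match wins, which is why the header-matched rule comes first. The weights of one route must add up to 100; to roll v2 out, you just edit the two numbers and re-apply the manifest.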
Secure: out of the box, Istio encrypts the traffic between your services with mutual TLS wherever both sides have a sidecar (the default PERMISSIVE mode still accepts plaintext, so switch it to STRICT once everything is in the mesh), and it can originate TLS towards external services if you configure it. This also covers databases and other services that don't speak HTTP or HTTPS, because the sidecars encrypt raw TCP connections too.
On top of that, you can configure authentication and authorization: enforce mutual TLS, validate JWT tokens, and write authorization policies based on the resulting service and user identities.
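The three resources below, as an added example that is not part of the original post, do exactly that for a namespace: they require mutual TLS for every workload, validate JWTs on the pods labelled app=api, and only allow requests that carry a valid token. The namespace, the app label and the issuer URL are hypothetical:

```yaml
# Added example, not from the original post. Assumes workloads in
# "my-namespace", an "api" Deployment labelled app=api, and an identity
# provider at https://issuer.example.com (all hypothetical).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: my-namespace
spec:
  mtls:
    mode: STRICT            # plaintext from non-mesh clients is rejected
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-on-api
  namespace: my-namespace
spec:
  selector:
    matchLabels:
      app: api
  jwtRules:
  - issuer: "https://issuer.example.com"
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt-on-api
  namespace: my-namespace
spec:
  selector:
    matchLabels:
      app: api
  action: ALLOW
  rules:
  - from:
    - source:
        # request principals have the form "<issuer>/<subject>"
        requestPrincipals: ["https://issuer.example.com/*"]
```

The AuthorizationPolicy is the piece people forget: a RequestAuthentication on its own only rejects requests that present an invalid token, while requests with no token at all still go through. Requiring a requestPrincipal closes that hole. Also keep in mind that as soon as one ALLOW policy selects a workload, everything not explicitly allowed on that workload is denied.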
Control: with its ingress and egress gateways and its traffic-management resources, you get fine-grained control over the traffic entering, leaving and crossing the mesh.
The best example is the Gateway: you can block all inbound traffic and open only the hosts, ports and paths you want to expose, purely with Kubernetes resources, so you don't need to configure a separate firewall or a similar tool for that layer. (The Gateway governs what the ingress gateway accepts; pod-to-pod traffic inside the cluster is governed by AuthorizationPolicy and NetworkPolicy instead.)
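As an added example (not part of the original post), the pair of resources below exposes a single host on HTTPS, redirects plain HTTP, and routes only the /api/ prefix to a backend. It assumes the standard istio-ingressgateway deployment, a kubernetes.io/tls Secret named "shop-tls" created in istio-system (the namespace the gateway pods run in), and a Service named "api" in "my-namespace"; the host name and all these names are hypothetical:

```yaml
# Added example, not from the original post. Assumes the default
# istio-ingressgateway, a TLS Secret "shop-tls" in istio-system and a
# Service "api" on port 8080 in "my-namespace" (all hypothetical).
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: shop-gateway
  namespace: my-namespace
spec:
  selector:
    istio: ingressgateway            # which gateway pods this config applies to
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE                   # the gateway terminates TLS
      credentialName: shop-tls       # Secret in the gateway's namespace
      minProtocolVersion: TLSV1_2
    hosts:
    - "shop.example.com"             # only this host is accepted
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true            # 301 every plain-HTTP request to HTTPS
    hosts:
    - "shop.example.com"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: shop-ingress
  namespace: my-namespace
spec:
  hosts:
  - "shop.example.com"
  gateways:
  - shop-gateway                     # bound to the Gateway, not to in-mesh traffic
  http:
  - match:
    - uri:
        prefix: /api/
    route:
    - destination:
        host: api                    # Service "api" in my-namespace
        port:
          number: 8080
  # Anything not matched above (for example /admin) gets a 404 from the gateway.
```

Nothing is reachable through the gateway unless a VirtualService binds it to a route, so the default really is "closed"; every exposed path is a deliberate, reviewable line in a manifest.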
Observe: Istio is built to give you good observability of all the traffic and services. The sidecars expose Prometheus metrics out of the box, and the Istio release ships sample addon manifests to deploy Prometheus and, if you want, other tools like:
- Kiali (to see the service graph and configure Istio resources from its UI - https://kiali.io/)
- Grafana (to build dashboards from all the metrics Istio collects - https://grafana.com/)
- Jaeger (for tracing requests - https://www.jaegertracing.io/)
- Zipkin (also for tracing requests - https://zipkin.io/)
I won't cover these tools here; they each deserve their own post.
As we saw, Istio simplifies your life on a Kubernetes cluster. Just by installing it, you get a cluster with a security baseline and the tooling to observe your services; then, brick by brick, you can add more security.
And most importantly, all of Istio's configuration lives in Kubernetes custom resources (VirtualService, Gateway, PeerAuthentication, AuthorizationPolicy...), so you don't need to know how to configure firewalls or other networking tools to use it.
First, install Istio on your cluster following the documentation (https://istio.io/latest/docs/setup/install/), which describes several ways to do it (istioctl, Helm...).
Then add the label istio-injection=enabled to the namespaces where you want Istio to act:
kubectl label ns my-namespace istio-injection=enabled
Finally, restart the pods in these namespaces (for example with a rollout restart of each Deployment): injection happens when a pod is created, so existing pods don't get the sidecar until they are recreated. Each new pod should now show an extra container named istio-proxy, which is the Envoy sidecar.
For my part, I fell in love with this tool the moment I understood what I was able to do with it.
I hope it will help you!