Istio in Action

Book description

Solve difficult service-to-service communication challenges around security, observability, routing, and resilience with an Istio-based service mesh. Istio lets you express security, routing, and resilience policies as declarative configuration and enforces them consistently in the service proxy, without any changes to service code.

In Istio in Action you will learn:

  • Why and when to use a service mesh
  • Envoy’s role in Istio’s service mesh
  • Allowing “north-south” traffic into a mesh
  • Fine-grained traffic routing
  • Making your services robust to network failures
  • Gaining observability over your system with telemetry “golden signals”
  • How Istio makes your services secure by default
  • Integrating cloud-native applications with legacy workloads, such as those running in VMs

Reduce the operational complexity of your microservices with an Istio-powered service mesh! Istio in Action shows you how to implement this architecture and move your application-networking concerns to a dedicated infrastructure layer. Non-functional concerns stay separate from your application, so your code is easier to understand, maintain, and adapt regardless of programming language. In this practical guide, you’ll go hands-on with the full-featured Istio service mesh to manage microservice communication. Helpful diagrams and example configuration make it easy to understand how to control routing, secure container applications, and monitor network traffic.

About the Technology
Offload complex microservice communication layer challenges to Istio! The industry-standard Istio service mesh radically simplifies security, routing, observability, and other service-to-service communication challenges. With Istio, you use a straightforward declarative configuration style to establish application-level network policies. By separating communication from business logic, your services are easier to write, maintain, and modify.

About the Book
Istio in Action teaches you how to implement an Istio-based service mesh that can handle complex routing scenarios, traffic encryption, authorization, and other common network-related tasks. You’ll start by defining a basic service mesh and exploring the data plane with Istio’s service proxy, Envoy. Then, you’ll dive into core topics like traffic routing and visualization and service-to-service authentication, as you expand your service mesh to workloads on multiple clusters and legacy VMs.
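To make the "declarative configuration" claim concrete, here is an added example (not taken from the book or the Istio project's own documentation) of the two security resources the book covers in chapter 9: a mesh-wide PeerAuthentication that enforces mutual TLS, a catch-all AuthorizationPolicy that denies everything in an application namespace, and a narrow ALLOW rule keyed on the caller's SPIFFE identity. The namespace name `istioinaction`, the `app: catalog` label, the `webapp` service account and the `cluster.local` trust domain are assumptions for illustration.

```yaml
# Added example, not the book's own configuration.
# Namespace, label, service-account and trust-domain names are assumed.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system        # the root namespace in a default install: policy applies mesh-wide
spec:
  mtls:
    mode: STRICT                 # sidecars reject plaintext; PERMISSIVE would still accept it
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: istioinaction       # assumed application namespace
spec: {}                         # no selector, no rules: nothing matches, so every request
                                 # to sidecar-injected workloads in this namespace is denied
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-webapp-to-catalog
  namespace: istioinaction
spec:
  selector:
    matchLabels:
      app: catalog               # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE identity taken from the client's mTLS certificate (assumed trust domain)
        principals: ["cluster.local/ns/istioinaction/sa/webapp"]
    to:
    - operation:
        methods: ["GET"]
```

Two practitioner caveats. First, the `principals` match only works when the peer presented a certificate, so the ALLOW rule is only as strong as the STRICT PeerAuthentication above it; under PERMISSIVE mode a plaintext caller has no principal and is simply rejected by the deny-all, which is safe but easy to misread as a routing problem. Second, PeerAuthentication and AuthorizationPolicy are enforced by the sidecar, so workloads without an injected proxy are unaffected by either resource and remain reachable in plaintext.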

What's Inside
  • Comprehensive coverage of Istio resources
  • Practical examples to showcase service mesh capabilities
  • Implementation of multi-cluster service meshes
  • How to extend Istio with WebAssembly
  • Traffic routing and observability
  • VM integration into the mesh


About the Reader
For developers, architects, and operations engineers.

About the Authors
Christian Posta is a well-known architect, speaker, and contributor. Rinor Maloku is an engineer at Solo.io working on application networking solutions.

Quotes
Presents a clear-headed vision of how to achieve the goal of decoupling applications from infrastructure. I hope you’ll enjoy this book as much as I have.
- From the Foreword by Eric Brewer, VP Infrastructure and Google Fellow

I really enjoyed the gentle introduction to Istio. I can easily recommend this book to everyone starting development with Kubernetes.
- Christoph Schubert, SAP SE

A comprehensive guide for building an in-depth understanding of the Istio service mesh.
- Fotis Stamatelopoulos, Upwork

It felt like I was shadowing a highly skilled subject matter expert.
- Paolo Antinori, Red Hat

Table of contents

  1. Istio in Action
  2. Copyright
  3. dedication
  4. contents
  5. front matter
    1. foreword
    2. preface
    3. acknowledgments
    4. about this book
      1. Who should read this book
      2. How this book is organized: A roadmap
      3. About the code
      4. liveBook discussion forum
    5. about the authors
    6. about the cover illustration
  6. Part 1 Understanding Istio
  7. 1 Introducing the Istio service mesh
    1. 1.1 Challenges of going faster
      1. 1.1.1 Our cloud infrastructure is not reliable
      2. 1.1.2 Making service interactions resilient
      3. 1.1.3 Understanding what’s happening in real time
    2. 1.2 Solving these challenges with application libraries
      1. 1.2.1 Drawbacks to application-specific libraries
    3. 1.3 Pushing these concerns to the infrastructure
      1. 1.3.1 The application-aware service proxy
      2. 1.3.2 Meet the Envoy proxy
    4. 1.4 What’s a service mesh?
    5. 1.5 Introducing the Istio service mesh
      1. 1.5.1 How a service mesh relates to an enterprise service bus
      2. 1.5.2 How a service mesh relates to an API gateway
      3. 1.5.3 Can I use Istio for non-microservices deployments?
      4. 1.5.4 Where Istio fits in distributed architectures
      5. 1.5.5 What are the drawbacks to using a service mesh?
    6. Summary
  8. 2 First steps with Istio
    1. 2.1 Deploying Istio on Kubernetes
      1. 2.1.1 Using Docker Desktop for the examples
      2. 2.1.2 Getting the Istio distribution
      3. 2.1.3 Installing the Istio components into Kubernetes
    2. 2.2 Getting to know the Istio control plane
      1. 2.2.1 Istiod
      2. 2.2.2 Ingress and egress gateway
    3. 2.3 Deploying your first application in the service mesh
    4. 2.4 Exploring the power of Istio with resilience, observability, and traffic control
      1. 2.4.1 Istio observability
      2. 2.4.2 Istio for resiliency
      3. 2.4.3 Istio for traffic routing
    5. Summary
  9. 3 Istio’s data plane: The Envoy proxy
    1. 3.1 What is the Envoy proxy?
      1. 3.1.1 Envoy’s core features
      2. 3.1.2 Comparing Envoy to other proxies
    2. 3.2 Configuring Envoy
      1. 3.2.1 Static configuration
      2. 3.2.2 Dynamic configuration
    3. 3.3 Envoy in action
      1. 3.3.1 Envoy’s Admin API
      2. 3.3.2 Envoy request retries
    4. 3.4 How Envoy fits with Istio
    5. Summary
  10. Part 2 Securing, observing, and controlling your service’s network traffic
  11. 4 Istio gateways: Getting traffic into a cluster
    1. 4.1 Traffic ingress concepts
      1. 4.1.1 Virtual IPs: Simplifying service access
      2. 4.1.2 Virtual hosting: Multiple services from a single access point
    2. 4.2 Istio ingress gateways
      1. 4.2.1 Specifying Gateway resources
      2. 4.2.2 Gateway routing with virtual services
      3. 4.2.3 Overall view of traffic flow
      4. 4.2.4 Istio ingress gateway vs. Kubernetes Ingress
      5. 4.2.5 Istio ingress gateway vs. API gateways
    3. 4.3 Securing gateway traffic
      1. 4.3.1 HTTP traffic with TLS
      2. 4.3.2 HTTP redirect to HTTPS
      3. 4.3.3 HTTP traffic with mutual TLS
      4. 4.3.4 Serving multiple virtual hosts with TLS
    4. 4.4 TCP traffic
      1. 4.4.1 Exposing TCP ports on an Istio gateway
      2. 4.4.2 Traffic routing with SNI passthrough
    5. 4.5 Operational tips
      1. 4.5.1 Split gateway responsibilities
      2. 4.5.2 Gateway injection
      3. 4.5.3 Ingress gateway access logs
      4. 4.5.4 Reducing gateway configuration
    6. Summary
  12. 5 Traffic control: Fine-grained traffic routing
    1. 5.1 Reducing the risk of deploying new code
      1. 5.1.1 Deployment vs. release
    2. 5.2 Routing requests with Istio
      1. 5.2.1 Cleaning up our workspace
      2. 5.2.2 Deploying v1 of the catalog service
      3. 5.2.3 Deploying v2 of the catalog service
      4. 5.2.4 Routing all traffic to v1 of the catalog service
      5. 5.2.5 Routing specific requests to v2
      6. 5.2.6 Routing deep within a call graph
    3. 5.3 Traffic shifting
      1. 5.3.1 Canary releasing with Flagger
    4. 5.4 Reducing risk even further: Traffic mirroring
    5. 5.5 Routing to services outside your cluster by using Istio’s service discovery
    6. Summary
  13. 6 Resilience: Solving application networking challenges
    1. 6.1 Building resilience into the application
      1. 6.1.1 Building resilience into application libraries
      2. 6.1.2 Using Istio to solve these problems
      3. 6.1.3 Decentralized implementation of resilience
    2. 6.2 Client-side load balancing
      1. 6.2.1 Getting started with client-side load balancing
      2. 6.2.2 Setting up our scenario
      3. 6.2.3 Testing various client-side load-balancing strategies
      4. 6.2.4 Understanding the different load-balancing algorithms
    3. 6.3 Locality-aware load balancing
      1. 6.3.1 Hands-on with locality load balancing
      2. 6.3.2 More control over locality load balancing with weighted distribution
    4. 6.4 Transparent timeouts and retries
      1. 6.4.1 Timeouts
      2. 6.4.2 Retries
      3. 6.4.3 Advanced retries
    5. 6.5 Circuit breaking with Istio
      1. 6.5.1 Guarding against slow services with connection-pool control
      2. 6.5.2 Guarding against unhealthy services with outlier detection
    6. Summary
  14. 7 Observability: Understanding the behavior of your services
    1. 7.1 What is observability?
      1. 7.1.1 Observability vs. monitoring
      2. 7.1.2 How Istio helps with observability
    2. 7.2 Exploring Istio metrics
      1. 7.2.1 Metrics in the data plane
      2. 7.2.2 Metrics in the control plane
    3. 7.3 Scraping Istio metrics with Prometheus
      1. 7.3.1 Setting up Prometheus and Grafana
      2. 7.3.2 Configuring the Prometheus Operator to scrape the Istio control plane and workloads
    4. 7.4 Customizing Istio’s standard metrics
      1. 7.4.1 Configuring existing metrics
      2. 7.4.2 Creating new metrics
      3. 7.4.3 Grouping calls with new attributes
    5. Summary
  15. 8 Observability: Visualizing network behavior with Grafana, Jaeger, and Kiali
    1. 8.1 Using Grafana to visualize Istio service and control-plane metrics
      1. 8.1.1 Setting up Istio’s Grafana dashboards
      2. 8.1.2 Viewing control-plane metrics
      3. 8.1.3 Viewing data-plane metrics
    2. 8.2 Distributed tracing
      1. 8.2.1 How does distributed tracing work?
      2. 8.2.2 Installing a distributed tracing system
      3. 8.2.3 Configuring Istio to perform distributed tracing
      4. 8.2.4 Viewing distributed tracing data
      5. 8.2.5 Trace sampling, force traces, and custom tags
    3. 8.3 Visualization with Kiali
      1. 8.3.1 Installing Kiali
      2. 8.3.2 Conclusion
    4. Summary
  16. 9 Securing microservice communication
    1. 9.1 The need for application-networking security
      1. 9.1.1 Service-to-service authentication
      2. 9.1.2 End-user authentication
      3. 9.1.3 Authorization
      4. 9.1.4 Comparison of security in monoliths and microservices
      5. 9.1.5 How Istio implements SPIFFE
      6. 9.1.6 Istio security in a nutshell
    2. 9.2 Auto mTLS
      1. 9.2.1 Setting up the environment
      2. 9.2.2 Understanding Istio’s PeerAuthentication resource
    3. 9.3 Authorizing service-to-service traffic
      1. 9.3.1 Understanding authorization in Istio
      2. 9.3.2 Setting up the workspace
      3. 9.3.3 Behavior changes when a policy is applied to a workload
      4. 9.3.4 Denying all requests by default with a catch-all policy
      5. 9.3.5 Allowing requests originating from a single namespace
      6. 9.3.6 Allowing requests from non-authenticated legacy workloads
      7. 9.3.7 Allowing requests from a single service account
      8. 9.3.8 Conditional matching of policies
      9. 9.3.9 Understanding value-match expressions
      10. 9.3.10 Understanding the order in which authorization policies are evaluated
    4. 9.4 End-user authentication and authorization
      1. 9.4.1 What is a JSON web token?
      2. 9.4.2 End-user authentication and authorization at the ingress gateway
      3. 9.4.3 Validating JWTs with RequestAuthentication
    5. 9.5 Integrating with custom external authorization services
      1. 9.5.1 Hands-on with external authorization
      2. 9.5.2 Configuring Istio for ExtAuthz
      3. 9.5.3 Using a custom AuthorizationPolicy resource
    6. Summary
  17. Part 3 Istio day-2 operations
  18. 10 Troubleshooting the data plane
    1. 10.1 The most common mistake: A misconfigured data plane
    2. 10.2 Identifying data-plane issues
      1. 10.2.1 How to verify that the data plane is up to date
      2. 10.2.2 Discovering misconfigurations with Kiali
      3. 10.2.3 Discovering misconfigurations with istioctl
    3. 10.3 Discovering misconfigurations manually from the Envoy config
      1. 10.3.1 Envoy administration interface
      2. 10.3.2 Querying proxy configurations using istioctl
      3. 10.3.3 Troubleshooting application issues
      4. 10.3.4 Inspect network traffic with ksniff
    4. 10.4 Understanding your application using Envoy telemetry
      1. 10.4.1 Finding the rate of failing requests in Grafana
      2. 10.4.2 Querying the affected Pods using Prometheus
    5. Summary
  19. 11 Performance-tuning the control plane
    1. 11.1 The control plane’s primary goal
      1. 11.1.1 Understanding the steps of data-plane synchronization
      2. 11.1.2 Factors that determine performance
    2. 11.2 Monitoring the control plane
      1. 11.2.1 The four golden signals of the control plane
    3. 11.3 Tuning performance
      1. 11.3.1 Setting up the workspace
      2. 11.3.2 Measuring performance before optimizations
      3. 11.3.3 Ignoring events: Reducing the scope of discovery using discovery selectors
      4. 11.3.4 Event-batching and push-throttling properties
    4. 11.4 Performance tuning guidelines
    5. Summary
  20. Part 4 Istio in your organization
  21. 12 Scaling Istio in your organization
    1. 12.1 The benefits of a multi-cluster service mesh
    2. 12.2 Overview of multi-cluster service meshes
      1. 12.2.1 Istio multi-cluster deployment models
      2. 12.2.2 How workloads are discovered in multi-cluster deployments
      3. 12.2.3 Cross-cluster workload connectivity
      4. 12.2.4 Common trust between clusters
    3. 12.3 Overview of a multi-cluster, multi-network, multi-control-plane service mesh
      1. 12.3.1 Choosing the multi-cluster deployment model
      2. 12.3.2 Setting up the cloud infrastructure
      3. 12.3.3 Configuring plug-in CA certificates
      4. 12.3.4 Installing the control planes in each cluster
      5. 12.3.5 Enabling cross-cluster workload discovery
      6. 12.3.6 Setting up cross-cluster connectivity
      7. 12.3.7 Load-balancing across clusters
    4. Summary
  22. 13 Incorporating virtual machine workloads into the mesh
    1. 13.1 Istio’s VM support
      1. 13.1.1 Simplifying sidecar proxy installation and configuration in a VM
      2. 13.1.2 Virtual machine high availability
      3. 13.1.3 DNS resolution of in-mesh services
    2. 13.2 Setting up the infrastructure
      1. 13.2.1 Setting up the service mesh
      2. 13.2.2 Provisioning the VM
    3. 13.3 Mesh expansion to VMs
      1. 13.3.1 Exposing istiod and cluster services to the VM
      2. 13.3.2 Representing a group of workloads with a WorkloadGroup
      3. 13.3.3 Installing and configuring the istio-agent in the VM
      4. 13.3.4 Routing traffic to cluster services
      5. 13.3.5 Routing traffic to the WorkloadEntry
      6. 13.3.6 VMs are configured by the control plane: Enforcing mutual authentication
    4. 13.4 Demystifying the DNS proxy
      1. 13.4.1 How the DNS proxy resolves cluster hostnames
      2. 13.4.2 Which hostnames is the DNS proxy aware of?
    5. 13.5 Customizing the agent’s behavior
    6. 13.6 Removing a WorkloadEntry from the mesh
    7. Summary
  23. 14 Extending Istio on the request path
    1. 14.1 Envoy’s extension capabilities
      1. 14.1.1 Understanding Envoy’s filter chaining
      2. 14.1.2 Filters intended for extension
      3. 14.1.3 Customizing Istio’s data plane
    2. 14.2 Configuring an Envoy filter with the EnvoyFilter resource
    3. 14.3 Rate-limiting requests with external call-out
      1. 14.3.1 Understanding Envoy rate limiting
    4. 14.4 Extending Istio’s data plane with Lua
    5. 14.5 Extending Istio’s data plane with WebAssembly
      1. 14.5.1 Introducing WebAssembly
      2. 14.5.2 Why WebAssembly for Envoy?
      3. 14.5.3 Building a new Envoy filter with WebAssembly
      4. 14.5.4 Building a new Envoy filter with the meshctl tool
      5. 14.5.5 Deploying a new WebAssembly Envoy filter
    6. Summary
  24. appendix A. Customizing the Istio installation
    1. A.1 The IstioOperator API
    2. A.2 The Istio installation profiles
    3. A.3 Installing and customizing Istio using istioctl
    4. A.4 Installing and customizing Istio with the istio-operator
      1. A.4.1 Installing the istio-operator
      2. A.4.2 Updating the installation of a mesh
  25. appendix B. Istio’s sidecar and its injection options
    1. B.1 Sidecar injection
      1. B.1.1 Manual sidecar injection
      2. B.1.2 Automatic sidecar injection
    2. B.2 Security issues with istio-init
  26. appendix C. Istio security: SPIFFE
    1. C.1 Authentication using PKI (public key infrastructure)
      1. C.1.1 Traffic encryption via TLS and end-user authentication
    2. C.2 SPIFFE: Secure Production Identity Framework for Everyone
      1. C.2.1 SPIFFE ID: Workload identity
      2. C.2.2 Workload API
      3. C.2.3 Workload endpoints
      4. C.2.4 SPIFFE Verifiable Identity Documents
      5. C.2.5 How Istio implements SPIFFE
      6. C.2.6 Step-by-step bootstrapping of workload identity
    3. C.3 Understanding request identity
      1. C.3.1 Metadata collected by the RequestAuthentication resource
      2. C.3.2 Overview of the flow of one request
  27. appendix D. Troubleshooting Istio components
    1. D.1 Information exposed by the Istio agent
      1. D.1.1 Endpoints to introspect and troubleshoot the Istio agent
      2. D.1.2 Querying Istio Pilot debug endpoints through the Istio agent
    2. D.2 Information exposed by the Istio Pilot
      1. D.2.1 The Istio Pilot debug endpoints
      2. D.2.2 The ControlZ interface
  28. appendix E. How the virtual machine is configured to join the mesh
  29. index

Product information

  • Title: Istio in Action
  • Author(s): Rinor Maloku, Christian E. Posta
  • Release date: March 2022
  • Publisher(s): Manning Publications
  • ISBN: 9781617295829