Book description
Solve difficult service-to-service communication challenges around security, observability, routing, and resilience with an Istio-based service mesh. Istio allows you to define these traffic policies as configuration and enforce them consistently without needing any service-code changes.
In Istio in Action you will learn:
- Why and when to use a service mesh
- Envoy’s role in Istio’s service mesh
- Allowing “North-South” traffic into a mesh
- Fine-grained traffic routing
- Making your services robust to network failures
- Gaining observability over your system with telemetry “golden signals”
- How Istio makes your services secure by default
- Integrating cloud-native applications with legacy workloads such as those in VMs
Reduce the operational complexity of your microservices with an Istio-powered service mesh! Istio in Action shows you how to implement this powerful new architecture and move your application-networking concerns to a dedicated infrastructure layer. Non-functional concerns stay separate from your application, so your code is easier to understand, maintain, and adapt regardless of programming language. In this practical guide, you’ll go hands-on with the full-featured Istio service mesh to manage microservices communication. Helpful diagrams, example configuration, and examples make it easy to understand how to control routing, secure container applications, and monitor network traffic.
About the Technology
Offload complex microservice communication layer challenges to Istio! The industry-standard Istio service mesh radically simplifies security, routing, observability, and other service-to-service communication challenges. With Istio, you use a straightforward declarative configuration style to establish application-level network policies. By separating communication from business logic, your services are easier to write, maintain, and modify.
About the Book
Istio in Action teaches you how to implement an Istio-based service mesh that can handle complex routing scenarios, traffic encryption, authorization, and other common network-related tasks. You’ll start by defining a basic service mesh and exploring the data plane with Istio’s service proxy, Envoy. Then, you’ll dive into core topics like traffic routing and visualization and service-to-service authentication, as you expand your service mesh to workloads on multiple clusters and legacy VMs.
What's Inside
- Comprehensive coverage of Istio resources
- Practical examples to showcase service mesh capabilities
- Implementation of multi-cluster service meshes
- How to extend Istio with WebAssembly
- Traffic routing and observability
- VM integration into the mesh
About the Reader
For developers, architects, and operations engineers.
About the Authors
Christian Posta is a well-known architect, speaker, and contributor. Rinor Maloku is an engineer at Solo.io working on application networking solutions.
Quotes
Presents a clear-headed vision of how to achieve the goal of decoupling applications from infrastructure. I hope you’ll enjoy this book as much as I have.
- From the Foreword by Eric Brewer, VP Infrastructure and Google Fellow
I really enjoyed the gentle introduction to Istio. I can easily recommend this book to everyone starting development with Kubernetes.
- Christoph Schubert, SAP SE
A comprehensive guide for building an in-depth understanding of the Istio service mesh.
- Fotis Stamatelopoulos, Upwork
It felt like I was shadowing a highly skilled subject matter expert.
- Paolo Antinori, Red Hat
Table of contents
- Istio in Action
- Copyright
- dedication
- contents
- front matter
- Part 1 Understanding Istio
- 1 Introducing the Istio service mesh
- 2 First steps with Istio
- 3 Istio’s data plane: The Envoy proxy
- Part 2 Securing, observing, and controlling your service’s network traffic
- 4 Istio gateways: Getting traffic into a cluster
- 5 Traffic control: Fine-grained traffic routing
- 6 Resilience: Solving application networking challenges
- 7 Observability: Understanding the behavior of your services
- 8 Observability: Visualizing network behavior with Grafana, Jaeger, and Kiali
- 9 Securing microservice communication
  - 9.1 The need for application-networking security
  - 9.2 Auto mTLS
  - 9.3 Authorizing service-to-service traffic
    - 9.3.1 Understanding authorization in Istio
    - 9.3.2 Setting up the workspace
    - 9.3.3 Behavior changes when a policy is applied to a workload
    - 9.3.4 Denying all requests by default with a catch-all policy
    - 9.3.5 Allowing requests originating from a single namespace
    - 9.3.6 Allowing requests from non-authenticated legacy workloads
    - 9.3.7 Allowing requests from a single service account
    - 9.3.8 Conditional matching of policies
    - 9.3.9 Understanding value-match expressions
    - 9.3.10 Understanding the order in which authorization policies are evaluated
  - 9.4 End-user authentication and authorization
  - 9.5 Integrating with custom external authorization services
  - Summary
- Part 3 Istio day-2 operations
- 10 Troubleshooting the data plane
- 11 Performance-tuning the control plane
- Part 4 Istio in your organization
- 12 Scaling Istio in your organization
  - 12.1 The benefits of a multi-cluster service mesh
  - 12.2 Overview of multi-cluster service meshes
  - 12.3 Overview of a multi-cluster, multi-network, multi-control-plane service mesh
    - 12.3.1 Choosing the multi-cluster deployment model
    - 12.3.2 Setting up the cloud infrastructure
    - 12.3.3 Configuring plug-in CA certificates
    - 12.3.4 Installing the control planes in each cluster
    - 12.3.5 Enabling cross-cluster workload discovery
    - 12.3.6 Setting up cross-cluster connectivity
    - 12.3.7 Load-balancing across clusters
  - Summary
- 13 Incorporating virtual machine workloads into the mesh
  - 13.1 Istio’s VM support
  - 13.2 Setting up the infrastructure
  - 13.3 Mesh expansion to VMs
    - 13.3.1 Exposing istiod and cluster services to the VM
    - 13.3.2 Representing a group of workloads with a WorkloadGroup
    - 13.3.3 Installing and configuring the istio-agent in the VM
    - 13.3.4 Routing traffic to cluster services
    - 13.3.5 Routing traffic to the WorkloadEntry
    - 13.3.6 VMs are configured by the control plane: Enforcing mutual authentication
  - 13.4 Demystifying the DNS proxy
  - 13.5 Customizing the agent’s behavior
  - 13.6 Removing a WorkloadEntry from the mesh
  - Summary
- 14 Extending Istio on the request path
- appendix A. Customizing the Istio installation
- appendix B. Istio’s sidecar and its injection options
- appendix C. Istio security: SPIFFE
- appendix D. Troubleshooting Istio components
- appendix E. How the virtual machine is configured to join the mesh
- index
Product information
- Title: Istio in Action
- Author(s): Christian Posta, Rinor Maloku
- Release date: March 2022
- Publisher(s): Manning Publications
- ISBN: 9781617295829