Alcide Blog

Istio Service Mesh in 2020: Control Plane Simplified

Mar 9, 2020 6:29:27 AM / by Alon Berger

This blog was updated on June 1, 2020, supporting the latest release of version 1.6.
Since 2017, Kubernetes has soared and has played a key role within the cloud-native computing community. With this movement, more and more companies that had already embraced microservices realized that a dedicated software layer for managing service-to-service communication is required.

Enter the service mesh, and its leading contender as the preferred control plane: Istio, a platform built around the Envoy proxy to manage, control and monitor traffic flow and to secure services and the connections between them.

According to the CNCF Survey 2019, Istio is at the top of the chart as the preferred service mesh project:

Image source: CNCF Survey 2019

While Istio has clearly made its mark as a powerful service mesh tool, it still comes with relatively complex operational and integration requirements.

Istio’s roadmap for 2020 is all about supporting companies as they adopt microservices architectures for application development. The main focus of Istio’s latest release is simply making it faster and easier to use.
What Should We Expect?

Istio’s offering is a complete solution for orchestrating a network of deployed services with ease. It handles complex operational requirements such as load balancing, service-to-service authentication, monitoring, rate limiting and more.

To achieve that, Istio provides its core features as key capabilities across a network of services:

  • Traffic management
  • Security
  • Observability
  • Platform support
  • Integration and customization

With its latest release, along with some of the most anticipated improvements, these features are being strengthened as well.

During 2019, Istio’s build and test infrastructure improved significantly, resulting in higher quality and easier release cycles. A big focus was on improving the user experience, with many additional commands added to allow easier operations and a smoother troubleshooting experience.

Furthermore, Istio’s team reported exceptional growth in contributors within the product’s community.
Mixer Out, Envoy In

Extensibility in Istio was provided by Mixer, the component responsible for policy controls and telemetry collection. It acts as an intermediation layer that allows fine-grained control over all interactions between the mesh and infrastructure backends.

This entire model has now been migrated directly into the proxies in order to remove additional dependencies, resulting in a substantial reduction in latency and a significant improvement in overall performance. Eventually, Mixer will be released as a separate add-on, as part of the Istio ecosystem.

The new model replacing Mixer uses Envoy’s extensions, which paves the way to even more capabilities and flexibility. There is already an ongoing implementation of a WebAssembly runtime in Envoy, which will potentially extend platform efficiency. This type of flexibility was a lot more challenging to achieve with Mixer.

Another key takeaway from this new model is that a unique CRD is no longer needed for every integration with Istio.
Control Plane Simplified

The desire to have fewer moving parts during deployments drove the Istio team towards istiod, a new single binary that now runs as a single daemon responsible for what were previously separate microservice deployments.

This binary combines features from the known key components such as Pilot, Citadel, Galley and the sidecar. This approach reduces complexity across the board.

Installation, ongoing maintenance, and troubleshooting efforts will become much more straightforward while supporting all functionalities from previous releases.

Additionally, the node-agent’s functionality for distributing certificates has moved to the istio-agent, which already runs in each pod, removing yet another dependency.

Below is a “Before and After” of Istio’s high-level architecture.

Can you spot the differences?

Before:

Image source: https://istio.io/blog/2020/tradewinds-2020/

After:

Image source: https://istio.io/blog/2020/tradewinds-2020/

Securing All Fronts

Another major focus is on strengthening several security fundamentals such as reliable workload identity, robust access policies and comprehensive audit logging. The imperative nature of such requirements is what pushes the team to double down on stabilizing the API for these features.

Inevitably, network traffic will receive several security reinforcements, including the automated rollout of mutual TLS and use of the Secret Discovery Service (SDS), which introduces a safer way of distributing certificates and so reduces the risk of their being observed by other workloads running on the same machine.

These upgrades will trim down both dependencies and requirements for cluster-wide security policies, leading to a much more robust system.
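As an added illustration (not from the original post and not Istio project documentation), this is the staged mutual TLS rollout and identity-based access policy a cluster operator would express with the security.istio.io/v1beta1 resources served by the new control plane; the namespace `payments`, the service account `checkout` and the label `app: ledger` are assumed names.

```yaml
# Step 1: mesh-wide default. PERMISSIVE accepts both plaintext and mTLS, so
# workloads that have not yet received a sidecar keep working while istiod
# pushes certificates to the istio-agent in each pod.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # a policy in the root namespace applies mesh-wide
spec:
  mtls:
    mode: PERMISSIVE
---
# Step 2: once every workload in a namespace carries a sidecar, lock that
# namespace down. STRICT rejects any plaintext connection, so an unproxied
# client can no longer reach these services. (namespace "payments" is assumed)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# Step 3: with mTLS enforced, the peer certificate carries a verifiable
# SPIFFE identity, so access policy can be keyed on service account rather
# than on IP address. Only the "checkout" service account may call the
# "ledger" workload, and only with GET or POST. (names and label are assumed)
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/payments/sa/checkout"]
    to:
    - operation:
        methods: ["GET", "POST"]
```

Once an ALLOW policy selects a workload, every request it does not match is denied, so confirm the expected callers are all mTLS-enabled while the namespace is still PERMISSIVE before switching it to STRICT.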

 

Releasing Version 1.6

Since this post was first published, Istio has announced another major update with version 1.6, highlighting the following:

  • Completed transition of functionalities into istiod, which was introduced in v1.5.
  • Improved lifecycle, reflected in a smoother experience for installing and upgrading, with a more polished istioctl.
  • Better observability of distributed applications, leveraging updated Grafana dashboards and visualizations.
  • Extended support for virtual machines, allowing non-Kubernetes workloads to be added to the mesh.
  • Enhanced traffic and network management, mainly focused on improved handling of secrets for better support for Kubernetes Ingress.

 

Here at Alcide we offer Istio hygiene checks as part of the Alcide Advisor. Check out our recent webinar Security For Istio - an Incremental Approach to learn more.
Topics: Istio, Control plane, Envoy