How to set up a service mesh for your microservices using Istio
Microservices architecture is a method of software development that breaks down an extensive application into smaller, independent services. As companies transition to this method, they’re discovering new challenges. One such challenge is the difficulty involved in creating a central, standardized security policy across many distributed microservices.
The world of microservices is dynamic, complex, and constantly changing. IT teams must be able to secure new services and respond to shifting user demand to remain effective when using this architecture. Moreover, it's essential that all services are stable. Istio is an effective solution for securely and predictably facilitating microservices networks.
In this tutorial, you will learn about Istio in detail and how to install it using the production installation configuration profile.
What is Istio?
Istio is a service mesh platform that helps facilitate your microservice’s communication and keeps traffic visible. To understand and master Istio, you first need to understand what a service mesh is.
Fig. 1: Istio implements a service mesh between your services to facilitate traffic. (Source: Istio)
A service mesh is a layer that facilitates service-to-service communication. It adds security and observability to your microservices architecture. Service meshes are widely used for:
- Load balancing
- Service discovery
- Enforcing access control and authentication
- Fetching service performance metrics
Istio is a good tool to add to your development workflow because:
- It protects service-to-service communication using transparent TLS encryption;
- It enforces network policies that facilitate network infrastructure. This infrastructure gives you routing rules, call retries, and fault injection that help you manage your network traffic swiftly.
- It makes it possible for you to do canary deployments.
The above functionalities allow you to better manage and secure your microservices architecture. Istio handles both containers and VM workloads.
Istio provides service observability and thus helps catch service vulnerabilities and performance flaws. This function was the main goal when Istio was launched in 2017 as a joint project between Lyft, IBM, and Google.
How does Istio work?
The Istio layer is implemented in between the application service and network. Istio has two planes that make up the Istio architecture: a data plane and a control plane.
The data plane controls network communication between services, as it has a network-proxying system that intercepts and redirects traffic. It also collects telemetrics data from all service meshes.
The control plane manages traffic using the following components:
- Istio Pilot is responsible for taking configurations and distributing them to Istio components to orchestrate the microservices proxy orchestrator.
- Istio Citadel provides security mechanisms that enable you to upgrade unencrypted traffic; it mostly facilitates end-user authentication.
- Istiod transforms high-level routing rules into an Envoy-specific configuration, which will be distributed to sidecars during runtime.
- Istio Galley isolates Istio components from the details of obtaining user configurations from Kubernetes and other underlying platforms; it also validates and processes configurations.
How to install Istio on different operating systems
The command line istioctl is used to install Istio in your production environment. You can also use it to operate Istio. This command line makes Istio features available at your fingertips and has strong user input validation to alleviate installation errors. It’s available in Linux, macOS, and Windows as well. Before we learn how to install Istio, let’s look at the istioctl installation profiles used to configure the installation process:
Istio is a dynamic platform that needs further configuration. With istioctl, you can customize Istio by adding configuration profiles to tailor it to suit your infrastructure.
The table below comprises concise descriptions of different installation configurations profiles for istioctl.
| Profile | Description |
|---|---|
| Default profile | Installs istioctl using the IstioOperator API. It is used for production deployments. |
| External profile | This profile is suitable when using a remote cluster that is controlled by an external control plane. |
| Preview profile | Installs Istio features that are still in the experimental stage. Use this profile to explore new features coming to Istio. |
| Empty profile | This profile does not deploy anything. It is useful for custom configuration. |
If you install istioctl without specifying the profile then the demo profile will be used, which uses Istio functionality with limited resources. If you intend to use the demo profile but need to control plane components, you should opt for the minimal profile.
To install Istio on your production environment, download the istioctl binary suitable for your environment. Open your terminal and change the directory to the istioctl one (the directory where you’ve previously extracted the istioctl binary files).
cd C:\istioctl
Use the following command to install istioctl accompanied by the default installation profile, which is suitable for production environments:
istioctl install --set profile=default -y
You will get the following output:
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
- Pruning removed resources
Removed Deployment:istio-system:istio-egressgateway.
Removed Service:istio-system:istio-egressgateway.
Removed ServiceAccount:istio-system:istio-egressgateway-service-account.
Removed RoleBinding:istio-system:istio-egressgateway-sds.
Removed Role:istio-system:istio-egressgateway-sds.
Removed PodDisruptionBudget:istio-system:istio-egressgateway.
✔ Installation complete Making
this installation the default for injection and validation.
2022-10-10T08:43:35.553705Z error klog couldn't get resource
list for metrics.k8s.io/v1beta1: the server is currently unable to handle the request
2022-10-10T08:43:35.564392Z error klog couldn't get resource list for metrics.k8s.io/v1beta1: the server is currently unable to handle the request
Thank you for installing Istio 1.15. Please take a few minutes to tell us about your install/upgrade experience!
https://forms.gle/SWHFBmwJspusK1hv6
Use the following command to check if istioctl has been installed successfully:
istioctl version
You will get the following output:
client version: 1.15.1
control plane version: 1.15.1
data plane version: 1.15.1 (7 proxies)
Use the following command to get the details about the installation profile used:
istioctl profile dump
You will get the following output:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
components:
base:
enabled: true
cni:
enabled: false
egressGateways:
- enabled: false
name: istio-egressgateway
ingressGateways:
- enabled: true
name: istio-ingressgateway
istiodRemote:
enabled: false
pilot:
enabled: true
hub: docker.io/istio
meshConfig:
defaultConfig:
proxyMetadata: {}
enablePrometheusMerge: true
profile: default
How to upgrade and uninstall istioctl
Before upgrading istioctl to the next version, use the following command to check if it is ready and compatible to upgrade:
istioctl x precheck
You will get the following output:
←[32m✔←[0m No issues found when checking the cluster. Istio is safe to install or upgrade!
To get started, check out
https://istio.io/latest/docs/setup/getting-started/
After Istio is declared as safe to install, use the following command to upgrade:
istioctl install --set revision=canary
If you no longer wish to use Istio, use the following commands to uninstall it:
kubectl delete -f samples/addons
istioctl uninstall -y --purge
Executing the below command will delete the Istio namespace:
kubectl delete namespace istio-system
Troubleshooting Istio and best practices
Users can have a bumpy start when using Istio for the first time—some Istio functions are bound to fail because you’ve used the wrong configurations. In the next section, we’ll cover ways to approach and troubleshoot Istio errors.
Analyzing service logs and performance metrics
Istio generates access logs to help identify the root cause of flaws and vulnerabilities. The access logs can also be displayed using the kubectl logs command. In addition, Istio provides the following metrics:
- Overall volume of traffic
- Error rates within the traffic
- Response times for requests
Analyzing logs and metrics regularly is the only way to detect flaws on time and prevent cyberattackers from potentially exploiting vulnerabilities in your infrastructure.
Using patterns to combat unwanted traffic
Since Istio adds a layer between the application and network to facilitate communication between entities, it is crucial to make sure that it is up to date with the best security configurations and settings. The ALLOW-with-positive-matching or DENY-with-negative-matching patterns have to be implemented to ensure that only matching fields are accepted.
Dealing with Istio issues
If your requests are being rejected by the Envoy, faulty configurations may be the underlying reason. Rule out a mutual TLS configuration conflict and make sure that the DestinationRule and VirtualService components are configured correctly.
Working with Istio in production for the first time can be challenging—for instance, you may experience repeated network issues. Istio has a helpful documentation page on troubleshooting network errors.
Conclusion
In this article, we’ve learned how to install Istio using istioctl.
