10/23: Securing Microservices with Istio

[shimmerjs]

istio

• control traffic between services with dynamic route configuration

• conduct A/B tests

• release canaries

• gradually upgrade versions using red/black deployments

• apply organizational policy to interaction btwn services

• ensure acls are enforced and enable secure comms btwn services

• helps manage dependencies between services via telemetry and metrics

? can it be entire deployment orchestration tool? ? does it scale cleanly across clusters

components

envoy

L4/L7 hybrid proxy. mediates all inbound and outbound traffic for all services in the mesh.

features: dynamic service discovery, load balancing, tls terminiation, http/2 & grpc proxying, health checks, staged rollouts with %-based traffic split, fault injection, rich metrics

pilot

programs envoys, responsible for service discovery, registration, and load balancing

istio-auth

service-to-service and end-user authentication using mutual tls, with built-in identity and credential management

provides CA, stores them in kube secrets

adds fault tolerance to your app without any code changes via circuitbreaker

mixer

fleetwide policy enforcement and management

responsible for enforcing ACL and usage policies across the mesh, and collecting telemetry data from envoy proxy and other services.

demo

? istio controls every namespace on your cluster?

notes

• support for multiple clusters planned for 0.4
  • istio on both clusters? just production? staging namespace on production cluster?
• zipkin looks powerful
• expose custom metrics thru envoy? or direct prometheus <-> app via /metrics

additional reading

https://istio.io/blog/canary-deployments-using-istio.html https://spiffe.io

[kaledj]

envoy

• service discovery, load blanacing, tls, http2, grpc, circuit breaker, heatlhcheck , l3+7 routing, staged rollouts w %based traffic split, fault injection, rich metrics
• envoy proxy per pod
• pilot sends data down to envoy
• mTLS is envoy-envoy
• envoy pulls from control plane - future is event based / push

pilot progmramming enoys

istio-auth ?

mixer res for enforicing polices across mesh

isito security

• istio auth provides ca for mesh using spiffe.io stored as k8s secrets

resiliency

• istio adds fault tolernace with no application code changes
• timeouts, retires
• systematic fault injection / delay injection / retries etc

traffic splitting

• single service registry name
• traffic splitting from v1 to v2

traffic steering

• content based traffic steering