A service mesh is a dedicated infrastructure layer built into an application that controls service-to-service communication in a microservices architecture. It controls the delivery of service requests to other services, performs load balancing, encrypts data, and discovers other services. Istio is a popular solution for service mesh, managing the different microservices that make up a cloud-native application. Istio service mesh also supports how those microservices communicate and share data with one another. It is for observability, security in depth, and management that speeds deployment cycles.
Istio sidecar topology
Classic or sidecar Istio solution for service mesh consist of:
- Control palne: the “brain”, receives configuration from the administrator using Kubernetes CRD. This is a centralized server for all proxy connections and might be easily installed and configured with Helm or cli. Where:
- Pilot is a core xDS server;
- Citadel – CA certificate signing mechanism
- Mixer is responsible for telemetry and control plane metrics
- Data plane: responsible for applying the rules and configuring workload properties inside the sidecar. In this case, traffic is forced to pass through the proxy.
- Ingress/Egress gateway: allows north/south traffic management.
- Encryption: all of traffic in the mesh is encrypted by default using mTLS.
What is sidecar in term of Istio?
Sidecar is architecture pattern, which commonly used in networking to separate configuration from application logic and increate a system observability. Find more about sidecar pattern in our previous article.
In case of Istio mesh the sidecar is based on Envoy proxy data plane:
- Istio sidecar injection happens on namespace via mutation webhook on a new Pod.
- First, Istio initiate a container for
iptable
rules forward and then Istio-agent starts a new Envoy sidecar. - Using simple
port-forward
we could access Envoy admin interface
So, what are the benefits using service mesh in Kubernetes?
- Traffic management. Istio decouples clients requests from destination workload. It increase network resilience and testing across the services in the mesh. Provide possibility setting default routes for services and control configuration sharing across namespaces. Adds additional capabilities as:
- Timeouts
- Retries
- Fault injection
- Circuit breakers
- Observability. Istio provides telemetry, logging and tracing by default. It might be easily integrated to popular open-source tools like Prometheus, Grafana, Kiali and Jeager.
- Security:
- Istion provides service identity.
- Authentication is done via mutual TLS
- Authorization enforces access control to the inbound traffic in the server. Allows policy creation with third party tools.
- Certificate Management support with external integration.
Ambient mesh
In June, Istio 1.18 was released , marking the second release of Istio in 2023 and the first to offer official support for ambient mode.
Ambient mesh is a new deployment model for Istio that splits the duties currently performed by the Envoy sidecar into two separate components: a node-level component for encryption (called “ztunnel”) and an Envoy instance deployed per service for all Layer 7 processing (called the “waypoint”).
What Are the Design Goals of Ambient Mode?
- Transparency and incremental adoption by introducing a sidecar-less data plane. Splits the behavior of network into two separate layers:
- Layer 4 is handled by a
daemonset
responsible for encryption (mTLS) providing Zero Trust. - Layer 7 is handled by an optional Envoy component interpreting HTTP or gRPC connections.
- Layer 4 is handled by a
- Non-intrusive. Ambient mode does not require injecting sidecar proxies into the application’s pods and only requires the application to be tagged to automatically join the mesh, potentially reducing the mesh’s impact on the application.
- Efficient resource utilization. Ambient mode can optimize resource utilization for some use cases by sharing the
ztunnel
proxy across the mesh. If certain L7 functionality of Istio is required, it can also be addressed by deployingWaypoints
precisely for aServiceAccount
orNamespace
, providing more control over resource consumption. - Security. Ambient mode provides TLS support by running a shared proxy
ztunnel
on each node, and when users require the same security as sidecar mode, they also need to deploy one or more Waypoints in each namespace to handle L7 traffic in that namespace. - Simplicity. Ambient mode simplifies service mesh deployment by using Kubernetes manifests and externalize sidecar containers to one shared component.
Which Mode Should I Choose?
Istio is a brand standard in service mesh solution today. It provides stable and well-architectured implementation of sidecars. Ambient mode is a very promising and may potentially resolves a lot of performance issues and security concerns. But this is still a very new approach which does not suppose to replace Envoy data plane right now.
from Matt Turner’s tetrate.io
So what does that choice look like today? We think the broad majority of Istio users will still benefit the most from Istio’s proven sidecar data plane. Ambient mode may offer reduced resource usage in some circumstances (even then it’s nuanced due to kernel cleverness). Any performance gains from using ambient mode must be weighed against its more complex topology, as there are now two types of component making up the mesh’s data plane. Additionally, observability of requests and responses is reduced. And most importantly for most of the users we talk to, the security stance is weakened, often by an unacceptable amount. You can read up on how the two modes compare and a fuller list of consequences, in our previous blog on the topic.
While ambient mode can allow an Istio mesh to run in otherwise impossible resource constraints, we at Tetrate don’t believe it’ll ever replace sidecars for most of our customers. Their strong isolation requirements and need for comprehensive, accurate observability for audit, mean they can’t make the ambient trade. But we’ll leave the choice with our customers, and we’ll be watching the development of ambient, excited to see where it goes in the future.
Hope you like the post. Please find more Kubernetes related guides on #CyberTechTalk WIKI pages. Subscribe to our newsletter or follow us on Twitter and LinkedIn.
Save your privacy, bean ethical!