
Istio Service Mesh Implementation

Istio is an open-source service mesh that provides a uniform way to secure, connect, and monitor microservices. It manages traffic flow between services, enforces access policies, and aggregates telemetry data, all without requiring changes to the application code^[istio-control-plane-istio-101.md].

Core Concepts

  • Service Mesh: A service mesh is a dedicated infrastructure layer that handles service-to-service communication^[istio-control-plane-istio-101.md].
  • Data Plane vs. Control Plane:
    • The Data Plane consists of a set of intelligent proxies (Envoy) deployed as sidecars alongside every service. These proxies intercept and manage all network communication between microservices^[istio-control-plane-istio-101.md].
    • The Control Plane (Istiod) manages and configures the proxies to route traffic, enforce policies, and collect telemetry^[istio-control-plane-istio-101.md].
  • Sidecar Pattern: The primary way Istio integrates with a service is by deploying a proxy alongside it. This sidecar proxy intercepts traffic to and from the service, allowing Istio to apply logic without the service being aware^[istio-control-plane-istio-101.md].

Implementation Workflow

Implementing Istio typically follows a standard lifecycle involving installation, configuration, and updates^[istio-control-plane-istio-101.md].

1. Installation

The first step is to deploy the Istio control plane onto the Kubernetes cluster^[istio-control-plane-istio-101.md].

  • Download: Download the latest Istio release appropriate for your host operating system^[istio-control-plane-istio-101.md].
  • Deployment: Use the istioctl CLI tool or Helm to install the control plane components^[istio-control-plane-istio-101.md].
  • Verification: Ensure the control plane pods (specifically istiod) are running^[istio-control-plane-istio-101.md].
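The installation step expressed as an IstioOperator manifest, applied with `istioctl install -f`. This is an added example, not a file from the note or from the Istio project; the operator name is assumed, and the two `meshConfig` settings are the hardening choices a defender usually wants from day one (sidecar access logs for detection, and egress restricted to hosts the mesh knows about).

```yaml
# Added example: consumed by `istioctl install -f istio-install.yaml`
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: mesh-control-plane        # assumed name
  namespace: istio-system
spec:
  profile: default                # istiod plus an ingress gateway
  meshConfig:
    accessLogFile: /dev/stdout    # Envoy access logs on every sidecar, for SIEM/forensics
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY         # sidecars refuse egress to hosts absent from the service registry
```

After the install, `istioctl verify-install` and `kubectl get pods -n istio-system` confirm the `istiod` and gateway pods are Running; `istioctl x precheck` run beforehand catches cluster-level incompatibilities.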

2. Application Enablement

Once the control plane is active, applications must be connected to the mesh^[istio-control-plane-istio-101.md].

  • Namespace Labeling: Enable automatic Istio sidecar injection for the application's namespace^[istio-control-plane-istio-101.md].
  • Sidecar Injection: Deploy the application. Because the namespace is labeled, the Kubernetes injector automatically injects the Envoy proxy sidecar into the application pod^[istio-control-plane-istio-101.md].
  • Verification: Use kubectl get pods to confirm that the application pods now have two containers (the application container and the istio-proxy container)^[istio-control-plane-istio-101.md].
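The enablement step as manifests, as an added example that is not part of the note: the namespace carries the `istio-injection: enabled` label that istiod's mutating webhook keys on, and the workload gets its own ServiceAccount so that its mesh identity (the SPIFFE principal used later by authorization policies) is distinct from other services. Namespace, service and image names are assumed.

```yaml
# Added example: `kubectl apply -f app.yaml`; names are placeholders
apiVersion: v1
kind: Namespace
metadata:
  name: shop                        # assumed application namespace
  labels:
    istio-injection: enabled        # webhook injects istio-proxy into new pods here
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: catalog                     # identity: cluster.local/ns/shop/sa/catalog
  namespace: shop
---
apiVersion: v1
kind: Service
metadata:
  name: catalog
  namespace: shop
spec:
  selector:
    app: catalog
  ports:
    - name: http                    # port name lets Envoy treat it as HTTP
      port: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: catalog-v1
  namespace: shop
spec:
  replicas: 2
  selector:
    matchLabels:
      app: catalog
      version: v1
  template:
    metadata:
      labels:
        app: catalog
        version: v1                 # subset label used by DestinationRules
    spec:
      serviceAccountName: catalog
      containers:
        - name: catalog
          image: registry.example.com/catalog:1.0   # placeholder image
          ports:
            - containerPort: 8080
```

Verification: `kubectl get pods -n shop -o jsonpath='{.items[*].spec.containers[*].name}'` should list `catalog istio-proxy` for each pod, and `istioctl analyze -n shop` reports namespaces or pods that were missed by injection. Pods created before the label was applied keep running without a sidecar until they are restarted.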

3. Configuration

With the proxies running, configure the mesh behavior using the control plane^[istio-control-plane-istio-101.md].

  • Traffic Management: Define VirtualServices and DestinationRules to route traffic (e.g., canary deployments) and configure connection settings (e.g., circuit breaking, timeouts)^[istio-control-plane-istio-101.md].
  • Security: Configure PeerAuthentication to enforce mTLS (mutual TLS) for service-to-service encryption^[istio-control-plane-istio-101.md].
  • Policies: Apply AuthorizationPolicies to control access to services (e.g., allowing only specific HTTP methods or JWT-based access)^[istio-control-plane-istio-101.md].
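The three configuration bullets as one set of manifests, added here as an example and not taken from the note. It assumes the `shop` namespace and `catalog` workload above, a `frontend` ServiceAccount in the same namespace, and a placeholder JWT issuer. The ordering matters for security: mesh-wide STRICT mTLS first, then a deny-all policy, then narrow ALLOW rules, so that anything not explicitly permitted is rejected.

```yaml
# Added example; issuer, namespace and workload names are placeholders
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system           # root namespace => applies mesh-wide
spec:
  mtls:
    mode: STRICT                    # plaintext from non-mesh workloads is rejected
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop
spec: {}                            # no rules => deny every request in the namespace
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: catalog-jwt
  namespace: shop
spec:
  selector:
    matchLabels:
      app: catalog
  jwtRules:
    - issuer: "https://issuer.example.com"                          # placeholder
      jwksUri: "https://issuer.example.com/.well-known/jwks.json"   # placeholder
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: catalog-allow-frontend-get
  namespace: shop
spec:
  selector:
    matchLabels:
      app: catalog
  action: ALLOW
  rules:
    - from:
        - source:                   # both fields in one source block are ANDed
            principals: ["cluster.local/ns/shop/sa/frontend"]       # mTLS identity
            requestPrincipals: ["https://issuer.example.com/*"]     # valid JWT required
      to:
        - operation:
            methods: ["GET"]
            paths: ["/api/*"]
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: catalog
  namespace: shop
spec:
  host: catalog.shop.svc.cluster.local
  trafficPolicy:
    outlierDetection:               # circuit breaking: eject endpoints returning 5xx
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 1m
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: catalog
  namespace: shop
spec:
  hosts:
    - catalog.shop.svc.cluster.local
  http:
    - timeout: 3s                   # per-request timeout enforced by the client sidecar
      route:
        - destination:
            host: catalog.shop.svc.cluster.local
            subset: v1
          weight: 90                # canary: 10% of traffic to v2
        - destination:
            host: catalog.shop.svc.cluster.local
            subset: v2
          weight: 10
```

Two caveats worth checking in a review: a RequestAuthentication on its own only rejects requests that carry an invalid token, so requests with no token still pass until an AuthorizationPolicy requires `requestPrincipals` as above; and `requestPrincipals` is only meaningful when the PeerAuthentication plus a `principals` match guarantee the caller is the expected mesh identity. `istioctl x authz check <pod>` lists the policies Envoy has loaded for a workload.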

4. Updates

Service mesh implementations must be maintained. This involves upgrading the control plane and data plane components^[istio-control-plane-istio-101.md].

  • In-Place Upgrades: Kubernetes deployment strategies can be used to update the control plane. istioctl provides commands to verify compatibility and upgrade the mesh^[istio-control-plane-istio-101.md].
  • Canary Upgrades: A common strategy for production environments involves running the new version of the control plane alongside the old version and routing a small percentage of control plane traffic to it^[istio-control-plane-istio-101.md].
  • Data Plane Updates: The control plane pushes the new proxy configuration to the data plane. Eventually, the application workloads need to be restarted (via a rolling update) to pick up the new version of the Envoy proxy binary^[istio-control-plane-istio-101.md].
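The canary upgrade and data plane update steps as manifests, added here as an example rather than taken from the note. The new control plane is installed under a named revision next to the existing one, and a namespace is moved over by swapping its injection label; the revision name and namespace are assumed.

```yaml
# Added example: `istioctl install -f istio-canary.yaml` with the newer istioctl
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: mesh-control-plane-canary   # assumed name
  namespace: istio-system
spec:
  profile: default
  revision: canary                  # deploys istiod-canary; the existing istiod keeps serving
---
# Move one namespace to the new revision; `istio-injection` must be absent,
# because that label takes precedence over `istio.io/rev`
apiVersion: v1
kind: Namespace
metadata:
  name: shop                        # assumed namespace
  labels:
    istio.io/rev: canary
```

Imperatively the relabel is `kubectl label namespace shop istio-injection- istio.io/rev=canary`, followed by `kubectl rollout restart deployment -n shop` so pods are re-created with the new proxy image. `istioctl proxy-status` then shows which istiod version each sidecar is connected to, which is the check that the data plane has actually moved before the old revision is uninstalled.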

Key Components

  • Istiod: The unified control plane binary. It combines functionality for Pilot (traffic management), Citadel (security), and Galley (configuration management)^[istio-control-plane-istio-101.md].
  • Envoy: The high-performance proxy used as the sidecar. It handles dynamic service discovery, load balancing, TLS termination, and health checking^[istio-control-plane-istio-101.md].
  • Gateway: A load balancer operating at the edge of the mesh, managing incoming/outgoing HTTP/TCP connections^[istio-control-plane-istio-101.md].

Sources

  • 001-TODO__28490作日誌寫入機制.md