Service Mesh
Objective
Distributed multi-cloud, multi-region architecture
Enables core capabilities (traffic management, security, observability) by default at the platform level, without changes to application code
A layer that lets you connect, secure, control and observe microservices
Products
Linkerd (CNCF graduated project)
Kuma (CNCF sandbox project)
Traefik Mesh (formerly Maesh)
Open Service Mesh (CNCF sandbox project)
Cilium eBPF
Core Features
[Figure: mesh capabilities and high-level architecture. Each application (Application A, Application B) runs next to a proxy, and the proxies are configured by a Control Plane; the mesh handles HTTP, gRPC and TCP traffic and provides mTLS, routing, policy management and certificate management. In the Istio diagrams, Service A and Service B each sit behind a Proxy managed by the Istio Control Plane, with sidecar network policy enforced between them; the mesh edge consists of an Ingress gateway and an Egress gateway, both of which terminate or originate mTLS.]
High-Level Architecture (old)
High-Level Architecture (1.5+): from Istio 1.5 the separate control-plane components are consolidated into a single istiod binary
Proxy: Sidecar Injection
The istio-proxy sidecar is injected at pod creation time by the MutatingWebhookConfiguration istio-sidecar-injector.
istio-init: an init container that installs the iptables rules redirecting the pod's inbound and outbound traffic through the sidecar proxy; this is why it needs the NET_ADMIN capability.
istio-proxy: the sidecar proxy itself, based on Envoy.
To see the template being used:
kubectl -n istio-system get configmap istio-sidecar-injector -o yaml
spec:
  initContainers:
  - name: istio-init
    image: docker.io/istio/proxy_init:1.0.2
    args:
    - istio-iptables
    - -p
    - "15001"
    - -u
    - "1337"
    .....
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
  restartPolicy: Always
  containers:
  - name: istio-proxy
-p 15001 is the Envoy port that captured traffic is redirected to; -u 1337 is the UID the proxy runs as, and traffic owned by that UID is excluded from the redirect so Envoy's own connections are not captured again.
Proxy: Packet walk
[Figure: packet walk inside a K8s pod. A request arriving on eth0 for the application port :8080 is redirected by iptables to the istio-proxy (Envoy) listener on 127.0.0.1:15001; Envoy applies its policy and forwards the request to the application on 127.0.0.1:8080. Traffic the application sends out is redirected to the same Envoy listener before it leaves the pod, so both directions pass through the sidecar.]
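The redirect the figure describes, as an added example (this is not Istio's code): a small Python model of the NAT decisions istio-init's rules make for a packet, using the -p 15001 and -u 1337 values from the init-container arguments above. The rule set is a simplified reading of the ISTIO_INBOUND/ISTIO_OUTPUT chains, not a verbatim istio-iptables dump; the pod and upstream IP addresses and UID 1000 for the application process are constructed.

```python
"""Simplified model of the NAT redirect that istio-init installs in a pod.

Added example, not Istio code. Ports and UIDs come from the init-container
arguments on the page (-p 15001, -u 1337); the rule set is a simplified
reading of the ISTIO_INBOUND / ISTIO_OUTPUT chains, not a verbatim dump.
"""
from __future__ import annotations

from dataclasses import dataclass

PROXY_PORT = 15001   # -p 15001: Envoy listener that captured traffic is redirected to
PROXY_UID = 1337     # -u 1337: the UID the istio-proxy container runs as
APP_PORT = 8080      # the application's own listener in the packet-walk figure


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" (arrived on eth0) or "outbound" (sent by a process in the pod)
    dst_ip: str
    dst_port: int
    uid: int = 0     # owner of the sending socket; only meaningful for outbound packets


def nat_decision(pkt: Packet) -> tuple[int, str]:
    """Return (port the packet is finally delivered to, rule that decided it)."""
    if pkt.direction == "inbound":
        # PREROUTING -> ISTIO_INBOUND: TCP traffic for the pod is REDIRECTed to the proxy
        return PROXY_PORT, "ISTIO_INBOUND REDIRECT"
    # OUTPUT -> ISTIO_OUTPUT
    if pkt.uid == PROXY_UID:
        # '-m owner --uid-owner 1337 -j RETURN': the proxy's own egress is left alone,
        # otherwise Envoy's upstream connections would be captured by Envoy again
        return pkt.dst_port, "ISTIO_OUTPUT owner RETURN"
    if pkt.dst_ip == "127.0.0.1":
        # '-d 127.0.0.1/32 -j RETURN': plain loopback traffic bypasses the proxy
        return pkt.dst_port, "ISTIO_OUTPUT loopback RETURN"
    # everything else the application sends is REDIRECTed to the proxy
    return PROXY_PORT, "ISTIO_OUTPUT REDIRECT"


def sidecar_sees(pkt: Packet) -> bool:
    """True if the packet passes through Envoy, i.e. mTLS and policy apply to it."""
    return nat_decision(pkt)[0] == PROXY_PORT


def packet_walk() -> list[tuple[int, str]]:
    """The hops of the figure for one inbound request, plus two outbound cases.
    Addresses and the application UID (1000) are constructed sample values."""
    return [
        nat_decision(Packet("inbound", "10.0.0.5", APP_PORT)),                   # eth0:8080 -> :15001
        nat_decision(Packet("outbound", "127.0.0.1", APP_PORT, uid=PROXY_UID)),  # Envoy -> app on lo
        nat_decision(Packet("outbound", "10.0.0.9", 9080, uid=1000)),            # app -> upstream
        nat_decision(Packet("outbound", "10.0.0.9", 9080, uid=PROXY_UID)),       # proxy -> upstream
    ]


if __name__ == "__main__":
    for port, rule in packet_walk():
        print(f"delivered to :{port:<5} via {rule}")
```

The owner RETURN is what keeps Envoy from capturing its own upstream connections, and it is also the bypass to watch for: any process in the pod that runs as UID 1337 sends traffic the sidecar never sees, so mTLS and AuthorizationPolicy do not apply to it. Keep 1337 reserved for the proxy container and do not give the application container a way to take that UID (runAsUser: 1337 or CAP_SETUID).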
Pilot
Traffic Management (networking.istio.io)
VirtualService: rules that control how requests for a service are routed within the mesh
DestinationRule: policies applied to traffic for a destination after routing (load balancing, connection pool limits, outlier detection, TLS settings) and the named subsets a VirtualService routes to
Gateway: an HTTP/TCP load balancer at the edge of the mesh that admits ingress (or egress) traffic
ServiceEntry: adds a service outside the mesh to Istio's registry so requests to it can be routed and policed like in-mesh traffic
Traffic Management Features
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
...
spec:
  hosts:
  - reviews
  http:
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v2
  - route:
    - destination:
        host: reviews
        subset: v1
Conditional routing based on an HTTP header: requests whose end-user header is exactly "jason" go to the v2 subset of reviews, everything else falls through to v1. Rules are evaluated top to bottom and the first match wins, so the catch-all route must stay last. Note that the header is supplied by the caller: anyone who sets end-user: jason reaches v2, so treat this as a routing hint, not as access control.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
...
spec:
  hosts:
  - reviews
  http:
  - match:
    - sourceLabels:
        app: reviews
        version: v1
    route:
    - destination:
        host: rate
        subset: v2
  - route:
    - destination:
        host: rate
        subset: v1
Conditional routing based on source labels (the field is sourceLabels, not sourceLabel): calls coming from workloads labelled app=reviews, version=v1 are sent to the v2 subset of rate, all other callers to v1.
Timeout: a request to reviews v2 is failed by the sidecar if no response arrives within 0.5s
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v2
    timeout: 0.5s
Retry: up to 3 attempts per request, each attempt limited to 2s
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v2
    retries:
      attempts: 3
      perTryTimeout: 2s
Circuit Break: connectionPool caps what the sidecar will open towards httpbin (one TCP connection, one pending HTTP/1.1 request, one request per connection), and outlierDetection ejects an endpoint from the load-balancing pool for baseEjectionTime after a single 5xx, checking every interval; maxEjectionPercent: 100 allows every endpoint to be ejected
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
...
spec:
  host: httpbin
  trafficPolicy:
    connectionPool:
      http:
        http1MaxPendingRequests: 1
        maxRequestsPerConnection: 1
      tcp:
        maxConnections: 1
    outlierDetection:
      baseEjectionTime: 3m
      consecutive5xxErrors: 1
      interval: 1s
      maxEjectionPercent: 100
Security Features
Enable mutual TLS for every workload in namespace foo (STRICT mode: the sidecars accept only mTLS connections and refuse plaintext)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "default"
  namespace: "foo"
spec:
  mtls:
    mode: STRICT
Allow GET requests to the workload labelled app=productpage. Once any ALLOW policy selects a workload, requests that match none of its rules are denied; this rule has no from clause, so it accepts GET from any source, including unauthenticated callers if mTLS is not STRICT.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: "productpage-viewer"
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - to:
    - operation:
        methods: ["GET"]
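How the two resources above combine at request time, as an added example (this is not Istio's implementation): a Python evaluator that applies the documented AuthorizationPolicy order (DENY policies first, then ALLOW; allow by default when no ALLOW policy selects the workload; deny when ALLOW policies exist but none matches) after the PeerAuthentication check. The page's productpage-viewer policy is encoded as-is; the hardened variant with a from.source.principals clause, the deny-admin policy, the SPIFFE identity strings and the request data are assumptions made for the example.

```python
"""Evaluator for Istio AuthorizationPolicy + PeerAuthentication semantics.

Added example, not Istio code. Follows the documented evaluation order:
DENY policies first, then ALLOW; allow by default when no ALLOW policy
selects the workload; deny when ALLOW policies exist but none matches.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    principal: Optional[str]   # SPIFFE identity from the client cert; None on a plaintext connection


@dataclass
class Policy:
    name: str
    action: str                               # "ALLOW" or "DENY"
    selector: dict                            # spec.selector.matchLabels ({} selects every workload)
    rules: list = field(default_factory=list)  # spec.rules; an empty list matches nothing


def _operation_matches(op: dict, req: Request) -> bool:
    methods, paths = op.get("methods"), op.get("paths")
    return (methods is None or req.method in methods) and (paths is None or req.path in paths)


def _source_matches(src: dict, req: Request) -> bool:
    principals = src.get("principals")
    return principals is None or req.principal in principals


def rule_matches(rule: dict, req: Request) -> bool:
    """A rule matches when some 'from' entry and some 'to' entry match;
    an absent 'from' or 'to' matches anything, so the empty rule {} matches every request."""
    if "from" in rule and not any(_source_matches(f["source"], req) for f in rule["from"]):
        return False
    if "to" in rule and not any(_operation_matches(t["operation"], req) for t in rule["to"]):
        return False
    return True


def authorize(policies: list, workload_labels: dict, req: Request, peer_mode: str = "STRICT"):
    """Decide one request for one workload; returns (allowed, reason)."""
    # PeerAuthentication STRICT refuses plaintext at the TLS layer, before any authz filter runs.
    if peer_mode == "STRICT" and req.principal is None:
        return False, "refused by PeerAuthentication STRICT: no client certificate"
    selected = [p for p in policies
                if all(workload_labels.get(k) == v for k, v in p.selector.items())]
    for p in selected:
        if p.action == "DENY" and any(rule_matches(r, req) for r in p.rules):
            return False, f"denied by {p.name}"
    allows = [p for p in selected if p.action == "ALLOW"]
    if not allows:
        return True, "no ALLOW policy selects the workload: allowed by default"
    for p in allows:
        if any(rule_matches(r, req) for r in p.rules):
            return True, f"allowed by {p.name}"
    return False, "ALLOW policies exist but none matched: denied"


# The page's policy: GET to app=productpage, from any source.
PRODUCTPAGE_VIEWER = Policy("productpage-viewer", "ALLOW", {"app": "productpage"},
                            rules=[{"to": [{"operation": {"methods": ["GET"]}}]}])

# Assumed hardened variant: only the ingress gateway's identity may call (identity string assumed).
GATEWAY_SA = "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
PRODUCTPAGE_VIEWER_HARDENED = Policy(
    "productpage-viewer", "ALLOW", {"app": "productpage"},
    rules=[{"from": [{"source": {"principals": [GATEWAY_SA]}}],
            "to": [{"operation": {"methods": ["GET"]}}]}])
# Assumed DENY policy, to show that DENY is evaluated before ALLOW.
ADMIN_DENY = Policy("deny-admin", "DENY", {"app": "productpage"},
                    rules=[{"to": [{"operation": {"paths": ["/admin"]}}]}])

PRODUCTPAGE = {"app": "productpage", "version": "v1"}           # constructed workload labels
REVIEWS_SA = "cluster.local/ns/default/sa/bookinfo-reviews"     # assumed caller identity


def demo() -> dict:
    """Decisions for constructed requests; 'plaintext_permissive' is the pitfall to notice."""
    get, post = Request("GET", "/productpage", REVIEWS_SA), Request("POST", "/productpage", REVIEWS_SA)
    plain = Request("GET", "/productpage", None)
    return {
        "get_any_identity": authorize([PRODUCTPAGE_VIEWER], PRODUCTPAGE, get)[0],
        "post_denied": authorize([PRODUCTPAGE_VIEWER], PRODUCTPAGE, post)[0],
        "plaintext_strict": authorize([PRODUCTPAGE_VIEWER], PRODUCTPAGE, plain)[0],
        "plaintext_permissive": authorize([PRODUCTPAGE_VIEWER], PRODUCTPAGE, plain, peer_mode="PERMISSIVE")[0],
        "hardened_reviews": authorize([PRODUCTPAGE_VIEWER_HARDENED], PRODUCTPAGE, get)[0],
        "hardened_gateway": authorize([PRODUCTPAGE_VIEWER_HARDENED], PRODUCTPAGE,
                                      Request("GET", "/productpage", GATEWAY_SA))[0],
        "deny_wins": authorize([PRODUCTPAGE_VIEWER, ADMIN_DENY], PRODUCTPAGE,
                               Request("GET", "/admin", GATEWAY_SA))[0],
        "other_workload": authorize([PRODUCTPAGE_VIEWER], {"app": "reviews"}, Request("DELETE", "/x", REVIEWS_SA))[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22} {'ALLOW' if allowed else 'DENY'}")
```

Two things the run makes visible: with the page's policy alone, any identity in the mesh may GET productpage, and under a PERMISSIVE PeerAuthentication even a plaintext caller with no identity gets through, because a rule without a from clause matches every source. Adding from.source.principals ties the ALLOW to a workload identity; a DENY policy is evaluated first regardless of what the ALLOW rules say.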
Security Architecture