Chapter 9. Service mesh implementation using Istio

Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Service mesh implementation using Istio

This chapter discusses the service mesh implementation using Istio and has the following sections:

•9.1, “Overview” on page 290

•9.2, “Role of the service mesh” on page 290

•9.3, “Istio architecture” on page 292

•9.4, “Installation of Istio and enabling the application for Istio” on page 295

•9.5, “Service resiliency” on page 301

•9.6, “Achieving E2E security for microservices using Istio” on page 311

9.1 Overview

When talking to many enterprise customers who are at the beginning of their application modernization journey, the question that often pops up is: “What about a service mesh?”. This usually prompts many follow-up questions:

•How should we implement traffic control (firewall rules) for services?

•How to control ingress and egress from the Kubernetes cluster?

•What service registry to use?

•How to implement load balancing between the microservices?

•How to integrate the microservices on Kubernetes with existing ESB?

•Can the whole traffic be encrypted?

There are a lot of articles on the internet about different service registry and discovery solutions, and about microservices and cloud native programing frameworks. Many of them relate to a specific product or technology, but it is not obvious how these solutions relate to Kubernetes or to what extent they are applicable in hybrid, multi-cloud, enterprise-centric environments. Things that work fine for an enthusiastic cloud startup developer might not be easy for an enterprise developer who often operates in a highly regulated environment.

In the following section we briefly summarize the role of the service mesh and discuss which functions are fulfilled by Kubernetes itself and which ones need to be augmented by additional solution – in case of IBM Cloud Private the product of choice is Istio.

9.2 Role of the service mesh

In traditional applications, the communication pattern was usually built into application code and service endpoint configuration was usually static. This approach does not work in dynamic cloud-native environments. Therefore, there is a requirement for an additional infrastructure layer that helps manage communication between complex applications consisting of a large number of distinct services. Such a layer is usually called a service mesh.

The service mesh provides several important capabilities like:

•Service discovery

•Load balancing

•Encryption

•Observability and traceability

•Authentication and authorization

•Support for the circuit breaker pattern

The following sections describe each of these functionalities in more detail.

9.2.1 Service registry

Modern, cloud-native applications are often highly distributed and use a large number of components or microservices that are loosely coupled. In a dynamic, cloud environments placement of any service instance can change at any time, so there is a need for an information repository which will hold current information about which services are available and how they can be reached. This repository is called service registry. There are several popular implementations of service registry, for example Eureka developed by Netflix, Consul from Hashicorp, and Apache Zookeeper. None of these solutions are not Kubernetes specific, and their functions to some extent overlap with what Kubernetes natively provides.

IBM Cloud Private uses Kubernetes technology as its foundation. In Kubernetes, services are of primary importance, and Kubernetes provides implicit service registry using DNS. When a controller alters Kubernetes resources, for example starting or stopping some pods, it also updates the related service entries. Binding between pod instances and services that expose them is dynamic, using label selectors.

Istio leverages Kubernetes service resources, and does not implement a separate service registry.

9.2.2 Service discovery

The process of locating the service instance is called service discovery. There are 2 types of service discoveries:

Client-side discovery Application that requests a service network location gets all service instances from the service registry, and decides which one to contact. This approach is implemented, for example, by the Netflix Ribbon library.

Server-side discovery Application that sends a request to a proxy that routes a request to one of the available instances. This approach is used in that Kubernetes environment and in Istio.

9.2.3 Load balancing

When there are multiple instances of a target service available, the incoming traffic should be load balanced between them. Kubernetes natively implements this functionality, but Istio greatly enhances the available configuration options.

9.2.4 Traffic encryption

In Kubernetes internal data traffic can be either be all plain or all encrypted using IPSec. Istio allows dynamically to encrypt traffic to and from specific services based on policies and it does not require any changes to the application code.

9.2.5 Observability and traceability

This capability is not implemented in standard Kubernetes, and can be provided by the CNI network implementation. However project Calico used by IBM Cloud Private does not provide this capability. To trace traffic between applications, the applications must embed some distributed tracing libraries, such as Zipkin. Istio implements this capability, allowing all traffic to be traced and visualized, without any modification to the application code.

9.2.6 Access control

Kubernetes, by default, defines network policies that govern which pods can communicate but implementation of network policies is done at the Container Network Interface (CNI) network level. Project Calico used by IBM Cloud Private allows for defining firewall rules between pods based on IP and port combinations. Istio enhances access control up to L7 (layer 7).

9.2.7 Circuit breaker pattern support

By default, Kubernetes does not provide this capability. It can be embedded in application code using, for example, Hystrix from Netflix OSS, but can be also implemented at the proxy level like in Istio or Consul.

9.3 Istio architecture

An Istio service mesh is logically split into a data plane and a control plane¹.

The data plane is composed of a set of intelligent proxies (Envoy) deployed as sidecars. These proxies mediate and control all network communication between microservices along with Mixer, a general-purpose policy and telemetry hub.

The control plane manages and configures the proxies to route traffic. Additionally, the control plane configures Mixers to enforce policies and collect telemetry.

9.3.1 Components

The following section describes the components of the planes.

Figure 9-1 on page 293 shows the different components that make up each plane.

Figure 9-1 Istio architecture²

Envoy

Istio uses an extended version of the Envoy proxy. Envoy is a high-performance proxy developed in C++ to mediate all inbound and outbound traffic for all services in the service mesh. Istio leverages Envoy’s many built-in features, for example:

•Dynamic service discovery

•Load balancing

•TLS termination

•HTTP/2 and gRPC proxies

•Circuit breakers

•Health checks

•Staged rollouts with percentage-based traffic split

•Fault injection

•Rich metrics

Envoy is deployed as a sidecar to the relevant service in the same Kubernetes pod. This deployment allows Istio to extract a wealth of signals about traffic behavior as attributes. Istio can, in turn, use these attributes in Mixer to enforce policy decisions, and send them to monitoring systems to provide information about the behavior of the entire mesh.

The sidecar proxy model also allows you to add Istio capabilities to an existing deployment with no need to rearchitect or rewrite code. You can read more about why we chose this approach in our Design Goals.

Mixer

Mixer is a platform-independent component. Mixer enforces access control and usage policies across the service mesh, and collects telemetry data from the Envoy proxy and other services. The proxy extracts request level attributes, and sends them to Mixer for evaluation. You can find more information about this attribute extraction and policy evaluation in Mixer Configuration documentation.

Mixer includes a flexible plug-in model. This model enables Istio to interface with a variety of host environments and infrastructure backends. Thus, Istio abstracts the Envoy proxy and Istio-managed services from these details.

Pilot

Pilot provides service discovery for the Envoy sidecars, traffic management capabilities for intelligent routing (e.g., A/B tests, canary deployments, etc.), and resiliency (timeouts, retries, circuit breakers, etc.).

Pilot converts high level routing rules that control traffic behavior into Envoy-specific configurations, and propagates them to the sidecars at run time. Pilot abstracts platform-specific service discovery mechanisms and synthesizes them into a standard format that any sidecar conforming with the Envoy data plane APIs can use. With this loose coupling, Istio can run on multiple environments, such as Kubernetes, Consul, or Nomad, while maintaining the same operator interface for traffic management.

Citadel

Citadel provides strong service-to-service and end-user authentication with built-in identity and credential management. You can use Citadel to upgrade unencrypted traffic in the service mesh. Using Citadel, operators can enforce policies based on service identity rather than on network controls. Starting from release 0.5, you can use Istio’s authorization feature to control who can access your services.

Galley

Galley validates user authored Istio API configuration on behalf of the other Istio control plane components. Over time, Galley will take over responsibility as the top-level configuration ingestion, processing and distribution component of Istio. It will be responsible for insulating the rest of the Istio components from the details of obtaining user configuration from the underlying platform (for example Kubernetes).

9.3.2 Istio functions

Istio has the following major functions.

Connect

Istio provides traffic management for services. The traffic management function includes:

•Intelligent routing: The ability to perform traffic splitting and traffic steering over multiple versions of the service

•Resiliency: The capability to increase micro services application performance and fault tolerance by performing resiliency tests, error and fault isolation and failed service ejection.

Secure

Istio implements a Role-based Access Control (RBAC) which allow a specific determination on which service can connect to which other services. Istio uses Secure Production Identity Framework for Everyone (SPIFFE) to identify the ServiceAccount of a micro service uniquely and use that to make sure communication are allowed.

Control

Istio provides a set of Policies that allows control to be enforced based on data collected. This capability is performed by Mixer.

Observe

While enforcing the policy, Itsio also collects data that is generated by the Envoy proxies. The data can be collected as metrics into Prometheus or as tracing data that can be viewed through Jaeger and Kiali.

This chapter describes mainly the resiliency (9.5, “Service resiliency” on page 301) and security (9.6, “Achieving E2E security for microservices using Istio” on page 311) implementation using Istio, while intelligent routing is discussed in “Chapter 4 Manage your service mesh with Istio” of the IBM Redbooks IIBM Cloud Private Application Developer's Guide, SG24-8441.

9.4 Installation of Istio and enabling the application for Istio

Istio can be enabled during IBM Cloud Private installation time, or it can be installed after the cluster is set up. The IBM Knowledge Center for Cloud Private provides good guidance. You can see https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.2/manage_cluster/istio.html for more details.

Here we will introduce another approach by installing the Istio using the command-line interface, where you have more control on the options.

Tip: This approach can be used as a base in the airgap environment where you must use a local chart.

In addition, we will also demonstrate the sample bookInfo application deployed in IBM Cloud Private, where you must pay extra attention due to the enhanced security management features starting from IBM Cloud Private version 3.1.1.

9.4.1 Install Istio with the helm command

Before the installation, we assume that you have downloaded the couldctl, kubectl, and helm tools for your platform from the IBM Cloud Private dashboard.

1. Log in to IBM Cloud Private:

Run the command cloudctl -a https://Your_ICP_Host:8443/. Log in with the admin ID and password. Upon successful login, the tool sets up the kubctl and the Helm client.

2. Next you will set up the Helm repository. Run the command in Example 9-1 to add a Helm repository that points to the management repository from IBM Cloud Private.

Example 9-1 Command to add a Helm repository

helm repo add --ca-file ~/.helm/ca.pem --key-file ~/.helm/key.pem --cert-file ~/.helm/cert.pem icp https://Your_ICP_Host:8443/mgmt-repo/charts

Note that the ca-file, the key-file, and the cert-file are created automatically when you perform the first step.

Refresh the repository with the helm repo update command.

3. Create the secret for Grafana and Kali. We enable Grafana and Kali for this deployment. The secret for the console login is required. Create the files as in Example 9-2 and in Example 9-3 on page 296.

Example 9-2 Secret object for Kiali

apiVersion: v1

kind: Secretometadata:

namespace: istio-system

labels:

app: kiali

type: Opaque

data:

username: YWRtaW4K

passphrase: YWRtaW4K

Example 9-3 Secret object for Grafana

apiVersion: v1

kind: Secret

metadata:

namespace: istio-system

labels:

app: grafana

type: Opaque

data:

username: YWRtaW4K

passphrase: YWRtaW4K

Notice that the username and passphrase are base64 encoded. You can get the encoded value by running echo yourtext | base64.

4. Run the commands in Example 9-4 to apply the objects.

Example 9-4 Commands to apply the secret objects

kubectl apply -f grafana.yaml

kubectl apply -f kail.yaml

5. Now you need to customize your settings. Create a YAML file as shown in Example 9-5 to override the default settings of the istio Helm chart. Save it as vars.yaml.

You can see the values.yaml file in the chart. The default chart tarball can be downloaded with the following command:

curl -k -LO https://<Your Cluster>:8443/mgmt-repo/requiredAssets/ibm-istio-1.0.5.tgz

Example 9-5 Override the default settings of the Istio Helm chart

grafana:

enabled: true

tracing:

enabled: true

kiali:

enabled: true

Here we enable the grafana, tracing, and kiali, which are disabled by default.

6. Next you will deploy the Istio chart by running the command in Example 9-6 on page 297.

Example 9-6 Deploy the Istio Helm chart

helm.icp install --name istio --namespace istio-system -f vars.yaml icp/ibm-istio --tls

Note that the CostumResourceDefintions (CRD) no longer needs to be created separately before the deployment.

7. To validate the installation, run the command shown in Example 9-7.

Example 9-7 Validation

kubectl -n istio-system get pods -o wide

NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE

grafana-cbc8c66bb-bqdll 1/1 Running 0 103m 172.20.72.180 10.93.221.105 <none>

istio-citadel-7cc85b9986-vk7nn 1/1 Running 0 103m 172.20.72.138 10.93.221.105 <none>

istio-egressgateway-79895bb8f7-k6zfw 1/1 Running 0 103m 172.20.121.208 10.93.221.68 <none>

istio-galley-77554979fc-j2qcg 1/1 Running 0 103m 172.20.72.189 10.93.221.105 <none>

istio-ingressgateway-56758bf968-4gfmt 1/1 Running 0 103m 172.20.61.77 10.171.37.135 <none>

istio-ingressgateway-56758bf968-zjzjz 1/1 Running 0 65m 172.20.121.209 10.93.221.68 <none>

istio-pilot-599f699d55-479ct 2/2 Running 0 103m 172.20.72.185 10.93.221.105 <none>

istio-policy-f8fcb8496-sgmck 2/2 Running 0 103m 172.20.72.184 10.93.221.105 <none>

istio-sidecar-injector-864d889459-zzlq2 1/1 Running 0 103m 172.20.72.190 10.93.221.105 <none>

istio-statsd-prom-bridge-75cc7c6c45-xq72c 1/1 Running 0 103m 172.20.72.131 10.93.221.105 <none>

istio-telemetry-665689b445-vfvqb 2/2 Running 0 103m 172.20.72.150 10.93.221.105 <none>

istio-tracing-694d9bf7b4-8tlhs 1/1 Running 0 103m 172.20.72.186 10.93.221.105 <none>

kiali-749cfd5f6-5kgjw 1/1 Running 0 103m 172.20.72.183 10.93.221.105 <none>

prometheus-77c5cc6dbd-h8bxv 1/1 Running 0 103m 172.20.72.187 10.93.221.105 <none>

All the pods under the namespace istio-system are running. Notice that other than the ingressgateway and egressgateway that run on the proxy node, the rest of the services all run on the management node.

9.4.2 Enable application for Istio

With the release of IBM Cloud Private Version 3.1.1, many security enhancements are turned on by default. This section documents what extra configurations are required in order for your application to be managed by Istio.

The bookinfo application is a sample application that was developed by istio.io to demonstrate the various Istio features. We will deploy the application into a dedicated namespace, istio-exp, instead of the default namespace, which you will more likely face in a real project.

1. Create the namespace as follows:

a. You can create the namespace with the Dashboard console. Go to Menu →Manage → Namespaces, then click Create Namespace. This action displays a dialog, as shown in Figure 9-2 on page 299.

Figure 9-2 Create a namespace

b. Name the namespace istio-exp, then select ibm-privileged-psp as the Pod Security Policy.

c. Click Create.

Note: You can also create these using the kubectl create ns istio-exp kubectl command.

d. Create the file named as rolebinding.yaml with the content shown in Example 9-8.

Example 9-8 Rolebinding to bind service account to predefined cluster role

apiVersion: rbac.authorization.k8s.io/v1

kind: RoleBinding

metadata:

namespace: istio-exp

roleRef:

apiGroup: rbac.authorization.k8s.io

kind: ClusterRole

subjects:

- apiGroup: rbac.authorization.k8s.io

kind: Group

e. Then run the command kubectl apply -f rolebinding.yaml.

When Istio injects the sidecar into the pod through initContainer, it needs the privileged right. Therefore, we assign the ibm-privileged-clusterrole to the service account of the namespace. If not, you might see the error message as Example 9-9.

Example 9-9 Error message when proper PSP is nor assigned

message: 'pods "details-v1-876bf485f-m84f8" is forbidden: unable to validate against

any pod security policy: [spec.initContainers[0].securityContext.capabilities.add:

Invalid value: "NET_ADMIN": capability may not be added]'

2. Next you will create the image policy.

a. The images for the bookInfo application are not in the whitelist. To run the application, create the file, image.policy.yaml, as in Example 9-10.

Example 9-10 Image policy for the bookInfo app

apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1

kind: ImagePolicy

metadata:

namespace: istio-exp

spec:

repositories:

- name: docker.io/istio/*

b. Then apply the policy with kubectl apply -f image.policy.yaml.

3. Now you will label the namespace for istio injection. Run the command kubectl label namespace istio-exp istio-injection=enabled to tag the target namespace with the flag of istio-injection to enable the automatic sidecar injection for the namespace.

4. Deploy the application by running the command:

kubectl -n istio-exp apply -f istio/istio-1.0.6/samples/bookinfo/platform/kube/bookinfo.yaml

5. Validate that the pods are running as shown in Example 9-11.

Example 9-11 Validate that the pods are running

kubectl -n istio-exp get pods

NAME READY STATUS RESTARTS AGE

details-v1-876bf485f-k58pb 2/2 Running 0 45m

productpage-v1-8d69b45c-6thb9 2/2 Running 0 45m

ratings-v1-7c9949d479-sbt8p 2/2 Running 0 45m

reviews-v1-85b7d84c56-pntvg 2/2 Running 0 45m

reviews-v2-cbd94c99b-hbpzz 2/2 Running 0 45m

reviews-v3-748456d47b-qtcs5 2/2 Running 0 45m

Notice the 2/2 of the output. The sidecar injection adds the additional istio-proxy container and makes it into two containers.

9.4.3 Uninstallation

To uninstall Istio, run the command helm delete istio --tls --purge to delete and purge the release.

You will also need to delete the CustomResourceDefinition objects that are left over in this version. To delete these object run the command kubectl delete -f istio/ibm-mgmt-istio/templates/crds.yaml.

9.5 Service resiliency

In a distributed system, dealing with unexpected failures is one of the hardest problems to solve. For example what happens when an instance of microservice is unhealthy? Apart from detecting it, we need a mechanism to auto-correct it. With an appropriate liveness/readiness probe in POD specification we can detect if the pod is working correctly, and Kubernetes will restart it if pod is not functioning properly.

But to achieve service resiliency we need to address the following challenges.

•How to handle services which are working, but taking too long to respond due to certain environment issue?

•How to handle services that respond after certain number of retries and within a certain amount of time?

•How to stop the incoming traffic for sometime (if the service has a problem), wait for the service to “heal” itself and when it is working resume the inbound traffic automatically.

•How to set a timeout for a request landed on Kubernetes so that in a definite time frame a response is given to the client?

•How to auto-remove a pod, which is unhealthy for quite sometime?

•How to do load balancing for pods to increase the throughput and lower the latency?

Kubernetes does not fulfill the previous challenges as ready-for-use functionality; we need service mesh for it. Service mesh provides critical capabilities including service discovery, load balancing, encryption, observability, traceability, authentication, and authorization and support for the circuit breaker pattern. There are different solutions for service mesh, such as Istio, Linkerd, Conduit, and so on. We will use the Istio service mesh to discuss how to achieve service resiliency.

Istio comes with several capabilities for implementing resilience within applications. Actual enforcement of these capabilities happens in the sidecar. These capabilities will be discussed in the following sections within the context of a microservices example.

To understand the Istio capabilities we will use the example published on the following IBM Redbooks GitHub url:

https://github.com/IBMRedbooks/SG248440-IBM-Cloud-Private-System-Administrator-s-Guide/tree/master/CH8-Istio.

The details about microservices setup are given in the readme file.

9.5.1 Retry

In the two following scenarios, the retry capability of Istio can be used:

•Transient, intermittent errors can come due to environment issues for example network, storage.

•The service or pod might have gone down only briefly.

With Istio’s retry capability, it can make a few retries before having to truly deal with the error.

Example 9-12 the virtual service definition for the catalog service.

Example 9-12 Virtual service definition for the catalog service

apiVersion: networking.istio.io/v1alpha3

kind: VirtualService

metadata:s

spec:

hosts:

- catalog

http:

- route:

- destination:

host: catalog

retries:

attempts: 3

perTryTimeout: 2s

1. Create a virtual service for the catalog. See Example 9-13.

Example 9-13 Create virtual service for catalog

root@scamp1:~/istio_lab# kubectl create -f catalog_retry.yaml

virtualservice.networking.istio.io/catalog created

2. Create a destination rule for all three microservices. See Example 9-14.

Example 9-14 Create a desalination rule for all three microservices

root@scamp1:~/istio_lab# istioctl create -f destination_rule.yaml

Created config destination-rule/default/user at revision 2544618

Created config destination-rule/default/catalog at revision 2544619

Created config destination-rule/default/product at revision 2544621

3. Get cluster IP for the user microservice. See Example 9-15.

Example 9-15 Get cluster I for user microservice

root@scamp1:~/istio_lab# kubectl get svc

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

catalog ClusterIP 10.0.0.31 <none> 8000/TCP 23h

kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 23h

product ClusterIP 10.0.0.221 <none> 8000/TCP 23h

user ClusterIP 10.0.0.55 <none> 8000/TCP 23h

4. Launch the user microservice to check the responses. See Example 9-16.

Example 9-16 Launch the user microservice to check the responses

root@scamp1:~/istio_lab# ./execute.sh 10.0.0.55

user==>catalog:v1==>product:Able to fetch infromation from product service

user==>catalog:v3==>product:Able to fetch infromation from product service

user==>catalog:v2==>product::Able to fetch infromation from product service