The data plane consists of one or more nodes running the microservice containers in pods. Each pod carries a sidecar proxy that handles all communication between its microservice and the rest of the mesh.
The sidecar proxy is agnostic to the language the microservice is written in because it operates on network traffic (layer 4 and, for protocols it understands such as HTTP and gRPC, layer 7) rather than inside the application process. The proxy in the data plane intercepts all inbound and outbound traffic of its microservice, which lets it perform the following tasks on the application's behalf:
- Traffic management
- Service-to-service access control (authorization)
- Authentication of the calling service (and, where configured, of end-user credentials)
- Communication encryption (TLS or mTLS)
- Monitoring
- Logging
- Timeouts
- Rate limits
- Retries
- Circuit breaking
- Load balancing
- Health checks
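As an added example, not part of the original page, the manifests below show how most of the items in this list are expressed as data-plane policy when the mesh is Istio. The choice of Istio, the `shop` namespace, the `orders` and `frontend` services, the `app: orders` pod label and the `frontend` service account are assumptions made for illustration; every field name is from the Istio API.

```yaml
# Added example (not from the original page): Istio data-plane policy for a
# hypothetical "orders" service in the "shop" namespace. All names are assumed.

# Communication encryption and service authentication: the sidecar accepts
# only mTLS connections, so the peer identity comes from its workload cert.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT
---
# Service-to-service access control: only the frontend workload identity may
# call orders, and only with these methods and paths. Once an ALLOW policy
# selects a workload, requests that match no rule are denied by the sidecar.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/orders", "/orders/*"]
---
# Traffic management, timeouts and retries, enforced by the caller's sidecar.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: orders
  namespace: shop
spec:
  hosts:
  - orders
  http:
  - route:
    - destination:
        host: orders
    timeout: 3s            # overall deadline for the request
    retries:
      attempts: 2
      perTryTimeout: 1s
      retryOn: connect-failure,reset,503
---
# Load balancing, connection and concurrency limits (backpressure, not a
# per-client request-rate limit) and circuit breaking via outlier detection.
# The tls block makes the client side originate mTLS to orders.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: orders
  namespace: shop
spec:
  host: orders
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
    loadBalancer:
      simple: LEAST_REQUEST
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 50
        maxRequestsPerConnection: 10
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
```

Apply with `kubectl apply -f` to a cluster where the `shop` namespace is labelled `istio-injection=enabled`; the policies only take effect for pods that actually have the sidecar injected, since it is the sidecar, not the application, that enforces them. Two things worth checking in practice: with `STRICT` mTLS, any client that reaches `orders` without a sidecar is refused at the TLS layer, and the `AuthorizationPolicy` matches on the SPIFFE identity of the caller's certificate, so the `frontend` service account, not the pod name or IP, is what is being authorized. Per-client rate limiting is not shown here; in Istio it is configured separately (for example with an Envoy local rate limit filter) rather than through the `DestinationRule` connection pool.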
Kubernetes schedules pods as single units: all containers in a pod share one network namespace, so they have the same IP address and port space and can reach each other over localhost. This is what lets the sidecar intercept the application container's traffic transparently, without the application being aware of it. All of the sidecar proxies together form the data plane, and the control plane and data plane together form the service mesh.
A service mesh proxy can be deployed in both Kubernetes and non-Kubernetes environments.
In a Kubernetes environment, the sidecar proxy runs inside the application pod, and a node may host many such pods. In a non-Kubernetes environment, such as a VM or bare-metal host, the proxy runs at the host level and fronts the workloads on that host. In either case the security guarantees of the mesh depend on the application not being able to bypass its proxy, so the interception mechanism itself must be protected from the workload it serves. The next section looks at sidecar proxies in more detail.