Istio in Action
Solve difficult service-to-service communication challenges around security, observability, routing, and resilience with an Istio-based service mesh. Istio allows you to define these traffic policies as configuration and enforce them consistently without needing any service-code changes.

In Istio in Action you will learn:

Why and when to use a service mesh
Envoy’s role in Istio’s service mesh
Allowing “North-South” traffic into a mesh
Fine-grained traffic routing
Make your services robust to network failures
Gain observability over your system with telemetry “golden signals”
How Istio makes your services secure by default
Integrate cloud-native applications with legacy workloads such as in VMs

Reduce the operational complexity of your microservices with an Istio-powered service mesh! Istio in Action shows you how to implement this powerful new architecture and move your application-networking concerns to a dedicated infrastructure layer. Non-functional concerns stay separate from your application, so your code is easier to understand, maintain, and adapt regardless of programming language. In this practical guide, you’ll go hands-on with the full-featured Istio service mesh to manage microservices communication. Helpful diagrams and worked example configurations make it easy to understand how to control routing, secure container applications, and monitor network traffic.

Foreword by Eric Brewer.

Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.

About the technology
Offload complex microservice communication layer challenges to Istio! The industry-standard Istio service mesh radically simplifies security, routing, observability, and other service-to-service communication challenges. With Istio, you use a straightforward declarative configuration style to establish application-level network policies. By separating communication from business logic, your services are easier to write, maintain, and modify.

About the book
Istio in Action teaches you how to implement an Istio-based service mesh that can handle complex routing scenarios, traffic encryption, authorization, and other common network-related tasks. You’ll start by defining a basic service mesh and exploring the data plane with Istio’s service proxy, Envoy. Then, you’ll dive into core topics like traffic routing, visualization, and service-to-service authentication, as you expand your service mesh to workloads on multiple clusters and legacy VMs.

What's inside

Comprehensive coverage of Istio resources
Practical examples to showcase service mesh capabilities
Implementation of multi-cluster service meshes
How to extend Istio with WebAssembly
Traffic routing and observability
VM integration into the mesh

About the reader
For developers, architects, and operations engineers.

About the author
Christian Posta is a well-known architect, speaker, and contributor. Rinor Maloku is an engineer at Solo.io working on application networking solutions.

Table of Contents
PART 1 UNDERSTANDING ISTIO
1 Introducing the Istio service mesh
2 First steps with Istio
3 Istio’s data plane: The Envoy proxy
PART 2 SECURING, OBSERVING, AND CONTROLLING YOUR SERVICE’S NETWORK TRAFFIC
4 Istio gateways: Getting traffic into a cluster
5 Traffic control: Fine-grained traffic routing
6 Resilience: Solving application networking challenges
7 Observability: Understanding the behavior of your services
8 Observability: Visualizing network behavior with Grafana, Jaeger, and Kiali
9 Securing microservice communication
PART 3 ISTIO DAY-2 OPERATIONS
10 Troubleshooting the data plane
11 Performance-tuning the control plane
PART 4 ISTIO IN YOUR ORGANIZATION
12 Scaling Istio in your organization
13 Incorporating virtual machine workloads into the mesh
14 Extending Istio on the request path

Product Details

ISBN-13: 9781617295829
Publisher: Manning
Publication date: 04/26/2022
Pages: 480
Product dimensions: 7.38(w) x 9.25(h) x 0.90(d)

About the Author

Christian Posta is Global Field CTO at Solo.io, and well known in the cloud-native community for being an architect, engineer, author, speaker, and contributor to various open-source projects in the service mesh and cloud-native ecosystem.

Rinor Maloku is a software and DevOps engineer working at Red Hat. As a member of the Platform-as-a-Service team, he builds middleware software ensuring the high-availability, resiliency, and scalability of customer-facing apps. Prior to that, he consulted multiple DAX 30 member companies in their endeavour to utilise the full potential of cloud computing and the Cloud Native Computing Foundation technologies.

Table of Contents

Foreword xvii
Preface xix
Acknowledgments xxi
About this book xxiii
About the authors xxvii
About the cover illustration xxviii

Part 1 Understanding Istio 1
1 Introducing the Istio service mesh 3
1.1 Challenges of going faster 5
  Our cloud infrastructure is not reliable 6
  Making service interactions resilient 7
  Understanding what's happening in real time 8
1.2 Solving these challenges with application libraries 8
  Drawbacks to application-specific libraries 9
1.3 Pushing these concerns to the infrastructure 11
  The application-aware service proxy 11
  Meet the Envoy proxy 12
1.4 What's a service mesh? 13
1.5 Introducing the Istio service mesh 15
  How a service mesh relates to an enterprise service bus 17
  How a service mesh relates to an API gateway 18
  Can I use Istio for non-microservices deployments? 20
  Where Istio fits in distributed architectures 21
  What are the drawbacks to using a service mesh? 22
2 First steps with Istio 24
2.1 Deploying Istio on Kubernetes 25
  Using Docker Desktop for the examples 25
  Getting the Istio distribution 26
  Installing the Istio components into Kubernetes 27
2.2 Getting to know the Istio control plane 29
  Istiod 30
  Ingress and egress gateway 33
2.3 Deploying your first application in the service mesh 34
2.4 Exploring the power of Istio with resilience, observability, and traffic control 39
  Istio observability 40
  Istio for resiliency 47
  Istio for traffic routing 49
3 Istio's data plane: The Envoy proxy 54
3.1 What is the Envoy proxy? 55
  Envoy's core features 57
  Comparing Envoy to other proxies 61
3.2 Configuring Envoy 62
  Static configuration 62
  Dynamic configuration 63
3.3 Envoy in action 65
  Envoy's Admin API 69
  Envoy request retries 69
3.4 How Envoy fits with Istio 71

Part 2 Securing, Observing, and Controlling Your Service's Network Traffic 75
4 Istio gateways: Getting traffic into a cluster 77
4.1 Traffic ingress concepts 78
  Virtual IPs: Simplifying service access 78
  Virtual hosting: Multiple services from a single access point 79
4.2 Istio ingress gateways 80
  Specifying Gateway resources 82
  Gateway routing with virtual services 83
  Overall view of traffic flow 86
  Istio ingress gateway vs. Kubernetes Ingress 87
  Istio ingress gateway vs. API gateways 88
4.3 Securing gateway traffic 88
  HTTP traffic with TLS 89
  HTTP redirect to HTTPS 93
  HTTP traffic with mutual TLS 94
  Serving multiple virtual hosts with TLS 97
4.4 TCP traffic 98
  Exposing TCP ports on an Istio gateway 99
  Traffic routing with SNI passthrough 101
4.5 Operational tips 104
  Split gateway responsibilities 104
  Gateway injection 105
  Ingress gateway access logs 106
  Reducing gateway configuration 107
5 Traffic control: Fine-grained traffic routing 110
5.1 Reducing the risk of deploying new code 111
  Deployment vs. release 111
5.2 Routing requests with Istio 114
  Cleaning up our workspace 114
  Deploying v1 of the catalog service 115
  Deploying v2 of the catalog service 116
  Routing all traffic to v1 of the catalog service 117
  Routing specific requests to v2 119
  Routing deep within a call graph 120
5.3 Traffic shifting 122
  Canary releasing with Flagger 124
5.4 Reducing risk even further: Traffic mirroring 129
5.5 Routing to services outside your cluster by using Istio's service discovery 131
6 Resilience: Solving application networking challenges 136
6.1 Building resilience into the application 137
  Building resilience into application libraries 137
  Using Istio to solve these problems 138
  Decentralized implementation of resilience 138
6.2 Client-side load balancing 139
  Getting started with client-side load balancing 140
  Setting up our scenario 142
  Testing various client-side load-balancing strategies 144
  Understanding the different load-balancing algorithms 147
6.3 Locality-aware load balancing 149
  Hands-on with locality load balancing 149
  More control over locality load balancing with weighted distribution 153
6.4 Transparent timeouts and retries 156
  Timeouts 156
  Retries 158
  Advanced retries 164
6.5 Circuit breaking with Istio 166
  Guarding against slow services with connection-pool control 168
  Guarding against unhealthy services with outlier detection 173
7 Observability: Understanding the behavior of your services 177
7.1 What is observability? 178
  Observability vs. monitoring 179
  How Istio helps with observability 179
7.2 Exploring Istio metrics 180
  Metrics in the data plane 180
  Metrics in the control plane 186
7.3 Scraping Istio metrics with Prometheus 187
  Setting up Prometheus and Grafana 189
  Configuring the Prometheus Operator to scrape the Istio control plane and workloads 190
7.4 Customizing Istio's standard metrics 193
  Configuring existing metrics 196
  Creating new metrics 200
  Grouping calls with new attributes 202
8 Observability: Visualizing network behavior with Grafana, Jaeger, and Kiali 205
8.1 Using Grafana to visualize Istio service and control-plane metrics 205
  Setting up Istio's Grafana dashboards 207
  Viewing control-plane metrics 208
  Viewing data-plane metrics 209
8.2 Distributed tracing 209
  How does distributed tracing work? 210
  Installing a distributed tracing system 212
  Configuring Istio to perform distributed tracing 213
  Viewing distributed tracing data 216
  Trace sampling, force traces, and custom tags 217
8.3 Visualization with Kiali 223
  Installing Kiali 223
  Conclusion 228
9 Securing microservice communication 230
9.1 The need for application-networking security 230
  Service-to-service authentication 231
  End-user authentication 231
  Authorization 231
  Comparison of security in monoliths and microservices 231
  How Istio implements SPIFFE 233
  Istio security in a nutshell 233
9.2 Auto mTLS 234
  Setting up the environment 235
  Understanding Istio's PeerAuthentication resource 236
9.3 Authorizing service-to-service traffic 242
  Understanding authorization in Istio 243
  Setting up the workspace 244
  Behavior changes when a policy is applied to a workload 245
  Denying all requests by default with a catch-all policy 246
  Allowing requests originating from a single namespace 247
  Allowing requests from non-authenticated legacy workloads 248
  Allowing requests from a single service account 248
  Conditional matching of policies 249
  Understanding value-match expressions 250
  Understanding the order in which authorization policies are evaluated 252
9.4 End-user authentication and authorization 252
  What is a JSON web token? 252
  End-user authentication and authorization at the ingress gateway 255
  Validating JWTs with RequestAuthentication 255
9.5 Integrating with custom external authorization services 260
  Hands-on with external authorization 261
  Configuring Istio for ExtAuthz 262
  Using a custom AuthorizationPolicy resource 263

Part 3 Istio Day-2 operations 265
10 Troubleshooting the data plane 267
10.1 The most common mistake: A misconfigured data plane 268
10.2 Identifying data-plane issues 270
  How to verify that the data plane is up to date 270
  Discovering misconfigurations with Kiali 272
  Discovering misconfigurations with istioctl 274
10.3 Discovering misconfigurations manually from the Envoy config 275
  Envoy administration interface 276
  Querying proxy configurations using istioctl 276
  Troubleshooting application issues 282
  Inspect network traffic with ksniff 288
10.4 Understanding your application using Envoy telemetry 291
  Finding the rate of failing requests in Grafana 291
  Querying the affected Pods using Prometheus 292
11 Performance-tuning the control plane 295
11.1 The control plane's primary goal 295
  Understanding the steps of data-plane synchronization 297
  Factors that determine performance 298
11.2 Monitoring the control plane 298
  The four golden signals of the control plane 299
11.3 Tuning performance 303
  Setting up the workspace 304
  Measuring performance before optimizations 305
  Ignoring events: Reducing the scope of discovery using discovery selectors 309
  Event-batching and push-throttling properties 310
11.4 Performance tuning guidelines 314

Part 4 Istio in your organization 317
12 Scaling Istio in your organization 319
12.1 The benefits of a multi-cluster service mesh 320
12.2 Overview of multi-cluster service meshes 320
  Istio multi-cluster deployment models 321
  How workloads are discovered in multi-cluster deployments 323
  Cross-cluster workload connectivity 324
  Common trust between clusters 324
12.3 Overview of a multi-cluster, multi-network, multi-control-plane service mesh 326
  Choosing the multi-cluster deployment model 327
  Setting up the cloud infrastructure 327
  Configuring plug-in CA certificates 328
  Installing the control planes in each cluster 329
  Enabling cross-cluster workload discovery 333
  Setting up cross-cluster connectivity 335
  Load-balancing across clusters 341
13 Incorporating virtual machine workloads into the mesh 347
13.1 Istio's VM support 348
  Simplifying sidecar proxy installation and configuration in a VM 348
  Virtual machine high availability 351
  DNS resolution of in-mesh services 354
13.2 Setting up the infrastructure 355
  Setting up the service mesh 356
  Provisioning the VM 357
13.3 Mesh expansion to VMs 359
  Exposing istiod and cluster services to the VM 360
  Representing a group of workloads with a WorkloadGroup 361
  Installing and configuring the istio-agent in the VM 363
  Routing traffic to cluster services 366
  Routing traffic to the WorkloadEntry 367
  VMs are configured by the control plane: Enforcing mutual authentication 371
13.4 Demystifying the DNS proxy 372
  How the DNS proxy resolves cluster hostnames 372
  Which hostnames is the DNS proxy aware of? 374
13.5 Customizing the agent's behavior 375
13.6 Removing a WorkloadEntry from the mesh 375
14 Extending Istio on the request path 378
14.1 Envoy's extension capabilities 379
  Understanding Envoy's filter chaining 379
  Filters intended for extension 382
  Customizing Istio's data plane 382
14.2 Configuring an Envoy filter with the EnvoyFilter resource 383
14.3 Rate-limiting requests with external call-out 387
  Understanding Envoy rate limiting 388
14.4 Extending Istio's data plane with Lua 392
14.5 Extending Istio's data plane with WebAssembly 395
  Introducing WebAssembly 395
  Why WebAssembly for Envoy? 396
  Building a new Envoy filter with WebAssembly 396
  Building a new Envoy filter with the meshctl tool 397
  Deploying a new WebAssembly Envoy filter 399

Appendix A Customizing the Istio installation 401
Appendix B Istio's sidecar and its injection options 408
Appendix C Istio security: SPIFFE 414
Appendix D Troubleshooting Istio components 424
Appendix E How the virtual machine is configured to join the mesh 433
Index 435
