Istio is an open technology that provides a way for developers to seamlessly connect, manage and secure networks of different microservices — regardless of platform, source or vendor. Istio is currently one of the fastest-growing open source projects based on Github contributors, and its strength is its community. IBM is proud to be a founder and contributor of the Istio project and a leader of Istio Working Groups.
To learn more about the world of service mesh, read the O’Reilly ebook, Istio Explained, written by Istio control board members, Lin Sun, IBM Master Inventor, and Dan Berg, IBM Distinguished Engineer.
The following courses show how to manage microservices with IBM Cloud® Kubernetes Service and Istio.
Set up and deploy an application; scale and update applications with IBM Watson® services.
Learn how 12-factor method, microservices and Istio work in IBM Cloud Kubernetes Service.
Install Istio beside microservices as Guestbook mock application; deploy it to a cluster.
Istio is a configurable, open source service-mesh layer that connects, monitors, and secures the containers in a Kubernetes cluster. Istio works natively with Kubernetes only, but its open source nature makes it possible for anyone to write extensions enabling Istio to run on any cluster software.
Kubernetes is a container orchestration tool, and one core unit of Kubernetes is a node. A node consists of one or more containers, along with other components. Kubernetes manages availability and resource consumption of nodes, adding pods as demand increases with the pod autoscaler. Istio injects additional containers into the pod to add security, management and monitoring.
Because it is open source, Istio can run on any public cloud provider that supports it and any private cloud with willing administrators.
When organizations move to microservices, they need to support dozens or hundreds of specific applications. Managing those endpoints separately means supporting a large number of virtual machines (VMs), including demand. Cluster software like Kubernetes can create pods and scale them up, but Kubernetes does not provide routing, traffic rules, or strong monitoring or debugging tools.
Enter the service mesh.
As the number of services increases, the number of potential ways to communicate increases exponentially. Two services have only two communication paths. Three services have six, while 10 services have 90. A service mesh provides a single way to configure those communications paths by creating a policy for the communication.
A service mesh instruments the services and directs communications traffic according to a predefined configuration. Instead of configuring a running container, or writing code to do so, an administrator can provide configuration to the service mesh and have it complete that work. Previously, this had to happen with web servers and service-to-service communication.
The most common way to do this in a cluster is to use the sidecar pattern. A sidecar is a new container, inside the pod, that routes and observes communications traffic between services and containers.
Istio layers on top of Kubernetes, adding containers that are essentially invisible to the programmer and administrator. Called sidecar containers, these act as a "person in the middle," directing traffic and monitoring the interactions between components. The two work in combination in the following three ways.
Configuration: The primary method to set configuration with Kubernetes is the kubectl command, commonly kubectl -f <filename>, where the file is a YAML file. Istio users can either run new and different types of YAML files with kubectl or use the new, optional, ioctl command.
Monitoring: With Istio, you can monitor the health of your applications running with Kubernetes. Istio instrumentation can manage and visualize the health of applications, providing more insight than the general monitoring of cluster and nodes that Kubernetes provides.
Management: Because the interface for Istio is essentially the same as Kubernetes, managing it takes little additional work. Istio allows the user to create policies that impact and manage the entire Kubernetes cluster, reducing time to manage each cluster while eliminating the need for custom management code.
Istio uses a heavily extended version of Envoy to perform the monitoring, management and logging. Every pod needs to be tracked, and Istio needs to aggregate and provide information about all of the pods. One possible alternative to using Istio would be to deploy Envoy into the Kubernetes cluster directly and write management code. This is essentially recreating Istio, with the associated costs and bugs of a custom development project.