Introducing Istio

-

lstio is an open-source implementation of a service mesh. At a high level, Istio supports the following features: 

1. Traffic management 

Using configuration, we can control the flow of traffic between services. Setting up circuit breakers, timeouts, or retries can be done with a simple configuration change. 

1. Observability 

lstio gives us a better understanding of your services through tracing, monitoring, and logging, and it allows us to detect and fix issues quickly. 

1. Security 

lstio can manage authentication, authorization, and encryption of the communication at the proxy level. We can enforce policies across services with a quick configuration change. 


lstio Components 

lstio service mesh has two pieces: a data plane and a control plane. 

When building distributed systems, separating the components into a control plane and a data plane is a common pattern. The components in the data plane are on the request path, while the control plane components help the data plane to do its work. 

The data plane in lstio consists of Envoy proxies that control the communication between services. The control plane portion of the mesh is responsible for managing and configuring the proxies. 
















Envoy (data plane) 

Envoy is a high-performance proxy developed in C++. Istio service mesh injects the Envoy proxy as a sidecar container next to your application container. The proxy then intercepts all inbound and outbound traffic for that service. Together, the injected proxies form the data plane of a service mesh. 

Envoy proxy is also the only component that interacts with the traffic. In addition to the features mentioned earlier - the load balancing, circuit breakers, fault injection, etc. Envoy also supports a pluggable extension model based on WebAssembly (WASM). The extensibility allows us to enforce custom policies and generate telemetry for the traffic in the mesh. 


Istiod (control plane) 

Istiod is the control plane component that provides service discovery, configuration, and certificate management features. Istiod takes the high-level rules written in YAML and converts them into an actionable configuration for Envoy. Then, it propagates this configuration to all sidecars in the mesh. 

The pilot component inside Istiod abstracts the platform-specific service discovery mechanisms (Kubernetes, Consul, or VMs) and converts them into a standard' format that sidecars can consume. 

Using the built-in identity and credential management, we can enable strong service-to-service and end-user authentication. With authorization features, we can control who can access your services. 

The portion of the control plane, formerly known as Citadel, acts as a certificate authority and generates certificates that allow secure mutual TLS communication between the proxies in the data plane. 

Comments

Post a Comment

Popular posts from this blog

DevOps Interview Questions

-
Questions from GIT, Jenkins, Ansible, Dockers & Containers, Kubernetes, OpenShift, AWS, CI/CD, Scripting, Linux (RHEL), Monitoring, Python GIT ########### * What is GIT ? * What is difference between GIT & Github ? * Why we use GIT ? * What is SCM & VCS ? * What are the process of pushing the code to Github Repository ? * Why do we commit ? * What are the commands of GIT to push the code ? * How you can merge a git repository with another ?  * What is branching in git ? * Different types of branching in GIT ? * What is merge conflict in git ? * How you can resolve merge conflict if you are merging same    project and in the same branch ?    Jenkins ########## * What is Jenkins ? * Why we use Jenkins ? * What are the other tools/technologies present in market other than    Jenkins for CI/CD ? * How to move Jenkins from one server to another ?    * How to create Jenkins backup ?  * What are plugins in Jenkins ? * What are
Read more

Calico Certified Operator: AWS Expert Questions & Answers

-
Section 1 Which one of the following is NOT an AWS networking concept? 1 point possible (graded, results hidden) AWS Region Virtual Private Cloud Elastic Network Interface Cloud NAT submitted Which of the following are network configuration options for the Calico CNI in BYOC clusters? 1 point possible (graded, results hidden) Select all that apply: VLAN based segmentation VXLAN encapsulation IP-IP encapsulation CrossSubnet mode submitted Why does AWS-CNI networking make use of source based routing on the nodes? 1 point possible (graded, results hidden) To provide more available IP addresses To allow the utilisation of all ENIs attached to the node To secure the node’s compute resources To ensure all pods use the same ENI submitted Which of the following are true when using the CrossSubnet mode in Calico CNI on BYOC clusters? 1 point possible (graded, results hidden) Select all that apply: It is recommended that for best performanc
Read more

CKAD Certification Exam Preparation Guide and Tips

-
Image
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. The CNCF/Linux Foundation offers this performance-based exam which targets the developer aspect of Kubernetes skills such as deploying apps, configuring apps, rolling out the application, creating persistent volumes, etc. CKAD (Certified Kubernetes Application Developer) is designed for software developers who would like to develop and deploy their containerized applications in Kubernetes. The curriculum includes the following general domains with the associated weights: Core Concepts – 13% Configuration – 18% Multi-Container Pods – 10% Observability – 18% Pod Design – 20% Services & Networking – 13% State Persistence – 8% ------------------------------------------------------------------------- After my successful achievement of CKAD Certification, I would love to share my experience and tips to clear the exam. I have  practiced a lot on kubectl  commands and
Read more