Uploaded byKarenBruner
108 views

How to Make Istio Work with Your App

This document discusses how to make Istio work with applications and provides best practices for long-term success. It introduces service mesh concepts and Istio, discusses when to adopt Istio, describes common issues and solutions when using Istio, and recommends strategies like version controlling Istio configs and providing feedback to the Istio community.

Embed presentation

Download to read offline
How to Make IstioWork withYour App Karen Bruner
2©2019 StackRox. All rights reserved. Overview 1. Quick intro to Istio and Service Mesh concepts 2. Deciding to adopt Istio 3. Debugging issues with Istio routing 4. Common problems (and solutions) with Istio 5. Strategies and practices for long-term success
3©2019 StackRox. All rights reserved. Overview of the Istio Service Mesh • What is a service mesh? • Infrastructure layer dedicated to managing service-to-service communications • Istio • Background • Built on Lyft’s Envoy proxy • Joint project by Google, IBM, and Lyft • Features and capabilities • Security: zero-trust model, mTLS, authentication, authorization • Service routing: load balancing, HTTP request routing, A/B testing, throttling, deployment canaries, traffic shifting, traffic mirroring, fault injection • Visibility: detailed connection and request logging, request tracing • Multi-cluster mesh
4©2019 StackRox. All rights reserved. Istio Architecture
5©2019 StackRox. All rights reserved. Do you need Istio? • Driving factors • Security • Microservice visibility • Intelligent request routing • Counterarguments • Steep learning curve • Operational complexity • Other considerations • Istio’s tools and performance keep improving with each release • Adoption of most individual features and security restrictions can be turned on later
6©2019 StackRox. All rights reserved. Istio Debugging andTroubleshooting • Network connection logging • istio-proxy sidecar container logs • Log-level can be set globally or on-the-fly per pod • curl -s -XPOST http://localhost:15000/logging?level=debug • Mixer telemetry container logs (may change with Istio v1.4+) • kubectl logs -l app=telemetry -n istio-system -c mixer • Configuration propagation • Pilot logs • kubectl logs -l app=pilot -n istio-system -c discovery • istioctl • CLI • Interface for various Istio Control Plane services • Growing set of troubleshooting tools
7©2019 StackRox. All rights reserved. istioctl
8©2019 StackRox. All rights reserved. Common Application Issues Use case / Issue Best Solution Workarounds Proxy start-up latency Application should retry network connections Wrap your container command: ... spec: template: spec: containers: - name: my-app args: - 'while ! wget -q -O - http://localhost:15000/server_info | grep ''"state": "LIVE"''; do echo Waiting for proxy; done; echo Istio-proxy ready; exec /entrypoint' command: - /bin/sh - -c
9©2019 StackRox. All rights reserved. Use case / Issue Best Solution Workarounds Kubernetes liveness/readiness probes and mTLS ● Use a separate port on the application container for health checks ● Exec check ● Global (for all Istio-managed services): Pass the --set values.sidecarInjectorWebhook.rewriteAppHTTP Probe=true option to helm ● Per deployment: add sidecar.istio.io/rewriteAppHTTPProbers: "true" annotation to the pod spec Mixed-protocol ports Use a different application container port for each protocol type Add a small proxy to the pod to handle one protocol Non-TCP protocols Use Kubernetes Network Policies to control service ingress and egress for UDP and SCTP
10©2019 StackRox. All rights reserved. Use case / Issue Best Solution Workarounds Pod Security Policies or Contexts breaking istio-init container Use istio CNI to handle iptables rules outside application pods Services with their ownTLS certs ● Use your own CA in Citadel ● Convert application to use Istio auth Set mTLS mode to PERMISSIVE (could be security issue) Headless services ● Internal traffic: Add an Istio ServiceEntry resource per pod in the StatefulSet (cassandra-0, cassandra-1, etc) ● Traffic from outside mesh: Add Istio VirtualService entry per pod
11©2019 StackRox. All rights reserved. Long-term Strategies for Success with Istio • Keep Istio resource manifests with all other Kubernetes manifests for an application • Version controlled • Apply identical configs in pre-production environments as production • Create internal “library” of Istio resource manifest templates for different application types • Leverage the metrics and details Istio collects to show value and drive stack improvements • Suggest improvements to Istio • Open a feature request on GitHub • Join the Istio Slack channel
12©2019 StackRox. All rights reserved. Me + More • More Istio information at https://www.stackrox.com/post/ • Me: Karen Bruner • Personal tech blog: https://nightmare-before-devops.xyz/ • LinkedIn: https://www.linkedin.com/in/kmbruner • My cats:

More Related Content

PDF
Istio service mesh introduction
byKyohei Mizumoto
 
PDF
Introduction to Istio on Kubernetes
byJonh Wendell
 
PPTX
Getting the Most Value from Your Aviatrix Controller & Gateways
byKhash Nakhostin
 
PPTX
MicroProfile as the Istio Programming Model | Virtual Eclipse Community Meetup
byStephanie Swart
 
PDF
Securing Microservices with Istio
byDaniel Berg
 
PPTX
Istio
byMichael Frembs
 
PDF
Five Connectivity and Security Use Cases for Azure VNets
byKhash Nakhostin
 
PDF
Network Troubleshooting in the Cloud: Tools, Techniques and Gotchas
byKhash Nakhostin
 
Istio service mesh introduction
byKyohei Mizumoto
 
Introduction to Istio on Kubernetes
byJonh Wendell
 
Getting the Most Value from Your Aviatrix Controller & Gateways
byKhash Nakhostin
 
MicroProfile as the Istio Programming Model | Virtual Eclipse Community Meetup
byStephanie Swart
 
Securing Microservices with Istio
byDaniel Berg
 
Istio
byMichael Frembs
 
Five Connectivity and Security Use Cases for Azure VNets
byKhash Nakhostin
 
Network Troubleshooting in the Cloud: Tools, Techniques and Gotchas
byKhash Nakhostin
 

What's hot

PDF
Security Requirements and Tradeoffs for Controlling VPC-to-Internet Egress Tr...
byKhash Nakhostin
 
PDF
Securely Connecting Your Customers to Their Cloud-Hosted App – In Minutes
byKhash Nakhostin
 
PDF
Three Innovations that Define a “Next-Generation Global Transit Hub”
byKhash Nakhostin
 
PDF
Introduction to Istio Service Mesh
byGeorgios Andrianakis
 
PDF
Securing Your AWS Global Transit Network: Are You Asking the Right Questions?
byKhash Nakhostin
 
PDF
Using Istio to Secure & Monitor Your Services
byAlcide
 
PDF
What You Need to Know About Operationalizing Your AWS Transit Hub
byKhash Nakhostin
 
PDF
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t Enough
byKhash Nakhostin
 
PPTX
Istio - A Service Mesh for Microservices as Scale
byRam Vennam
 
PDF
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
byapidays
 
PDF
Cisco Connect Toronto 2017 - Model-driven Telemetry
byCisco Canada
 
PDF
Microservice API Gateways with NGINX
byGeoffrey Filippi
 
PDF
Control Kubernetes Ingress and Egress Together with NGINX
byNGINX, Inc.
 
PDF
API Gateway Use Cases​ for Kubernetes​
byNGINX, Inc.
 
PDF
Fundamentals of microservices
byNGINX, Inc.
 
PPTX
Production-Grade Kubernetes With NGINX Ingress Controller
byNGINX, Inc.
 
PDF
Microservices:
 The phantom menace
. Istio Service Mesh: 
the new hope
bySergii Bishyr
 
PPTX
D3SF17- Boost Your Website Performance with Application Delivery Rules
byImperva Incapsula
 
PDF
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
byCisco Canada
 
PPTX
NGINX Controller: Configuration, Management, and Troubleshooting at Scale
byNGINX, Inc.
 
Security Requirements and Tradeoffs for Controlling VPC-to-Internet Egress Tr...
byKhash Nakhostin
 
Securely Connecting Your Customers to Their Cloud-Hosted App – In Minutes
byKhash Nakhostin
 
Three Innovations that Define a “Next-Generation Global Transit Hub”
byKhash Nakhostin
 
Introduction to Istio Service Mesh
byGeorgios Andrianakis
 
Securing Your AWS Global Transit Network: Are You Asking the Right Questions?
byKhash Nakhostin
 
Using Istio to Secure & Monitor Your Services
byAlcide
 
What You Need to Know About Operationalizing Your AWS Transit Hub
byKhash Nakhostin
 
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t Enough
byKhash Nakhostin
 
Istio - A Service Mesh for Microservices as Scale
byRam Vennam
 
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
byapidays
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
byCisco Canada
 
Microservice API Gateways with NGINX
byGeoffrey Filippi
 
Control Kubernetes Ingress and Egress Together with NGINX
byNGINX, Inc.
 
API Gateway Use Cases​ for Kubernetes​
byNGINX, Inc.
 
Fundamentals of microservices
byNGINX, Inc.
 
Production-Grade Kubernetes With NGINX Ingress Controller
byNGINX, Inc.
 
Microservices:
 The phantom menace
. Istio Service Mesh: 
the new hope
bySergii Bishyr
 
D3SF17- Boost Your Website Performance with Application Delivery Rules
byImperva Incapsula
 
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
byCisco Canada
 
NGINX Controller: Configuration, Management, and Troubleshooting at Scale
byNGINX, Inc.
 

Similar to How to Make Istio Work with Your App

PDF
Istio Triangle Kubernetes Meetup Aug 2019
byRam Vennam
 
PDF
Managing Microservices With The Istio Service Mesh on Kubernetes
byIftach Schonbaum
 
PDF
Introduction-to-Service-Mesh-with-Istio-and-Kiali-OSS-Japan-July-2019.pdf
byALVAROEMMANUELSOCOPP
 
PDF
Introduction-to-Service-Mesh-with-Istio-and-Kiali-OSS-Japan-July-2019.pdf
byTinaCondrache1
 
PDF
21st Docker Switzerland Meetup - ISTIO
byNiklaus Hirt
 
PDF
Managing microservices with Istio Service Mesh
byRafik HARABI
 
PDF
Istio Up Running Using a Service Mesh to Connect Secure Control and Observe 1...
bykecketatyz
 
PPTX
Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
PDF
Service Mesh in Practice
byBallerina
 
PPTX
ISTIO Deep Dive
byYong Feng
 
PDF
Service mesh on Kubernetes - Istio 101
byHuy Vo
 
PDF
Istio and Kubernetes Relationship
byKnoldus Inc.
 
PDF
Istio in Action 1st Edition Christian E. Posta
bykselacuchy
 
PDF
Hello istio
byJooho Lee
 
PDF
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
byCodeOps Technologies LLP
 
PPTX
Debugging Your Debugging Tools: What to do When Your Service Mesh Goes Down
byAspen Mesh
 
PPTX
Service Meshes with Istio
byRandyGupta
 
PDF
Service Mesh For Beginner
byMien Dinh
 
PPTX
Microservices With Istio Service Mesh
byNatanael Fonseca
 
PDF
Stop reinventing the wheel with Istio by Mete Atamel (Google)
byCodemotion
 
Istio Triangle Kubernetes Meetup Aug 2019
byRam Vennam
 
Managing Microservices With The Istio Service Mesh on Kubernetes
byIftach Schonbaum
 
Introduction-to-Service-Mesh-with-Istio-and-Kiali-OSS-Japan-July-2019.pdf
byALVAROEMMANUELSOCOPP
 
Introduction-to-Service-Mesh-with-Istio-and-Kiali-OSS-Japan-July-2019.pdf
byTinaCondrache1
 
21st Docker Switzerland Meetup - ISTIO
byNiklaus Hirt
 
Managing microservices with Istio Service Mesh
byRafik HARABI
 
Istio Up Running Using a Service Mesh to Connect Secure Control and Observe 1...
bykecketatyz
 
Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Service Mesh in Practice
byBallerina
 
ISTIO Deep Dive
byYong Feng
 
Service mesh on Kubernetes - Istio 101
byHuy Vo
 
Istio and Kubernetes Relationship
byKnoldus Inc.
 
Istio in Action 1st Edition Christian E. Posta
bykselacuchy
 
Hello istio
byJooho Lee
 
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
byCodeOps Technologies LLP
 
Debugging Your Debugging Tools: What to do When Your Service Mesh Goes Down
byAspen Mesh
 
Service Meshes with Istio
byRandyGupta
 
Service Mesh For Beginner
byMien Dinh
 
Microservices With Istio Service Mesh
byNatanael Fonseca
 
Stop reinventing the wheel with Istio by Mete Atamel (Google)
byCodemotion
 

Recently uploaded

PPTX
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
PDF
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
PPTX
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
PDF
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
PPTX
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
PDF
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
PDF
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
PDF
[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels
byWintari Yasmin
 
PDF
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
PPTX
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
PDF
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
PDF
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
PPTX
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
PDF
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
PDF
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
PDF
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
PDF
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
PDF
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels
byWintari Yasmin
 
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 

How to Make Istio Work with Your App

  • 1.
    How to MakeIstioWork withYour App Karen Bruner
  • 2.
    2©2019 StackRox. Allrights reserved. Overview 1. Quick intro to Istio and Service Mesh concepts 2. Deciding to adopt Istio 3. Debugging issues with Istio routing 4. Common problems (and solutions) with Istio 5. Strategies and practices for long-term success
  • 3.
    3©2019 StackRox. Allrights reserved. Overview of the Istio Service Mesh • What is a service mesh? • Infrastructure layer dedicated to managing service-to-service communications • Istio • Background • Built on Lyft’s Envoy proxy • Joint project by Google, IBM, and Lyft • Features and capabilities • Security: zero-trust model, mTLS, authentication, authorization • Service routing: load balancing, HTTP request routing, A/B testing, throttling, deployment canaries, traffic shifting, traffic mirroring, fault injection • Visibility: detailed connection and request logging, request tracing • Multi-cluster mesh
  • 4.
    4©2019 StackRox. Allrights reserved. Istio Architecture
  • 5.
    5©2019 StackRox. Allrights reserved. Do you need Istio? • Driving factors • Security • Microservice visibility • Intelligent request routing • Counterarguments • Steep learning curve • Operational complexity • Other considerations • Istio’s tools and performance keep improving with each release • Adoption of most individual features and security restrictions can be turned on later
  • 6.
    6©2019 StackRox. Allrights reserved. Istio Debugging andTroubleshooting • Network connection logging • istio-proxy sidecar container logs • Log-level can be set globally or on-the-fly per pod • curl -s -XPOST http://localhost:15000/logging?level=debug • Mixer telemetry container logs (may change with Istio v1.4+) • kubectl logs -l app=telemetry -n istio-system -c mixer • Configuration propagation • Pilot logs • kubectl logs -l app=pilot -n istio-system -c discovery • istioctl • CLI • Interface for various Istio Control Plane services • Growing set of troubleshooting tools
  • 7.
    7©2019 StackRox. Allrights reserved. istioctl
  • 8.
    8©2019 StackRox. Allrights reserved. Common Application Issues Use case / Issue Best Solution Workarounds Proxy start-up latency Application should retry network connections Wrap your container command: ... spec: template: spec: containers: - name: my-app args: - 'while ! wget -q -O - http://localhost:15000/server_info | grep ''"state": "LIVE"''; do echo Waiting for proxy; done; echo Istio-proxy ready; exec /entrypoint' command: - /bin/sh - -c
  • 9.
    9©2019 StackRox. Allrights reserved. Use case / Issue Best Solution Workarounds Kubernetes liveness/readiness probes and mTLS ● Use a separate port on the application container for health checks ● Exec check ● Global (for all Istio-managed services): Pass the --set values.sidecarInjectorWebhook.rewriteAppHTTP Probe=true option to helm ● Per deployment: add sidecar.istio.io/rewriteAppHTTPProbers: "true" annotation to the pod spec Mixed-protocol ports Use a different application container port for each protocol type Add a small proxy to the pod to handle one protocol Non-TCP protocols Use Kubernetes Network Policies to control service ingress and egress for UDP and SCTP
  • 10.
    10©2019 StackRox. Allrights reserved. Use case / Issue Best Solution Workarounds Pod Security Policies or Contexts breaking istio-init container Use istio CNI to handle iptables rules outside application pods Services with their ownTLS certs ● Use your own CA in Citadel ● Convert application to use Istio auth Set mTLS mode to PERMISSIVE (could be security issue) Headless services ● Internal traffic: Add an Istio ServiceEntry resource per pod in the StatefulSet (cassandra-0, cassandra-1, etc) ● Traffic from outside mesh: Add Istio VirtualService entry per pod
  • 11.
    11©2019 StackRox. Allrights reserved. Long-term Strategies for Success with Istio • Keep Istio resource manifests with all other Kubernetes manifests for an application • Version controlled • Apply identical configs in pre-production environments as production • Create internal “library” of Istio resource manifest templates for different application types • Leverage the metrics and details Istio collects to show value and drive stack improvements • Suggest improvements to Istio • Open a feature request on GitHub • Join the Istio Slack channel
  • 12.
    12©2019 StackRox. Allrights reserved. Me + More • More Istio information at https://www.stackrox.com/post/ • Me: Karen Bruner • Personal tech blog: https://nightmare-before-devops.xyz/ • LinkedIn: https://www.linkedin.com/in/kmbruner • My cats: