As new technology scales rapidly, it is imperative that communication between services and microservices is set up to be structurally resistant to attacks and mishaps. A service mesh plays exactly that role and fills the gap.
What is a service mesh?
- A service mesh is a dedicated infrastructure layer for facilitating service-to-service communications between services or microservices, using a proxy sidecar for each pod.
- A proxy sidecar is just another container that runs alongside the containers inside a pod. Any inbound or outbound requests for these containers are routed through the sidecar container.
- This gives us the power to intercept communications and enforce rules on these requests via the proxies. We can configure these proxies cluster-wide, namespace-wide, or even separately for each microservice.
- To sum it up, a service mesh helps us solve the problems described in the next section without any application code changes.
Why do we need a service mesh?
When working with a Kubernetes cluster, the following issues must be addressed:
1. No firewall to block communication between two pods
(A) Consider a simple Kubernetes cluster with only 3 namespaces and the following assumptions -
- services from namespace A and namespace B need to communicate with each other
- services from namespace B and namespace C need to communicate with each other
- services from namespace A and namespace C don’t need to communicate with each other
(B) To maximize security, we must ensure that no microservice in namespace A can communicate with any microservice in namespace C. In this simple scenario it may seem like a small task, but in real-life deployments there are many namespaces, each with its own applications and microservices. Configuring these firewalls becomes a big hassle very quickly.
2. Inter-pod communication is unencrypted
Consider the scenario where an attacker has managed to get access to one of the containers inside our cluster. They can now read any traffic coming in to or going out of that container. We can prevent this by enabling mutual TLS between our microservices, but in any real deployment there may be hundreds of microservices, and manually creating and managing certificates for each of them is a big and tedious task.
3. Monitoring and observability
We need to monitor our microservices to see whether any service is returning non-2XX responses, or is down or unreachable. Again, setting this up across the entire cluster is a very tedious task.
4. No uniform structure for solving the above issues
Developers can make application-side changes to resolve the above problems, but those changes would then have to be replicated in every application or microservice we run, which is redundant work. This greatly increases the time needed to move an application from dev to production.
Features of Istio Service Mesh
Istio has 3 major features:
1. Traffic Management
Istio simplifies the configuration of service-level properties such as retries and timeouts, along with traffic splitting and load balancing.
2. Security
Istio provides simple solutions to maximize security. With the help of sidecars, Istio can verify the identity of each pod and encrypt the communication between them, and it also supports authentication and authorization policies.
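The two security problems above (no firewall between namespaces, and unencrypted inter-pod traffic) can be addressed with a small amount of Istio configuration. The following is an added example, not from the original article; it assumes Istio is installed in the istio-system root namespace and that the namespaces called A, B and C are named "a", "b" and "c" (placeholder names).

```yaml
# Added example (not from the original article). Assumes Istio is installed
# in istio-system and that namespaces A/B/C are named "a", "b" and "c".
#
# 1) Mesh-wide mutual TLS: every sidecar must present a workload certificate
#    issued by Istiod, so inter-pod traffic is encrypted and authenticated.
#    Without this, the default PERMISSIVE mode still accepts plaintext.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # root namespace => applies to the whole mesh
spec:
  mtls:
    mode: STRICT
---
# 2) "Firewall" for namespace c: only workloads whose peer certificate was
#    issued for namespace b may call anything in c. Every other source,
#    including namespace a, is rejected by the sidecar (HTTP 403, or a
#    closed connection for plain TCP). Matching on source.namespaces is
#    derived from the mTLS identity, so it depends on the policy above.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-only-from-b
  namespace: c              # no selector => every workload in the namespace
spec:
  action: ALLOW             # once an ALLOW policy exists, unmatched = denied
  rules:
  - from:
    - source:
        namespaces: ["b"]
---
# 3) Opt the application namespace into automatic sidecar injection so the
#    policies above are actually enforced, with no application code changes.
apiVersion: v1
kind: Namespace
metadata:
  name: c
  labels:
    istio-injection: enabled
```

Apply with kubectl apply -f, then restart the deployments in namespace c so their pods are recreated with the sidecar; a request from a pod in namespace a should now be rejected while one from namespace b succeeds.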
3. Observability
Istio provides out-of-the-box telemetry that needs only a one-time setup. This helps in understanding how microservices interact, and in troubleshooting and optimizing them.
Istio has two major components:
i. Control plane (Istiod) — a deployment that takes in the configurations to be applied
ii. Data plane (sidecar Envoy proxies) — injected into each pod at run-time, these sidecars are responsible for enforcing the configurations provided to Istiod
Apart from these, Istio also provides other functionality such as ingress and egress, load balancing, rules for external services, traffic mirroring, canary deployments, single sign-on and much more.
In conclusion, a service mesh is a dedicated layer that lets applications scale while keeping configuration, monitoring, and security in a single place.