As container technology has evolved, Kubernetes has emerged as the go-to platform to manage containers at scale. It is open source and highly extensible. Around it have grown a number of complementary open source projects like Prometheus, gRPC, and Grafeas. Kubernetes also enjoys support from pretty much every relevant IT vendor today. I don’t think it’s an overstatement to say that cloud services are now virtually synonymous with providing an end-to-end Kubernetes service.
Yet despite the popularity of Kubernetes, it is also one of those hot new technologies that organizations excitedly adopt, then realize it’s not as easy to use as they hoped. The challenges of Kubernetes include managing multiple clusters in multiple cloud environments, ensuring resource availability, configuring networking and communication between services, securing every part and interaction that happens in the system, and gaining visibility end-to-end.
Fortunately, with the open source community and cloud vendors consolidating around Kubernetes support, there are solutions to these challenges. One such solution that was born out of a collaboration between three cloud vendors—Google, IBM, and Red Hat—and is now being championed by the open source community is Istio. Originally conceived as a networking tool for cloud-native applications running in Kubernetes, Istio is proving to be a Swiss Army Knife of sorts, able to solve challenges beyond networking.
At the recent Istio day at OSCON 2018, Daniel Ciruli from Google delivered an interesting talk titled “Istio à la carte.” In it Ciruli covered the three primary use cases for Istio: observability, control, and security. His main observation after speaking with hundreds of organizations about Istio was that an organization typically has one of these three goals on which it is currently underachieving and for which it is looking for a solution. Istio is in a spot to deliver on these goals. However, though Istio can do a bit of it all (observability, control, and security), Ciruli says that organizations are better off having a single focus area (at least at the start) so they don’t get overwhelmed by all that Istio has to offer. Think of Istio as an à la carte menu rather than an all-you-can-eat buffet. This is great advice, and something that any organization looking to adopt Istio should pay heed to. Let’s flesh out Ciruli’s talk a bit.
Observability with Istio
Istio provides visibility into network communication, but the way it does this is what is unique and different from traditional networking or network monitoring tools. Istio has out-of-the-box add-ons for monitoring tools like Prometheus, Grafana, and Zipkin. Once set up, it enables observability into microservices, and the best part is that it does this without having to make any changes to the microservices themselves.
Mixer is the part of Istio for which monitoring tools like Prometheus, Datadog, and New Relic can write custom plugins (adapters), so that Istio passes structured monitoring data on to these tools for integrated monitoring. Mixer talks to Envoy (the sidecar proxy Istio uses to gather data from microservice systems) and forwards the monitoring data from Envoy to monitoring tools like Prometheus.
Observability is important for a microservices application because of the many layers of communication that happen within the system. It’s hard to gain visibility into performance and to triage incidents. Istio, with the help of monitoring tools, can bring order to this chaos.
Control with Istio
The primary way that Istio brings more control to Kubernetes management is via routing rules. Istio can handle complex routing rules, making it possible to easily manage any type of deployment: blue-green, rolling, and even canary deployments. You can execute a canary deployment with Kubernetes itself, but it will require many Deployments, replicas, and manual execution of the rollouts. With Istio, you instead modify a VirtualService, which is simpler and can be automated as structured code. All this does is implement precise routing from old services to new services, and it bakes in the goodness of observability that we discussed earlier, so you have full visibility into how a canary deployment is progressing and where bottlenecks occur.
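The canary routing described above, as an added example rather than configuration from the original post: a DestinationRule names the two versions of an assumed `checkout` service as subsets, and a VirtualService sends 10% of traffic to the new version. Service name, namespace and version labels are assumptions; Istio's `networking.istio.io/v1alpha3` API is used.

```yaml
# Assumed: a Kubernetes Service "checkout" in namespace "shop" fronting two
# Deployments whose pods carry the labels version=v1 and version=v2.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: checkout
  namespace: shop
spec:
  host: checkout
  subsets:
  - name: v1            # current, known-good version
    labels:
      version: v1
  - name: v2            # canary version
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: checkout
  namespace: shop
spec:
  hosts:
  - checkout            # matches the in-mesh Service name
  http:
  - route:
    # Weights must sum to 100. Promoting the canary is a matter of editing
    # these two numbers (e.g. 50/50, then 0/100); rollback is the reverse.
    - destination:
        host: checkout
        subset: v1
      weight: 90
    - destination:
        host: checkout
        subset: v2
      weight: 10
```

Apply with `kubectl apply -f` and watch the per-subset request and error metrics that Istio exports (for example in Grafana) before raising the canary weight.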
Istio also has many other features that provide more control over performance and deployments. These include benefits like circuit breaking, self-service routing and retry logic. As mentioned earlier, there’s a lot Istio can do, but it’s important to stay focused on what exactly you want it to do for you.
Security with Istio
As a tool designed primarily for connecting different services together, Istio might not at first glance appear to have much to do with security. But it does. In several key ways, Istio can improve the overall security of your microservices applications and environment.
Above all, Istio provides end-to-end TLS encryption. That means that when you use Istio, communications within your environment are encrypted by default, and you need not worry about setting up encryption manually.
In addition, Istio helps to prevent snooping and man-in-the-middle attacks through what Istio developers call secure naming. Istio’s secure naming framework prevents communication between two servers that are not authorized to talk to each other. Because a workload’s identity is embedded in its certificate, an attacker who steals a certificate cannot use it to authenticate to a server that the certificate’s named identity is not allowed to communicate with.
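The encryption-by-default and identity-based restriction described in the two paragraphs above, as an added example rather than configuration from the original post: a PeerAuthentication makes mutual TLS mandatory for a namespace, and an AuthorizationPolicy allows only one named workload identity to reach a service. The namespace, service and service-account names are assumptions, and the `security.istio.io/v1beta1` API assumes a current Istio release.

```yaml
# Assumed: namespace "shop" with a "payments" workload (label app=payments)
# and a "checkout" workload running under the ServiceAccount "checkout".
#
# Require mutual TLS for every sidecar in the namespace. With STRICT mode a
# plaintext connection from a non-mesh client is refused rather than accepted.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT
---
# Allow-list callers of "payments" by the identity in their client certificate.
# Istio issues each workload a certificate carrying its SPIFFE identity,
# spiffe://cluster.local/ns/<namespace>/sa/<serviceaccount>; that name, not the
# pod IP or a shared secret, is what the server-side sidecar checks. A
# certificate stolen from some other workload therefore carries the wrong name
# and is denied here, which is the property the text calls secure naming.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-checkout
  namespace: shop
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/charge"]
```

Once any ALLOW policy selects a workload, requests that match no rule are denied, so a second service needing access must be added to the `principals` list explicitly.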
Istio won’t secure your application itself, of course. It’s up to you to write secure code. But by helping to secure the environment in which your application’s services run, Istio allows you to focus on the application — which is likely your main goal if you’re a developer.
There are many reasons to love Istio. However, with so much on offer, it makes sense to choose a goal, be laser-focused on what success means to you, and then get started with your Istio pilot (pun intended). To take a step back, the big picture is clear: Kubernetes and Istio are the way of the future, and we’ll continue to see more examples of organizations adopting these two powerful open source tools to modernize their applications and enjoy the benefits of better observability, control, and security.
Attending Kubecon NA in Seattle this year and ready for more info on Istio? Join Twistlock CTO John Morello for his session called Is Istio the Most Next Gen Next Gen Firewall Ever?