You have already used APIRules to expose your services to the outside world. To secure, connect, and monitor the services, you want to use Istio and learn more about its features and mechanisms.
Using Istio
Objectives
After completing this lesson, you will be able to:
- Describe how to perform traffic management with Istio to control and route traffic
- Explain how you can secure service-to-service communication
- Describe observability features of Istio
- Identify how Istio is integrated into SAP BTP, Kyma runtime
Traffic Management with Istio: Usage Scenario
Traffic Management with Istio
Traffic management, in a nutshell, is the ability to take control of the flow of traffic in your service mesh. Without traffic management, requests are routed to any available service instance. In many cases, this is not desirable. For example, you want to redirect traffic based on rules, such as to forward only a certain percentage of traffic over to a new version of a service (a.k.a canary deployment). Or, before you let customers consume the new version of a service, you want to test it internally. So you can only route traffic to the latest service version for internal users (a.k.a dogfooding). Traffic management enables you to implement these scenarios.
The image depicts a scenario where you route only a fraction of the traffic to a new version of a backend service. Traffic is split up between the service's previous and the new version. With such a setup, you can test the new version of the service in production only on a subset of the users and roll back quickly if something goes wrong.
If the new version of the service works as expected, you can increase the percentage of traffic routed to the new version of the service.
But how does this work? Istio has a set of CustomResourceDefinitions (CRDs) that you can use to define traffic rules.
In Istio, you have several resources that you can use for traffic management:
- Gateway
- It's a Load Balancer operating at the edge of the mesh. The Gateway handles incoming or outgoing HTTP/TCP connections.
- VirtualService
- Describes a configuration that affects traffic routing. You can use it to expose multiple services behind a single entry point (Gateway).
- DestinationRule
- Specifies rules that apply to traffic intended for the service after routing.
For a complete list of Istio's traffic management resources, see Traffic Management.
Gateway
With the installation of Istio on Kubernetes, an Ingress Gateway is installed by default. This Gateway is exposed through your cluster's external IP address.
You can configure the default Istio Ingress Gateway to expose your services using a custom domain name. You can also configure multiple Gateway resources to expose your services through different domains. In Kyma, the API Gateway module configures the Gateway kyma-gateway, which is enabled by default.
A Gateway resource looks like this:
YAML
1234567891011121314apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: foo-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*.foo.com"VirtualService
You can use VirtualService resources to define the routing rules for your services based on the HTTP request paths, headers, or query parameters.
A VirtualService resource looks like this:
YAML
12345678910111213141516171819apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: shop-route
spec:
gateways:
- foo-namespace/foo-gateway
hosts:
- shop.foo.com
http:
- route:
- destination:
host: shop
subset: v1
weight: 90
- destination:
host: shop
subset: v2
weight: 10 This VirtualService resource defines a routing rule for the shop service. The rule routes 90% of the traffic to version v1 of the service and 10% to version v2.
Istio supports way more features to define routing rules. You can find more information about it in the VirutalService documentation.
DestinationRule
You can use DestinationRule to group your Kubernetes Services by subsets and define rules for each subset.
A DestinationRule resource looks like this:
YAML
12345678910111213apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: shop-route
spec:
host: shop
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2The shop service is grouped into two subsets based on versions in the example above.
To learn more, see the DestinationRules documentation.
Security with Istio
Istio's security features allow you to control the service mesh's security. With Istio, you don't have to implement security features such as traffic encryption by yourself. Istio enables you to secure the service-to-service communication in your service mesh by encrypting the traffic. These security features are essential to defend yourself against man-in-the-middle attacks and prevent unauthorized access to your services by validating the caller's identity.
Securing the communication between services in your cluster is one of the primary use cases for Istio. Istio provides traffic encryption with mutual TLS (mTLS) and allows you to authenticate the caller's identity. Mutual TLS is a protocol that allows the client and the server to authenticate each other. Mutual TLS is a protocol that allows the client and the server to authenticate each other. Unlike TLS, which only allows the server to authenticate the client, mTLS is a protocol that allows for mutual authentication by presenting certificates to each other.
To learn more about Istio's security features, see Security.
Observability with Istio
Since Istio intercepts all the traffic in your service mesh, it can provide you with detailed telemetry data for all service communication. This telemetry provides observability into the service mesh. To provide observability based on the collected telemetry data, Istio offers the following types:
- Metrics
- Metrics are numerical measurements that are used to track the state of a system. Istio provides a set of metrics that are used to monitor the health of the mesh, such as latency, traffic, errors, and so on.
- Distributed Traces
- In a cloud-native microservice architecture, a user request often flows through dozens of different microservices. With distributed tracing, you can trace the path of a request through the entire service mesh. Distributed tracing allows you to monitor the performance of your services and to identify bottlenecks.
- Access Logs
- Istio can also provide you with access logs for all the traffic that flows through the service mesh. Access logs provide detailed information about the traffic, such as the source and destination of the request or the response code.
Integration of Istio in SAP BTP, Kyma Runtime
In SAP BTP, Kyma runtime, the Telemetry module provides observability features that can help you collect all relevant data in a Kyma cluster, for example, those provided by the Istio service mesh. The Telemetry module also enriches the data and ships it to a backend for further analysis. To learn more, see Describing Observability in Kyma.
Summary
Istio provides CRDs that you can use to manage and redirect traffic to your Services, such as Gateways, VirtualServices, and DestinationRules. Furthermore, it enhances the security of service-to-service communication and provides mTLS traffic encryption. Istio also generates telemetry data such as metrics, distributed tracing, and access logs for all service communication inside the Istio service mesh. If you want to further analyze the data, you can use features offered by Kyma's Telemetry module.