Service Mesh All the Things! - Istio, Kubernetes and AWS EKS - Part 1

Microservices, service mesh, service discovery, networking, security, all inside containers and Kubernetes? What do all these things have in common? Just because something is abstracted does not mean it isn't complex; it means the complexity is hidden (abstracted) from the user. When operators need to troubleshoot these things, it is essential to understand the underlying concepts, just as one would with the basics of networking and security principles.

I won't pretend to cover any of those at even the shallowest level in this post. What we'll talk about is how Istio integrates with, routes, traces, collects telemetry from and secures your workloads in a microservice environment.

This post assumes you're familiar with Kubernetes and cloud infrastructure. It will be built on AWS EKS, but that's not really the important piece.

Create EKS Cluster

Let's deploy a cluster on AWS using eksctl from Weaveworks.

CLUSTER_NAME="eks-dev-cluster"
ENV="dev"
REGION="us-east-1"
ZONES="us-east-1b,us-east-1c,us-east-1d"
CIDR="10.244.0.0/16"
OWNER_NAME="Yandy"
SSH_KEY="${AWS_DEVPUB_SSHKEY}" # YOUR PATH MAY BE DIFFERENT
MIN_NODES=3
MAX_NODES=6
K8S_VERSION="1.11"
TAGS=""

function createCluster() {
  eksctl create cluster \
    --name="${CLUSTER_NAME}" \
    --tags="Stage=${ENV},Owner=${OWNER_NAME},${TAGS}" \
    --region="${REGION}" \
    --zones="${ZONES}" \
    --vpc-cidr="${CIDR}" \
    --version="${K8S_VERSION}" \
    --nodegroup-name="${CLUSTER_NAME}-ng-1" \
    --node-type="m5.large" \
    --nodes-min=${MIN_NODES} \
    --nodes-max=${MAX_NODES} \
    --node-ami="auto" \
    --node-ami-family="AmazonLinux2" \
    --asg-access \
    --external-dns-access \
    --full-ecr-access \
    --storage-class \
    --ssh-access \
    --ssh-public-key="${SSH_KEY}" \
    --write-kubeconfig=true \
    --set-kubeconfig-context=true \
    --auto-kubeconfig
}

If you want to know what each option does, I suggest you visit the eksctl site. Cluster creation can take anywhere from 8 to 15 minutes.

Istio Mesh

What is Istio? What is a service mesh? To understand Istio you must first understand what a service mesh is.

What is a Service Mesh

In a modern microservices-driven application world, keeping track of all these services (business functions) at the application layer is complex, and nearly impossible with traditional application deployment, monitoring and operating procedures.

If you don’t know what a microservice is, look it up 😜 otherwise I’ll be here all day defining buzzwords and phrases.

The Mesh of all Things

Take the below simplistic containerized application, each of those services is a single container.

Service Mesh - Single

Now imagine all these services start to scale, due to load or other configured triggers, each of them creating more and more replicas of itself. Now imagine you need to add more services, such as integration, gateway or notification topics.

Service Mesh - Single

Managing this at scale? Knowing which service is talking to which (load-balancing)? Securing these services? Kubernetes networking by nature, and most containerized workloads, are flat and many-to-many by default: any pod can reach any other pod unless you add policy on top.

This is where the service mesh comes in. There are others, but I chose to use Istio for this because I can.

The service mesh is nothing more than the network of microservices all talking to each other to make up the application or applications. What interactions do these services have with each other? What relationships do they form?

What Should a Service Mesh Provide

At a minimum, a service mesh should provide these features (which does not mean you should use all of them).

  • Traffic management
    • routing based on labels
    • routing based on headers
    • routing based on cookies
  • Security
    • east-west security
    • zero trust
    • microsegmentation
  • Logging
    • capture application logs
    • microservice events
  • Tracing
    • distributed application traces
    • timeouts
    • API calls
    • time series events (Prometheus)
  • Visualization
    • this one’s a (maybe)
    • definitely should be able to export to visualization tools
    • Grafana
    • Logstash / Kibana
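To make the traffic management and security bullets above concrete, here is an added example of the Istio configuration that implements them; it is not from the original post. It assumes a hypothetical namespace `shop` with a `checkout` service that has `v1` and `v2` deployments labelled `version`, a `gateway` service running under the `gateway` service account, sidecars injected into both, and the Istio security APIs introduced in Istio 1.5 (`PeerAuthentication` and `AuthorizationPolicy`), which are newer than the release the post was written against. Read top to bottom: STRICT mTLS gives you east-west encryption and workload identity, the empty `deny-all` policy turns the namespace into a zero-trust default, the per-service allow rule is the microsegmentation, and the `VirtualService` shows routing by header and by cookie onto subsets selected by label.

```yaml
# Added example (not the post's own config). Namespace, service and
# service-account names below are hypothetical.
---
# East-west security: every sidecar in the namespace requires mutual TLS,
# so plaintext connections from non-mesh pods are refused.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT
---
# Zero trust: an AuthorizationPolicy with an empty spec denies all
# requests to every workload in the namespace unless an ALLOW rule matches.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop
spec: {}
---
# Microsegmentation: only the gateway's SPIFFE identity (derived from its
# Kubernetes service account over mTLS) may call checkout, and only on
# GET/POST under /api/. Anything else receives "403 RBAC: access denied".
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: checkout-allow-gateway
  namespace: shop
spec:
  selector:
    matchLabels:
      app: checkout
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/gateway"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/*"]
---
# Routing based on labels: subsets are selected by the pod label "version".
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: checkout
  namespace: shop
spec:
  host: checkout.shop.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
# Routing based on headers and cookies: a request carrying the header
# "x-canary: true" OR a cookie containing "canary=true" goes to v2;
# everything else goes to v1. Both routes carry a 3s timeout.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: checkout
  namespace: shop
spec:
  hosts:
  - checkout.shop.svc.cluster.local
  http:
  - match:
    - headers:
        x-canary:
          exact: "true"
    - headers:
        cookie:
          regex: ".*canary=true.*"
    route:
    - destination:
        host: checkout.shop.svc.cluster.local
        subset: v2
    timeout: 3s
  - route:
    - destination:
        host: checkout.shop.svc.cluster.local
        subset: v1
    timeout: 3s
```

Apply it with `kubectl apply -f` and verify the behaviour rather than trusting the YAML: a `curl` from a pod without a sidecar should have its connection reset by STRICT mTLS, a request from any service account other than `gateway` should get a 403 with the body `RBAC: access denied`, and a request with `x-canary: true` should land on a `version=v2` pod. Ordering matters in the `http` list of the `VirtualService`; the first matching rule wins, so the unconditional `v1` route must come last.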

I'm sure there are others I forgot or just didn't include.
