Istio Architecture and Overview

English so sto is a layer that integrates with so sto is a layer that integrates with tools like kubernetes but it actually tools like kubernetes but it actually tools like kubernetes but it actually works with a number of other works with a number of other works with a number of other technologies technologies technologies mezzos is a scheduler or the mesosphere mezzos is a scheduler or the mesosphere mezzos is a scheduler or the mesosphere environment that the DCOs environment so environment that the DCOs environment so environment that the DCOs environment so that comes from Mesa sphere is a fairly that comes from Mesa sphere is a fairly that comes from Mesa sphere is a fairly common and popular solution but any common and popular solution but any common and popular solution but any container based environment certainly container based environment certainly container based environment certainly works in addition you can apply these works in addition you can apply these works in addition you can apply these same concepts to virtual machine based same concepts to virtual machine based same concepts to virtual machine based services it's just a little bit more services it's just a little bit more services it's just a little bit more complicated because we don't have the complicated because we don't have the complicated because we don't have the central resources that you get out of a central resources that you get out of a central resources that you get out of a kubernetes like environment or DCOs like kubernetes like environment or DCOs like kubernetes like environment or DCOs like environment again we're talking environment again we're talking environment again we're talking specifically here about kubernetes we specifically here about kubernetes we specifically here about kubernetes we see that much like the control plane see that much like the control plane see that much like the control plane within kubernetes there are some central within kubernetes there are some central within kubernetes there are some central resources and then there are some edge resources and then there are some edge resources and then there are some edge management resources it turns out that management resources it turns out that management resources it turns out that in the sto sense in the sto sense in the sto sense there isn't one central API there are a there isn't one central API there are a there isn't one central API there are a couple of different key tools couple of different key tools couple of different key tools now there's pilot which really sort of now there's pilot which really sort of now there's pilot which really sort of manages the mesh it describes how these manages the mesh it describes how these manages the mesh it describes how these resources talk to each other resources talk to each other resources talk to each other there's the mixer component which is there's the mixer component which is there's the mixer component which is really an input ingress or input data really an input ingress or input data really an input ingress or input data collector so deals with telemetry data collector so deals with telemetry data collector so deals with telemetry data metrics can also help with managing metrics can also help with managing metrics can also help with managing policy understanding so are things policy understanding so are things policy understanding so are things trying to push push data outside of trying to push push data outside of trying to push push data outside of policy and then there's an auth policy and then there's an auth policy and then there's an auth component and that's really a central component and that's really a central component and that's really a central certificate authority for the security certificate authority for the security certificate authority for the security in intra envoy security and at the edge in intra envoy security and at the edge in intra envoy security and at the edge much like we had cubelet in the much like we had cubelet in the much like we had cubelet in the kubernetes space here in ISTE oh we have kubernetes space here in ISTE oh we have kubernetes space here in ISTE oh we have envoy envoy is in its own right a envoy envoy is in its own right a envoy envoy is in its own right a standalone proxy it is the core of this standalone proxy it is the core of this standalone proxy it is the core of this mesh what if Co is really doing is mesh what if Co is really doing is mesh what if Co is really doing is adding a layer of control on top of what adding a layer of control on top of what adding a layer of control on top of what Envoy can do so you can talk to envoy Envoy can do so you can talk to envoy Envoy can do so you can talk to envoy directly and do all the sorts of things directly and do all the sorts of things directly and do all the sorts of things that is tio does but without a control that is tio does but without a control that is tio does but without a control plane it's a little harder to manage plane it's a little harder to manage plane it's a little harder to manage that that particular envoy based that that particular envoy based that that particular envoy based deployment and here you can see in this deployment and here you can see in this deployment and here you can see in this diagram you can see the most common way diagram you can see the most common way diagram you can see the most common way of actually deploying is do which is as of actually deploying is do which is as of actually deploying is do which is as a side car or a second container within a side car or a second container within a side car or a second container within a kubernetes pod all traffic within that a kubernetes pod all traffic within that a kubernetes pod all traffic within that within that pod then gets directed into within that pod then gets directed into within that pod then gets directed into and out of the Envoy proxy which then and out of the Envoy proxy which then and out of the Envoy proxy which then handles all the forwarding security handles all the forwarding security handles all the forwarding security metrics telemetry etc type type metrics telemetry etc type type metrics telemetry etc type type resources so this teo is a service mesh it really so this teo is a service mesh it really so this teo is a service mesh it really supports a micro-services style platform supports a micro-services style platform supports a micro-services style platform and it gives us all the things that and it gives us all the things that and it gives us all the things that micro services really need number one is micro services really need number one is micro services really need number one is observability we can't actually observability we can't actually observability we can't actually understand how traffic is flowing within understand how traffic is flowing within understand how traffic is flowing within this environment we can actually now this environment we can actually now this environment we can actually now trace traffic from ingress all the way trace traffic from ingress all the way trace traffic from ingress all the way through to the different resources that through to the different resources that through to the different resources that it's talking to so long as we're passing it's talking to so long as we're passing it's talking to so long as we're passing the right class of information but the right class of information but the right class of information but because we have some idea of how that because we have some idea of how that because we have some idea of how that trend that traffic is flowing based on trend that traffic is flowing based on trend that traffic is flowing based on the monitoring capabilities we can the monitoring capabilities we can the monitoring capabilities we can actually trace the end and path within actually trace the end and path within actually trace the end and path within an application traffic management an application traffic management an application traffic management aspects so the Envoy component the Envoy aspects so the Envoy component the Envoy aspects so the Envoy component the Envoy service that that is being managed by service that that is being managed by service that that is being managed by sto is really a full-featured load sto is really a full-featured load sto is really a full-featured load balancing type service and in doing so balancing type service and in doing so balancing type service and in doing so we obviously have the classic we obviously have the classic we obviously have the classic round-robin and weighted sorts of round-robin and weighted sorts of round-robin and weighted sorts of traffic management but there's also traffic management but there's also traffic management but there's also things like health checks that come into things like health checks that come into things like health checks that come into play to verify that remote services are play to verify that remote services are play to verify that remote services are available there's a number of different available there's a number of different available there's a number of different technologies that are built around this technologies that are built around this technologies that are built around this concept of managing the traffic and concept of managing the traffic and concept of managing the traffic and managing the the forwarding path of of managing the the forwarding path of of managing the the forwarding path of of data within the environment there's also data within the environment there's also data within the environment there's also a policy layer so we can actually start a policy layer so we can actually start a policy layer so we can actually start to determine who's allowed to talk to to determine who's allowed to talk to to determine who's allowed to talk to who that's an important piece of the who that's an important piece of the who that's an important piece of the puzzle and this policy layer does sit puzzle and this policy layer does sit puzzle and this policy layer does sit effectively a layer higher than the effectively a layer higher than the effectively a layer higher than the policy layer in kubernetes where the policy layer in kubernetes where the policy layer in kubernetes where the kubernetes policy layer really looks at kubernetes policy layer really looks at kubernetes policy layer really looks at just network to network or namespace to just network to network or namespace to just network to network or namespace to namespace class communication this is namespace class communication this is namespace class communication this is really looking at application component really looking at application component really looking at application component to application component so might be a to application component so might be a to application component so might be a little bit more flexible and functional little bit more flexible and functional little bit more flexible and functional for what people are looking for when for what people are looking for when for what people are looking for when looking at security or policy within a looking at security or policy within a looking at security or policy within a micro services environment security micro services environment security micro services environment security again this is really dealing with the again this is really dealing with the again this is really dealing with the concept of mutual authentication knowing concept of mutual authentication knowing concept of mutual authentication knowing that both sides of the connection are that both sides of the connection are that both sides of the connection are actually the sides that they say they actually the sides that they say they actually the sides that they say they are and again this is being delivered are and again this is being delivered are and again this is being delivered through envoys ability to provide TLS through envoys ability to provide TLS through envoys ability to provide TLS level security http/2 level security http/2 level security http/2 based security between two ends of an based security between two ends of an based security between two ends of an adapter effectively to envoy instances adapter effectively to envoy instances adapter effectively to envoy instances and that's a real powerful component and and that's a real powerful component and and that's a real powerful component and what all this does together is it gives what all this does together is it gives what all this does together is it gives us both the mesh us both the mesh us both the mesh is really this concept of security is really this concept of security is really this concept of security mapped to to the interaction between the mapped to to the interaction between the mapped to to the interaction between the different services and and that's that's different services and and that's that's different services and and that's that's really our service mask capability that really our service mask capability that really our service mask capability that comes from sto built on top of tools comes from sto built on top of tools comes from sto built on top of tools like envoy so one of the most like envoy so one of the most like envoy so one of the most interesting things about this is that interesting things about this is that interesting things about this is that while sto really sort of I think bloomed while sto really sort of I think bloomed while sto really sort of I think bloomed within the kubernetes environment and within the kubernetes environment and within the kubernetes environment and became more powerful because of it it became more powerful because of it it became more powerful because of it it certainly works with a number of other certainly works with a number of other certainly works with a number of other resources including tools like the Mises resources including tools like the Mises resources including tools like the Mises and mesosphere schedulers and DCOs and mesosphere schedulers and DCOs and mesosphere schedulers and DCOs Cloud Foundry OpenShift just about any Cloud Foundry OpenShift just about any Cloud Foundry OpenShift just about any pass layer can potentially make use of pass layer can potentially make use of pass layer can potentially make use of sto in the background and more sto in the background and more sto in the background and more importantly we can still tie SEO importantly we can still tie SEO importantly we can still tie SEO services into virtual machines as well services into virtual machines as well services into virtual machines as well yes you effectively have to run envoy at yes you effectively have to run envoy at yes you effectively have to run envoy at the edge within the virtual machine to the edge within the virtual machine to the edge within the virtual machine to provide the same interaction services provide the same interaction services provide the same interaction services but you can still do this and get all but you can still do this and get all but you can still do this and get all the benefits of the service mesh even the benefits of the service mesh even the benefits of the service mesh even for components that are not being for components that are not being for components that are not being deployed in a containerized environment