Istio Architecture and Overview

A free video tutorial from Kumulus Technologies
Cloud Computing Education from Silicon Valley to You
Intro to Istio-Service Mesh for Cloud-Native Kubernetes Apps
Simplifying the complexity of managing polyglot and microservices-based, cloud-native applications
01:40:28 of on-demand video • Updated December 2019
Understand the basic architecture of Istio and Istio-Kubernetes interactions.
Understand how Istio provides a full-feature service mesh to better run and monitor applications.
Deploy Istio on Kubernetes
Use Istio to manage a polyglot, microservices-based application.
So Istio is a layer that integrates with tools like Kubernetes, but it actually works with a number of other technologies. Mesos is a scheduler, or the Mesosphere environment, the DC/OS environment, so that comes from Mesosphere, is a fairly common and popular solution, but any container-based environment certainly works. In addition, you can apply these same concepts to virtual machine-based services; it's just a little bit more complicated because we don't have the central resources that you get out of a Kubernetes-like environment or DC/OS-like environment.

Again, we're talking specifically here about Kubernetes. We see that, much like the control plane within Kubernetes, there are some central resources and then there are some edge management resources. It turns out that in the Istio sense there isn't one central API; there are a couple of different key tools. Now, there's Pilot, which really sort of manages the mesh; it describes how these resources talk to each other. There's the Mixer component, which is really an input ingress or input data collector, so it deals with telemetry data, metrics; it can also help with managing policy understanding, so are things trying to push data outside of policy. And then there's an auth component, and that's really a central certificate authority for the security, intra-Envoy security. And at the edge, much like we had kubelet in the Kubernetes space, here in Istio we have Envoy. Envoy is in its own right a standalone proxy; it is the core of this mesh. What Istio is really doing is adding a layer of control on top of what Envoy can do, so you can talk to Envoy directly and do all the sorts of things that Istio does, but without a control plane it's a little harder to manage that particular Envoy-based deployment. And here you can see in this diagram the most common way of actually deploying Istio, which is as a sidecar or a second container within a Kubernetes pod. All traffic within that pod then gets directed into and out of the Envoy proxy, which then handles all the forwarding, security, metrics, telemetry, etc. type resources.

So Istio is a service mesh. It really supports a microservices-style platform, and it gives us all the things that microservices really need. Number one is observability. We can't actually understand how traffic is flowing within this environment; we can actually now trace traffic from ingress all the way through to the different resources that it's talking to, so long as we're passing the right class of information, but because we have some idea of how that traffic is flowing based on the monitoring capabilities, we can actually trace the end-to-end path within an application.

Traffic management aspects: so the Envoy component, the Envoy service that is being managed by Istio, is really a full-featured load balancing type service, and in doing so we obviously have the classic round-robin and weighted sorts of traffic management, but there's also things like health checks that come into play to verify that remote services are available. There's a number of different technologies that are built around this concept of managing the traffic and managing the forwarding path of data within the environment.

There's also a policy layer, so we can actually start to determine who's allowed to talk to whom. That's an important piece of the puzzle, and this policy layer does sit effectively a layer higher than the policy layer in Kubernetes, where the Kubernetes policy layer really looks at just network-to-network or namespace-to-namespace class communication; this is really looking at application component to application component, so it might be a little bit more flexible and functional for what people are looking for when looking at security or policy within a microservices environment.

Security: again, this is really dealing with the concept of mutual authentication, knowing that both sides of the connection are actually the sides that they say they are, and again this is being delivered through Envoy's ability to provide TLS-level security, HTTP/2-based security between two ends of an adapter, effectively two Envoy instances, and that's a real powerful component. And what all this does together is it gives us both the mesh, is really this concept of security mapped to the interaction between the different services, and that's really our service mesh capability that comes from Istio, built on top of tools like Envoy.

So one of the most interesting things about this is that while Istio really sort of, I think, bloomed within the Kubernetes environment and became more powerful because of it, it certainly works with a number of other resources, including tools like the Mesos and Mesosphere schedulers and DC/OS, Cloud Foundry, OpenShift; just about any PaaS layer can potentially make use of Istio in the background. And more importantly, we can still tie Istio services into virtual machines as well. Yes, you effectively have to run Envoy at the edge within the virtual machine to provide the same interaction services, but you can still do this and get all the benefits of the service mesh even for components that are not being deployed in a containerized environment.
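The two security pieces the lecture describes, mutual authentication between Envoy sidecars and an application-component-to-application-component policy layer, can be expressed as Istio resources. The following is an added example, not material from the course; it assumes the security.istio.io/v1beta1 API (Istio 1.5 or later, newer than the release the video covers) and uses a made-up "shop" namespace with "web" and "catalog" workloads.

```yaml
# Added example (not from the course). Step 1: require mutual TLS for every
# workload in the "shop" namespace, so a plaintext caller is rejected by the
# receiving Envoy and both sides prove their identity with mesh certificates.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT
---
# Step 2: deny by default. An AuthorizationPolicy with an empty spec is an
# ALLOW policy with no rules, so it matches nothing; once any ALLOW policy
# applies to a workload, requests matching no ALLOW policy are rejected.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: shop
spec: {}
---
# Step 3: open only the path the application needs. The principal is the
# SPIFFE identity carried in the caller's mTLS certificate, which is why this
# policy is meaningful only with STRICT mTLS above: it names a workload
# identity (service account), not a pod IP or a namespace.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: catalog-allow-web
  namespace: shop
spec:
  selector:
    matchLabels:
      app: catalog          # enforced by the catalog pods' sidecar Envoys
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/web"]   # assumed service account
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/catalog/*"]
```

A call from any other service account in the mesh, or with a method or path outside the rule, is answered by the catalog sidecar with a 403 before it reaches the application container.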