×
Community Blog Using Istio on Alibaba Cloud Container Service for Kubernetes

Using Istio on Alibaba Cloud Container Service for Kubernetes

This article describes how to use Alibaba Cloud Container Service for Kubernetes to quickly build an Istio open platform for connecting, managing, and securing microservices.

The first Istio version (V1.0) available for production was officially released on July 31, 2018.

1

Istio is an open platform used to connect, manage, and secure microservices. It provides a simple method for creating a microservice network, and delivers capabilities such as load balancing, service-to-service authentication, and monitoring. In addition, these functions can be implemented without any changes to services themselves.

Istio provides the following functions:

  1. Traffic management: Controls the call traffic and API calls between services to make calls more reliable and the network more robust in severe cases.
  2. Observability: Obtains dependencies between services and traffic directions of service calls to quickly identify problems.
  3. Policy enforcement: Controls the service access policies without modifying services themselves.
  4. Service identity and security: Provide verifiable identities for services in a service mesh and capabilities for protecting service traffic so that traffic can be transferred on networks with different levels of trustworthiness.

This article describes how to use Alibaba Cloud Container Service for Kubernetes to quickly build an Istio open platform for connecting, managing, and securing microservices, and to introduce and configure multiple relevant services for applications.

Istio Architecture

In terms of architecture, Istio is divided into two parts:

  1. Control plane: the management proxy used for traffic routing and policy enforcement at runtime.
  2. Data plane: consists of a set of intelligent proxies (Envoy by default), which are used for network interaction between the mediation and control services.

2

Proxy/Envoy

Envoy is deployed as an independent sidecar to the relevant microservice in the same Kubernetes pod, and provides a series of attributes for Mixer. Based on these attributes, Mixer enforces policies and sends these attributes to the monitoring system.

This type of sidecar proxy model does not need to change the logic of any service. In addition, it can add many functions.

Mixer

Mixer enforces access control and usage policies across the service mesh, and collects the telemetry data from the Envoy proxy and other services.The proxy extracts request level attributes, and sends them to Mixer for evaluation.

Mixer includes a flexible plugin model. This model enables Istio to interface with a variety of host environments and infrastructure backends. Thus, Istio abstracts the Envoy proxy and Istio-managed services from these details.The relevant content will be described in subsequent articles.

Pilot

Pilot collects and authenticates the configurations, and propagates them to various Istio components.It extracts environment-specific implementation details from Mixer and Envoy, and provides abstract representation of user services for them, which are independent of the underlying platform.In addition, Pilot can be used to program the traffic management rules at runtime, that is, the universal layer-4 and layer-7 HTTP/gRPC routing rules.

Citadel

Citadel provides inter-service and inter-user authentication and enhances security between services without any changes in service code.Citadel consists of the following three components:

  1. Identity recognition: When Istio runs on Kubernetes, Auth uses the service account provided by Kubernetes to identify the subjects that run the services.
  2. Key management: Auth provides a CA to automatically generate and manage keys and certificates.
  3. Communication security: For service-to-service communication, Envoy provides tunnels on the client and server to ensure security of service calls.

The following describes how to quickly build an Istio open platform for connecting, managing, and securing microservices on the basis of Alibaba Cloud Container Service for Kubernetes.

Prepare the Kubernetes Environment

Alibaba Cloud Container Service for Kubernetes V1.10.4 has been released. You can use the container service console to conveniently and quickly create a Kubernetes cluster.For more information about the process, see create a Kubernetes cluster.

Use the Application Catalog for Simple Deployment

Click App Catalog on the left-side navigation bar, and select ack-istio on the right side, as shown below:

3

Click Parameters. You can modify parameter settings to customize Istio. The following table lists the common parameters.

Parameter Description Default
global.hub Specifies the HUB for most images used by Istio registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog
global.tag Specifies the TAG for most images used by Istio 1.0.0
global.proxy.image Specifies the proxy image name istio-proxyv2
global.imagePullPolicy Specifies the image pull policy IfNotPresent
global.controlPlaneSecurityEnabled Specifies whether control plane mTLS is enabled false
global.mtls.enabled Specifies whether mTLS is enabled by default between services false
global.mtls.mtlsExcludedServices List of FQDNs to exclude from mTLS -"kubernetes.default.svc.cluster.local"
global.rbacEnabled Specifies whether to create Istio RBAC rules or not true
global.refreshInterval Specifies the mesh discovery refresh interval 10s
global.arch.amd64 Specifies the scheduling policy for amd64 architectures 2
global.arch.s390x Specifies the scheduling policy for s390x architectures 2
global.arch.ppc64le Specifies the scheduling policy for ppc64le architectures 2
galley.enabled Specifies whether Galley should be installed for server-side config validation.Requires k8s >= 1.9 false

In addition to the preceding common parameters, you can customize different modules. For example, you can determine whether to enable Grafana, Prometheus, tracing, Weave Scope, and Kiali.

#
# addons configuration
#
grafana:
  enabled: true
  replicaCount: 1
  image: istio-grafana
  service:
    name: http
    type: ClusterIP
    externalPort: 3000
    internalPort: 3000
....
prometheus:
  enabled: true
  replicaCount: 1
  image:
    repository: registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/istio-prometheus
    tag: latest
....
tracing:
  enabled: true
  jaeger:
    enabled: true
....
weave-scope:
  enabled: true
  global:
    # global.image: the image that will be used for this release
    image:
      repository: weaveworks/scope
      tag: "1.9.0"
      # global.image.pullPolicy: must be Always, IfNotPresent, or Never
      pullPolicy: "IfNotPresent"
....
kiali:
  enabled: true
  replicaCount: 1
  image:
    repository: registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/istio-kiali
    tag: dev

After modification, select the corresponding cluster and namespace on the right, specify the release name, and click Deploy. It is recommended that you create a namespace, such as istio-system.

4

Several minutes later, an Istio instance, which is an open platform for connecting, managing, and securing microservices, is created.

Experiment with Istio

Click Container Group on the left-side navigation bar. The container group information related to the created Istio instance is displayed on the right side, as shown below:

5

Click Services on the left-side navigation bar. The access addresses of services related to the created Istio instance are displayed on the right side, as shown below:

6

By default, the following function modules are enabled:

  1. Intelligent routing
  2. Fault injection
  3. Traffic shifting
  4. OpenTracing/Jaeger used for distributed tracing
  5. Prometheus used for telemetry metric collection
  6. Grafana used for telemetry metric visualization
  7. Service graph and Weave support
  8. Kiali used for service mesh monitoring

The next article uses an official example to explain how to use Istio to develop, manage, protect, and monitor microservices on the basis of Alibaba Cloud Container Service for Kubernetes.

Summary

We can use Alibaba Cloud Container Service for Kubernetes to quickly build an Istio open platform for connecting, managing, and securing microservices, and to introduce and configure multiple relevant services for applications.You are welcome to use Alibaba Cloud Container Service for Kubernetes to quickly build an Istio open platform and integrate Istio to microservice development in your project.

This article series introduces Istio and its core components, as well as describes how to quickly build an Istio open platform for connecting, managing, and securing microservices on the basis of Alibaba Cloud Container Service for Kubernetes. These articles also use an official example to demonstrate how to deploy an application in the Istio environment; how to configure intelligent routing and distributed tracing; and how to configure Istio functions of collecting, querying, and visualizing the telemetry data.

To review these articles, see:

  1. Using Istio on Alibaba Cloud Container Service for Kubernetes
  2. Go through Istio Features with Samples on Alibaba Cloud Container Service for Kubernetes
  3. Intelligent Routing with Istio on Alibaba Cloud Container Service for Kubernetes
  4. Distributed Tracking with Istio on Alibaba Cloud Container Service for Kubernetes
  5. Telemetry Data Collection, Query, and Visualization with Istio on Alibaba Cloud Container Service for Kubernetes
  6. Fault Diagnosis and Detection using Istio within Alibaba Cloud Container Service for Kubernetes
  7. Observability Analysis using Istio and Kiali within Alibaba Cloud Container Service for Kubernetes
1 1 1
Share on

Xi Ning Wang(王夕宁)

56 posts | 8 followers

You may also like

Comments

Raja_KT February 15, 2019 at 3:59 am

Nice one. I have not experimented it but if we can manage microservices in a well-balanced mode, then it will be promising.

Xi Ning Wang(王夕宁)

56 posts | 8 followers

Related Products