Istio in Action

Istio in Action
contents
foreword
preface
acknowledgments
about this book
	Who should read this book
	How this book is organized: A roadmap
	About the code
	liveBook discussion forum
about the authors
about the cover illustration
brief contents
Part 1 Understanding Istio
	1 Introducing the Istio service mesh
		1.1 Challenges of going faster
			1.1.1 Our cloud infrastructure is not reliable
			1.1.2 Making service interactions resilient
			1.1.3 Understanding what’s happening in real time
		1.2 Solving these challenges with application libraries
			1.2.1 Drawbacks to application-specific libraries
		1.3 Pushing these concerns to the infrastructure
			1.3.1 The application-aware service proxy
			1.3.2 Meet the Envoy proxy
		1.4 What’s a service mesh?
		1.5 Introducing the Istio service mesh
			1.5.1 How a service mesh relates to an enterprise service bus
			1.5.2 How a service mesh relates to an API gateway
			1.5.3 Can I use Istio for non-microservices deployments?
			1.5.4 Where Istio fits in distributed architectures
			1.5.5 What are the drawbacks to using a service mesh?
		Summary
	2 First steps with Istio
		2.1 Deploying Istio on Kubernetes
			2.1.1 Using Docker Desktop for the examples
			2.1.2 Getting the Istio distribution
			2.1.3 Installing the Istio components into Kubernetes
		2.2 Getting to know the Istio control plane
			2.2.1 Istiod
			2.2.2 Ingress and egress gateway
		2.3 Deploying your first application in the service mesh
		2.4 Exploring the power of Istio with resilience, observability, and traffic control
			2.4.1 Istio observability
			2.4.2 Istio for resiliency
			2.4.3 Istio for traffic routing
		Summary
	3 Istio’s data plane: The Envoy proxy
		3.1 What is the Envoy proxy?
			3.1.1 Envoy’s core features
			3.1.2 Comparing Envoy to other proxies
		3.2 Configuring Envoy
			3.2.1 Static configuration
			3.2.2 Dynamic configuration
		3.3 Envoy in action
			3.3.1 Envoy’s Admin API
			3.3.2 Envoy request retries
		3.4 How Envoy fits with Istio
		Summary
Part 2 Securing, observing, and controlling your service’s network traffic
	4 Istio gateways: Getting traffic into a cluster
		4.1 Traffic ingress concepts
			4.1.1 Virtual IPs: Simplifying service access
			4.1.2 Virtual hosting: Multiple services from a single access point
		4.2 Istio ingress gateways
			4.2.1 Specifying Gateway resources
			4.2.2 Gateway routing with virtual services
			4.2.3 Overall view of traffic flow
			4.2.4 Istio ingress gateway vs. Kubernetes Ingress
			4.2.5 Istio ingress gateway vs. API gateways
		4.3 Securing gateway traffic
			4.3.1 HTTP traffic with TLS
			4.3.2 HTTP redirect to HTTPS
			4.3.3 HTTP traffic with mutual TLS
			4.3.4 Serving multiple virtual hosts with TLS
		4.4 TCP traffic
			4.4.1 Exposing TCP ports on an Istio gateway
			4.4.2 Traffic routing with SNI passthrough
		4.5 Operational tips
			4.5.1 Split gateway responsibilities
			4.5.2 Gateway injection
			4.5.3 Ingress gateway access logs
			4.5.4 Reducing gateway configuration
		Summary
	5 Traffic control: Fine-grained traffic routing
		5.1 Reducing the risk of deploying new code
			5.1.1 Deployment vs. release
		5.2 Routing requests with Istio
			5.2.1 Cleaning up our workspace
			5.2.2 Deploying v1 of the catalog service
			5.2.3 Deploying v2 of the catalog service
			5.2.4 Routing all traffic to v1 of the catalog service
			5.2.5 Routing specific requests to v2
			5.2.6 Routing deep within a call graph
		5.3 Traffic shifting
			5.3.1 Canary releasing with Flagger
		5.4 Reducing risk even further: Traffic mirroring
		5.5 Routing to services outside your cluster by using Istio’s service discovery
		Summary
	6 Resilience: Solving application networking challenges
		6.1 Building resilience into the application
			6.1.1 Building resilience into application libraries
			6.1.2 Using Istio to solve these problems
			6.1.3 Decentralized implementation of resilience
		6.2 Client-side load balancing
			6.2.1 Getting started with client-side load balancing
			6.2.2 Setting up our scenario
			6.2.3 Testing various client-side load-balancing strategies
			6.2.4 Understanding the different load-balancing algorithms
		6.3 Locality-aware load balancing
			6.3.1 Hands-on with locality load balancing
			6.3.2 More control over locality load balancing with weighted distribution
		6.4 Transparent timeouts and retries
			6.4.1 Timeouts
			6.4.2 Retries
			6.4.3 Advanced retries
		6.5 Circuit breaking with Istio
			6.5.1 Guarding against slow services with connection-pool control
			6.5.2 Guarding against unhealthy services with outlier detection
		Summary
	7 Observability: Understanding the behavior of your services
		7.1 What is observability?
			7.1.1 Observability vs. monitoring
			7.1.2 How Istio helps with observability
		7.2 Exploring Istio metrics
			7.2.1 Metrics in the data plane
			7.2.2 Metrics in the control plane
		7.3 Scraping Istio metrics with Prometheus
			7.3.1 Setting up Prometheus and Grafana
			7.3.2 Configuring the Prometheus Operator to scrape the Istio control plane and workloads
		7.4 Customizing Istio’s standard metrics
			7.4.1 Configuring existing metrics
			7.4.2 Creating new metrics
			7.4.3 Grouping calls with new attributes
		Summary
	8 Observability: Visualizing network behavior with Grafana, Jaeger, and Kiali
		8.1 Using Grafana to visualize Istio service and control- plane metrics
			8.1.1 Setting up Istio’s Grafana dashboards
			8.1.2 Viewing control-plane metrics
			8.1.3 Viewing data-plane metrics
		8.2 Distributed tracing
			8.2.1 How does distributed tracing work?
			8.2.2 Installing a distributed tracing system
			8.2.3 Configuring Istio to perform distributed tracing
			8.2.4 Viewing distributed tracing data
			8.2.5 Trace sampling, force traces, and custom tags
		8.3 Visualization with Kiali
			8.3.1 Installing Kiali
			8.3.2 Conclusion
		Summary
	9 Securing microservice communication
		9.1 The need for application-networking security
			9.1.1 Service-to-service authentication
			9.1.2 End-user authentication
			9.1.3 Authorization
			9.1.4 Comparison of security in monoliths and microservices
			9.1.5 How Istio implements SPIFFE
			9.1.6 Istio security in a nutshell
		9.2 Auto mTLS
			9.2.1 Setting up the environment
			9.2.2 Understanding Istio’s PeerAuthentication resource
		9.3 Authorizing service-to-service traffic
			9.3.1 Understanding authorization in Istio
			9.3.2 Setting up the workspace
			9.3.3 Behavior changes when a policy is applied to a workload
			9.3.4 Denying all requests by default with a catch-all policy
			9.3.5 Allowing requests originating from a single namespace
			9.3.6 Allowing requests from non-authenticated legacy workloads
			9.3.7 Allowing requests from a single service account
			9.3.8 Conditional matching of policies
			9.3.9 Understanding value-match expressions
			9.3.10 Understanding the order in which authorization policies are evaluated
		9.4 End-user authentication and authorization
			9.4.1 What is a JSON web token?
			9.4.2 End-user authentication and authorization at the ingress gateway
			9.4.3 Validating JWTs with RequestAuthentication
		9.5 Integrating with custom external authorization services
			9.5.1 Hands-on with external authorization
			9.5.2 Configuring Istio for ExtAuthz
			9.5.3 Using a custom AuthorizationPolicy resource
		Summary
Part 3 Istio day-2 operations
	10 Troubleshooting the data plane
		10.1 The most common mistake: A misconfigured data plane
		10.2 Identifying data-plane issues
			10.2.1 How to verify that the data plane is up to date
			10.2.2 Discovering misconfigurations with Kiali
			10.2.3 Discovering misconfigurations with istioctl
		10.3 Discovering misconfigurations manually from the Envoy config
			10.3.1 Envoy administration interface
			10.3.2 Querying proxy configurations using istioctl
			10.3.3 Troubleshooting application issues
			10.3.4 Inspect network traffic with ksniff
		10.4 Understanding your application using Envoy telemetry
			10.4.1 Finding the rate of failing requests in Grafana
			10.4.2 Querying the affected Pods using Prometheus
		Summary
	11 Performance-tuning the control plane
		11.1 The control plane’s primary goal
			11.1.1 Understanding the steps of data-plane synchronization
			11.1.2 Factors that determine performance
		11.2 Monitoring the control plane
			11.2.1 The four golden signals of the control plane
		11.3 Tuning performance
			11.3.1 Setting up the workspace
			11.3.2 Measuring performance before optimizations
			11.3.3 Ignoring events: Reducing the scope of discovery using discovery selectors
			11.3.4 Event-batching and push-throttling properties
		11.4 Performance tuning guidelines
		Summary
Part 4 Istio in your organization
	12 Scaling Istio in your organization
		12.1 The benefits of a multi-cluster service mesh
		12.2 Overview of multi-cluster service meshes
			12.2.1 Istio multi-cluster deployment models
			12.2.2 How workloads are discovered in multi-cluster deployments
			12.2.3 Cross-cluster workload connectivity
			12.2.4 Common trust between clusters
		12.3 Overview of a multi-cluster, multi-network, multi- control-plane service mesh
			12.3.1 Choosing the multi-cluster deployment model
			12.3.2 Setting up the cloud infrastructure
			12.3.3 Configuring plug-in CA certificates
			12.3.4 Installing the control planes in each cluster
			12.3.5 Enabling cross-cluster workload discovery
			12.3.6 Setting up cross-cluster connectivity
			12.3.7 Load-balancing across clusters
		Summary
	13 Incorporating virtual machine workloads into the mesh
		13.1 Istio’s VM support
			13.1.1 Simplifying sidecar proxy installation and configuration in a VM
			13.1.2 Virtual machine high availability
			13.1.3 DNS resolution of in-mesh services
		13.2 Setting up the infrastructure
			13.2.1 Setting up the service mesh
			13.2.2 Provisioning the VM
		13.3 Mesh expansion to VMs
			13.3.1 Exposing istiod and cluster services to the VM
			13.3.2 Representing a group of workloads with a WorkloadGroup
			13.3.3 Installing and configuring the istio-agent in the VM
			13.3.4 Routing traffic to cluster services
			13.3.5 Routing traffic to the WorkloadEntry
			13.3.6 VMs are configured by the control plane: Enforcing mutual authentication
		13.4 Demystifying the DNS proxy
			13.4.1 How the DNS proxy resolves cluster hostnames
			13.4.2 Which hostnames is the DNS proxy aware of?
		13.5 Customizing the agent’s behavior
		13.6 Removing a WorkloadEntry from the mesh
		Summary
	14 Extending Istio on the request path
		14.1 Envoy’s extension capabilities
			14.1.1 Understanding Envoy’s filter chaining
			14.1.2 Filters intended for extension
			14.1.3 Customizing Istio’s data plane
		14.2 Configuring an Envoy filter with the EnvoyFilter resource
		14.3 Rate-limiting requests with external call-out
			14.3.1 Understanding Envoy rate limiting
		14.4 Extending Istio’s data plane with Lua
		14.5 Extending Istio’s data plane with WebAssembly
			14.5.1 Introducing WebAssembly
			14.5.2 Why WebAssembly for Envoy?
			14.5.3 Building a new Envoy filter with WebAssembly
			14.5.4 Building a new Envoy filter with the meshctl tool
			14.5.5 Deploying a new WebAssembly Envoy filter
		Summary
appendix A Customizing the Istio installation
	A.1 The IstioOperator API
	A.2 The Istio installation profiles
	A.3 Installing and customizing Istio using istioctl
	A.4 Installing and customizing Istio with the istio-operator
		A.4.1 Installing the istio-operator
		A.4.2 Updating the installation of a mesh
appendix B Istio’s sidecar and its injection options
	B.1 Sidecar injection
		B.1.1 Manual sidecar injection
		B.1.2 Automatic sidecar injection
	B.2 Security issues with istio-init
appendix C Istio security: SPIFFE
	C.1 Authentication using PKI (public key infrastructure)
		C.1.1 Traffic encryption via TLS and end-user authentication
	C.2 SPIFFE: Secure Production Identity Framework for Everyone
		C.2.1 SPIFFE ID: Workload identity
		C.2.2 Workload API
		C.2.3 Workload endpoints
		C.2.4 SPIFFE Verifiable Identity Documents
		C.2.5 How Istio implements SPIFFE
		C.2.6 Step-by-step bootstrapping of workload identity
	C.3 Understanding request identity
		C.3.1 Metadata collected by the RequestAuthentication resource
		C.3.2 Overview of the flow of one request
appendix D Troubleshooting Istio components
	D.1 Information exposed by the Istio agent
		D.1.1 Endpoints to introspect and troubleshoot the Istio agent
		D.1.2 Querying Istio Pilot debug endpoints through the Istio agent
	D.2 Information exposed by the Istio Pilot
		D.2.1 The Istio Pilot debug endpoints
		D.2.2 The ControlZ interface
appendix E How the virtual machine is configured to join the mesh
index
	Numerics
	A
	B
	C
	D
	E
	F
	G
	H
	I
	J
	K
	L
	M
	N
	O
	P
	Q
	R
	S
	T
	U
	V
	W
	X
	Z
Istio in Action - back