Alex Handy
24 May 2017

Google, IBM, and Lyft have publicly revealed a six-month-old open source project they’ve been working on to build a Kubernetes-based microservices framework that can add load balancing, encryption, policy-based governance, and reporting to existing services without any code changes. The project, named Istio, kicked off in November of last year.

Installing Istio on a Kubernetes instance results in a service mesh using proxies at the entry and exit points of each service. That proxy is Lyft’s Envoy, plus some improvements from IBM and Google, and it allows legacy and existing services to be easily integrated into typical cluster services, like security, governance, and monitoring.

Varun Talwar, product manager at Google, heads up both Istio and gRPC, which is supported in Istio but not required. “We think of Istio as a service mesh,” said Talwar. “As a layer of infrastructure between services and networks which you can inject into your existing services, your legacy services, your cloud services, and get all of these capabilities.”

Those capabilities include such enterprise holy grails as reporting, monitoring, governance, and the all-too-often problematic service-to-service authentication and security. “Operators get a policy-driven control plane where they can say, ‘I want this policy across all my services, or for these specific services,’ and both can operate almost independently,” said Talwar.

The Istio project itself contains many sub-tools, but Talwar broke it down into three key components. The first part is the Istio proxy, which is essentially Envoy, a project open-sourced by Lyft late last year. With Envoy at the ingress and egress points for each service, traffic and data are captured.

That leads to the second big part of Istio, said Talwar. “In Kubernetes-land, we do magic to auto-inject it. Then comes the Istio Mixer: the control plane. For every request, the Envoy can do access control checks. ‘Should I rate limit? Is it white-listed?’ Mixer can say yes or no to policy-based things,” said Talwar.

Mixer and Envoy also work together to bring logging and monitoring to bear on all of those services. Talwar said that Mixer is designed to send this information to a number of logging systems. Additionally, he said that this alpha signifies that the Istio team has brought the system to a working state on Kubernetes, with the intention of porting it to other cloud platforms in future releases.

The third, and perhaps most interesting, major part of this new microservices framework is its ability to provide authentication and security between services. Talwar said that this problem was often discussed, and customers have been scrambling for better solutions to the puzzle of handling thousands of security keys as ephemeral as the containers to which they are attached.

“A lot of the ways people don’t do service-to-service security, or they do it with these libraries. We have [a certificate authority] which mints and distributes certificates. You can have strong authentication between services, and down the road you’ll be able to say, ‘Only this service can talk to that service,’” said Talwar.

The current version of Istio stores security keys in Kubernetes Secrets. Talwar said, “Just the notion of strong service authentication is a huge win in itself. You could deploy Istio and say, ‘The main thing I want is the security piece,’ and not have policies for some of the other pieces, and enable some services and not others. It’s flexible in that way.”
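To make the per-request flow Talwar describes concrete (the proxy asking the control plane "should I rate limit? is it white-listed?" and the certificate-based service identity that lets an operator say "only this service can talk to that service"), here is a small constructed model of such a policy check. It is an added illustration written for this article, not Istio, Envoy or Mixer code: the `Request`, `TokenBucket` and `Policy` names, the allow-list and the rate-limit values are all assumptions. The caller identity is taken as already extracted from the peer certificate by the proxy, and a request with no identity is refused rather than guessed at.

```python
"""Toy model of a proxy-to-control-plane policy check, in the style of the
Envoy/Mixer flow described above. Constructed illustration only: none of the
names or values here come from Istio."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    # Caller identity, as the sidecar would read it from the peer's
    # CA-minted certificate during mutual TLS. None = unauthenticated peer.
    source: Optional[str]
    destination: str
    path: str


class TokenBucket:
    """Simple token-bucket rate limiter; `now` is passed in for determinism."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last: Optional[float] = None

    def take(self, now: float) -> bool:
        if self.last is not None:
            elapsed = now - self.last
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Policy:
    """Operator-defined policy: which source->destination pairs may talk, and
    how fast each destination may be called. Every decision is audited."""

    def __init__(self, allowed_pairs, rate_limits):
        self.allowed = set(allowed_pairs)
        self.buckets = {dst: TokenBucket(cap, rate) for dst, (cap, rate) in rate_limits.items()}
        self.audit = []  # (source, destination, decision, reason), one per request

    def _record(self, req: Request, decision: str, reason: str):
        entry = (req.source, req.destination, decision, reason)
        self.audit.append(entry)  # stands in for export to a logging backend
        return entry

    def check(self, req: Request, now: float):
        # 1. Fail closed: no authenticated peer identity means no decision to make.
        if req.source is None:
            return self._record(req, "DENY", "no peer identity")
        # 2. Service-to-service authorization ("only this service can talk to that").
        if (req.source, req.destination) not in self.allowed:
            return self._record(req, "DENY", "not in allow-list")
        # 3. Per-destination rate limit.
        bucket = self.buckets.get(req.destination)
        if bucket is not None and not bucket.take(now):
            return self._record(req, "DENY", "rate limited")
        return self._record(req, "ALLOW", "ok")


def run_demo():
    """Run a constructed traffic sample through a constructed policy."""
    policy = Policy(
        allowed_pairs={("frontend", "orders"), ("orders", "payments")},
        rate_limits={"payments": (2, 1.0)},  # burst of 2, refills 1 token/sec
    )
    traffic = [
        (0.0, Request("frontend", "orders", "/cart")),
        (0.0, Request("frontend", "payments", "/charge")),   # not an allowed pair
        (0.0, Request("orders", "payments", "/charge")),
        (0.0, Request("orders", "payments", "/charge")),
        (0.0, Request("orders", "payments", "/charge")),     # burst exhausted
        (1.0, Request("orders", "payments", "/charge")),     # one token refilled
        (1.0, Request(None, "orders", "/cart")),             # unauthenticated
    ]
    return [policy.check(req, now) for now, req in traffic]


if __name__ == "__main__":
    for src, dst, decision, reason in run_demo():
        print(f"{src!s:>9} -> {dst:<9} {decision:<5} ({reason})")
```

The point of the model is the shape of the decision, not the code: identity comes from the certificate the CA issued, the allow-list and rate limits live in the control plane rather than in each service's code, and every verdict is recorded so the same data can feed monitoring.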

At present, Istio is at version 0.1.3; version 0.1.4 is nearing release, though testing issues that came up on Monday have delayed it.

Talwar wanted developers to know that Istio is designed to make their lives easier, while also easing the woes of operations and administrators through its policy management capabilities. “We are developing this in the open, as a microservices framework which is language agnostic. All the benefits are uniform, and by having a uniform constraint like this is great. If you don’t want to change any code and get a lot of benefits, then a uniform substrate like this does a lot in making developers’ lives a lot easier,” said Talwar.