Service Mesh with Istio: Traffic Management & Security
In this tutorial, you'll learn about Service Mesh with Istio: Traffic Management & Security. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Istio is a service mesh that provides traffic management, security, and observability for Kubernetes applications by deploying sidecar proxies alongside each pod.
What You'll Learn
This tutorial covers Istio installation, virtual services for traffic routing, destination rules for load balancing, mutual TLS enforcement, authorization policies, and integrating applications.
Why It Matters
Service mesh solves inter-service communication challenges that become critical at scale: encrypted traffic, fine-grained access control, traffic splitting for canary deployments, and centralized observability.
Real-World Use
eBay uses Istio to manage traffic between hundreds of microservices with mTLS encryption and rate limiting. Morgan Stanley uses Istio for zero-trust security between banking applications.
Installing Istio
# Download Istio CLI
curl -L https://istio.io/downloadIstio | sh -
# Install with demo profile
istioctl install --set profile=demo -y
# Enable sidecar injection on a namespace
kubectl label namespace default istio-injection=enabled
Verify the installation.
# Check Istio components
kubectl -n istio-system get pods
Expected output shows istiod, ingressgateway, egressgateway, and telemetry components.
Deploying Applications with Istio
Applications do not require code changes. Istio injects an Envoy sidecar proxy automatically.
# Deploy an application
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml
# Verify sidecar injection
kubectl get pods
# Check that each pod has 2/2 containers ready
Traffic Management
Virtual Services
Virtual services define routing rules for HTTP and TCP traffic.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v2
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v3
      weight: 10
Destination Rules
Destination rules configure load balancing, connection pool, and outlier detection settings, and define the subsets that virtual services route to.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http2MaxRequests: 1000
        maxRequestsPerConnection: 10
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 60s
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
Security with Istio
Mutual TLS
Enable strict mTLS for all traffic in a namespace.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
Authorization Policies
Authorization policies provide fine-grained access control based on workload identity and request attributes.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-policy
  namespace: default
spec:
  selector:
    matchLabels:
      app: reviews
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/productpage"]
    to:
    - operation:
        methods: ["GET"]
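The policy above only constrains the reviews workload; every other workload in the namespace stays reachable. The following manifest is an added example, not part of the tutorial, that combines mesh-wide STRICT mTLS with a namespace deny-by-default baseline and the tutorial's productpage-to-reviews rule as the single explicit allow (namespace and service-account names follow the bookinfo sample). Because source.principals is derived from the client certificate, the allow rule can only match once mTLS is in place.

```yaml
# Added example (not from the tutorial): mesh-wide mTLS plus a deny-by-default
# baseline, with the tutorial's productpage -> reviews rule as the only allow.
---
# 1. Mesh-wide STRICT mTLS. A PeerAuthentication named "default" in the root
#    namespace (istio-system) applies to every workload without a narrower policy.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 2. Deny-by-default for the whole namespace: an AuthorizationPolicy with no
#    selector and no rules matches every workload in "default" and allows nothing.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: default
spec: {}
---
# 3. Explicit allow: only productpage's identity may GET the reviews workload.
#    source.principals is taken from the client certificate, so plaintext callers
#    carry no principal and never match this rule.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-policy
  namespace: default
spec:
  selector:
    matchLabels:
      app: reviews
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/productpage"]
    to:
    - operation:
        methods: ["GET"]
```

With the deny-all policy applied, every other call path in the namespace (including ingress gateway to productpage, and productpage to details and ratings) needs its own ALLOW rule before it works again.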
Observability
# View traffic metrics
istioctl dashboard kiali
# View tracing
istioctl dashboard jaeger
# View metrics dashboards
istioctl dashboard grafana
Practice Questions
What is the role of the Envoy sidecar proxy in Istio? It intercepts all traffic to and from the container, applying routing, security, and telemetry policies.
How do you route traffic based on HTTP headers? Use VirtualService http.match with header conditions to route to specific subsets.
What is the difference between PeerAuthentication and AuthorizationPolicy? PeerAuthentication enforces mTLS between services. AuthorizationPolicy controls which services can access specific endpoints.
How does Istio enable canary deployments? VirtualServices with weight-based routing split traffic between subsets of different versions.
What happens when a pod does not have the sidecar injected? It cannot participate in Istio mesh features and communicates directly with other services.