Kubernetes Service Mesh: Istio Edition

Service Mesh Breakdown

A Service Mesh, inside and outside of Kubernetes, has one primary purpose: control how different parts of an application communicate with one another. Although a service mesh exists specifically for applications, it’s technically considered part of the infrastructure layer. The reason is that most of what a service mesh does is route traffic between services, which is primarily a networking concern.

  • Control plane — this is like the “headquarters”. It handles the configuration for the proxies (the proxy is the core of the Data Plane), encryption, certificates, and the configuration the services need to talk to each other
  • Data plane — distributed proxies that run as [sidecars](https://www.nginx.com/resources/glossary/sidecar/#:~:text=A%20sidecar%20is%20a%20separate,a%20helper%20application%20of%20sorts.). The sidecars are simply “helper” containers. They hold the proxy configuration that governs how services talk to each other (which is what the core of a service mesh is doing).
Source: https://www.google.com/url?sa=i&url=https%3A%2F%2Fservicemesh.es%2F&psig=AOvVaw1aUWOBCmDVki3_o8n5bstM&ust=1649601895787000&source=images&cd=vfe&ved=0CAoQjRxqFwoTCKD1qoqch_cCFQAAAAAdAAAAABA5
  • Load balancing
  • Observability
  • Security including authorization policies, TLS encryption, and access control

Why a Service Mesh Is Important

You may be thinking to yourself, “aren’t microservices and Kubernetes already doing this for me?”, and the answer is sort of. Kubernetes handles traffic out of the box with kube-proxy. kube-proxy is installed on every Kubernetes worker node and handles the local cluster networking. It implements iptables or IPVS rules for routing and load balancing on the Pod network.

  • It’ll be easier to troubleshoot network latency
  • You’ll have out-of-the-box security between services. Without a service mesh, there’s no security between services: Pod-to-Pod traffic is unencrypted and unauthenticated by default. You could handle this with a TLS cert per service, but do you really want to add on more work from that perspective?
  • Communication resiliency between services so you don’t have to worry about timeouts, retries, and rate limiting
  • Observability for tracing and alerting

Getting Started With Istio

Now that you know why you’d want to implement a service mesh, let’s learn how to do it! The installation process is pretty quick and only requires a few commands.

# Download the latest Istio release into the current directory
curl -L https://istio.io/downloadIstio | sh -
# Replace version_number with the version that was downloaded, e.g. istio-1.13.2
cd istio-version_number
# Put istioctl on the PATH for this shell session
export PATH=$PWD/bin:$PATH
# Install the control plane with the default profile
istioctl install
# Enable automatic sidecar injection for new Pods in the default namespace
kubectl label namespace default istio-injection=enabled
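Once the sidecars are injected, the “out-of-the-box security between services” described earlier still has to be switched on explicitly. The following manifests are an added example, not part of the original post or of the Istio project: a namespace with the same injection label the command above sets, a mesh-wide PeerAuthentication that forces mutual TLS, and a deny-by-default AuthorizationPolicy with a single allow rule. The namespace names payments and orders, the app label, the service account and the /charge path are assumptions for illustration.

```yaml
# Added example (not from the original post). Names "payments", "orders",
# the app label, the service account and the /charge path are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    istio-injection: enabled   # same effect as the kubectl label command above
---
# Mesh-wide PeerAuthentication in the root namespace (istio-system):
# sidecars accept only mutual-TLS connections, so plaintext traffic from
# Pods outside the mesh is rejected instead of silently allowed.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Deny by default: an AuthorizationPolicy with an empty spec matches no
# request, so every request to workloads in this namespace is denied
# unless another ALLOW policy explicitly matches it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# Explicit allow: only the workload identity of the "orders" service
# account (proven by its mTLS client certificate) may call the payments
# workload, and only for POST /charge.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-orders-to-payments
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/orders/sa/orders"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/charge"]
```

Apply the file with kubectl apply -f. Istio’s default PeerAuthentication mode is PERMISSIVE, which accepts both plaintext and mTLS; switching the root namespace to STRICT breaks any caller that has not been injected with a sidecar, so check that every workload you expect to talk to the namespace already shows an istio-proxy container before applying it.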

Michael Levan

Leader in Kubernetes consulting, research, and content creation ┇AWS Community Builder (Dev Tools Category)┇ HashiCorp Ambassador