Istio ⛵

Let’s talk about Istio. Tune in to the podcast episode released today, where Craig Box from Google joined me to discuss the history and benefits of Istio. The conversation was really eye-opening, and helped me get a much better understanding of why Istio, and how Istio compares to other platforms. In this episode Craig also does a good job of demystifying Istio (if it’s a mystery to you). While Istio is not a CNCF project, I don’t feel like we are breaking our character of discussing projects in the CNCF ecosystem, because Istio works well with Kubernetes and is built on top of Envoy.

Issue #122

Straight from the Istio docs, let’s start with a great writeup on what Istio is and what problems the software can help with. Remember, software isn’t going to single-handedly solve your operational problems. But if you identify with any of these problem statements, you should consider Istio.

Sachin Manpathak at Platform9 wrote a detailed comparison of three service meshes: Istio, Linkerd, and Consul. This isn’t an opinionated post; instead it starts out by building a comparison table. We’ve talked about the patterns that a service mesh brings to a cluster, and after the comparison table, Sachin goes into a little more detail on these patterns. This is a great post for anyone just getting started with a service mesh today. 🍎🍊

Let’s say you aren’t enforcing mTLS inside your cluster. How would you get started, and how can Istio help you migrate from your insecure setup to a secure one, without breaking production traffic? This doc shows how much effort the Istio team has put into thinking through “migrating to Istio” scenarios. 🚚🚦

This is a description of a new feature, introduced in Istio 1.9. Some folks may have complex and possibly proprietary existing authentication systems. And when you have that, it’s unlikely that you’ll change your entire auth system in order to adopt a single product. Istio now supports delegating access control decisions out to external providers. This is a great feature that could make it possible to use Istio in environments where it was difficult to use before. 🔑

In the podcast, Craig mentions that Istio isn’t limited to working inside a Kubernetes cluster. Here’s a walkthrough of connecting a VM to an Istio installation. Being able to connect to external (out of the cluster) VMs isn’t unique to Istio, but it’s a really powerful feature. I’m looking forward to the day when everything is in K8s, but maybe you have some older, legacy workloads that you’d like to secure. 🖥

A good writeup by Tomas Fernández that shows how to use Istio to manage blue-green deployments in Kubernetes. This post goes into a lot of detail, and assumes that you have Istio already installed. Hopefully you are deploying automatically via a CI/CD pipeline, and if you aren’t already able to do blue-green deployments, this is a great read. 🔁

Apache Mesos is moved to the Apache Attic. Formally, projects move to the attic at the end of life. Just in case anyone out there wasn’t ready to commit to Kubernetes yet. ☠