Title: Istio Ambient Explained: Getting Started with Istio Ambient Service Mesh
Author: Lin Sun, Christian Posta
Publisher: O’Reilly Media, Inc.
Year: 2022-10-03
Language: English
Format: epub (true), mobi
Size: 10.2 MB
Service meshes such as Istio provide a lot of value to teams running microservices architectures or cloud workloads. But they do have their drawbacks. To help you implement their capabilities, most service meshes use a sidecar proxy, an architecture that comes with operational complexities and costly resource overhead.
In this report, authors Lin Sun and Christian Posta from Solo.io dive into Istio ambient mesh, a new sidecarless data plane mode designed for transparent application onboarding, simplified operation, and reduced infrastructure cost. Developers, architects, and platform owners will examine the challenges of existing sidecar architecture, explore the benefits of ambient mesh, and learn how to get started with Istio ambient service mesh.
Istio ambient mesh is a new sidecar-less data plane option for Istio service mesh originally developed by Solo.io and Google. The goal for Istio ambient is to improve the operational experience of adopting, deploying, upgrading, and generally managing Istio throughout its life as critical infrastructure. Additional benefits over Istio’s existing sidecar deployments include resource cost savings, performance improvements, and improved security while maintaining Istio’s core feature set of zero-trust security, resilience, observability, traffic routing, and policy enforcement.
We (the creators of Istio) have always intended to make the service mesh transparent and incrementally adoptable, but in practice the sidecar approach has had drawbacks. The first drawback is in Kubernetes: the sidecar container is not a first-class citizen in a pod (i.e., the sidecar has no lifecycle or ordering controls). This creates scenarios where the workload container may become available before the Istio sidecar proxy. If the workload tries to make an outgoing connection, it will fail because the sidecar is not ready, creating a race condition. Another scenario happens when using Kubernetes Job resources. A Job that gets injected with a sidecar may run to completion, but the pod will not get cleaned up because the sidecar runs indefinitely.
With this report, you will:
Understand the challenges of sidecar architecture and why ambient was introduced
Dig into the main architectural components of Istio ambient, such as the secure transport layer and waypoint proxies, to learn how this service mesh works
Learn the benefit of adopting ambient mesh incrementally from the secure overlay layer to enable rich L7 functionalities such as resilience, observability, security, and policy enforcement, while understanding the adoption differences with sidecars
Learn how to get started with ambient and take the next steps