# Service Mesh: Istio and Linkerd

## Introduction

Service meshes manage the network communication between microservices through sidecar proxies, so routing, encryption, and telemetry are handled outside the application code. This guide covers Istio and Linkerd for traffic management, security, and observability.

## Core Concepts

### Service Mesh Benefits

- Traffic Management: Routing and load balancing
- Security: mTLS and authorization policies
- Observability: Metrics, traces, and logs
- Resilience: Retries and circuit breaking
## Good: Istio Setup

### Installation

```bash
# ✅ GOOD: Install Istio
curl -L https://istio.io/downloadIstio | sh -
cd istio-*
export PATH=$PWD/bin:$PATH
# The demo profile is meant for evaluation; use the default or a custom profile for production
istioctl install --set profile=demo -y
```
### Virtual Service

```yaml
# ✅ GOOD: Istio VirtualService
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: go-app
spec:
  hosts:
    - go-app
  http:
    - match:
        - uri:
            prefix: "/api"
      route:
        - destination:
            host: go-app
            port:
              number: 8080
            subset: v1
          weight: 80   # weights across the destinations of one route must sum to 100
        - destination:
            host: go-app
            port:
              number: 8080
            subset: v2
          weight: 20
```
### Destination Rule

```yaml
# ✅ GOOD: Istio DestinationRule
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: go-app
spec:
  host: go-app
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 100
        http2MaxRequests: 1000
  subsets:   # the subsets referenced by the VirtualService, selected by pod label
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
```
## Good: Linkerd Setup

### Installation

```bash
# ✅ GOOD: Install Linkerd
curl https://run.linkerd.io/install | sh
export PATH=$PATH:$HOME/.linkerd2/bin
# Linkerd 2.12 and later install the CRDs in a separate step first:
#   linkerd install --crds | kubectl apply -f -
linkerd install | kubectl apply -f -
```

### Inject Sidecar

```bash
# ✅ GOOD: Inject Linkerd sidecar
kubectl annotate namespace default linkerd.io/inject=enabled
# Existing pods only get the proxy after they are recreated
kubectl rollout restart deployment/go-app
```
## Good: Traffic Management

### Retry Policy

```yaml
# ✅ GOOD: Retry policy
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: go-app
spec:
  hosts:
    - go-app
  http:
    - retries:
        attempts: 3
        perTryTimeout: 2s
      route:
        - destination:
            host: go-app
```

### Circuit Breaker

```yaml
# ✅ GOOD: Circuit breaker
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: go-app
spec:
  host: go-app
  trafficPolicy:
    outlierDetection:
      consecutive5xxErrors: 5   # eject a host after 5 consecutive 5xx responses
      interval: 30s
      baseEjectionTime: 30s
```
## Good: Security

### Authorization Policy

```yaml
# ✅ GOOD: Authorization policy
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: go-app
spec:
  selector:
    matchLabels:
      app: go-app
  # No action is set, so this is an ALLOW policy: requests to go-app that match
  # no rule are denied. Principals are taken from the peer certificate, so this
  # only works with mTLS.
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/default/sa/frontend"]
      to:
        - operation:
            methods: ["GET"]
            paths: ["/api/*"]
```
## Best Practices

### 1. Start Simple

✅ GOOD: Start with a basic setup

- Install the service mesh
- Inject sidecars
- Monitor metrics

❌ BAD: Complex configuration immediately

### 2. Monitor Metrics

✅ GOOD: Monitor service mesh metrics

- Request rate
- Error rate
- Latency
- Traffic distribution

### 3. Use mTLS

```yaml
# ✅ GOOD: Enable mTLS
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  # Applies to the namespace it is created in; in the root namespace
  # (istio-system) it becomes the mesh-wide default.
spec:
  mtls:
    mode: STRICT
```
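The authorization policy and the STRICT mTLS setting only hold up together, and a mesh often accumulates manifests that quietly weaken them. As an added check written for this guide (not Istio's own tooling, and not from the original page), the following Python linter walks already-parsed manifests (dicts as `yaml.safe_load` returns them; the sample manifests are constructed inline) and flags non-STRICT mTLS, rules with no `from` or `to`, wildcard principals, and a missing namespace-wide deny-all policy.

```python
# Added example (not Istio's own tooling): lint parsed Istio security manifests
# (dicts as produced by yaml.safe_load) for weak mTLS and authorization settings.
def lint_manifests(manifests):
    """Return a list of findings; an empty list means nothing weak was found."""
    findings, strict_wide, deny_all = [], False, False
    for m in manifests:
        kind, spec = m.get("kind"), m.get("spec") or {}
        name = (m.get("metadata") or {}).get("name", "<unnamed>")
        if kind == "PeerAuthentication":
            mode = (spec.get("mtls") or {}).get("mode", "UNSET")  # UNSET inherits PERMISSIVE
            if mode != "STRICT":
                findings.append(f"{kind}/{name}: mtls mode is {mode}, plaintext still accepted")
            elif "selector" not in spec:
                strict_wide = True  # covers the whole namespace (or the mesh, if in istio-system)
        elif kind == "AuthorizationPolicy":
            action, rules = spec.get("action", "ALLOW"), spec.get("rules") or []
            if action == "ALLOW" and not rules:
                # An ALLOW policy with no rules matches nothing: Istio's deny-all idiom.
                deny_all = deny_all or "selector" not in spec
                continue
            for i, rule in enumerate(rules):
                sources = rule.get("from") or []
                if action == "ALLOW" and not sources:
                    findings.append(f"{kind}/{name} rule {i}: no 'from', any caller matches")
                for p in [q for s in sources for q in (s.get("source") or {}).get("principals") or []]:
                    if "*" in p:  # principals come from the peer cert; wildcards widen the trust
                        findings.append(f"{kind}/{name} rule {i}: wildcard principal {p}")
                if action == "ALLOW" and not rule.get("to"):
                    findings.append(f"{kind}/{name} rule {i}: no 'to', every method and path allowed")
    if not strict_wide:
        findings.append("no namespace- or mesh-wide STRICT PeerAuthentication")
    if not deny_all:  # workloads that no policy selects accept all traffic
        findings.append("no namespace-wide deny-all AuthorizationPolicy (spec: {})")
    return findings

# Constructed samples: the page's STRICT PeerAuthentication and frontend-only policy,
# then a weak variant with PERMISSIVE mTLS and a namespace-wide wildcard principal.
PAGE_MANIFESTS = [
    {"kind": "PeerAuthentication", "metadata": {"name": "default"}, "spec": {"mtls": {"mode": "STRICT"}}},
    {"kind": "AuthorizationPolicy", "metadata": {"name": "go-app"},
     "spec": {"selector": {"matchLabels": {"app": "go-app"}},
              "rules": [{"from": [{"source": {"principals": ["cluster.local/ns/default/sa/frontend"]}}],
                         "to": [{"operation": {"methods": ["GET"], "paths": ["/api/*"]}}]}]}},
]
WEAK = [
    {"kind": "PeerAuthentication", "metadata": {"name": "default"}, "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"kind": "AuthorizationPolicy", "metadata": {"name": "go-app"},
     "spec": {"rules": [{"from": [{"source": {"principals": ["cluster.local/ns/default/*"]}}]}]}},
]
```

Running `lint_manifests(PAGE_MANIFESTS)` reports only the missing deny-all baseline; adding an AuthorizationPolicy named `deny-all` with an empty `spec` clears it, while `lint_manifests(WEAK)` yields five findings.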
## Resources

- Istio: https://istio.io/
- Linkerd: https://linkerd.io/
- Service Mesh: https://www.nginx.com/blog/what-is-a-service-mesh/

## Summary

Service meshes provide powerful capabilities for microservice communication. Start with basic traffic management, gradually add security policies, and leverage observability features. Proper service mesh configuration ensures reliable, secure microservice architectures.