Istio gets enterprise ready, pushing performance and scalability

Version 1.1 of service mesh Istio is now available to download and includes improvements especially targeted at enterprises trying to integrate the project into their infrastructure.

Because the control plane and the sidecars have caused performance and resource problems in large clusters with many services, the Istio team has added ways to narrow their scope. For example, users can now limit the set of services a sidecar proxy knows about with a Sidecar resource. Networking resources also gain an exportTo field, which controls which namespaces are allowed to see them.
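The two mechanisms side by side, as an added illustration that is not part of the article or of Istio's own documentation. The namespace `payments` and the service `ledger` are made up for the example; the resource kinds, API version and field names are those of Istio 1.1.

```yaml
# Added illustration: restrict what the sidecars in the hypothetical
# "payments" namespace can see. Without a Sidecar resource every proxy
# receives configuration for every service in the mesh, which is both
# the performance problem and a larger-than-necessary view of the
# cluster for any workload that gets compromised.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: payments
spec:
  egress:
  - hosts:
    - "./*"              # services in this namespace only
    - "istio-system/*"   # plus the control-plane and telemetry services
---
# Keep this VirtualService private to its own namespace. "." means the
# namespace the resource lives in; "*" (the default) exports it everywhere.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ledger
  namespace: payments
spec:
  exportTo:
  - "."
  hosts:
  - ledger.payments.svc.cluster.local
  http:
  - route:
    - destination:
        host: ledger.payments.svc.cluster.local
```

Two things to check before relying on this: a Sidecar resource without a workloadSelector applies to every workload in its namespace, and only one such resource per namespace is honoured; and the egress list is about what the proxy is configured for, not an authorisation policy, so anything a pod must not reach still needs an RBAC rule or a network policy.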

Those already running Istio should be aware that one of the performance changes disables Envoy sidecar access logging by default, so anyone who relies on those logs (for audit trails or incident investigation, for instance) must turn them back on. The same applies to Mixer policy checks: they are now off by default to reduce per-request latency, so they have to be enabled explicitly where they are needed.
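The Helm values that restore both behaviours, as an added example rather than text from the article. The values are the ones the 1.1 chart exposes; the file name in the comment is hypothetical.

```yaml
# Added illustration: Helm values that restore the pre-1.1 behaviour.
# Apply with something like
#   helm template install/kubernetes/helm/istio --name istio \
#     --namespace istio-system --values restore-1.0-defaults.yaml
# (the file name is made up for this example).
global:
  proxy:
    # 1.1 default is "" (logging off). Send Envoy access logs to stdout
    # again so the container runtime and your log pipeline pick them up.
    accessLogFile: "/dev/stdout"
  # 1.1 default is true. Set false so every request is checked by Mixer
  # policy (rate limits, denials, quota adapters) before being served.
  disablePolicyChecks: false
  # With checks on, decide what happens when Mixer is unreachable.
  # false (the default) fails closed: requests are rejected.
  policyCheckFailOpen: false
```

Re-enabling policy checks puts Mixer back on the request path, so keep policyCheckFailOpen at false only if a Mixer outage taking traffic down is acceptable for the workloads concerned; otherwise plan Mixer's capacity and availability before flipping the switch.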

To connect multiple clusters, pod-level VPNs are no longer required; ingress gateways on their own suffice. Namespaces can also be spanned across clusters to create global namespaces. When services are available in the same locality, Istio now prefers them before routing to endpoints in other localities.

Configuration management has been improved by the addition of Galley, which now validates, transforms and distributes configuration state to the other components. This also helps decouple those components from the details of the underlying container orchestrator, Kubernetes.

Security work in v1.1 includes integration with Vault PKI, authorisation for TCP services, securing of addon credentials, and identity provisioning through SDS (the secret discovery service). Beyond that, the Istio team has added a way to write adapters that influence the headers and routing of incoming requests, and improved tracing with a new approach, wider trace IDs, new targets to send tracing data to, and an option to disable tracing for Mixer-backed services.
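What authorisation for a TCP service looks like in 1.1's RBAC resources, as an added example that is not from the article or from the Istio project. The namespace `backend`, the `mongodb` service on port 27017 and the `ratings` service account are hypothetical; the resource kinds and fields are those of Istio 1.1.

```yaml
# Added illustration: restrict a hypothetical MongoDB service so that
# only workloads running as the "ratings" service account may connect.
# TCP rules carry no "methods" or "paths" (those are HTTP-only); the
# match is on service and destination port.
apiVersion: rbac.istio.io/v1alpha1
kind: ClusterRbacConfig
metadata:
  name: default          # the name must be "default"
spec:
  mode: ON_WITH_INCLUSION
  inclusion:
    services:
    - mongodb.backend.svc.cluster.local
---
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRole
metadata:
  name: mongodb-client
  namespace: backend
spec:
  rules:
  - services: ["mongodb.backend.svc.cluster.local"]
    constraints:
    - key: "destination.port"
      values: ["27017"]
---
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  name: mongodb-client-binding
  namespace: backend
spec:
  subjects:
  # SPIFFE-style identity of the allowed client's service account
  - user: "cluster.local/ns/backend/sa/ratings"
  roleRef:
    kind: ServiceRole
    name: mongodb-client
```

The binding only works if mutual TLS is enabled between the client and mongodb: the `user` principal is taken from the client certificate, so with plaintext connections no subject ever matches and every connection is denied. Verify that before rolling such a rule into production, and check the access logs (re-enabled as above) for the rejected connections.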

To make the most of the new version, the control plane and the sidecar proxies have to be updated manually. A guide for the upgrade is to appear once the project website has been updated.

Istio was first publicly introduced by Google, IBM and Lyft in May 2017 and builds on the Envoy service proxy. It can be used to create networks of deployed (micro)services with load balancing and monitoring, authentication and encrypted communication between services, and access and traffic control.