Kubernetes has rapidly become the de facto standard for container orchestration, management and security. Now moving up the stack at an equally fast pace is Istio.
Riding on the coattails of Kubernetes, Istio is an open-source project designed to enable service meshes. Istio was originally developed by the ride-sharing service Lyft. Google and IBM began collaborating with Lyft two years ago on the project to create a standard service mesh with common ways to connect, manage and secure networks and their associated microservices. Istio is at version 0.8, with 1.0 on pace for completion by summer’s end.
“It defines this idea of a service mesh and provides the structure to allow you to do security, telemetry and intelligent routing in a collection of services,” said Jason McGee, VP and CTO of IBM Cloud, who is working with IBM’s Istio team. “The security component to Istio is more about providing service-to-service security at a level of abstraction that’s higher than the network.”
Built on Kubernetes, Istio enables traffic flow management, enforces access policies and aggregates telemetry data among microservices, and does so without developers needing to modify the underlying application code. Istio is the control plane for the service mesh; the data plane is the Envoy proxy, which performs service discovery, health checking, routing, automated HTTP, gRPC and WebSocket load balancing, authentication and observability by gathering TCP traffic logs and distributed traces.
Istio offers granular traffic behavior and routing rules for failover, fault injection and retries. Its pluggable policy layer and configuration API support access controls, rate limits and quotas, according to the project’s description. Istio also provides secure service-to-service communication in a cluster using its identity-based authentication and authorization.
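As an added illustration that is not part of the article, the two resources below show what identity-based service-to-service security looks like in Istio configuration: mutual TLS is required for every workload in a namespace, and one workload is reachable only by a named caller identity. This uses the security.istio.io/v1beta1 API of later Istio releases rather than the 0.8 API discussed here, and the namespace, labels, service-account name and paths are assumed values.

```yaml
# Added example (not from the article). Assumes a namespace "shop" whose
# workloads are sidecar-injected; "orders" and "frontend" are hypothetical.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    # PERMISSIVE would still accept plaintext from non-mesh clients;
    # STRICT makes the sidecar reject any connection without a mesh
    # certificate, so the caller's identity below can be trusted.
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-frontend
  namespace: shop
spec:
  # Applies to pods labelled app=orders in the "shop" namespace.
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE-style identity derived from the caller's Kubernetes
        # service account, verified via the mTLS certificate.
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/orders*"]
```

Once any ALLOW policy selects a workload, requests that match none of its rules are denied, so every other service in the mesh loses access to `orders` until it is listed explicitly.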
In addition to Kubernetes, Istio can be deployed on Nomad, HashiCorp’s open source cluster manager and scheduler, alongside HashiCorp’s service discovery tool. Istio support is also in the works for the open source Apache Mesos and Cloud Foundry projects.
Last summer, participation in the Istio open source project was briefly greater than in Kubernetes at the same stage of its lifecycle, IBM’s McGee noted. “Some of that is just because it builds on top of Kubernetes, where you get some kind of additive effect, but you know there’s a lot of momentum building,” he said.
“You can talk about policies around different applications or services that are allowed to talk to each other and the framework of Istio can automatically take care of reinforcement of that policy,” McGee said. “That changes the game because you can interact with the system in a very natural kind of application-oriented way.” McGee said he anticipates vendors will start to incorporate Istio by year’s end. Aqua Security is among those looking closely at Istio.
Liz Rice, a technical evangelist at Aqua Security who served as a co-chair of the recent KubeCon conference in Copenhagen in May, said Istio was among the hottest topics at the event. “There is no question that the community interest in Istio is enormous,” she said. “There were literally hundreds of submissions about Istio. It was certainly one of, if not the, most popular topics that people wanted to talk about.”