In the dynamic landscape of microservices and cloud-native architectures, the role of service meshes has become increasingly crucial. These programmable frameworks empower users to seamlessly connect, secure, and observe their microservices, relieving them of the complexities associated with these critical tasks within their applications.
Istio, a leading service mesh project, has been at the forefront of this evolution since its inception in 2017. The Cloud Native Computing Foundation (CNCF) reaffirmed the maturity of Istio earlier this year when it accepted it as a graduated CNCF project in July 2023.
I had the privilege to sit down with Lin Sun, Director of Open Source at solo.io, on OpenObservability Talks. Lin serves on the Istio Steering Committee, and is one of the project’s top contributors. In case you missed it, I discussed the big open source and observability news of the recent KubeCon North America 2023 in Chicago with Lin in the first part of our talk, which I recapped in my previous blog post.
In the second part, we took a deep dive on the latest happenings in the Istio project and community, and some exciting developments that came to light during the show.
Background on Service Mesh Architectures
Service mesh provides a programmable, low-latency infrastructure layer for handling service-to-service communication in a microservices architecture. It aims to handle various tasks related to networking, security, observability, and more, offloading these concerns from the application code.
Service mesh architecture has a central control plane that configures the data plane, to enable programmable networking capabilities. The data plane is effectively a proxy that sits alongside the containerized application, providing it with utility services around connectivity, security, and observability. With the proxy in place, the application does not need to concern itself with addressing these peripheral capabilities, and can remain focused on the core business logic.
The early days of service mesh saw the emergence of two architectural approaches for the proxy: the sidecar proxy architecture that was adopted by the Istio project, and the per-node proxy architecture that was adopted by Linkerd. These contending approaches were the hot topic in the community back in KubeCon Austin in 2017.
In this context, “sidecar architecture” refers to running a sidecar container alongside an application container in a Kubernetes pod, while the “per-node proxy architecture” employs a single proxy to serve all the pods running on the Kubernetes node. However, the landscape continued to evolve.
Later, Linkerd realized issues with the per-node architecture, and converted to the sidecar architecture as well. In 2021, following the growing interest and support in the eBPF technology, the Cilium project entered the service mesh arena, advocating for eBPF-based service mesh without a sidecar proxy (a.k.a. “sidecarless”). The eBPF-based approach resurrected the per-node proxy architecture, which reignited the architectural debate in the service mesh world.
The debate revolved around Layer 7 (L7, the “application layer” in the OSI networking model) processing capabilities, such as how to attribute cost in a multi-tenancy environment and how to handle noisy neighbors and achieve tenant isolation, as a busy tenant could impact the others on the node sharing the same proxy. This prompted the launch of Istio Ambient Mesh last year, in September 2022.
Istio Ambient Mesh: A Revolutionary Approach
Istio Ambient Mesh introduces a new data plane mode, allowing users to run applications in the service mesh without sidecars. The innovation lies in slicing functions into two layers: Layer 4 (L4, the “transport layer” in the OSI networking model), providing a secure overlay tunnel (Zero Trust Tunnel) per node, and L7 proxy per tenant that enables L7 processing to get access to the full range of Istio features.
“There was tremendous interest around Ambient Mesh at KubeCon, and the question we got most was actually when Ambient is going to be production-ready,” Lin said.
Here are some key takeaways on the service mesh domain from KubeCon North America and its co-located event Istio Day:
- Envoy is the De Facto Proxy for Service Mesh: Istio relies on Envoy as its sidecar proxy. Envoy offers a modern, high-performance, and feature-rich proxy. Envoy is a mature and CNCF-graduated project that features advanced capabilities around timeout, retries, traffic shifting and more. Envoy has become the go-to proxy for many other projects in this domain, such as Consul, Cilium, Kong, and Kuma, and is widely deployed in production environments.
- CNCF Graduation: Cilium has achieved graduation within the CNCF in October 2023, ahead of KubeCon. Cilium joins Linkerd, which graduated in 2021 and Istio, which has achieved graduation in July this year (2023). This speaks to their maturity and widespread adoption in production environments.
- Diversity and Sustainability: The diversity of projects within CNCF, including Istio, Linkerd, and Cilium, showcases the community’s commitment to providing users with varied options to best suit different needs and use cases. This diversity also promotes sustainability by avoiding a single point of failure, topics which I’ve discussed with the CNCF’s CTO on this blog post.
- Enterprise Adoption: Istio has witnessed widespread adoption in enterprises, with prominent names such as Airbnb, Splunk, Salesforce, and T-Mobile leveraging its features for their applications. The ability to support large, heterogeneous workloads across multiple clusters and environments sets Istio apart.
- Certification and Training: The Linux Foundation and the CNCF introduced official training and certification for Istio, offering users a standardized path to enhance their expertise in the service mesh.
Istio’s Roadmap and Kubernetes Networking Updates
Looking ahead, Istio’s roadmap is centered on advancing Ambient Mesh to beta status. Challenges, particularly around L7 API and integration with the CI stack, are being addressed meticulously to ensure a robust and stable release. The goal is to make Ambient production-ready, with an optimistic timeline for reaching beta early next year.
Istio Day at KubeCon was a treasure trove of insights, diving deep into various aspects of Istio and the service mesh landscape. Here are some additional highlights from the event:
- Gateway API reached GA: Kubernetes Networking SIG (special interest group) announced the v1.0 release of Gateway API. Graduating to general availability denotes the API maturity and stability, and comes with backwards compatibility guarantees. Istio is the first project to have implemented the Gateway API, which is used for north/south traffic.
- GAMMA Initiative in Kubernetes: Lin Sun provided valuable insights into the GAMMA initiative for providing Gateway API support for Service Mesh. The goal of GAMMA (Gateway API for Mesh Management and Administration) is to define how the Gateway API can be used to configure a service mesh for east/west traffic. It is a dedicated Kubernetes workstream focused on standardizing service mesh APIs and determining the needed Gateway API extension.
- Lin emphasized that the GAMMA project will not mature any time soon. This is why Istio still has its own API for east/west traffic, and will retain it for the near future. Nonetheless, being an early adopter, Istio has implemented the GAMMA API, so users can start experimenting with it.
- Native Sidecar Support: The recent Kubernetes release 1.28 introduced native sidecar support, a feature that Istio has implemented. While still in its alpha stage, this feature aims to simplify sidecar management and lifecycle in Kubernetes.
Endnote
KubeCon is a great place to catch up on the service mesh sphere, with dedicated tracks for service mesh and networking, as well as with the designated co-located events such as Istio Day, CiliumCon, EnvoyCon and Linkerd Day (depending on the KubeCon edition).
The service mesh domain is moving at a fast pace, together with advancements in the core Kubernetes project, from native sidecar support to Gateway API support and the GAMMA initiative. The domain is also maturing up, with both Istio and Cilium joining the graduated CNCF, alongside Linkerd and Envoy.
According to Lin Sun, Istio is “the most deployed in production service mesh”. Istio continues to be a trailblazer in the service mesh domain, evolving to meet the ever-changing demands of microservices and cloud-native architectures. The roadmap presented at KubeCon reflects Istio’s commitment to innovation, diversity, and user-centric development, with much anticipation towards Ambient Mesh reaching production readiness.
Want to learn more? Listen to the full discussion on the latest episode of OpenObservability Talks: KubeCon NA Highlights and Istio Spotlight.
Leave a Reply