Istio: The Powerhouse Behind Kubernetes Networking and Security

What is Istio?

Istio is a service mesh that enables microservices to interact with each other securely and efficiently. Istio provides a range of capabilities that make it easier to develop, deploy, and manage microservices, including traffic management, service discovery, load balancing, rate limiting, and service-to-service authentication.

Why use Istio?

Istio provides a range of benefits over traditional microservices architectures, including improved network communication and security, as well as enhanced telemetry data. By integrating Istio into your Kubernetes cluster, you can manage network communication, enforce security policies, and monitor telemetry data for your microservices with ease.

For installation you can quickly get up and running by navigating to the releases listed at this link

https://github.com/istio/istio/releases

Ensure you run sha256sum to verify the platform binaries prior to installation for your perspective OS.

I’m inserting the following command to quickly refresh your memory if you forgot this command

sha256sum istio-1.16.2-linuxarm64.tar.gz.sha256

After that let’s navigate to our folder once extracted to our system

cd istio-1.16.2

So we still have to run the installation ensure that you run the following command to interact with Istioctl

export PATH=$PWD/bin:$PATH

Now let’s run our precheck command

istioctl x precheck
istioctl install --set profile=demo -y

What this does is install the profile of “demo” that is defined in our files you can see this in the /manifests/profile folder.

For the example that we will cover today is just a simple sample application

kubectl get pods -n istio-system
kubectl label namespace default istio-injection=enabled

This will instruct istio to automatically inject Envoy sidecar proxies when you deploy your application

Deploy the application sample

kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

Ensure you are in still in the Istio folder we navigated to earlier

After this deployment is fully ready run the next command to test our service response

kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"

This will show up as you see below in a red title.

Next we will open the application to outside traffic following the commands below this will get us more familiarized with the istio gateway as well

kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml

To analyze istio if any configuration issues exist run the following command

istioctl analyze

Now we have to grab the Ingress IP and Ports this can get tricky depending on your clusters implementation if you have a Load Balancer this is addressed in the next commands

kubectl get svc istio-ingressgateway -n istio-system

If the External IP is set your cluster is running a external load balancer that can be used as the ingress gateway. If this value is set to <none>/<pending> your environment doesn’t provide a load balancer for ingress gateway in this case you can use the Node Port.

export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')

Its also noted in certain environments that External IP value might be exposed using a host name, instead of an IP address. If that is the case run the following command below.

export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')

Set the Ingress Ports (If your environment does not have a external load balance – choose a node port instead following these in your cluster. For other cluster configuration work with the documentation as needed https://istio.io/latest/docs/setup/getting-started/

export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')

This deployment does take some time so for the sake of brevity I’ll cover this by analyzing the YAML file’s as well to assist with the operations behind the scenes

https://github.com/istio/istio/tree/master/samples/security/spire

Next after that is completed we will run the following commands to Set Gateway URL

export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
echo "$GATEWAY_URL"

Verify External Access

Run this following command

echo "http://$GATEWAY_URL/productpage"

Access the dashboard

Kiali is able to be utilized as a dashboard along with Prometheus, Grafana, and Jaeger if your familiar with my post you should know of Prometheus and Grafana from previous posts.

  1. Install Kiali – wait for this to be deployed
kubectl apply -f samples/addons
kubectl rollout status deployment/kiali -n istio-system

Now we can open the dashboard

istioctl dashboard kiali

For a few reasons on my cluster I was running into some trouble due to some private access and utilizing Windows as my underlying OS had some issues but the screen shot provided should look similar for you if you are utilizing localhost for your dashboard

Istio Kiali Dashboard – via istio.io

Istio is way more then this small post at a high level these are the added benefits of utilizing a service mesh

Istio’s security features are designed to help secure microservices within a Kubernetes cluster. Let’s take a closer look at each of these features:

  1. Mutual TLS (mTLS) authentication between services: mTLS is a cryptographic protocol that enables two parties to securely communicate with each other by verifying the identity of the other party. In Istio, mTLS is used to secure communication between microservices. By enabling mTLS, you can ensure that only authorized services are able to communicate with each other, preventing unauthorized access to sensitive data.
  2. Role-based access control (RBAC) for authorization: RBAC is a security feature that enables you to define roles and permissions for users and services within your cluster. In Istio, RBAC is used to enforce authorization policies for your microservices, ensuring that only authorized services are able to perform specific actions.
  3. Automatic encryption of communication between services: Istio automatically encrypts all communication between microservices, helping to protect sensitive data from being intercepted or viewed by unauthorized parties. This helps to ensure that all communication within the service mesh remains confidential and secure.

By leveraging these security features, Istio helps to ensure that your microservices are secure and that sensitive data is protected from unauthorized access. To fully utilize these features, it’s important to have a good understanding of how Istio works and how to properly configure and manage security policies within the Istio control plane.

Conclusion

In this blog post, we have demonstrated partially what Istio is via a sample along with exploring the visibility of connectivity and how to install and operate Istio in a Kubernetes cluster with added security. By integrating Istio into your Kubernetes cluster, you can manage network communication, enforce security policies, and monitor telemetry data for your microservices with ease. If you’re looking to improve the security and efficiency of your microservices, Istio is definitely worth considering.