Service Mesh Tutorial (Istio & Linkerd)
Overviewβ
A service mesh is a dedicated infrastructure layer for facilitating service-to-service communications between microservices. It provides features like traffic management, security, and observability without requiring changes to application code.
Service Mesh Architectureβ
βββββββββββββββ βββββββββββββββ βββββββββββββββ
β Service A β β Service B β β Service C β
β β β β β β
β βββββββββ β β βββββββββ β β βββββββββ β
β β Proxy β βββββΊβ β Proxy β βββββΊβ β Proxy β β
β β(Envoy)β β β β(Envoy)β β β β(Envoy)β β
β βββββββββ β β βββββββββ β β βββββββββ β
βββββββββββββββ βββββββββββββββ βββββββββββββββ
β β β
βββββββββββββββββββββΌββββββββββββββββββββ
β
βββββββββββββββ
βControl Planeβ
β (Istio/ β
β Linkerd) β
βββββββββββββββ
Istio Service Meshβ
Installation and Setupβ
Install Istio using istioctl:
# Download Istio
curl -L https://istio.io/downloadIstio | sh -
export PATH=$PWD/istio-1.19.0/bin:$PATH
# Install Istio
istioctl install --set values.defaultRevision=default
# Enable sidecar injection for default namespace
kubectl label namespace default istio-injection=enabled
Verify Installation:
# Check Istio components
kubectl get pods -n istio-system
# Verify proxy configuration
istioctl proxy-config cluster productpage-v1-6b746f74dc-9wnz8.default
Traffic Managementβ
Virtual Service Configuration:
# virtualservice.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo
spec:
http:
- match:
- headers:
end-user:
exact: jason
route:
- destination:
host: reviews
subset: v2
- route:
- destination:
host: reviews
subset: v1
weight: 50
- destination:
host: reviews
subset: v3
weight: 50
Destination Rules:
# destinationrule.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
- name: v3
labels:
version: v3
trafficPolicy:
connectionPool:
tcp:
maxConnections: 10
http:
http1MaxPendingRequests: 10
maxRequestsPerConnection: 2
circuitBreaker:
consecutiveGatewayErrors: 5
interval: 30s
baseEjectionTime: 30s
Gateway Configuration:
# gateway.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- bookinfo.example.com
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: bookinfo-secret
hosts:
- bookinfo.example.com
Security Policiesβ
Authentication Policy:
# authentication.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: production
spec:
mtls:
mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: jwt-auth
namespace: production
spec:
jwtRules:
- issuer: "https://auth.example.com"
jwksUri: "https://auth.example.com/.well-known/jwks.json"
Authorization Policy:
# authorization.yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: production
spec:
selector:
matchLabels:
app: httpbin
action: ALLOW
rules:
- from:
- source:
principals: ["cluster.local/ns/production/sa/frontend"]
- to:
- operation:
methods: ["GET", "POST"]
- when:
- key: source.ip
values: ["10.0.0.0/16", "192.168.0.0/16"]
Observability Configurationβ
Telemetry v2:
# telemetry.yaml
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
name: metrics
namespace: istio-system
spec:
metrics:
- providers:
- name: prometheus
- overrides:
- match:
metric: ALL_METRICS
tagOverrides:
request_id:
value: "%{REQUEST_ID}"
- match:
metric: requests_total
disabled: false
Distributed Tracing:
# tracing.yaml
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
name: tracing
namespace: istio-system
spec:
tracing:
- providers:
- name: jaeger
- customTags:
my_tag:
header:
name: x-custom-header
Linkerd Service Meshβ
Installationβ
# Download and install Linkerd CLI
curl -sL https://run.linkerd.io/install | sh
export PATH=$PATH:$HOME/.linkerd2/bin
# Check pre-installation
linkerd check --pre
# Install Linkerd control plane
linkerd install | kubectl apply -f -
# Verify installation
linkerd check
# Install Linkerd-Viz extension
linkerd viz install | kubectl apply -f -
Injecting Workloadsβ
Automatic Injection:
# Enable automatic injection for namespace
kubectl annotate namespace production linkerd.io/inject=enabled
# Verify injection
kubectl get pods -n production -o jsonpath='{range .items[*]}{.metadata.name}{": "}{.metadata.annotations.linkerd\.io/proxy-version}{"\n"}{end}'
Manual Injection:
# Inject single deployment
kubectl get deploy webapp -o yaml | linkerd inject - | kubectl apply -f -
# Inject multiple resources
linkerd inject deployment.yaml | kubectl apply -f -
Traffic Policiesβ
Service Profiles:
# serviceprofile.yaml
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
name: webapp
namespace: production
spec:
routes:
- name: get_books
condition:
method: GET
pathRegex: "/api/books/[0-9]+"
responseClasses:
- condition:
status:
min: 200
max: 299
isFailure: false
- condition:
status:
min: 500
max: 599
isFailure: true
timeout: 30s
retryBudget:
retryRatio: 0.2
minRetriesPerSecond: 10
ttl: 10s
Traffic Split:
# trafficsplit.yaml
apiVersion: split.smi-spec.io/v1alpha1
kind: TrafficSplit
metadata:
name: webapp-split
namespace: production
spec:
service: webapp
backends:
- service: webapp-v1
weight: 90
- service: webapp-v2
weight: 10
Multi-cluster Setupβ
Link Clusters:
# Install multi-cluster extension
linkerd multicluster install | kubectl apply -f -
# Link clusters
linkerd multicluster link \
--cluster-name west \
--service-account-name linkerd-multicluster-link | \
kubectl apply -f - --context=east
Service Mirroring:
# mirror.yaml
apiVersion: multicluster.linkerd.io/v1alpha1
kind: Link
metadata:
name: west-link
namespace: linkerd-multicluster
spec:
clusterCredentialsSecret: west-cluster-credentials
targetClusterName: west
targetClusterDomain: cluster.local
selector:
matchLabels:
mirror.linkerd.io/exported: "true"
Advanced Configurationsβ
Fault Injectionβ
Istio Fault Injection:
# fault-injection.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: ratings
spec:
http:
- match:
- headers:
end-user:
exact: jason
fault:
delay:
percentage:
value: 0.1
fixedDelay: 5s
abort:
percentage:
value: 0.001
httpStatus: 500
route:
- destination:
host: ratings
subset: v1
Rate Limitingβ
Envoy Filter for Rate Limiting:
# ratelimit.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: filter-ratelimit
namespace: istio-system
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
filterChain:
filter:
name: envoy.filters.network.http_connection_manager
patch:
operation: INSERT_BEFORE
value:
name: envoy.filters.http.local_ratelimit
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
value:
stat_prefix: http_local_rate_limiter
token_bucket:
max_tokens: 100
tokens_per_fill: 100
fill_interval: 60s
filter_enabled:
runtime_key: local_rate_limit_enabled
default_value:
numerator: 100
denominator: HUNDRED
Custom Metricsβ
Telemetry v2 Custom Metrics:
# custom-metrics.yaml
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
name: custom-metrics
spec:
metrics:
- providers:
- name: prometheus
- overrides:
- match:
metric: requests_total
tagOverrides:
custom_header:
value: "%{REQUEST_HEADER_X_CUSTOM_HEADER:unknown}"
- match:
mode: CLIENT
metric: requests_total
tagOverrides:
destination_service_name:
value: "%{DESTINATION_SERVICE_NAME}"
Performance Optimizationβ
Resource Configurationβ
Proxy Resource Limits:
# proxy-resources.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: istio
namespace: istio-system
data:
mesh: |
defaultConfig:
proxyMetadata:
PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION: true
resources:
requests:
cpu: "100m"
memory: "128Mi"
limits:
cpu: "200m"
memory: "256Mi"
Traffic Optimizationβ
Connection Pooling:
# connection-pool.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: httpbin
spec:
host: httpbin
trafficPolicy:
connectionPool:
tcp:
maxConnections: 100
connectTimeout: 30s
keepAlive:
time: 7200s
interval: 75s
http:
http1MaxPendingRequests: 100
http2MaxRequests: 1000
maxRequestsPerConnection: 10
maxRetries: 3
consecutiveGatewayErrors: 5
interval: 30s
baseEjectionTime: 30s
Security Best Practicesβ
mTLS Configurationβ
Automatic mTLS:
# mtls-policy.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: production
spec:
mtls:
mode: STRICT
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: default
namespace: production
spec:
host: "*.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
Certificate Managementβ
External CA Integration:
# Create root CA certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
-subj '/O=example Inc./CN=example.com' \
-keyout example.com.key -out example.com.crt
# Create certificate for Istio
kubectl create secret tls cacerts \
--cert=example.com.crt \
--key=example.com.key \
-n istio-system
Monitoring and Troubleshootingβ
Debugging Commandsβ
Istio Debugging:
# Check proxy configuration
istioctl proxy-config cluster productpage-v1-123456789-abcde.default
# Analyze configuration
istioctl analyze
# Get proxy logs
kubectl logs productpage-v1-123456789-abcde -c istio-proxy
# Check listeners
istioctl proxy-config listener productpage-v1-123456789-abcde.default
# Verify mTLS status
istioctl authn tls-check productpage-v1-123456789-abcde.default
Linkerd Debugging:
# Check proxy status
linkerd stat deployments -n production
# Get detailed metrics
linkerd routes svc/webapp -n production
# Check proxy logs
kubectl logs webapp-123456789-abcde -c linkerd-proxy
# Verify traffic split
linkerd stat ts/webapp-split -n production
Common Issues and Solutionsβ
1. High Latency:
- Check connection pooling settings
- Verify circuit breaker configuration
- Monitor proxy resource usage
2. Certificate Issues:
- Verify certificate validity
- Check CA configuration
- Ensure proper certificate rotation
3. Traffic Routing Problems:
- Validate virtual service configuration
- Check destination rule settings
- Verify service discovery
Service meshes provide powerful capabilities for microservices communication. Start with basic traffic management features and gradually implement advanced security and observability features as your infrastructure matures.
Content Reviewβ
The content in this repository has been reviewed by chevp. Chevp is dedicated to ensuring that the information provided is accurate, relevant, and up-to-date, helping users to learn and implement programming skills effectively.
About the Reviewerβ
For more insights and contributions, visit chevp's GitHub profile: chevp's GitHub Profile.