Istio 101 : An overview of the architecture

A service mesh is the software that connects services and containerized applications that are running as pods. It also manages traffic control, the discovery of services, load-balancing, and security. 

A service mesh does the all the above, allowing the containerized applications to focus on its main tasks without worrying about securing connections to other services for example.

There are two main components that make up istio, the data plane and the control plane.

The data plane handles data, it manages inbound and outbound traffic. 

The service proxy sits between the containerized application and the rest of the cluster. It also has other features such as:
  • automatic retries.
  • circuit breaker.
  • service discovery.
  • ...
Envoy is the default service proxy for istio. It is a layer 7 proxy - L7 -, which has other features such as load-balancing for HTTPgRPC, ...

Envoy is deployed as a sidecar container inside the pods.

The control plane is used for the cluster administration, it also manages policies, quotas, networking rules, ...
The control plane has three main components,
 pilot, mixer, and citadel.

Pilot ensures that the configuration is pushed to all the components 
of the cluster, for example the routing tables. 
Pilot also manages important services like the VirtualService, which is an istio object that dictates how traffic reaches its different destinations.
It also implements some features like retries and timeouts.

Istio components sends data - includes the different behaviors and actions within the cluster - in the form of telemetry to the mixer
We could use the mixer to apply policies, quota, limits, ...

Citadel handles the signing and issuing of certificates. It uses the X.509 certificates model. 
It also takes advantage of the mutual Transport Layer Security - mTLS - to encrypt traffic between services.


Leave as a comment: