Beyond Kubernetes: Istio network service mesh

Kubernetes makes managing containers on the cloud easier, and Istio makes it even stronger by adding a network services mesh to it.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

First, Docker transformed how we ran applications. Then, Kubernetes changed how we managed containers. Now, the open-source project Istio is building on both to add a network service mesh.

Istio is built on the open-source Envoy proxy. This service mesh enables the microservices that make up distributed applications to communicate and work with one another. As Matt Klein, Envoy's creator, wrote, Istio provides modern microservice and cloud-native applications with a "unified control plane that ties the pieces together in a coherent way."

Istio also enables DevOps. In a soon-to-be-released blog, Google Cloud's Eric Brewer, VP Infrastructure, and Eyal Manor, VP of Engineering, point out that Istio provides a vital DevOps framework "such as a common system for monitoring, logging, authorization, and billing."

Brewer and Manor go on: "You need tools to manage the collection of microservices, and to ensure consistent policies across them. More importantly, these policies need to be decoupled from the individual services, so that they can be more uniform and updated independently of the services."

Istio does this at the network level. By working over the network, Istio makes it easy to integrate microservices with load balancing, service-to-service authentication, monitoring, and more, with no changes to the underlying code.

Brewer and Manor continue: "Istio offers visibility in the form of telemetry for monitoring and logs for your services, plus security by giving each service a strong identity based on its role, as well as enabling encryption by default. With that core functionality in place, Istio can also be the basis for higher-level services, e.g., helping to enforce network security policies, or controlling software rollouts through canary deployments."

This, in turn, means, "Istio also ensures a proper decoupling between development and operations, allowing operations teams to change the behavior of the system without actually changing the source code."

Thus, Brewer and Manor said this decoupling of development and operations logic that Istio provides accomplishes two things: It allows your developers to focus on writing business logic, not infrastructure (thus making them more productive), and it gives your operations teams the tools they need to run your applications and services more reliably.

Istio has already reached its 1.0 release, and it's now being deployed by such users as Descartes Labs, eBay, and AutoTrader UK. "Istio was a missing piece in the Kubernetes ecosystem. Kubernetes gave us the ability to distribute an application, but Istio gave us the ability to understand the application," said Tim Kelton, a Descartes Labs co-founder, in a statement.

Google is pushing to bring more users to Istio. Istio will be made available for Google Cloud users on Google Kubernetes Engine (GKE) in beta in December. On GKE, Istio layers a service mesh on your existing GKE clusters and gathers telemetry on their containers. This data is then sent to Stackdriver or Prometheus. With these, you can monitor your Kubernetes-based microservices' traffic, error rates, and latencies.

Google's not the only company betting Istio is about to become important. IBM, Red Hat, and VMware are also working on improving the open-source network service mesh. Istio may well be an important part of IBM's Red Hat post-acquisition hybrid-cloud plans.