Istio 101: “The future of the service mesh is one which operates in symbiosis with technologies like Knative and Apache Whisk”
Istio is gaining a lot of attention, especially now that 1.0 is here. But does it have what it takes to become the de facto service mesh for Kubernetes? If you ask Brian ‘Redbeard’ Harrington, Product Manager for Istio at Red Hat, the answer is yes. “With Istio, the deployment is straightforward and the integration with Kubernetes is top notch. It feels as if it should have been there all along.”
If you are already familiar with the features presented in 0.8, you should know that the list of new features presented in 1.0 is not that long; the team chose to focus on fixing bugs and improving performance. If you’d like to see all the changes introduced in Istio 1.0, I invite you to read the release notes.
We talked to Brian ‘Redbeard’ Harrington, Product Manager for Istio at Red Hat, about his favorite feature(s), Istio’s future and whether it has what it takes to become the de facto service mesh for Kubernetes.
Istio: A game changer?
JAXenter: Istio might be relatively new but this tool for connecting, managing and securing microservices is gaining momentum. What is the reason behind the growth?
Brian ‘Redbeard’ Harrington: The big reason is a paradigm shift. The Netflix OSS (open source software suite) brought a lot of powerful capabilities to individuals developing enterprise Java applications, but it required that you integrate a cornucopia of libraries in order to realize the benefit of the entire suite. Istio is exciting because it provides users with functionality like A/B testing, circuit breaking, service authorization, and more, all while making minimal code changes.
JAXenter: Google’s recently-announced Cloud Services Platform has Istio (and Kubernetes) at its core. What does this mean for Istio’s future?
Brian ‘Redbeard’ Harrington: This shows that the incumbents in the space have recognized a superior technology and understood that collaborating early will lead to more success for customers. In turn, if customers are successful they will increase the adoption of solutions presented by that vendor.
JAXenter: Does Istio have what it takes to become the de facto service mesh for Kubernetes?
Brian ‘Redbeard’ Harrington: I absolutely believe it does. Other solutions are typically manipulating components which were not built with cloud native principles in mind and thus may always feel a little kludgy. With Istio, the deployment is straightforward and the integration with Kubernetes is top notch. It feels as if it should have been there all along.
JAXenter: What’s your favorite feature included in Istio 1.0?
Brian ‘Redbeard’ Harrington: The feature that still knocks my socks off is the ability to control the routing of a quantile of traffic. When I have run services in the past, this is the component that always required a combination of expensive purpose-built load balancing hardware as well as modifications to my applications (and oftentimes throwing them out and starting over again just to make it work well).
In Istio, it’s trivial to spin off 10% of your traffic to a different version of your service and keep those connections routed to that version of the service. The ease of use around that feature is a game changer to me.
JAXenter: Is modularity part of Istio’s future?
Brian ‘Redbeard’ Harrington: Modularity is part of Istio’s reality today. Istio dictates certain interfaces that need to be satisfied, then allows users to utilize the software they’re most comfortable with to satisfy those interfaces. This is most evident in the “Nginmesh” project where Envoy (the proxy component of Istio) is replaced with Nginx.
Other users have similarly replaced Envoy with Linkerd.
JAXenter: What are Istio’s most important benefits?
Brian ‘Redbeard’ Harrington: A major area in which Istio really shines is its focus on the security of applications. The ability to set up mutual TLS automatically unlocks additional benefits like service-to-service authorization as well as encryption between the services. Istio also features the ability to integrate with other SPIFFE (Secure Production Identity Framework for Everyone) compliant systems, which will aid in driving the adoption of more highly secure applications in the future.
Over time, I would love to see the security story expand further, including features similar to that of Google’s Identity Aware Proxy. The nice part about this is that some of the groundwork has already been laid through support for JSON Web Tokens and support for OpenID Connect.
JAXenter: What does Istio have that Linkerd doesn’t?
Brian ‘Redbeard’ Harrington: Istio has a thriving community that is growing at an astounding rate. Going by the numbers, Istio has been around for about 21 months and has over 200 individual contributors and a very active “pulse” on GitHub (even if you solely look at its core project and ignore sub-projects like Fortio).
JAXenter: What does the future of the service mesh look like?
Brian ‘Redbeard’ Harrington: I believe the future of the service mesh is tied part and parcel to serverless computing. We are converging on a state where developers are successfully breaking down code bases to atomic components.
This trend is even reflected in the question around the modularity of Istio. I feel that the future of the service mesh is one which operates in symbiosis with technologies like Knative and Apache Whisk, enabling developers to re-adopt the “UNIX ideology” of “do one thing and do it well” for the purpose of building the future of applications.