Introduction to Istio Resources
Istio is an open platform that provides a uniform way to connect, manage, and secure microservices. It supports traffic management, access-policy enforcement, and telemetry collection, all without changes to the services themselves. This article introduces the basic Istio resources: Gateway, VirtualService, DestinationRule, ServiceEntry, Sidecar, PeerAuthentication, and AuthorizationPolicy.
Gateway
Purpose:
Defines an entry point into the service mesh (usually at the edge of the cluster) for external traffic: which ports, protocols, hosts, and TLS settings the ingress gateway proxies listen on. A Gateway only opens the listener; the routing to services is done by a VirtualService bound to it.
Example:
This Gateway exposes HTTPS on port 443 at the edge for the my-app host; a VirtualService bound to it then routes the requests to the my-app service.
apiVersion: networking.istio.io/v1beta1
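A complete Gateway manifest, added here as an example (it is not the article's own manifest, which is shown only by its first line). It assumes the default istio-ingressgateway deployment labelled istio: ingressgateway, a public hostname my-app.example.com, and a Kubernetes TLS secret named my-app-tls; all three names are assumptions:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-app-gateway
  namespace: default
spec:
  # Select the ingress gateway pods that should program these listeners.
  # "istio: ingressgateway" is the label on the default istio-ingressgateway deployment.
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "my-app.example.com"        # assumed public hostname
    tls:
      mode: SIMPLE                # gateway terminates TLS with its own certificate
      # Kubernetes TLS secret (tls.crt / tls.key) with the server certificate.
      # It must live in the namespace of the gateway pods (istio-system),
      # not in the namespace of this Gateway resource.
      credentialName: my-app-tls
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "my-app.example.com"
    tls:
      httpsRedirect: true         # answer plaintext with a 301 to HTTPS instead of serving the app
```

Two checks worth making after applying it: `kubectl -n istio-system get secret my-app-tls` confirms the certificate is where the gateway pods can read it, and `istioctl analyze -n default` reports a Gateway whose hosts no VirtualService references, which is what you get if the routing step is forgotten (requests then receive a 404 from the gateway).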
VirtualService
Purpose:
Defines rules for routing requests to services inside the mesh: match conditions (path, headers, method) and the destination host, subset, and port each match is sent to. A VirtualService can be bound to a Gateway for edge traffic or left unbound to apply to sidecar traffic.
Example:
This VirtualService directs requests to my-app based on the request path.
apiVersion: networking.istio.io/v1beta1
Explanation:
• Requests with /v1 go to v1 of my-app.
• Requests with /v2 go to v2 of my-app.
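A complete VirtualService for the path-based routing described above, added here as an example (not the article's own manifest). It assumes a Gateway named my-app-gateway serving my-app.example.com, a Kubernetes Service my-app in namespace default listening on port 8080, and subsets v1 and v2 defined by a DestinationRule for that host; all of these names are assumptions:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-app
  namespace: default
spec:
  hosts:
  - "my-app.example.com"        # must match a host on the bound Gateway
  gateways:
  - my-app-gateway              # bind to the edge Gateway; omit this list to apply to sidecar traffic instead
  http:
  - match:
    - uri:
        prefix: /v1             # note: also matches /v10; use "/v1/" or a regex if that matters
    route:
    - destination:
        host: my-app.default.svc.cluster.local
        subset: v1              # subset name comes from the DestinationRule for this host
        port:
          number: 8080
  - match:
    - uri:
        prefix: /v2
    route:
    - destination:
        host: my-app.default.svc.cluster.local
        subset: v2
        port:
          number: 8080
```

Rules are evaluated in order and the first match wins; a request matching neither prefix gets no route and the gateway returns 404, so a catch-all rule at the end is worth adding only if unrouted paths should reach the application. Prefix matching is literal, so `/v1` covers `/v1`, `/v1/`, and `/v10` alike; when the two versions must be separated strictly, match on `prefix: /v1/` plus `exact: /v1`, or use `regex`.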
DestinationRule
Purpose:
Defines what happens after a route is chosen: named subsets of a service (selected by pod labels), the load-balancing algorithm, connection-pool limits, outlier detection, and the TLS mode used toward that host.
Example:
This rule defines subsets for v1 and v2 of my-app.
apiVersion: networking.istio.io/v1beta1
Explanation:
• Defines subsets v1 and v2, each mapped to pods carrying the corresponding label (version: v1 and version: v2). A VirtualService refers to these subset names.
• Uses ROUND_ROBIN load balancing for the host.
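A complete DestinationRule for my-app, added here as an example (not the article's own manifest). Beyond the two subsets and ROUND_ROBIN balancing the article describes, it adds the connection-pool limits and outlier detection a practitioner would normally set, and pins the client-side TLS mode; the host name my-app.default.svc.cluster.local and the numeric limits are assumptions:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: my-app
  namespace: default
spec:
  host: my-app.default.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    tls:
      # Explicit Istio mTLS toward this host. Leaving "tls" out lets auto mTLS choose;
      # setting mode: DISABLE here would silently downgrade outbound traffic to plaintext,
      # which a STRICT PeerAuthentication on the server side then rejects.
      mode: ISTIO_MUTUAL
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 100
        maxRequestsPerConnection: 10
    outlierDetection:
      consecutive5xxErrors: 5      # eject an endpoint after five consecutive 5xx responses
      interval: 30s
      baseEjectionTime: 30s
  subsets:
  - name: v1
    labels:
      version: v1                  # pods must carry this label to be in the subset
  - name: v2
    labels:
      version: v2
```

Subset settings override the host-level trafficPolicy, so a per-subset `trafficPolicy` is where you would, for example, canary a different balancing algorithm for v2 only. Because `tls.mode` is explicit, keep this rule in step with the PeerAuthentication that governs the same host: a mismatch shows up as connection resets rather than a clear policy error.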
ServiceEntry
Purpose:
Adds services that live outside the mesh (for example a third-party SaaS API) to Istio's internal service registry, so the proxies can route, observe, and apply policy to traffic toward them as if they were mesh services.
Example:
This ServiceEntry registers api.external.com as an external service.
apiVersion: networking.istio.io/v1beta1
Explanation:
• Registers api.external.com (e.g., a SaaS API) as a destination outside the mesh.
• Uses DNS resolution, so the proxy resolves the host name itself rather than using a static endpoint list.
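A complete ServiceEntry for the external API, added here as an example (not the article's own manifest). It assumes the API is reached over HTTPS on port 443 and that only workloads in the default namespace should see the entry; the exportTo restriction is an addition beyond what the article describes:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: api-external
  namespace: default
spec:
  hosts:
  - api.external.com
  location: MESH_EXTERNAL      # endpoints are outside the mesh: no sidecar, no Istio mTLS
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS              # proxy resolves api.external.com; use NONE to pass the original IP through
  exportTo:
  - "."                        # visible only to workloads in this namespace
```

Whether this entry is required or merely useful depends on the mesh-wide outbound policy: with the default `meshConfig.outboundTrafficPolicy.mode: ALLOW_ANY`, traffic to unknown hosts is passed through and the ServiceEntry mainly gives you per-host telemetry and routing; with `REGISTRY_ONLY`, hosts without a ServiceEntry are blocked, which is the setting to use when egress is supposed to be an allow-list. `istioctl proxy-config cluster <pod> --fqdn api.external.com` confirms the proxy received the entry.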
Sidecar
Purpose:
Limits which services the proxy of a namespace or workload can reach (its egress hosts). Besides restricting egress, this trims the configuration istiod pushes to each proxy, which matters in large meshes.
Example:
This Sidecar restricts outbound traffic for workloads in the default namespace.
apiVersion: networking.istio.io/v1beta1
Explanation:
• Limits outbound traffic to services within the default namespace: proxies in that namespace receive no configuration for services elsewhere, so a request to another namespace fails unless that namespace is listed in the egress hosts.
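A complete Sidecar manifest for the default namespace, added here as an example (not the article's own manifest). It keeps the article's rule of allowing only same-namespace services, and adds two things the article does not describe: the istio-system namespace, which is normally needed for an egress gateway or telemetry add-ons, and a REGISTRY_ONLY outbound policy so that unknown destinations are rejected rather than passed through; both additions are assumptions about the deployment:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: default
spec:
  # No workloadSelector, so this applies to every sidecar in the namespace.
  # Istio honours only one namespace-wide Sidecar per namespace.
  egress:
  - hosts:
    - "./*"               # services in this namespace (default), as in the article
    - "istio-system/*"    # added: egress gateway and telemetry add-ons, if the cluster uses them
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY   # reject destinations not in the registry instead of passing them through
```

To verify the effect, compare `istioctl proxy-config cluster <pod-in-default>` before and after: the list shrinks to the permitted namespaces, and a request to a service in another namespace now fails at the proxy (HTTP 502 or a refused TCP connection, depending on the protocol) rather than reaching it. A workload that legitimately needs a broader view gets its own Sidecar with a `workloadSelector`, which takes precedence over the namespace-wide one.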
PeerAuthentication
Purpose:
Sets the mutual TLS (mTLS) mode that workloads accept for inbound connections: PERMISSIVE (mTLS or plaintext), STRICT (mTLS only), or DISABLE. It can be applied mesh-wide, per namespace, or per workload, with per-port overrides.
Example:
This enforces STRICT mTLS for all services in a namespace.
apiVersion: security.istio.io/v1beta1
Explanation:
• Proxies in the default namespace accept only mTLS connections; plaintext connections, including those from pods without a sidecar, are rejected. STRICT governs the inbound side; what a client sends is decided by auto mTLS or an explicit DestinationRule.
AuthorizationPolicy
Purpose:
Controls which requests a workload accepts, based on the caller's identity (service account or request principal), request attributes such as path and method, and JWT claims. Once any ALLOW policy selects a workload, requests that match no ALLOW rule are denied.
Example:
This policy allows only requests carrying a validated JWT with a specific claim value to reach my-app.
apiVersion: security.istio.io/v1beta1
Explanation:
• Only requests whose validated JWT carries the claim value user@example.com are allowed; everything else, including requests with no token, is denied. The JWT is validated by a separate RequestAuthentication resource; without one, the claims are never populated and the policy matches nothing.
Summary of Key Istio CRDs
| CRD | Purpose |
|---|---|
| Gateway | Defines external entry points (e.g., ingress) |
| VirtualService | Controls request routing |
| DestinationRule | Defines subsets, load balancing, and connection settings |
| ServiceEntry | Enables communication with external services |
| Sidecar | Configures egress traffic control for workloads |
| PeerAuthentication | Enforces mTLS for secure communication |
| AuthorizationPolicy | Manages access control for services |