The Cloud Native Computing Foundation (CNCF) announced last month the graduation of Istio, the open-source service mesh that brings standard, universal traffic management, telemetry, and security to complex deployments.
In this episode of TFiR: Newsroom, Varun Talwar, founding Product Manager for Istio at Google and co-founder of Tetrate reflects on Istio, from its conception to graduation, as well as Tetrate’s major contributions to the project.
Talwar and Istio connection:
- Before co-founding Tetrate, Talwar had a long stint at Google, the last 5 years of which were in Google Cloud. He was the Product Manager for gRPC, the modern remote procedure call fabric which is now a well adopted API project in the Cloud Native Computing Foundation (CNCF).
- The idea of Istio came about from those conversations with companies about how they’re adopting microservices and how different development teams are building their services in different languages and stacks. It’s becoming harder for them to troubleshoot services and networking between them is becoming a reliability issue.
- He was the founding Product Manager for Istio at Google, which was eventually launched in May 2017 at GlueCon.
- He was also responsible for bringing in Envoy as another CNCF project. It’s the data plane or the proxy within the Istio project.
In a distributed services-based architecture, networking becomes harder because:
- Code bases live in different places.
- There is a need to account for who’s responsible when the network fails, ensuring no one intercepts requests in between and everything is encrypted going back and forth, troubleshooting end-user latency (is it one of the services, the network, or underlying compute).
- It is hard and expensive for every service owner to write and embed all cross-cutting logic into their own microservice, including reliability logic, monitoring logic, TLS logic, security logic, retry logic.
- There was a need for a dedicated piece of infrastructure that can abstract this out, so that 1) developers don’t have to write them and 2) organizations have a common way to control it via configuration.
- Istio proved what it can do in one Kubernetes cluster and the space has evolved into enabling it across their entire fleet of infrastructure. This motivated Talwar to start Tetrate.
How Tetrate helps companies:
- It provides next-generation networking and security with an Istio-based service mesh.
- It provides higher level abstraction, with APIs and interfaces that users are familiar with.
- Application teams can define what they want to do with their APIs and the rest can be handled by the complexity of Istio under the hood.
- Operations teams can troubleshoot service, network, or compute issues without needing to learn the nitty gritty of Istio.
- Tetrate and NIST have co-authored and published security standards, including the SP 800-204 series on microservice security, SP 800-207 for zero trust architecture, and SP 800-207A for zero trust at runtime.
On Istio’s graduation:
- CNCF graduation is a signal for end users that they can adopt it — It’s mature, proven, not a single vendor-backed project with reliable APIs and a community of people around it.
- Istio graduated fast because it already had a high adoption rate when it went into inception. There are also hundreds of companies that contribute to it.
- Over the last 2 years, Tetrate has been the largest contributor to both Envoy and Istio.
- Istio’s architecture has 2 parts: Envoy (the data plane where all the bits and bytes are flowing through) and Istio (the control plane).
Envoy is itself a very popular CNCF project:
- It’s used in Istio because of its modern code base, open in nature, and it supports all the modern protocols and APIs.
- Tetrate has been a heavy contributor to Envoy for years. It uses Envoy as its data plane in all of its product offerings.
- Many people were building different versions of ingress controllers on top of Envoy. Tetrate is extending Envoy on its own to become a built-in API gateway and load balancer for Kubernetes.
- Tetrate Academy offers courses on both Istio and Envoy and thousands of people have taken it.
What’s next for Istio after graduation:
- It still will continue to see growth, especially in Kubernetes environments.
- There are efforts to look at sidecar-less models for areas where sidecars are adding either latency, resource cost, or management headaches. Although the future is going to be mixed mode, some places with sidecars, some places don’t.
- Kubernetes is working on the next Ingress spec, which is the gateway API. Both Envoy and Istio are working towards conforming to that.
- It’s being used in larger and larger environments so it will be fine-tuned for even better performance, at scale.
This summary was written by Camille Gregory.