Quick note: there’s a lot going on in the Service Mesh space for Kubernetes.
Istio (based on Envoy) is the elephant in the room with a ton of funding.
But there’s also Linkerd and SuperGloo.
And a recent announcement from AWS: AWS App Mesh.
Great summary of Istio:
Generally traffic is defined as north/south (into and out of the datacenter) or east/west (between servers in the datacenter).
Istio is for east/west traffic within your K8S cluster, designed to connect your services together by moving all the network traffic through the Envoy proxy. It is usually done by wrapping your deployments with an extra sidecar pod (automatically using K8S APIs) that intercepts all the networking to other services and pods. You would still use a load balancer or ingress to route external traffic into the cluster, although there are options like Heptio Contour that also use Envoy for this.
This provides a single data and control plane to centralize all network reliability, security, service discovery, and monitoring.
- Dynamic service discovery
- Load balancing
- TLS termination
- HTTP/2 and gRPC proxies
- Circuit breakers
- Health checks
- Staged rollouts with %-based traffic split
- Fault injection
- Rich metrics
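
The TLS, traffic policy and metrics listed above only cover traffic that actually passes through the Envoy sidecar, so a pod without one sits outside those controls. The following is an added example (not from the original note or the Istio project) that audits a pod listing shaped like `kubectl get pods -A -o json` output and reports pods with no sidecar. The sample pods are constructed, and it assumes Istio's default injector conventions: the `istio-proxy` container name and the `sidecar.istio.io/inject` opt-out key.

```python
# Added example: find pods whose traffic does not go through the Envoy sidecar.
SIDECAR = "istio-proxy"             # container name used by Istio's injector (assumed default)
OPT_OUT = "sidecar.istio.io/inject"  # annotation/label that disables injection for a pod

def has_sidecar(pod):
    spec = pod.get("spec", {})
    # Classic injection adds a regular container; native-sidecar mode adds an init container.
    names = [c.get("name") for key in ("containers", "initContainers")
             for c in spec.get(key) or []]
    return SIDECAR in names

def bypass_reason(pod):
    """Return why a pod has no sidecar, or None if the pod is meshed."""
    if has_sidecar(pod):
        return None
    meta = pod.get("metadata", {})
    if pod.get("spec", {}).get("hostNetwork"):
        return "hostNetwork pod, skipped by the injector"
    # The opt-out may be set as an annotation (older style) or a label (newer style).
    flags = {**(meta.get("annotations") or {}), **(meta.get("labels") or {})}
    if flags.get(OPT_OUT) == "false":
        return "explicit opt-out via " + OPT_OUT
    return "not injected (e.g. namespace not labelled, or pod predates injection)"

def audit(pod_list):
    """Return sorted (namespace, name, reason) tuples for pods outside the mesh."""
    findings = []
    for pod in pod_list.get("items", []):
        reason = bypass_reason(pod)
        if reason:
            findings.append((pod["metadata"]["namespace"], pod["metadata"]["name"], reason))
    return sorted(findings)

# Constructed sample input, not real cluster output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "cart-1"},
     "spec": {"containers": [{"name": "cart"}, {"name": "istio-proxy"}]}},
    {"metadata": {"namespace": "shop", "name": "pay-1"},
     "spec": {"initContainers": [{"name": "istio-init"}, {"name": "istio-proxy"}],
              "containers": [{"name": "pay"}]}},
    {"metadata": {"namespace": "shop", "name": "batch-1", "annotations": {OPT_OUT: "false"}},
     "spec": {"containers": [{"name": "batch"}]}},
    {"metadata": {"namespace": "shop", "name": "agent-1"},
     "spec": {"hostNetwork": True, "containers": [{"name": "agent"}]}},
    {"metadata": {"namespace": "shop", "name": "legacy-1"},
     "spec": {"containers": [{"name": "legacy"}]}},
]}

if __name__ == "__main__":
    for ns, name, reason in audit(SAMPLE):
        print(f"{ns}/{name}: {reason}")
```

Against a live cluster, pass the parsed JSON from `kubectl get pods -A -o json` to `audit()` in place of `SAMPLE`.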