
Embracing Istio: A New Era for Software Deployment

By embracing Istio, developers can leverage advanced security, comprehensive telemetry, and greater control over service communications, leading to more resilient and secure applications.

In this article, NorthCode expert Niklas Siltakorpi shares his initial experiences with Istio, a powerful service mesh that can revolutionize software deployment and operations. He has been working as an architect with a customer in the finance industry to support them in their cloud transformation project.

In a customer case I’m working on, we are evaluating Istio to resolve a few problems common to every environment:

  • How to really secure communication between different applications and databases? The most secure form being that caller and callee verify each other before allowing any traffic.

  • How to log and observe the traffic between different components?

  • How to manage ingress and egress traffic of different applications?

The usual solutions to these kinds of problems are managed firewalls, application changes, or application servers that take care of these services. I’m not a fan of any of those: managing firewalls through software is usually hard, and application servers add overhead of their own.

Instead, as we are already operating in Kubernetes, we need a Kubernetes-native solution. We have been evaluating Istio for a while now, and next I’ll explain how Istio solves these problems for us.

Explaining Istio's AuthorizationPolicies

Istio's AuthorizationPolicy object enables application developers to precisely control which applications or services can communicate with their app and to what extent. For instance, consider the following example:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-specific-namespaces
  namespace: target-app-namespace
spec:
  # No selector: the policy applies to every workload in the namespace.
  # action defaults to ALLOW.
  rules:
  - from:
    - source:
        namespaces: ["allowed-namespace"]
    to:
    - operation:
        paths: ["/allowed-path/*"]

This policy ensures that only traffic originating from the listed namespace can reach the listed paths. Istio verifies the origin of the traffic by identity rather than by network address: every workload runs under a Kubernetes service account, and the mesh grants access to the applications running under that account. Developers can also define egress rules that restrict an application to the services it is meant to reach, which significantly reduces the attack surface.

Istio can be configured to enforce mutual TLS (mTLS) between services, creating a secure environment for inter-service communication without requiring application changes. This secure communication also extends to external connections, such as database interactions.
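The following manifests are an added example and not configuration from the article or the customer project: they show the pieces above combined, with the workload identity (service account) as the thing being authorized rather than a namespace alone. The namespace, workload label, service account and provider names are assumed. The PeerAuthentication matters for the security claim: the namespace and principal matches in an AuthorizationPolicy are derived from the caller's mTLS certificate, so a namespace still accepting plaintext has no verified identity to match on.

```yaml
# Added example (not from the original article). Assumed names:
# target-app-namespace, caller-namespace, caller-sa, app=target-app.
---
# 1. Require mTLS for every workload in the namespace. Without this, a
#    plaintext request carries no verified identity, and the
#    `source.principals` / `source.namespaces` matches below cannot be trusted.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: target-app-namespace
spec:
  mtls:
    mode: STRICT
---
# 2. Deny by default. An AuthorizationPolicy with an empty spec matches
#    nothing, and once an ALLOW policy applies to a workload, every request
#    that no ALLOW rule matches is rejected with 403.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: target-app-namespace
spec:
  {}
---
# 3. Allow exactly one caller identity (namespace + service account) to
#    issue GETs under /allowed-path/ on the target-app workload.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-caller-sa
  namespace: target-app-namespace
spec:
  selector:
    matchLabels:
      app: target-app
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE form of the caller's Kubernetes service account
        principals: ["cluster.local/ns/caller-namespace/sa/caller-sa"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/allowed-path/*"]
---
# 4. Egress side: sidecars in this namespace may only talk to services in
#    their own namespace and the control plane, and anything not in the
#    service registry is blocked instead of passed through.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: target-app-namespace
spec:
  egress:
  - hosts:
    - "./*"
    - "istio-system/*"
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
```

Apply the PeerAuthentication first and confirm existing callers still succeed before adding the deny-all policy; a caller that has not yet been onboarded to the mesh will fail the mTLS requirement before any authorization rule is evaluated, which shows up as a connection reset rather than a 403.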

Logging and telemetry in Istio

Telemetry has been a topic for a while now. I already showcased Jaeger at APIDays Helsinki in 2019. Since then, the OpenTelemetry project has been doing a lot of work in that area.

Applications onboarded to Istio benefit from its telemetry services, allowing for easy tracking, visualization, and auditing of traffic. Below is an example of an Istio access log entry:

[2024-05-24T12:34:56.789Z] "GET /allowed-path/resource HTTP/1.1" 200 - "-" "-" 0 1234 56 55 "10.0.0.1" "Mozilla/5.0" "12345-abcde-67890-fghij" "my-app.service" "10.0.0.2:8080" outbound|8080||target-app-namespace.svc.cluster.local - 10.0.0.3:80 10.0.0.1:12345 my-app

Istio can even replace the access logging of an application, as it knows who is calling the service and from where, something that is hard to achieve without a service mesh. Everyone who has worked on application operations knows how valuable this information can be.
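The default access log format shown above records addresses, not identities. To get the "who is calling" information into the log, the proxy has to be told to print the caller's certificate identity. This is an added example, not configuration from the article: it defines a custom access-log provider in the mesh configuration and enables it with a Telemetry resource. The provider name and the istio-system install namespace are assumed; the `%...%` operators are Envoy access-log command operators that Istio passes through unchanged.

```yaml
# Added example (not from the original article). Assumed provider name:
# stdout-with-identity; Istio installed in istio-system.
---
# 1. Define the provider in meshConfig (IstioOperator form shown; the same
#    extensionProviders block can be placed under the `mesh` key of the
#    istio ConfigMap). Two operators carry the security context:
#    %DOWNSTREAM_PEER_URI_SAN%  -> SPIFFE identity from the caller's mTLS cert,
#                                  e.g. spiffe://cluster.local/ns/<ns>/sa/<sa>
#    %RESPONSE_CODE_DETAILS%    -> for RBAC rejections, names the matched
#                                  AuthorizationPolicy and rule, so denials
#                                  can be attributed and alerted on.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: access-log-with-identity
  namespace: istio-system
spec:
  meshConfig:
    extensionProviders:
    - name: stdout-with-identity
      envoyFileAccessLog:
        path: /dev/stdout
        logFormat:
          text: |
            [%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS% "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" peer="%DOWNSTREAM_PEER_URI_SAN%" %UPSTREAM_CLUSTER% %DOWNSTREAM_REMOTE_ADDRESS%
---
# 2. Enable the provider mesh-wide. A Telemetry resource in the root
#    namespace applies to every workload; a namespaced Telemetry with a
#    `selector` narrows it to specific workloads. (Istio releases before
#    1.22 use apiVersion telemetry.istio.io/v1alpha1.)
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  accessLogging:
  - providers:
    - name: stdout-with-identity
```

With this in place a request rejected by the deny-all policy logs a 403 whose `%RESPONSE_CODE_DETAILS%` field starts with `rbac_access_denied_matched_policy`, and the `peer=` field tells you which service account made the call; a plaintext caller that bypassed mTLS shows an empty `peer=` value, which is itself worth alerting on.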

Extending Istio

Moreover, Istio's extensibility allows developers to deploy additional security measures, such as Web Application Firewalls, to filter harmful traffic at the edge. Blocking malicious traffic at the edge not only improves the application's security posture but also improves network efficiency, as unwanted traffic is dropped early in the pipeline instead of reaching the application.

By embracing Istio, developers can leverage advanced security, comprehensive telemetry, and greater control over service communications, leading to more resilient and secure applications. In my customer case, we are still rolling out Istio to the environment but hopefully, we can do a public presentation soon about using Istio in a real production environment. Stay tuned for more experiences using Istio!