Istio in Action
Christian E. Posta and Rinor Maloku
  • MEAP began September 2018
  • Publication in Spring 2021 (estimated)
  • ISBN 9781617295829
  • 375 pages (estimated)
  • printed in black & white

The definitive guide to understanding Istio and when it's worth using it.

Andrea Cosentino
Many enterprise applications intertwine code that defines an app’s behavior with code that defines its network communication and other non-functional concerns. The “service mesh” pattern, implemented by platforms like Istio, helps you push operational issues into the infrastructure so the application code is easier to understand, maintain, and adapt. Istio in Action teaches you how to implement a full-featured Istio-based service mesh to manage a microservices application. With the skills you learn in this comprehensive tutorial, you’ll be able to delegate the complex infrastructure of your cloud-native applications to Istio!

About the Technology

Cloud-native applications can include thousands of clustered containers, distributed components, and complex interactions. To build them effectively, developers need a new approach to infrastructural concerns like monitoring, storage, scaling, orchestration, and security. The Istio platform offers a configurable infrastructure layer called a service mesh that reliably and efficiently manages day-to-day concerns like service discovery, load balancing, encryption, authentication and authorization, circuit breakers, and more. Open source and cloud-ready, Istio is a welcome upgrade from manually managed microservices infrastructure.

About the book

Istio in Action is a comprehensive guide to handling authentication, routing, retrying, load balancing, collecting data, security, and other common network-related tasks using the Istio service mesh platform. With author Christian Posta’s expert guidance, you’ll experiment with a basic service mesh as you explore the features of Envoy, Istio’s service proxy. With helpful diagrams and hands-on examples, you’ll learn how to use this open-source service mesh to control routing, secure container applications, and monitor network traffic. You’ll also bring Istio to legacy systems without changes to your applications and discover how to use Istio in a multi-cloud world with the data layer deployed on a cluster like Kubernetes.
Table of Contents

Part 1

1 Introducing Istio Service Mesh

1.1 Optimize to go faster, safely

1.1.1 Microservices and APIs to build large systems

1.1.2 Automated testing

1.1.3 Containers

1.1.4 Continuous integration and Continuous Delivery

1.2 Challenges of going faster

1.2.1 Our cloud infrastructure is not reliable

1.2.2 Making service interaction resilient

1.2.3 Understanding what’s happening in real time

1.3 Solving these challenges with application libraries

1.3.1 Drawbacks to application-specific libraries

1.4 Pushing these concerns to the infrastructure

1.4.1 Don’t we already have this in our container platforms?

1.4.2 The application-aware service proxy

1.4.3 Meet Envoy proxy

1.5 What’s a service mesh?

1.6 Introducing Istio service mesh

1.6.1 How service mesh relates to Enterprise Service Bus

1.6.2 How service mesh relates to API gateway

1.6.3 Can I use Istio for non-microservices deployments?

1.6.4 What problems does service mesh NOT solve?

1.7 Summary

2 First steps with Istio

2.1 Deploying Istio on Kubernetes

2.1.1 Using Docker for Desktop for our samples

2.1.2 Getting the Istio distribution

2.1.3 Installing the Istio components into Kubernetes

2.2 Getting to know the Istio control plane

2.2.1 Istiod

2.2.2 Ingress and Egress gateway

2.3 Deploy your first application in the service mesh

2.4 Exploring the power of Istio with resilience, observability, and traffic control

2.4.1 Istio observability

2.4.2 Istio for resiliency

2.4.3 Istio for traffic routing

2.4.4 Clean up and prepare Istio for rest of the book

2.5 Summary

3 Istio’s data plane: Envoy Proxy

3.1 What is Envoy Proxy

3.1.1 Envoy’s core features

3.1.2 Envoy compared to other proxies

3.2 Configuring Envoy

3.2.1 Static configuration

3.2.2 Dynamic configuration

3.3 Envoy in action

3.3.1 Envoy’s Admin API

3.3.2 Envoy request retries

3.4 How Envoy fits with Istio

3.5 Summary

Part 2

4 Istio Gateway: getting traffic into your cluster

4.1 Traffic ingress concepts

4.1.1 Virtual IPs: simplifying service access

4.1.2 Virtual Hosting: multiple services from a single access point

4.2 Istio Gateway

4.2.1 Specifying Gateway resources

4.2.2 Gateway routing with Virtual Services

4.2.3 Overall view of traffic flow

4.2.4 Istio Gateway vs Kubernetes Ingress

4.3 Securing Gateway traffic

4.3.1 HTTP traffic with TLS

4.3.2 HTTP redirect to HTTPS

4.3.3 HTTP traffic with mutual TLS

4.3.4 Serving multiple virtual hosts with TLS

4.4 TCP traffic

4.4.1 Exposing TCP ports on the Istio Gateway

4.4.2 Traffic routing with SNI Passthrough

4.5 Summary

5 Traffic control: fine-grained traffic routing

5.1 Reducing the risk of deploying new code

5.1.1 Deployment vs Release

5.2 Routing requests with Istio

5.2.1 Clean up our workspace

5.2.2 Deploy v1 of catalog service

5.2.3 Deploy v2 of catalog service

5.2.4 Route all traffic to v1 of catalog

5.2.5 Route specific requests to v2

5.3 Traffic shifting

5.4 Lowering risk even further: Traffic mirroring

5.5 Routing to services outside your cluster by using Istio’s service discovery

5.6 Summary

6 Resilience: Solving application-networking challenges

7 Observability with Istio: understanding the behavior of your services

7.1 What is observability?

7.1.1 Observability vs Monitoring

7.1.2 How Istio helps with observability

7.2 Collecting metrics from Istio data plane

7.2.1 Pushing Istio metrics into statsD

7.2.2 Pulling Istio Metrics into Prometheus

7.2.3 Visualize Istio metrics with Grafana

7.3 Creating new metrics to send to Prometheus through Istio-telemetry

7.4 Distributed tracing with OpenTracing

7.4.1 How does it work

7.4.2 Configuring Istio to perform distributed tracing

7.4.3 Viewing distributed tracing data

7.4.4 Limiting tracing aperture

7.5 Visualization with Kiali

7.6 Summary

8 Istio Security: Effortlessly secure

8.1 Application Security refresher

8.1.1 Traffic encryption via TLS and End-user authentication

8.1.2 Service to service authentication

8.1.3 Authorization

8.1.4 Comparison of security in Monoliths and Microservices

8.2 SPIFFE - Secure Production Identity Framework for Everyone

8.2.1 SPIFFE ID - Workload Identity

8.2.2 Workload API

8.2.3 Workload Endpoint

8.2.4 SPIFFE Verifiable Identity Document

8.2.5 How Istio implements SPIFFE

8.2.6 Step by step bootstrapping of Workload Identity

8.3 Auto mTLS in Action

8.3.1 Reset our workspace

8.3.2 Setting up the environment

8.3.3 Understanding Istio’s Peer Authentication resource

8.4 Authorizing Service to service traffic

8.4.1 Understanding Authorization in Istio

8.4.2 Setting up the workspace

8.4.3 Behavioral differences when an Authorization Policy is applied to a workload

8.4.4 Denying all requests by default with a Catch all policy

8.4.5 Allowing requests originating from a single namespace

8.4.6 Allowing requests from non-authenticated legacy workloads

8.4.7 Allowing requests from a single principal

8.4.8 Conditional matching of policies

8.4.9 Understanding value match expressions

8.4.10 Understanding the order in which Authorization Policies are evaluated
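The 8.3 and 8.4 headings above name the two Istio resources the chapter works with: PeerAuthentication for mTLS between workloads and AuthorizationPolicy for deciding who may call what. The following manifests are an added illustration of those headings, not material from the book: a mesh-wide STRICT mTLS policy, a catch-all deny, and two narrow ALLOW exceptions (one by source namespace, one by SPIFFE principal). The `istioinaction` namespace, the `app: catalog` label and the `webapp` service account are assumptions chosen to match the TOC, not names taken from the page.

```yaml
# Added example (not from the book): STRICT mTLS plus default-deny,
# then two explicit ALLOW exceptions. Namespace, labels and the
# service-account name are assumptions for illustration.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system       # root namespace: applies mesh-wide
spec:
  mtls:
    mode: STRICT                # plaintext from outside the mesh is rejected
---
# Catch-all deny: an AuthorizationPolicy with an empty spec in the root
# namespace selects every workload and matches no request, so anything
# not explicitly allowed by a later policy is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: istio-system
spec: {}
---
# Allow calls to the catalog workload only from the istioinaction namespace.
# source.namespaces is derived from the peer certificate, so this only
# works for callers that present an mTLS identity.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: catalog-allow-namespace
  namespace: istioinaction      # assumed application namespace
spec:
  selector:
    matchLabels:
      app: catalog              # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["istioinaction"]
---
# Allow a single principal (the webapp service account) to issue GETs
# to catalog. The principal is the SPIFFE ID without the spiffe:// prefix.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: catalog-allow-webapp-get
  namespace: istioinaction
spec:
  selector:
    matchLabels:
      app: catalog
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/istioinaction/sa/webapp"]   # assumed SA
    to:
    - operation:
        methods: ["GET"]
```

Two checks worth doing when applying this pattern: first, confirm that the PeerAuthentication is actually STRICT for the target workload, because in PERMISSIVE mode a plaintext caller carries no namespace or principal and silently fails every identity-based rule rather than being rejected at the TLS layer; second, remember the evaluation order the chapter's last heading refers to, where DENY policies are evaluated before ALLOW policies and, once any ALLOW policy selects a workload, every request that matches no ALLOW rule is denied.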

8.5 End-User authentication and authorization

8.5.1 What is a JSON Web Token?

8.5.2 End-user authentication and authorization at the Ingress Gateway

8.5.3 Validating JWT Tokens with RequestAuthentication

8.6 What is a request identity anyway?

8.6.1 Checking out Request Authentication collected metadata

8.6.2 Checking out Peer Authentication collected data

8.6.3 Overview of the flow of one request

8.7 Summary

9 Policy and telemetry aggregation

Part 3

10 Debugging the service mesh

11 Scaling Istio in your organization

12 Using gateways across teams

13 Non-Kubernetes deployments

14 Control-plane availability patterns

15 Customizing security infra


Appendix A: Installation options

Appendix B: Sidecar injection options

Appendix C: Control-plane lifecycle management

Appendix D: Istio compared to other service meshes

What's inside

  • Using Istio Pilot to configure service proxies
  • Features of the Envoy service proxy
  • Monitoring network traffic with Prometheus and Grafana
  • Applying Istio to legacy systems with no application changes
  • Using Istio with the data plane deployed on a cluster like Kubernetes

About the reader

For enterprise programmers familiar with containers, microservices, cloud deployment platforms, and text markup languages.

About the authors

Christian Posta is a Chief Architect of cloud applications at Red Hat, an author, a blogger, a speaker, and an open-source enthusiast and committer. He also puts his expertise to good use helping companies deploy their enterprise systems and microservices.

Rinor Maloku is a software and DevOps engineer working at Red Hat. As a member of the Platform-as-a-Service team, he builds middleware software ensuring the high-availability, resiliency, and scalability of customer-facing apps. Prior to that, he consulted multiple DAX 30 member companies in their endeavour to utilise the full potential of cloud computing and the Cloud Native Computing Foundation technologies.

Manning Early Access Program (MEAP) Read chapters as they are written, get the finished eBook as soon as it’s ready, and receive the pBook long before it's in bookstores.