Chapter XVII: Nine Analysis takes you easily through service mesh - Istio architecture

Series index: Nine Analysis's "Easily Master Istio Service Mesh" tutorial series

Table of Contents

1 Introduction

2 Bonus

3 Architecture Overview

4 Traffic Overview

5 Components Introduction

    5.1 Envoy

    5.2 Pilot

    5.3 Citadel

    5.4 Galley


1 Introduction

If you have any questions about this blog, feel free to contact me.


2 Bonus

You can search for "Nine Analysis" on Bilibili (station B) to get free, more vivid video material.


3 Architecture Overview

Istio logically divides the service mesh into two planes: a data plane and a control plane.

Data plane: composed of a set of intelligent proxies (Envoy) deployed as sidecars. These proxies mediate and control all network communication between microservices, and they also collect and report telemetry on all mesh traffic.

Control plane: formulates and applies the routing policies that control the network traffic, by managing and configuring the proxies.

The following figure shows the Istio architecture:

[Figure: Istio architecture]


4 Traffic Overview

As shown above, the Istio architecture consists of a data plane and a control plane, so Istio traffic can likewise be divided into control plane traffic and data plane traffic. Data plane traffic is the traffic that flows between microservices when they call each other; control plane traffic is the configuration and control traffic that flows between Istio components to govern the behavior of the mesh.

When Istio talks about traffic management, it refers specifically to data plane traffic.


5 Components Introduction

Istio 1.5.0 removed the original Mixer component and retained four core components: Envoy, Pilot, Citadel and Galley. Of these four, Envoy belongs to the Istio data plane and the other three belong to the control plane. Each is introduced in turn below:

5.1 Envoy

Envoy is a high-performance proxy developed in C++. Istio uses an extended version of Envoy, and Envoy's role in Istio is to mediate all inbound and outbound traffic for every service in the service mesh. Envoy is also the only Istio component that interacts with data plane traffic.

Because Envoy is deployed as a sidecar next to each service, the proxy and the microservice form an organic whole, so the service naturally gains Envoy's built-in features:

  • Dynamic service discovery

  • Load balancing

  • TLS termination

  • HTTP/2 and gRPC proxying

  • Circuit breakers

  • Health checks

  • Staged rollouts with percentage-based traffic splitting

  • Fault injection

  • Rich metrics

Deploying Envoy as a sidecar in this way lets Istio extract signals about network traffic as attributes (for example, certain HTTP header fields, the destination IP, and so on). Istio can use these attributes to enforce policies and can send them to monitoring systems to report on the behavior of the entire mesh.

The sidecar proxy model also lets you add Istio capabilities to an existing microservice deployment without re-architecting it or rewriting code.

Some of the Istio features and tasks enabled by the Envoy proxies include:

  • Traffic control features: fine-grained traffic control for HTTP, gRPC, WebSocket and TCP traffic using rich routing rules

  • Network resiliency features: retries, failover, circuit breakers and fault injection

  • Security and authentication features: enforcement of security policies, access control and rate limiting defined through the configuration API

  • A pluggable extension model based on WebAssembly that allows custom policy enforcement and telemetry generation for mesh traffic

5.2 Pilot

Pilot provides service discovery for the Envoy sidecars, traffic management capabilities for intelligent routing (such as A/B testing and canary releases), and network resiliency features (timeouts, retries, circuit breakers, and so on).

Pilot converts the high-level routing rules that control traffic behavior into Envoy-specific configuration and propagates it to the sidecars at runtime. Pilot abstracts away the platform-specific service discovery mechanism and synthesizes it into a standard format that any sidecar conforming to the Envoy API can consume.

The figure below shows how the platform adapters and the Envoy proxies interact:

[Figure: platform adapter and Envoy proxy interaction]

1 The platform starts a new service instance and notifies its platform adapter.

2 The platform adapter registers the instance with Pilot's abstract model.

3 Pilot distributes the updated traffic rules and configuration to the Envoy proxies to account for the change.

This design lets Istio run in a variety of environments such as K8s, Consul and Nomad, while keeping the same user interface for traffic management.

Operators can use Istio's traffic management API to instruct Pilot to refine the Envoy configuration, which gives fine-grained control over traffic in the service mesh.
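The Envoy features listed in 5.1 (canary traffic splitting, retries, fault injection, circuit breaking) and the high-level rules that Pilot turns into Envoy configuration in 5.2 are expressed as Istio resources like the following. This is an added example, not from the original post; the service name "reviews", the subsets v1/v2 and the "end-user: tester" header are constructed assumptions.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews            # hypothetical service name
spec:
  hosts:
  - reviews
  http:
  - match:                 # fault injection: 5s delay, only for this test user
    - headers:
        end-user:
          exact: tester
    fault:
      delay:
        percentage:
          value: 100
        fixedDelay: 5s
    route:
    - destination:
        host: reviews
        subset: v2
  - route:                 # percentage-based canary: 90% v1, 10% v2
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v2
      weight: 10
    retries:               # resiliency: retry failed requests up to 3 times
      attempts: 3
      perTryTimeout: 2s
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:                 # versions selected by pod label
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  trafficPolicy:
    outlierDetection:      # circuit breaker: eject a host after 3 consecutive 5xx
      consecutive5xxErrors: 3
```

Applying both with `kubectl apply -f` is what triggers Pilot to push the corresponding Envoy route and cluster configuration to every affected sidecar.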

5.3 Citadel

Citadel enables strong service-to-service and end-user authentication with built-in identity and credential management. Citadel can be used to upgrade unencrypted traffic in the mesh. Operators can enforce policies based on service identity rather than on relatively unstable Layer 3 or Layer 4 network identifiers.
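The two ideas in this section, upgrading mesh traffic to mutual TLS and enforcing policy on service identity instead of IP addresses, look like this in Istio configuration. This is an added example, not from the original post; the "reviews" workload, the "productpage" service account and the policy name are constructed assumptions.

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # root namespace, so the policy is mesh-wide
spec:
  mtls:
    mode: STRICT            # all sidecar-to-sidecar traffic must use mTLS
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-allow-productpage   # hypothetical policy name
  namespace: default
spec:
  selector:
    matchLabels:
      app: reviews          # hypothetical workload label
  action: ALLOW
  rules:
  - from:
    - source:
        principals:         # workload identity from the Citadel-issued certificate
        - "cluster.local/ns/default/sa/productpage"
    to:
    - operation:
        methods: ["GET"]
```

With STRICT mTLS the principal is taken from the client certificate, so a caller cannot satisfy this rule by spoofing a source IP; any request without a matching identity is denied by the sidecar.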

5.4 Galley

Galley is Istio's configuration validation, ingestion, processing and distribution component. It is responsible for insulating the rest of the Istio components from the details of obtaining user configuration from the underlying platform (for example, K8s).


Source: blog.51cto.com/14625168/2483980