From b7c9e756297545b8b9cc9b3a1218ab6e982a3e66 Mon Sep 17 00:00:00 2001 From: kenna Date: Tue, 27 Apr 2021 11:01:27 -0400 Subject: [PATCH 1/9] initial push --- monitoring.md | 0 overview.md | 19 +++++++++++++++++++ security.md | 0 troubleshooting.md | 0 4 files changed, 19 insertions(+) create mode 100644 monitoring.md create mode 100644 overview.md create mode 100644 security.md create mode 100644 troubleshooting.md diff --git a/monitoring.md b/monitoring.md new file mode 100644 index 0000000..e69de29 diff --git a/overview.md b/overview.md new file mode 100644 index 0000000..315139b --- /dev/null +++ b/overview.md @@ -0,0 +1,19 @@ +# Service Meshes and Istio + +A service mesh is a dedicated infrastructure layer for making service-to-service communication safe, fast, and reliable, at times relying on a container orchestrator or integration with another service discovery system. Service meshes might deploy as a separate layer atop container orchestrators, but don’t require them, as control and data-plane components might be deployed independent of containerized infrastructure. Istio is able to do this using the envoy sidecar proxy which it auto injects into every application pod. + + +# Benefits of Istio + +* **Observability + * Integrated Jaeger deployment for tracing. + * Integrated Kiali deployment for service to service traffic visibility. + * Integrated Prometheus deployment to scrape metrics. +* **Traffic control** + * Circuit breaking and retry logic. + * Canary and Dark releases. +* Security + * More granular fine grained security applied on service to service interaction. + * Mutual TLS can be applied at a cluster or namespace level. + * Programming intelligence/security into applications without intrusive instrumentation using sidecar proxy. + * Policy Standardization across the enterprise. \ No newline at end of file diff --git a/security.md b/security.md new file mode 100644 index 0000000..e69de29 
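Review bot: the last sentence of the overview hunk, "the envoy sidecar proxy which it auto injects into every application pod", overstates what Istio does; injection is opt-in, so the sentence should say that the webhook adds the Envoy sidecar only to pods in a namespace labelled `istio-injection=enabled` (or `istio.io/rev=<revision>`), or to pods labelled `sidecar.istio.io/inject: "true"`, otherwise readers will assume unlabelled workloads are in the mesh and covered by mTLS when they are not. Two smaller points in the same hunk: `* **Observability` has no closing `**` while `* Security` has no bold markers at all, so the three top-level bullets render inconsistently, and "Envoy" should be capitalised as the project name. The file also ends without a trailing newline.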
diff --git a/troubleshooting.md b/troubleshooting.md new file mode 100644 index 0000000..e69de29 -- GitLab From 97170068c419ac25d93343fc02f656b134a79ea2 Mon Sep 17 00:00:00 2001 From: kenna Date: Tue, 27 Apr 2021 11:07:15 -0400 Subject: [PATCH 2/9] adding file to docs dir --- monitoring.md => docs/monitoring.md | 0 overview.md => docs/overview.md | 4 ++-- security.md => docs/security.md | 0 troubleshooting.md => docs/troubleshooting.md | 0 4 files changed, 2 insertions(+), 2 deletions(-) rename monitoring.md => docs/monitoring.md (100%) rename overview.md => docs/overview.md (92%) rename security.md => docs/security.md (100%) rename troubleshooting.md => docs/troubleshooting.md (100%) diff --git a/monitoring.md b/docs/monitoring.md similarity index 100% rename from monitoring.md rename to docs/monitoring.md diff --git a/overview.md b/docs/overview.md similarity index 92% rename from overview.md rename to docs/overview.md index 315139b..de5dd1a 100644 --- a/overview.md +++ b/docs/overview.md @@ -5,14 +5,14 @@ A service mesh is a dedicated infrastructure layer for making service-to-service # Benefits of Istio -* **Observability +* **Observability** * Integrated Jaeger deployment for tracing. * Integrated Kiali deployment for service to service traffic visibility. * Integrated Prometheus deployment to scrape metrics. * **Traffic control** * Circuit breaking and retry logic. * Canary and Dark releases. -* Security +* **Security** * More granular fine grained security applied on service to service interaction. * Mutual TLS can be applied at a cluster or namespace level. * Programming intelligence/security into applications without intrusive instrumentation using sidecar proxy. diff --git a/security.md b/docs/security.md similarity index 100% rename from security.md rename to docs/security.md diff --git a/troubleshooting.md b/docs/troubleshooting.md similarity index 100% rename from troubleshooting.md rename to docs/troubleshooting.md -- GitLab 
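Review bot: the hunk only corrects the bold markers on "Observability" and "Security", but since the Security list is being touched anyway, "Mutual TLS can be applied at a cluster or namespace level" should add the workload level, because a PeerAuthentication with a `selector` applies to a single workload and that is the scope most teams use when migrating one service at a time; suggested wording: "Mutual TLS can be applied mesh wide, per namespace, or per workload via a selector." The commit message says "adding file to docs dir" while the diff is a rename of the four existing files into docs/; a message such as "move docs into docs/" would match what the diff does.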
From 74d42b0f92b8ba0608add9983d27af7f73015e69 Mon Sep 17 00:00:00 2001 From: kenna Date: Tue, 27 Apr 2021 13:21:51 -0400 Subject: [PATCH 3/9] adding overview.md --- docs/overview.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/docs/overview.md b/docs/overview.md index de5dd1a..db19e02 100644 --- a/docs/overview.md +++ b/docs/overview.md @@ -1,4 +1,4 @@ -# Service Meshes and Istio +# Service Mesh and Istio A service mesh is a dedicated infrastructure layer for making service-to-service communication safe, fast, and reliable, at times relying on a container orchestrator or integration with another service discovery system. Service meshes might deploy as a separate layer atop container orchestrators, but don’t require them, as control and data-plane components might be deployed independent of containerized infrastructure. Istio is able to do this using the envoy sidecar proxy which it auto injects into every application pod. @@ -16,4 +16,13 @@ A service mesh is a dedicated infrastructure layer for making service-to-service * More granular fine grained security applied on service to service interaction. * Mutual TLS can be applied at a cluster or namespace level. * Programming intelligence/security into applications without intrusive instrumentation using sidecar proxy. - * Policy Standardization across the enterprise. \ No newline at end of file + * Policy Standardization across the enterprise. + + +# Additional resources + +The following links provide more insight into the architecture and operations of Istio + +* [Let me sketch a mesh for you](https://www.youtube.com/watch?v=U0uoPKzZDEQ&list=PL7wB27eZmdffS-g_xh7X-b0echc_XZMKV&index=4) +* [istio explained in 15 mins](https://www.youtube.com/watch?v=16fgzklcF7Y) +* [what is istio](https://istio.io/v1.8/docs/concepts/what-is-istio/) \ No newline at end of file -- GitLab From 182d6eb65b07d35aaf937e0bca6b2e54772f5d76 Mon Sep 17 00:00:00 2001 
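Review bot: the "what is istio" link pins the 1.8 documentation (`https://istio.io/v1.8/docs/concepts/what-is-istio/`) while every other link in this series uses `/latest/`; either pin all links to the version actually deployed or use `/latest/` here too, otherwise the overview describes a different release than the security and troubleshooting pages. The intro sentence "The following links provide more insight into the architecture and operations of Istio" needs a terminating period, and the file again ends with "No newline at end of file".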
From: kenna Date: Wed, 28 Apr 2021 15:29:03 -0400 Subject: [PATCH 4/9] adding troubleshooting.md --- docs/troubleshooting.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index e69de29..d67794c 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -0,0 +1,21 @@ +# Common Problems + +While working with istio there are a few problems that can be encountered ranging from TLS configuration mistakes to routing rules not affecting traffic flow and a host of other issues. + +Some of the common issies are documented below + +* [Traffic Management Problems](https://istio.io/latest/docs/ops/common-problems/network-issues/) +* [Security Problems](https://istio.io/latest/docs/ops/common-problems/security-issues/) +* [Sidecar injection problems](https://istio.io/latest/docs/ops/common-problems/injection/) +* [Configuration Validation problems](https://istio.io/latest/docs/ops/common-problems/validation/) + +In addition to the common problems , the istio documentation provides a [diagnostics too](https://istio.io/latest/docs/ops/diagnostic-tools/) page, which provides various command line tools and techniques for debugging your istio mesh. + +The following are also some additional external links that can help in debugging. + +# Additional links + +* [Istio Debugging](https://www.youtube.com/watch?v=QLuQB_JdzvU) +* [Debugging Istio within the Department of Defense](https://www.youtube.com/watch?v=bZO9iRW-V74) +* [How to debug your Istio networking configuration](https://www.tetrate.io/blog/debugging-your-istio-networking-configuration/) +* [What to do when your service mesh goes down in production](https://www.youtube.com/watch?v=XAKY24b7XjQ) \ No newline at end of file -- GitLab From 604fefbfc7f0c2b378788926321d5d40800855eb Mon Sep 17 00:00:00 2001 
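Review bot: "Some of the common issies are documented below" has a typo and no terminating punctuation, and "In addition to the common problems , the istio documentation provides a [diagnostics too]" has a stray space before the comma and a truncated link text (the target page is titled "Diagnostic Tools"). Because the page points readers at that tools page for the symptom named in the first paragraph, "routing rules not affecting traffic flow", it would help to name the two commands they reach for first: `istioctl analyze` for configuration mistakes and `istioctl proxy-status` to confirm each sidecar has synced its configuration from istiod, since a missing or stale sidecar is the usual cause of a rule that appears to do nothing. "The following are also some additional external links that can help in debugging." and the "# Additional links" heading that follows say the same thing; the other pages in the series put the sentence under the heading, so do the same here.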
From: kenna Date: Wed, 28 Apr 2021 17:54:32 -0400 Subject: [PATCH 5/9] typo --- docs/troubleshooting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index d67794c..773cafd 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -9,7 +9,7 @@ Some of the common issies are documented below * [Sidecar injection problems](https://istio.io/latest/docs/ops/common-problems/injection/) * [Configuration Validation problems](https://istio.io/latest/docs/ops/common-problems/validation/) -In addition to the common problems , the istio documentation provides a [diagnostics too](https://istio.io/latest/docs/ops/diagnostic-tools/) page, which provides various command line tools and techniques for debugging your istio mesh. +In addition to the common problems , the istio documentation provides a [diagnostics tool](https://istio.io/latest/docs/ops/diagnostic-tools/) page, which provides various command line tools and techniques for debugging your istio mesh. The following are also some additional external links that can help in debugging. -- GitLab From fda34d3b134bedd10db46b8a93d69bdac5e83408 Mon Sep 17 00:00:00 2001 From: kenna Date: Sun, 2 May 2021 16:45:54 -0400 Subject: [PATCH 6/9] adding security section --- docs/security.md | 27 +++++++++++++++++++++++++++ docs/traffic-management.md | 0 2 files changed, 27 insertions(+) create mode 100644 docs/traffic-management.md diff --git a/docs/security.md b/docs/security.md index e69de29..8b197c1 100644 --- a/docs/security.md +++ b/docs/security.md 
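Review bot: this fixes "too" to "tool" but leaves the other typos from patch 4 in the same file ("issies", the space before the comma in "problems ,"); fix them in this commit as well, or squash it into patch 4 so the series does not carry a one-word follow-up commit.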
@@ -0,0 +1,27 @@ +# Istio Security + +One of the main features of Istio is its baked in security features which applications are able to utilize without any additional instrumentation. This enables application developers to focus more on application features and offload security to Istio. + +Security implementation is made possible using the envoy sidecar proxy and the implemenation is done both at the edge of the mesh ( using the ingress gateway), or at the service layer within the cluster. + +# Authentication + +Istio has two main types of authentication it implements. +* [Peer authentication](https://istio.io/latest/docs/concepts/security/#peer-authentication) which applies to workloads (services) and manages MTLS settings. + + +* [Request authentication](https://istio.io/latest/docs/concepts/security/#request-authentication) which applies to JWTs. + +To get more information on how to configure them , refer to this [link](https://istio.io/latest/docs/tasks/security/authentication/authn-policy/). + +# Authorization + Istio is able to provide various levels of access control within the mesh. The levels include mesh wide , namespace wide and a more targeted workload policy. It is able to do this using an [Authorization Policy](https://istio.io/latest/docs/reference/config/security/authorization-policy/). + + More information on how to feaures and configuration of authorization policies is located [here](https://istio.io/latest/docs/tasks/security/authorization/). + + + # Additional resources + The following are addtional resources for learning about istio security. + + * [Improving security with Istio](https://www.youtube.com/watch?v=E0h1rS2D86k) + * [Istio Auto mTLS and JWT](https://www.youtube.com/watch?v=7_O58efytvM&t=422s) \ No newline at end of file diff --git a/docs/traffic-management.md b/docs/traffic-management.md new file mode 100644 index 0000000..e69de29 -- GitLab From 3ffe37df157254511e1250e73a14158a4d74c8f4 Mon Sep 17 00:00:00 2001 
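Review bot: "Peer authentication ... manages MTLS settings" together with the overview's "Mutual TLS can be applied" implies that creating a PeerAuthentication enforces mTLS; it does not unless `mode: STRICT` is set, because the default PERMISSIVE mode still accepts plaintext from clients without a sidecar, and a security page should say so. The same hunk should state that a RequestAuthentication only rejects requests carrying an invalid JWT; a request with no token at all is still allowed unless an AuthorizationPolicy requires a principal (for example `requestPrincipals: ["*"]`). Under Authorization it is worth adding that once any ALLOW policy selects a workload, requests that match none of its rules are denied, which is the behaviour change that surprises teams rolling out their first policy. Typos: "implemenation", "feaures" ("More information on how to feaures and configuration of authorization policies" does not parse), "addtional", and "MTLS" should be "mTLS". The "# Authentication", "# Authorization" and "# Additional resources" headings sit at the same level as "# Istio Security" and should be "##", and every line of the Authorization section carries a leading space that the other sections do not.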
From: kenna Date: Sun, 2 May 2021 16:50:17 -0400 Subject: [PATCH 7/9] del traffic --- docs/traffic-management.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 docs/traffic-management.md diff --git a/docs/traffic-management.md b/docs/traffic-management.md deleted file mode 100644 index e69de29..0000000 -- GitLab From d3c0fb6d7ab4fd55bff0ab28c6a3fafe993e49f9 Mon Sep 17 00:00:00 2001 From: kenna Date: Sun, 2 May 2021 20:01:01 -0400 Subject: [PATCH 8/9] add traffic --- docs/traffic-management.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 docs/traffic-management.md diff --git a/docs/traffic-management.md b/docs/traffic-management.md new file mode 100644 index 0000000..1b38232 --- /dev/null +++ b/docs/traffic-management.md 
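Review bot: this deletes the empty docs/traffic-management.md that patch 6 created as a side effect of "adding security section", and patch 8 recreates the same path with content; squash the empty-file creation, this deletion and patch 8 together so the series does not add, delete and re-add the same file, and so patch 6 stays a pure security.md change.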
@@ -0,0 +1,31 @@ +Istio traffic management revolves around handling north-south traffic ( traffic in and out of the mesh ) and east-west traffic ( traffic between services the mesh ). Istio is able to auto detect services endpoints in a cluster and in turn , populates a service registry. + + + +The following API resources enable the configuration and adoption of Istio’s traffic management + + + +* [Virtual services ](https://istio.io/latest/docs/reference/config/networking/virtual-service/) which provides routing configuration to services within the mesh. +* [Destination rules](https://istio.io/latest/docs/reference/config/networking/destination-rule/) which allows you to provide routing to a subset of services and are paired with virtualservices. +* [Gateways](https://istio.io/latest/docs/reference/config/networking/gateway/) which are used to manage traffic entering or leaving the service mesh. +* [Service Entry](https://istio.io/latest/docs/reference/config/networking/service-entry/) which is used to add entries into the internal service registry. + + +Istio also have some advanced traffic management strategies like circuit breaking , mirroring and fault injection. Examples and walkthroughs can be found [here](https://istio.io/latest/docs/tasks/traffic-management/). + + + + + +# Additional resources + + + +The following additional resources are helpful in understanding traffic management. + + + +* [Istio in production - Traffic routing](https://www.youtube.com/watch?v=7cINRP0BFY8) +* [Istio traffic routing and resiliency ](https://www.youtube.com/watch?v=iLslUy2kTlw) +* [Istio ingress gateway](https://www.youtube.com/watch?v=ssqDgcEvdZ0&t=8s) -- GitLab From 2bad316e169cb7887ae66144856adfb5e6940dc3 Mon Sep 17 00:00:00 2001 From: kenna Date: Sun, 2 May 2021 21:33:42 -0400 Subject: [PATCH 9/9] adding monitoring --- docs/README.md | 0 docs/monitoring.md | 11 +++++++++++ 2 files changed, 11 insertions(+) delete mode 100644 docs/README.md 
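Review bot: "Service Entry ... is used to add entries into the internal service registry" needs its security caveat: with the default outbound policy (`meshConfig.outboundTrafficPolicy.mode: ALLOW_ANY`) sidecars forward traffic to any external host whether or not a ServiceEntry exists, so ServiceEntry only acts as an egress allow list once the mesh is switched to `REGISTRY_ONLY`; without that sentence readers will treat the registry as a control it is not. "Destination rules ... provide routing to a subset of services" is also off: a DestinationRule defines the subsets and the traffic policy applied after routing (load balancing, connection pool limits, outlier detection, TLS settings), while the VirtualService does the routing to those subsets. Grammar: "traffic between services the mesh" should read "traffic between services in the mesh", "auto detect services endpoints" should read "service endpoints", "Istio also have" should read "Istio also has", and the space before "]" in "[Virtual services ]" leaks into the link text. This is the only file in the series without a top-level heading, and it has runs of three to five blank lines between paragraphs.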
diff --git a/docs/README.md b/docs/README.md deleted file mode 100644 index e69de29..0000000 diff --git a/docs/monitoring.md b/docs/monitoring.md index e69de29..f0b71ab 100644 --- a/docs/monitoring.md +++ b/docs/monitoring.md @@ -0,0 +1,11 @@ +# Monitoring + +The following links provide information on the various aspects of the monitoring and observability. +* [Monitoring with prometheus](https://istio.io/latest/docs/tasks/observability/metrics/). +* [Visualizing with Kiali](https://istio.io/latest/docs/tasks/observability/kiali/). +* [Distributed Tracing](https://istio.io/latest/docs/tasks/observability/distributed-tracing/jaeger/). + + +# Additional resources +* [Istio WorkShop - Observability](https://www.youtube.com/watch?v=7IXTiAkmt_Y&list=PLM4Db0UWu45LpokqVBFjfFYqQljPsqsd6&index=8&t=1515s) +* [Istio Observability](https://www.youtube.com/watch?v=nuyDNiAdeKM) -- GitLab
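Review bot: the patch deletes docs/README.md ("delete mode 100644 docs/README.md", diffstat "docs/README.md | 0"), but no earlier patch in this series creates that file, so applying 1 through 9 in order with `git am` will fail here because docs/README.md does not exist in the index; either include the commit that added the README or drop the deletion from this patch, and if the README was meant to index the docs/ directory, keeping it with links to overview, security, traffic-management, troubleshooting and monitoring is more useful than removing it. In the monitoring hunk, "the various aspects of the monitoring and observability" has a stray "the", and the three bullets end with a period after the link, which the bullets on the other pages do not.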