
Comprehensive interpretation | official release of Istio v1.1

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

Istio v1.1 was released on March 20, 2019, Beijing time. Since version 1.0, six patch releases have expanded and improved related features. After 8 months of hard work and countless test iterations, version 1.1 has finally arrived and has generated a lot of discussion.

Before taking a comprehensive look at Istio 1.1, let's review Istio's original design intent. Istio was designed to simplify application development and deployment by separating the supporting systems an application needs in production from the business application itself, which reduces pressure on the development team and improves development efficiency. At the same time, Istio's network-proxy-based implementation provides strong support for traffic control, security policy, and real-time monitoring of runtime state. To some extent these functions lighten the burden on the business system, so that services can be built, migrated, and released more quickly and easily.

The theme of the official Istio 1.1 announcement is "enterprise-ready". According to the Release Notes in the official documentation, version 1.1 focuses on the performance problems for which previous versions of Istio were criticized, and further improves isolation, security, multi-cluster support, and scalability to support more user scenarios.

The latest architecture of Istio is shown in the figure:

Performance optimization

The most significant performance change in Istio 1.1 is the improved efficiency of the data plane and the control plane. According to the official test data (which still needs to be verified in a local environment), the newly released istio-proxy (sidecar) needs only half a vCPU to support 1000 RPS, while a single Pilot instance needs only 1.5 vCPU and 2 GB RAM to support 1000 applications (2000 pods). istio-proxy adds 5 ms of latency in half of the cases and 10 ms in 99% of cases. This goes some way toward solving the earlier problems of excessive Pilot resource consumption and high istio-proxy latency.

Isolation

Istio 1.1 introduces a new Sidecar resource type, which lets users bound the configuration of sidecar proxies by namespace and so reduces the computation load on the proxy. It also adds the exportTo field to specify the namespaces in which a network resource takes effect.
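
The two isolation controls described above can be combined as follows. This is an added example, not configuration from the Istio release or the original article; the namespace `payments` and the service `ledger` are hypothetical.

```yaml
# Added illustration: "payments" and "ledger" are hypothetical names.
# Namespace-wide Sidecar: proxies in "payments" only receive configuration
# for services in their own namespace and in istio-system.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: payments
spec:
  egress:
  - hosts:
    - "./*"             # services in the same namespace
    - "istio-system/*"  # control-plane and shared services
---
# exportTo "." keeps this routing rule visible only inside "payments";
# "*" would export it to every namespace.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ledger
  namespace: payments
spec:
  hosts:
  - ledger.payments.svc.cluster.local
  exportTo:
  - "."
  http:
  - route:
    - destination:
        host: ledger.payments.svc.cluster.local
```

This scoping limits the configuration pushed to each proxy; it is not an authorization control, so service-to-service access still needs RBAC policy.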

Security

Istio 1.1 also makes major security improvements: ServiceEntry resources are updated so that HTTPS services no longer need an additional VirtualService to enable SNI routing; readiness and liveness health checks are supported when mutual TLS is enabled; cluster RBAC configuration now uses the ClusterRbacConfig object instead of the original RbacConfig, extending access control to cluster-wide scope; and it adds Vault PKI integration, dynamic loading and replacement of external certificates, authorization for TCP services, plug-in credential protection, and SDS authentication. Istio's security features have been expanded on a large scale.
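
The RbacConfig to ClusterRbacConfig change mentioned above looks like this in a manifest. This is an added example, not taken from the original article; the namespace `payments` is hypothetical.

```yaml
# Before: the original RbacConfig object (namespace-scoped resource).
apiVersion: rbac.istio.io/v1alpha1
kind: RbacConfig
metadata:
  name: default
spec:
  mode: ON_WITH_INCLUSION
  inclusion:
    namespaces: ["payments"]   # hypothetical namespace
---
# After: ClusterRbacConfig is a cluster-scoped singleton, so it carries no
# metadata.namespace and must be named "default".
apiVersion: rbac.istio.io/v1alpha1
kind: ClusterRbacConfig
metadata:
  name: default
spec:
  # Enforce RBAC only for the listed namespaces. Requests to services there
  # are denied until a ServiceRole and ServiceRoleBinding allow them.
  mode: ON_WITH_INCLUSION
  inclusion:
    namespaces: ["payments"]   # hypothetical namespace
```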

Multi-cluster

Istio 1.1 improves the default configuration of traffic control and policies, and introduces the new Galley component to validate the format and validity of YAML files, reducing the likelihood of configuration errors. Galley can also play an important role in multi-cluster setups by collecting service discovery information from multiple Kubernetes clusters. In addition, Istio 1.1 supports both single control plane and multiple synchronized control plane topologies without requiring a flat network.

Deployment and installation

Istio 1.1 modifies the Helm chart: by default the egress gateway is turned off, Mixer policy is turned off, and all egress traffic is allowed. Custom CRDs can also be separated from the istio chart to preserve data continuity.
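
Because the new defaults allow all egress traffic, clusters that depend on outbound restrictions need an explicit override at install time. The Helm values below are an added example, not part of the original article, and assume the 1.1 chart layout.

```yaml
# Added example: Helm values override for the Istio 1.1 chart that restores
# a restrictive egress posture instead of the new permissive defaults.
global:
  outboundTrafficPolicy:
    # The 1.1 default is ALLOW_ANY. REGISTRY_ONLY limits sidecars to hosts
    # known to the mesh (services and ServiceEntry resources).
    mode: REGISTRY_ONLY
gateways:
  istio-egressgateway:
    enabled: true    # off by default in 1.1
mixer:
  policy:
    enabled: true    # policy checks are off by default in 1.1
```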

Istio 1.1 also provides other updates, such as tracing optimizations and external adapters.

Documentation for the new release: https://istio.io/docs/

Release source code download: https://github.com/istio/istio
