Introduction

The architecture of Istio has changed greatly since version 1.5: the control plane went from multiple components to a single istiod component. The following sections therefore cover the architecture before 1.5 and after 1.5.

Architecture prior to Istio 1.5

The architecture of Istio is divided into a control plane and a data plane.

  • Data plane: a set of intelligent proxies (Envoy), deployed as sidecars, that mediate and control network traffic between all services.

  • Control plane: responsible for managing and configuring the proxies to route traffic, and for enforcing policies at run time.

As you can see, there are a lot of control plane components. Here are the components included in version 1.1:

How Istio works

Let’s start with the architecture prior to version 1.5.

Sidecar injection (Envoy)

For the detailed injection process, see: blog.yingchi.io/posts/2020/…

Connect (Pilot)

Control and observation (Mixer Telemetry, Mixer Policy)

Protection (Citadel)

Configuration

Galley was originally responsible only for configuration validation. After 1.1, Galley was upgraded to the configuration management center of the entire control plane: in addition to validating configuration, it also manages and distributes it. Galley uses the Mesh Configuration Protocol to exchange configuration with the other components.

It provides configuration management services in Istio and verifies the validity of Istio's CRD resources.

Functions of the Istio components

  • Istio-pilot: discovers services and delivers rules to the data plane, including traffic governance rules such as VirtualService, DestinationRule, Gateway, and ServiceEntry, as well as security rules such as authentication and authorization.

  • Istio-telemetry: Mixer service component that specializes in collecting telemetry data.

  • Istio-policy: another Mixer service that connects to different control backends, such as quota, authorization, and whitelist backends, to control access between services.

  • Istio-citadel: core security component that provides automatic generation, distribution, rotation, and revocation of keys and certificates.

  • Istio-galley: the configuration management component; it verifies the format and content of configuration information and provides that configuration to Pilot and Mixer on the control plane.

  • Istio-sidecar-injector: the component responsible for automatic injection.

  • Istio-proxy: lightweight proxy on the data plane.

  • Istio-ingressgateway: the gateway at the entrance to the mesh.
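
The traffic and security rules listed above reach a workload only through its istio-proxy sidecar, so a pod that was never injected sits outside them. The following added example (not code from the original post or from the Istio project) lists such pods from data shaped like `kubectl get pods -A -o json` output; the sample pods and the set of injection-enabled namespaces are constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get pods -A -o json` (not real cluster data).
SAMPLE_PODS = json.loads("""
{"items": [
 {"metadata": {"name": "cart-7d9f", "namespace": "shop"},
  "spec": {"containers": [{"name": "cart"}, {"name": "istio-proxy"}]}},
 {"metadata": {"name": "batch-x2k1", "namespace": "shop",
               "annotations": {"sidecar.istio.io/inject": "false"}},
  "spec": {"containers": [{"name": "batch"}]}},
 {"metadata": {"name": "legacy-0", "namespace": "shop"},
  "spec": {"containers": [{"name": "legacy"}]}},
 {"metadata": {"name": "agent-5", "namespace": "shop"},
  "spec": {"hostNetwork": true, "containers": [{"name": "agent"}]}},
 {"metadata": {"name": "cron-1", "namespace": "ops"},
  "spec": {"containers": [{"name": "cron"}]}}
]}
""")

# Assumption: namespaces labelled istio-injection=enabled (constructed for the sample).
INJECTED_NAMESPACES = {"shop"}


def sidecar_gaps(pods, injected_namespaces):
    """Return (namespace, pod, reason) for pods that should be meshed but lack istio-proxy."""
    gaps = []
    for pod in pods.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        if meta["namespace"] not in injected_namespaces:
            continue  # injection was never requested for this namespace
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        if any(c["name"] == "istio-proxy" for c in containers):
            continue  # sidecar present
        opt_out = {**(meta.get("annotations") or {}), **(meta.get("labels") or {})}
        if opt_out.get("sidecar.istio.io/inject") == "false":
            reason = "explicit opt-out"
        elif spec.get("hostNetwork"):
            reason = "hostNetwork pod, skipped by the injector"
        else:
            reason = "no sidecar and no opt-out"
        gaps.append((meta["namespace"], meta["name"], reason))
    return gaps


if __name__ == "__main__":
    for ns, name, reason in sidecar_gaps(SAMPLE_PODS, INJECTED_NAMESPACES):
        print(f"{ns}/{name}: {reason}")
```

A pod reported with "no sidecar and no opt-out" was typically created before the namespace was labelled and has to be recreated before the injector can add the proxy.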

Architecture after Istio 1.5

Previous versions of Istio decoupled the components from each other so that each could do its own job, which of course caused the problem of having too many components. The new version wraps many of those components together into one, called istiod.

So the new version of Istio has just one core component: istiod.

References

  • www.infoq.cn/article/dtf…

  • blog.yingchi.io/posts/2020/…

  • istio.io/