Today, we were excited to be part of the launch of a new Kubernetes networking project, Istio. Together with Google, IBM and Lyft, we on the Project Calico team at Tigera are contributing to the development of an emerging layer in the cloud-native networking stack: the service mesh.
Built using the battle-tested Envoy proxy from Lyft, Istio is an open source project that provides a uniform way to connect, secure, manage and monitor microservices. Think of it as a layer of infrastructure between the application and the network (such as that provided by Calico) – a load-balancing proxy that is also capable of advanced, policy-driven traffic management for A/B testing, canary deployments, and more. Istio also enforces end-to-end service authentication and encryption via mutual TLS, and mitigates network reliability issues with automatic handling of connection retries, load balancing and circuit breakers. Further, because Istio/Envoy sit in the path of the API traffic between microservices, they can provide exceptional visibility into application performance.
If it isn’t obvious by now, we at Tigera / Project Calico think Istio (and Envoy, which it is built on) are set to be a Big Deal in Kubernetes networking, which is why we are excited to be collaborating with the cloud-native networking community on these projects. For example, we are collaborating to define how Istio’s application-layer policies interact with the network-layer policies used by Project Calico and the Kubernetes Network Policy API.
What our friends at Google and IBM are saying:
“Google is thrilled to see Tigera bring their expertise in cloud native networking to the Istio project. We look forward to evolving networking policy work with them,” said Mark Carter, group product manager, Google Cloud.
“Our collaboration with the cloud native networking experts at Tigera is key to our strategy of building an open container environment around Kubernetes with Calico, Istio and Envoy as the network building blocks,” said Jason McGee, IBM Fellow, VP & CTO, IBM Cloud Platform. “Today, the IBM Bluemix Container Service’s policy-driven Layer 3 network is powered by Calico and we look forward to working with Tigera to extend those policy controls to include Istio’s flexible application layer capabilities.”
A Glimpse into the Future: Integrating Istio and Kubernetes Network Policy using Project Calico
For a glimpse into what the interoperability between Calico and Istio/Envoy might look like when complete, check out this video. In this demo, Tigera engineer Saurabh Mohan demonstrates how microservices connected via Istio in a Kubernetes cluster with Calico for networking can be secured so that the right set of microservices can communicate at Layer 3/4 and, more importantly, so that no illegitimate access to the microservices is permitted.
Check out Saurabh’s blog post for more details on how this works, steps to manually configure complementary Calico and Istio policies, and pointers to areas of future technical work.