Welcoming Istio to the Kubernetes networking community

Welcoming Istio to the Kubernetes networking community

Today, we were excited to be part of the launch of a new Kubernetes networking project, Istio.  Together with Google, IBM and Lyft, we on the Project Calico team at Tigera are contributing to the development of an emerging layer in the cloud-native networking stack: the service mesh.

Built using the battle-tested Envoy proxy from Lyft, Istio is an open source project that provides a uniform way to connect, secure, manage and monitor microservices. Think of it as a layer of infrastructure between the application and the network (such as that provided by Calico) – a load-balancing proxy that is also capable of advanced, policy-driven traffic management for A/B testing, canary deployments, and more. Istio also enforces end-to-end service authentication and encryption via mutual TLS, and mitigates network reliability issues with automatic handling of connection retries, load balancing and circuit breakers. Further, the fact that Istio/Envoy sit in the path of the API traffic between microservices means that it can provide exceptional visibility into application performance.

If it isn’t obvious by now, we at Tigera / Project Calico think Istio (and Envoy, which it is built on) are set to be a Big Deal in Kubernetes networking. Which is why we are excited to be collaborating with the cloud-native networking community on these projects. For example, we are collaborating to define how Istio’s application layer policies interact with the network-layer policies as used by Project Calico and Kubernetes Network Policy API.

What our friends at Google and IBM are saying:

“Google is thrilled to see Tigera bring their expertise in cloud native networking to the Istio project. We look forward to evolving networking policy work with them,” said Mark Carter, group product manager, Google Cloud.

“Our collaboration with the cloud native networking experts at Tigera is key to our strategy of building an open container environment around Kubernetes with Calico, Istio and Envoy as the network building blocks,” said Jason McGee, IBM Fellow, VP & CTO, IBM Cloud Platform. “Today, the IBM Bluemix Container Service’s policy-driven Layer 3 network is powered by Calico and we look forward to working with Tigera to extend those policy controls to include Istio’s flexible application layer capabilities.”

A Glimpse into the Future: Integrating Istio and Kubernetes Network Policy using Project Calico

For a glimpse into what the interoperability between Calico and Istio/Envoy might look like when fully completed, check out this video. In this demo, Tigera engineer Saurabh Mohan demonstrates how microservices connected via Istio in a Kubernetes cluster with Calico for networking can be secured to ensure that the right set of microservices can communicate at Layer 3/4 but, more importantly, ensure that no illegitimate access to the microservices is permitted.

Check out Saurabh’s blog post for more details on how this works, steps to manually configure complementary Calico and Istio policies, and pointers to areas of future technical work.

If you’re interested in collaborating and contributing to this work, we encourage you to check out the Istio project at istio.io, and join the online Calico community at slack.projectcalico.org!

 

Having cycled through various roles from software engineering to marketing ("fear leads to the dark side" - Yoda), I ended up in management, and am affectionately known by my teammates as the "PHB of Project Calico" (I must look up that acronym sometime). I am grateful to be able to live in beautiful Berkeley, California, where I enjoy the proximity to world-class sailing, skiing and wine - and spending time with my family (wife, 2 kids, 2 cats - neither of them calicos, and 2 turtles).