Istio, the service mesh management platform for Kubernetes, had its first release in 2018. But, long before then, Red Hatters were already invested in Istio, helping to develop it, working with the Istio community, and releasing it for Red Hat’s Kubernetes distribution, OpenShift.
2020 is here, and Istio has come a long way. Due to its maturity and popular demand, Istio on OpenShift has changed completely as well. How exactly?
Red Hat has released a productized version of Istio, called Red Hat OpenShift Service Mesh. This means several things:
- Full support for Red Hat OpenShift
- Integration with other products, such as 3scale Istio Adapter
- Operator distribution--greatly simplified installation and lifecycle management
- Access to Red Hat Security Advisories
- Access to Red Hat documentation
There are a number of other benefits of a project becoming a product. As Brian ‘redbeard’ Harrington said in the OpenShift Commons Briefing, OpenShift Service Mesh is now getting closer to the “boring” stage--lots of testing, incremental and predictable releases, focus on upgradeability and lifecycle… All the “boring” that one loves to see in a production-ready technology!
While you already know that operators are used to install OpenShift Service Mesh, some may not immediately realize what that means. OpenShift Service Mesh does away with manual management of various packages. You don’t have to go to access.redhat.com to get the latest OpenShift Service Mesh--you subscribe to one operator and all the OpenShift Service Mesh APIs are installed in your OpenShift cluster!
But installing APIs isn’t the same as OpenShift Service Mesh installation, I hear you say. You’re right. You still need to deploy the control plane. How difficult is that, you ask? Another click of a button!
Your OpenShift cluster already knows the default values that make sense. Can you customize your control plane deployment? Of course you can! Can you spend hours carefully examining every possible deployment setting? Sure. Do you have to? Absolutely not!
Fine-Tuned for Security
Have you tried installing Istio on OpenShift? If you have, you’ll know that Istio uses some parts that require privileged containers. Kubernetes allows privileged containers by default, but OpenShift restricts them, and for a good reason. So, to run Istio on OpenShift, you had to compromise security.
Because security comes first in production, OpenShift Service Mesh gets rid of a number of those privileged containers. Some parts are also adjusted for multi-tenancy for similar reasons--we no longer require cluster-wide roles, but rather namespaced roles.
Red Hat has also replaced BoringSSL with OpenSSL, a component that Red Hat uses in a number of other projects. Why is this good? When CVEs arise in cryptography, the cause is more often than not an error in the implementation of the cryptographic algorithm rather than in the algorithm itself. OpenSSL is ubiquitous in Red Hat’s offering, is very thoroughly tested by a number of separate projects, and its CVEs are quickly fixed.
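Those two points (privileged containers and cluster-wide roles) are easy to check for yourself before anything reaches a cluster. The following is an added example, not Red Hat’s or Istio’s code: a small lint over parsed Kubernetes manifests that flags containers requesting `privileged: true` and any `ClusterRole`/`ClusterRoleBinding` objects. The manifests and names in it (such as `mesh-node-agent`) are constructed for the example and stand in for what `yaml.safe_load` would return for real files; they are not actual Istio or OpenShift Service Mesh components.

```python
"""Added example (not Red Hat's or Istio's code): lint parsed Kubernetes
manifests for privileged containers and cluster-wide RBAC objects.
The manifests below are constructed and stand in for the output of
yaml.safe_load on real files."""

WORKLOAD_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "Job", "ReplicaSet"}
CLUSTER_RBAC_KINDS = {"ClusterRole", "ClusterRoleBinding"}


def pod_spec(manifest):
    """Return the pod spec of a Pod or of a pod-template workload, else None."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in WORKLOAD_KINDS:
        return spec.get("template", {}).get("spec", {})
    return None


def privileged_containers(manifest):
    """Names of containers (init containers included) with privileged: true."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    return [
        c.get("name", "<unnamed>")
        for c in containers
        if c.get("securityContext", {}).get("privileged") is True
    ]


def lint(manifests):
    """Return (kind, name, finding) triples for everything worth a review."""
    findings = []
    for m in manifests:
        kind = m.get("kind", "?")
        name = m.get("metadata", {}).get("name", "?")
        for c in privileged_containers(m):
            findings.append((kind, name, f"privileged container '{c}'"))
        if kind in CLUSTER_RBAC_KINDS:
            findings.append((kind, name,
                             "cluster-wide RBAC; prefer a namespaced Role/RoleBinding"))
    return findings


# Constructed sample manifests; the names are hypothetical, not real mesh components.
SAMPLE_MANIFESTS = [
    {
        "kind": "DaemonSet",
        "metadata": {"name": "mesh-node-agent"},
        "spec": {"template": {"spec": {
            "initContainers": [{"name": "setup",
                                "securityContext": {"privileged": True}}],
            "containers": [{"name": "agent"}],
        }}},
    },
    {
        "kind": "Deployment",
        "metadata": {"name": "ingress-gateway"},
        "spec": {"template": {"spec": {
            "containers": [{"name": "proxy",
                            "securityContext": {"privileged": False,
                                                "runAsNonRoot": True}}],
        }}},
    },
    {"kind": "ClusterRoleBinding", "metadata": {"name": "mesh-admin"},
     "roleRef": {}, "subjects": []},
    {"kind": "RoleBinding",
     "metadata": {"name": "mesh-tenant", "namespace": "bookinfo"}},
]

if __name__ == "__main__":
    for kind, name, finding in lint(SAMPLE_MANIFESTS):
        print(f"{kind}/{name}: {finding}")
```

Run against the constructed input it reports the privileged `setup` init container in the DaemonSet and the `ClusterRoleBinding`, and stays quiet about the non-privileged gateway and the namespaced `RoleBinding`. Pointing it at the rendered output of a Helm chart or operator bundle (one parsed document per list entry) is enough to see how many of either kind a given install would bring into the cluster.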
OpenShift Service Mesh is secure by default!
Start Learning Istio Today
There’s never been a better time to try Istio on OpenShift. To learn high-level information about why you’d want to use Istio, see the official What Is A Service Mesh article. For evaluating Istio and what it can bring you, Red Hat provides a cloud environment where you can install and test Istio for free.
For a deep dive into Istio, Red Hat’s very own Burr Sutter and Christian Posta have released a whole book about it. For free! They walk you through installing Istio and exploring what it can offer you in your own environment.
The idea of a service mesh may still seem abstract to you. How does a service mesh affect the deployment of new applications? Can a service mesh help with security challenges? Will it help me with visibility? Red Hat Training has created a new course as part of our Early Release program: DO328 - Building Resilient Microservices with Red Hat Service Mesh. This three-day course guides you through recommended practices for using OpenShift Service Mesh. We walk users through the management of traffic flows, visualizing requests between microservices with Kiali, tracing requests through a call chain with Jaeger, handling complex security configurations, and much more. DO328 is another addition to the Microservices Developer learning path, which aims to bring developers up to speed with the newest production-ready microservice trends.