A blog to introduce a lightweight way to achieve layer 7 load balancing functions without per-pod sidecars.

Open soya3129 opened this issue 1 year ago • 5 comments

We would like to introduce a lightweight way to achieve layer 7 load balancing functions without per-pod sidecars. The work is

Please provide a description for what this PR is for.

  • [ ] Configuration Infrastructure
  • [X] Docs
  • [ ] Installation
  • [ ] Networking
  • [ ] Performance and Scalability
  • [ ] Policies and Telemetry
  • [ ] Security
  • [ ] Test and Release
  • [ ] User Experience
  • [ ] Developer Infrastructure

soya3129 avatar Sep 11 '22 09:09 soya3129

😊 Welcome! This is either your first contribution to the Istio documentation repo, or it's been a while since you've been here. A few things you should know:

  • You can learn about how we write and maintain documentation, about our style guidelines, and about all the available web site features by visiting Contributing to the Docs.

  • In the next few minutes, an automatic preview of your change will be built as a full copy of the istio.io website. You can find this preview by clicking on the Details link next to the deploy/netlify entry in the Status section of this page.

  • We care about quality, so we've put in place a number of checks to ensure our documentation is top notch. We do spell checking, we sanitize the markdown, we ensure all hyperlinks point to a valid location, and more. If your PR doesn't pass one of these checks, you'll see a red X in the status section of the page. Click on the Details link to get a list of the problems with your PR. Fix those problems and push an update to your PR. This will automatically rerun the tests and hopefully this time everything will be perfect.

  • Once your changes are accepted and merged into the repository, they will initially show up on https://preliminary.istio.io. The changes will be published to https://istio.io the next time we do a major release (which typically happens every 3 months or so).

Thanks for contributing!

Courtesy of your friendly welcome wagon.

istio-policy-bot avatar Sep 11 '22 09:09 istio-policy-bot

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

google-cla[bot] avatar Sep 11 '22 09:09 google-cla[bot]

Hi @soya3129. Thanks for your PR.

I'm waiting for an istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

istio-testing avatar Sep 11 '22 09:09 istio-testing

/ok-to-test

craigbox avatar Sep 11 '22 23:09 craigbox

@soya3129: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| lint_istio.io | 37fe93e34aa845dce8a5f2acc32bb53ec27c50f7 | link | true | /test lint |

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

istio-testing avatar Sep 12 '22 01:09 istio-testing

Looks like the originator has a number of spelling errors that need to be resolved; misspelled words, some need backticks per the guidelines, etc. You can click on the details of the lint test and look at the build log. Note that the build log is black and white so it might be hard to identify the misspelled word on each line. If you can run make lint (requires Docker and make to be installed), the output will take a bit but you'll see highlighted words for the misspellings.

ericvn avatar Sep 27 '22 16:09 ericvn

I'm worried about the positioning message of this blog. In particular, it's positioning itself vs. the other mesh solutions when it is not really comparable, as this solution loses isolation, identity (mTLS) and its related authorization capabilities, which are viewed as intrinsic features of a mesh.

I'd much rather see this positioned as "How to use Istio's Gateway support to implement the 'internal L7 LB nexus' strategy" without trying to make it appear to compete with 'mesh' as a solution.

It's also likely that the resource savings relative to ambient may be marginal and so the loss of security properties for a limited benefit would not represent a useful tradeoff for the majority of users.

A message like

"If you're not ready to adopt mesh but you want some of Istio's power then you can use it as follows to implement the traditional internal L7 LB pattern. It's important to note that this solution does not provide any of the security or isolation guarantees that mesh solutions provide ..."

might be workable

@howardjohn @ZackButcher @linsun

wdyt?

louiscryan avatar Sep 27 '22 18:09 louiscryan

+1 @louiscryan I am worried about the messaging of the blog as well. What is proposed in the blog is pretty much expanding Istio ingress gateway from edge to inter-services communication. While it may sound attractive, it is not a full mesh solution, and quite limited as having your service (no sidecar) connected to Istio ingress gateway at the edge today.

@soya3129 I noticed you are using a gateway resource that is different from Istio's or K8s's - is this open source code? I think users would be more interested in how to do this with a released version of Istio without any proprietary code or config.

linsun avatar Sep 27 '22 20:09 linsun

At present, the code of this idea has been completed. Based on version 1.15, in the deployment method of istio, a new acmg.profile is created. If you choose acmg deployment, acmg controller will be installed in the cluster (using coredns to hijack traffic). In addition, the lack of capabilities in tracing and tls must be resolved, and we are also considering how to solve these problems.

acmg profile source code: https://github.com/yuri-lcy/istio https://github.com/yuri-lcy/api

The pull request of the code is here: https://github.com/istio/istio/pull/42360

@soya3129 @louiscryan @linsun @howardjohn @ZackButcher

yuri-lcy avatar Nov 30 '22 07:11 yuri-lcy

@yuri-lcy your goals seem to be aligned with Ambient mesh. Do you have any interest in collaborating there? We have an #ambient mesh channel on slack I am happy to discuss more on.

howardjohn avatar Nov 30 '22 15:11 howardjohn

@howardjohn of course, we are interested in cooperation. We have learned a lot about ambient, and some ideas on L4 and L7 are very consistent with ours. We also want to solve security and tracing problems at the L4 layer, but in terms of L7 agents, ambient tends toward Service account granularity, while our idea is cluster granularity.

How to join the #ambient mesh channel, do I need an invitation? My email address is [email protected]

yuri-lcy avatar Dec 01 '22 02:12 yuri-lcy

This can be seen as a practice using istio.

Not new except by hijacking a DNS resolution. IIUC the use case is limited to access only HTTP service by domain

Yes, we extended it as a deployment mode of istio. https://github.com/istio/istio/pull/42360

yuri-lcy avatar Dec 08 '22 06:12 yuri-lcy

Hi @yuri-lcy and @soya3129,

Is this blog post still relevant in May 2023? Let's close it if not.

craigbox avatar May 11 '23 15:05 craigbox

Hi @yuri-lcy and @soya3129,

Is this blog post still relevant in May 2023? Let's close it if not.

ok, close it, we will continue to communicate if there is any relevant progress.

yuri-lcy avatar May 12 '23 02:05 yuri-lcy

Closing per @yuri-lcy

ericvn avatar May 12 '23 14:05 ericvn