Istio Service Mesh

Master Istio Service Mesh on Kubernetes: sidecar injection, VirtualService, DestinationRule, traffic management, mTLS, circuit breaking, and distributed tracing

1. Service Mesh Concepts

A service mesh is an infrastructure layer that handles communication between microservices. Istio uses a sidecar proxy architecture (Envoy) in which a proxy is injected into every pod, providing traffic management, security, and observability without changing application code.

Istio Service Mesh architecture (diagram)

Control Plane: istiod (config, CA, service discovery)
  → xDS API →
Envoy Proxy (sidecar): L7 proxy per pod; traffic routing, mTLS, telemetry collection
  ↔ traffic ↔
Application Container: the app does not need to be aware of the mesh (zero code changes)
  →
Observability: Kiali, Grafana, Jaeger, Prometheus

1.1 Istio Components

Component       | Function         | Details
istiod          | Control plane    | Service discovery, config, certificate authority
Envoy           | Data plane       | L7 proxy, sidecar in every pod
Ingress Gateway | Inbound gateway  | Replaces a standard Ingress controller
Egress Gateway  | Outbound gateway | Controls traffic to external services

2. Installing Istio

Terminal — Install Istio
# Download Istio (the release bundle includes istioctl)
curl -L https://istio.io/downloadIstio | sh -
cd istio-*
export PATH=$PWD/bin:$PATH

# Install with the default profile (includes the Ingress Gateway)
istioctl install --set profile=default -y

# Verify the installation
istioctl verify-install
kubectl get pods -n istio-system

# Check the Istio version
istioctl version

# Alternative for testing only: the demo profile (includes all addons)
istioctl install --set profile=demo -y

# Install the addons (Kiali, Grafana, Jaeger, Prometheus)
kubectl apply -f samples/addons/prometheus.yaml
kubectl apply -f samples/addons/grafana.yaml
kubectl apply -f samples/addons/jaeger.yaml
kubectl apply -f samples/addons/kiali.yaml

# Open the Kiali dashboard
istioctl dashboard kiali

3. Sidecar Injection

Sidecar injection adds the Envoy proxy container to every pod, either automatically or manually. It is the first step in bringing a workload into the service mesh.

Sidecar injection methods
# === METHOD 1: Namespace-level automatic injection ===
# Label the namespace so every new pod gets the sidecar automatically
kubectl label namespace default istio-injection=enabled

# Verify the label
kubectl get namespace -L istio-injection

# Deploy the application: the sidecar is injected automatically
kubectl apply -f - <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-app
          image: nginx:alpine
          ports:
            - containerPort: 80
          resources:
            limits:
              cpu: 200m
              memory: 256Mi
EOF

# Verify that the sidecar was injected
kubectl get pod -l app=my-app -o jsonpath='{.items[0].spec.containers[*].name}'
# Output: my-app istio-proxy

# === METHOD 2: Pod-level injection ===
# Add the annotation to the pod template
# (newer Istio versions prefer the same key as a pod label instead of an annotation)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "true"
    spec:
      containers:
        - name: my-app
          image: nginx:alpine

# === METHOD 3: Manual injection ===
# Inject the sidecar into an existing manifest
kubectl apply -f <(istioctl kube-inject -f deployment.yaml)

# Validate the mesh configuration in the namespace
istioctl analyze -n default

3.1 Sidecar Resource Configuration

Custom sidecar resources
# Resource requests and limits for the sidecar
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    metadata:
      annotations:
        # Sidecar CPU and memory requests/limits
        sidecar.istio.io/proxyCPU: "100m"
        sidecar.istio.io/proxyMemory: "128Mi"
        sidecar.istio.io/proxyCPULimit: "500m"
        sidecar.istio.io/proxyMemoryLimit: "512Mi"
        # Interception scope: ports excluded here bypass the proxy (no mTLS or policy on them)
        traffic.sidecar.istio.io/includeOutboundIPRanges: "10.0.0.0/8"
        traffic.sidecar.istio.io/excludeInboundPorts: "5432,6379"
    spec:
      containers:
        - name: my-app
          image: my-app:latest

---
# Sidecar resource: limits which services this workload's proxy can see
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: my-app-sidecar
  namespace: default
spec:
  workloadSelector:
    labels:
      app: my-app
  # Import only the services this workload needs
  ingress:
    - port:
        number: 8080
        protocol: HTTP
        name: http
  egress:
    - hosts:
        - "default/*"           # Services in the default namespace
        - "istio-system/*"      # Istio control plane
        - "default/database.default.svc.cluster.local"  # One specific service (namespace/dnsName form)
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY  # Block traffic to hosts that are not in the service registry
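To make the scoping concrete, here is an added example (not from the tutorial) that models how the egress list of the Sidecar above, combined with outboundTrafficPolicy REGISTRY_ONLY, decides whether an outbound connection from my-app is routed or blocked. The service registry and every hostname not taken from the manifest are constructed for the example.

```python
from fnmatch import fnmatchcase

# Egress hosts copied from the Sidecar manifest above (Istio's "namespace/dnsName" form).
EGRESS_HOSTS = [
    "default/*",
    "istio-system/*",
    "default/database.default.svc.cluster.local",
]
OUTBOUND_MODE = "REGISTRY_ONLY"   # the alternative, ALLOW_ANY, passes unknown hosts through

# Constructed service registry: (namespace, hostname) pairs istiod knows about.
REGISTRY = {
    ("default", "my-app.default.svc.cluster.local"),
    ("default", "database.default.svc.cluster.local"),
    ("istio-system", "istiod.istio-system.svc.cluster.local"),
    ("payments", "ledger.payments.svc.cluster.local"),   # registered, but not imported
}


def in_egress_scope(namespace: str, host: str, workload_ns: str = "default") -> bool:
    """True if the sidecar imports this (namespace, host) under its egress list."""
    for entry in EGRESS_HOSTS:
        ns_pat, host_pat = entry.split("/", 1)
        if ns_pat == ".":              # "./" means the workload's own namespace
            ns_pat = workload_ns
        if ns_pat in ("*", namespace) and fnmatchcase(host, host_pat):
            return True
    return False


def outbound_decision(host: str) -> str:
    """Classify an outbound connection the way the proxy's outbound listener would."""
    for ns, registered in REGISTRY:
        if registered == host and in_egress_scope(ns, host):
            return "ROUTED"            # known to istiod and imported into this sidecar
    # Anything else is unknown to this sidecar: black-holed under REGISTRY_ONLY,
    # forwarded blindly (no policy, no mTLS) under ALLOW_ANY.
    return "BLOCKED" if OUTBOUND_MODE == "REGISTRY_ONLY" else "PASSTHROUGH"
```

The payments service shows the point of the Sidecar resource: it is in the registry, yet this proxy cannot reach it, which is the egress lockdown you want for a workload that should only talk to its own namespace and the control plane.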

4. VirtualService

A VirtualService defines the routing rules that send traffic to one or more destinations. It is the most important Istio resource for traffic management.

virtualservice-basic.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-app-vs
  namespace: default
spec:
  hosts:
    - my-app.example.com    # External hostname
    - my-app                # Internal service name
  gateways:
    - istio-ingressgateway  # External traffic (must be the name of a Gateway resource, defined separately)
    - mesh                  # Internal mesh traffic
  http:
    # Route rules
    - match:
        - uri:
            prefix: /api/v2
          headers:
            x-user-type:
              exact: premium
      route:
        - destination:
            host: my-app
            subset: v2
            port:
              number: 8080
          weight: 100

    # Default route: 90/10 split between v1 and v2
    - route:
        - destination:
            host: my-app
            subset: v1
            port:
              number: 8080
          weight: 90
        - destination:
            host: my-app
            subset: v2
            port:
              number: 8080
          weight: 10
      timeout: 10s
      retries:
        attempts: 3
        perTryTimeout: 3s
        retryOn: "5xx,reset,connect-failure"

5. DestinationRule

A DestinationRule defines the policy applied after traffic has been routed to a destination: load balancing, connection pooling, outlier detection, and subset definitions.

destinationrule.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: my-app-dr
  namespace: default
spec:
  host: my-app.default.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
        connectTimeout: 5s
      http:
        h2UpgradePolicy: DEFAULT
        http1MaxPendingRequests: 100
        http2MaxRequests: 1000
        maxRequestsPerConnection: 10
        maxRetries: 3
    loadBalancer:
      simple: LEAST_REQUEST  # ROUND_ROBIN, LEAST_CONN, RANDOM, PASSTHROUGH
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
      minHealthPercent: 30
  subsets:
    - name: v1
      labels:
        version: v1
      trafficPolicy:
        connectionPool:
          http:
            http2MaxRequests: 500
    - name: v2
      labels:
        version: v2
      trafficPolicy:
        connectionPool:
          http:
            http2MaxRequests: 200

6. Traffic Management

6.1 Canary Deployment

canary-deployment.yaml
# Canary: 90% v1, 10% v2
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: canary-vs
spec:
  hosts:
    - my-app
  http:
    - route:
        - destination:
            host: my-app
            subset: v1
          weight: 90
        - destination:
            host: my-app
            subset: v2
          weight: 10

---
# Circuit breaker pattern
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: my-app-cb
spec:
  host: my-app
  trafficPolicy:
    outlierDetection:
      consecutive5xxErrors: 3     # After 3 consecutive 5xx errors
      interval: 10s               # Sweep every 10 seconds
      baseEjectionTime: 30s       # Eject for at least 30 seconds
      maxEjectionPercent: 100     # All instances may be ejected
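As an added example (not part of the tutorial), the simulation below models the consecutive-5xx ejection configured in my-app-cb above, so you can see when an endpoint leaves the load-balancing pool and when it is readmitted; it follows Envoy's documented outlier-detection behaviour, and the traffic sequence is constructed.

```python
from dataclasses import dataclass, field

# Values copied from the DestinationRule my-app-cb above (times in seconds).
CONSECUTIVE_5XX = 3
BASE_EJECTION_TIME = 30
MAX_EJECTION_PERCENT = 100


@dataclass
class Endpoint:
    name: str
    consecutive_5xx: int = 0
    ejections: int = 0            # Envoy multiplies baseEjectionTime by this count
    ejected_until: float = 0.0


@dataclass
class Pool:
    endpoints: list
    events: list = field(default_factory=list)

    def healthy(self, now: float) -> list:
        return [e.name for e in self.endpoints if e.ejected_until <= now]

    def observe(self, ep: Endpoint, status: int, now: float) -> None:
        """Feed one upstream response; eject after CONSECUTIVE_5XX errors in a row."""
        if status < 500:
            ep.consecutive_5xx = 0
            return
        ep.consecutive_5xx += 1
        if ep.consecutive_5xx < CONSECUTIVE_5XX or ep.ejected_until > now:
            return
        # maxEjectionPercent caps how much of the pool may be ejected at once.
        ejected = len(self.endpoints) - len(self.healthy(now))
        if (ejected + 1) * 100 / len(self.endpoints) > MAX_EJECTION_PERCENT:
            self.events.append((now, ep.name, "threshold hit but ejection capped"))
            return
        ep.ejections += 1
        ep.ejected_until = now + BASE_EJECTION_TIME * ep.ejections
        ep.consecutive_5xx = 0
        self.events.append((now, ep.name, f"ejected until t={ep.ejected_until:.0f}s"))


def run_scenario() -> Pool:
    """Constructed traffic: v2-b answers 503 three times in a row at t=2,3,4."""
    pool = Pool([Endpoint("v2-a"), Endpoint("v2-b")])
    a, b = pool.endpoints
    for t, (ep, status) in enumerate([(a, 200), (b, 503), (b, 503), (b, 503), (a, 200)], 1):
        pool.observe(ep, status, float(t))
    return pool
```

With maxEjectionPercent: 100 the whole pool can be ejected, which turns a dependency outage into immediate 503s from the proxy; lower the value when you would rather keep degraded instances in rotation than fail fast.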

6.2 Fault Injection

fault-injection.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: fault-test
spec:
  hosts:
    - my-app
  http:
    # Inject a delay to test resilience
    - match:
        - headers:
            x-test-scenario:
              exact: delay
      fault:
        delay:
          percentage:
            value: 50.0
          fixedDelay: 5s
      route:
        - destination:
            host: my-app

    # Inject HTTP error
    - match:
        - headers:
            x-test-scenario:
              exact: error
      fault:
        abort:
          percentage:
            value: 30.0
          httpStatus: 503
      route:
        - destination:
            host: my-app

    # Normal traffic
    - route:
        - destination:
            host: my-app

---
# Timeout configuration
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: timeout-config
spec:
  hosts:
    - my-app
  http:
    - route:
        - destination:
            host: my-app
      timeout: 10s
      retries:
        attempts: 3
        perTryTimeout: 3s
        retryOn: "5xx,reset,connect-failure,retriable-4xx"
💡 Fault Injection for Testing

Fault injection is very useful for chaos engineering. You can test how the application responds to delays and errors without changing code. Use the x-test-scenario header so the fault applies only to test requests.
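As an added example (not from the tutorial), the evaluator below applies the routing semantics shared by the VirtualServices in sections 4, 6.1 and 6.2: rules are tried in order and the first match wins, weights split traffic between subsets, and a fault is injected on a matched request with the configured percentage. The roll argument stands in for Envoy's random draw so the outcome is reproducible.

```python
# Rules condensed from fault-test (6.2), the premium match (4) and canary-vs (6.1).
# Order matters: Envoy evaluates them top to bottom.
RULES = [
    {"match": {"headers": {"x-test-scenario": "delay"}},
     "fault": {"delay": {"percentage": 50.0, "fixedDelay": "5s"}},
     "route": [{"dest": "my-app", "weight": 100}]},
    {"match": {"headers": {"x-test-scenario": "error"}},
     "fault": {"abort": {"percentage": 30.0, "httpStatus": 503}},
     "route": [{"dest": "my-app", "weight": 100}]},
    {"match": {"uri_prefix": "/api/v2", "headers": {"x-user-type": "premium"}},
     "route": [{"dest": "my-app/v2", "weight": 100}]},
    {"route": [{"dest": "my-app/v1", "weight": 90}, {"dest": "my-app/v2", "weight": 10}]},
]


def matches(rule: dict, path: str, headers: dict) -> bool:
    """Conditions inside one match block are ANDed; a rule without match always matches."""
    m = rule.get("match")
    if m is None:
        return True
    if "uri_prefix" in m and not path.startswith(m["uri_prefix"]):
        return False
    return all(headers.get(k) == v for k, v in m.get("headers", {}).items())


def pick_destination(route: list, roll: float) -> str:
    """Weighted choice: roll is a draw in [0, 100) compared against cumulative weights."""
    acc = 0.0
    for dest in route:
        acc += dest["weight"]
        if roll < acc:
            return dest["dest"]
    return route[-1]["dest"]


def evaluate(path: str, headers: dict, roll: float) -> dict:
    """What the proxy does with this request: chosen destination plus any injected fault."""
    for rule in RULES:
        if not matches(rule, path, headers):
            continue
        result = {"dest": pick_destination(rule["route"], roll)}
        for kind, spec in rule.get("fault", {}).items():
            if roll < spec["percentage"]:      # same draw reused for brevity
                result["fault"] = kind
                result.update({k: v for k, v in spec.items() if k != "percentage"})
        return result
    return {"dest": None}                       # no rule matched: the proxy answers 404
```

Because the fault rules key only on a client-supplied header, any client that can reach my-app and set x-test-scenario can trigger them; keep such rules out of production VirtualServices or confine them to test namespaces.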

7. mTLS & Security

mTLS and AuthorizationPolicy
# PeerAuthentication: enforce mTLS for the namespace
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default-mtls
  namespace: default
spec:
  mtls:
    mode: STRICT  # STRICT, PERMISSIVE, DISABLE

---
# Allow only a specific service account to call my-app
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-api-gateway
  namespace: default
spec:
  selector:
    matchLabels:
      app: my-app
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/default/sa/api-gateway"]
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/api/*"]

---
# Deny all other traffic in the namespace
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  {}  # Empty spec = no rule can match, so every workload in the namespace is denied by default
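As an added example (not from the tutorial), the evaluator below applies the two AuthorizationPolicies above the way Istio's authorization engine does (DENY policies are checked first, then ALLOW; a workload covered by at least one ALLOW policy is denied unless some rule matches) to constructed requests. The principal is the SPIFFE identity that mTLS supplies, which is why the STRICT PeerAuthentication is a precondition for trusting it.

```python
from fnmatch import fnmatchcase

# Both policies condensed from the manifests above; deny-all is an ALLOW policy
# with no rules (the default action) whose empty selector covers the whole namespace.
POLICIES = [
    {"name": "allow-api-gateway", "action": "ALLOW", "selector": {"app": "my-app"},
     "rules": [{"principals": ["cluster.local/ns/default/sa/api-gateway"],
                "methods": ["GET", "POST"], "paths": ["/api/*"]}]},
    {"name": "deny-all", "action": "ALLOW", "selector": {}, "rules": []},
]


def rule_matches(rule: dict, req: dict) -> bool:
    """Every listed field must match; '*' in paths is Istio's wildcard (matches '/' too)."""
    if "principals" in rule and req.get("principal") not in rule["principals"]:
        return False
    if "methods" in rule and req["method"] not in rule["methods"]:
        return False
    if "paths" in rule and not any(fnmatchcase(req["path"], p) for p in rule["paths"]):
        return False
    return True


def authorize(workload_labels: dict, req: dict) -> str:
    """Decide ALLOW or DENY for a request reaching a workload with these labels."""
    applicable = [p for p in POLICIES
                  if all(workload_labels.get(k) == v for k, v in p["selector"].items())]
    for p in applicable:
        if p["action"] == "DENY" and any(rule_matches(r, req) for r in p["rules"]):
            return "DENY"
    allows = [p for p in applicable if p["action"] == "ALLOW"]
    if not allows:
        return "ALLOW"   # no ALLOW policy covers the workload: Istio's default is allow
    if any(rule_matches(r, req) for p in allows for r in p["rules"]):
        return "ALLOW"
    return "DENY"        # covered by ALLOW policies, but no rule matched
```

A request with no principal (what a plaintext connection would look like under PERMISSIVE mode) never satisfies the principals condition, so the policy only does its job when mTLS is enforced.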

8. Observability

Istio automatically collects metrics, logs, and traces from all traffic passing through the Envoy proxies. You can open the bundled dashboards through istioctl.

Accessing the Istio dashboards
# Kiali: service mesh visualization
istioctl dashboard kiali

# Grafana: metrics dashboards
istioctl dashboard grafana

# Jaeger: distributed tracing
istioctl dashboard jaeger

# Prometheus: metrics backend
istioctl dashboard prometheus

# Zipkin: alternative distributed tracing backend
istioctl dashboard zipkin

# Manual port-forward if needed
kubectl port-forward -n istio-system svc/kiali 20001:20001
kubectl port-forward -n istio-system svc/grafana 3000:3000
kubectl port-forward -n istio-system svc/tracing 16686:80

# Custom Grafana dashboard for Istio metrics
# Add the dashboard via a ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-custom-dashboard
  namespace: istio-system
  labels:
    grafana_dashboard: "1"
data:
  istio-mesh.json: |
    {
      "title": "Istio Custom Mesh Dashboard",
      "panels": [
        {
          "title": "Request Rate",
          "targets": [
            {
              "expr": "sum(rate(istio_requests_total{reporter=\"destination\"}[5m])) by (destination_service)"
            }
          ]
        }
      ]
    }
⚠️ Performance Overhead

Each Envoy sidecar consumes roughly 50-100MB of RAM and 10-50m of CPU. In a large cluster with hundreds of pods this adds up. Use the Sidecar resource to limit the scope each proxy imports, and tune the resource limits to the actual traffic.

9. Quiz: Test Your Understanding!

After reading the tutorial above, answer the following 5 questions:

Question 1: What is the main function of the sidecar proxy (Envoy) in Istio?

a) It replaces the application's main container
b) It intercepts and manages all traffic entering and leaving the pod for routing, security, and observability
c) It stores application data
d) It compresses network traffic

Question 2: What is the difference between a VirtualService and a DestinationRule?

a) They are the same
b) A VirtualService controls traffic routing (where traffic goes); a DestinationRule controls the policy applied once traffic arrives (load balancing, circuit breaker)
c) VirtualService is for ingress, DestinationRule for egress
d) VirtualService is only for HTTP, DestinationRule for TCP

Question 3: What does outlierDetection do in a DestinationRule?

a) Detects pods that are not registered in Kubernetes
b) Acts as a circuit breaker: ejects instances that return many errors from the load-balancing pool
c) Monitors resource usage
d) Detects configuration changes

Question 4: What does STRICT mode mean in a PeerAuthentication?

a) Forces all communication to use mTLS; plaintext traffic is rejected
b) Encrypts all data on disk
c) Limits the number of requests per second
d) Requires user authentication

Question 5: Why use the Sidecar resource in Istio?

a) To change the sidecar image
b) To limit which services the Envoy proxy imports, reducing resource usage and speeding up convergence
c) To configure the sidecar's ports
d) To enable sidecar injection