Mitigate the Security Challenges of Telecom 5G IoT Microservice Pods Architecture Using Istio
Discover the essential features of Istio Service Mesh Architecture and master the configuration of Istio for cellular IoT Microservices pods.
Join the DZone community and get the full member experience.
Join For FreeDeploying microservices in a Kubernetes cluster is critical in 5G Telecom. However, it also introduces significant security risks. While firewall rules and proxies provide initial security, the default communication mechanisms within Kubernetes, such as unencrypted network traffic and lack of access control, are inherently insecure. This insecurity could compromise sensitive data. Therefore, implementing additional security measures within each microservice pod is not just a recommendation but a crucial step to ensure secure communication within the cluster. So, additional configuration inside each application is needed.
Istio provides a robust solution to these challenges by effectively managing communication between individual 5G telecom microservice pods. With its control plane, Istio automatically injects a sidecar proxy into individual microservices pods, ensuring secure and efficient communication.
Let's dive deep.
What Is Istio?
Istio is a crucial open-source service mesh that seamlessly integrates with microservices-based applications, simplifying monitoring, management, and enforcing performance and security policies. It prevents overload, restricts unauthorized access, and secures data in transit. Its support system unifies and ensures smooth operations for microservices, significantly streamlining their management and ensuring performance and security requirements are met effortlessly.
What Is a Sidecar Proxy?
A sidecar proxy is a separate container that runs alongside a Kubernetes microservice pod. It is responsible for offloading functions required by all applications within Istio. The sidecar proxy, a powerful component of Istio Architecture, intercepts the application's incoming and outgoing network traffic. It enables telecom operators to apply policies and utilize the mentioned resiliency features, and it empowers operators to perform advanced functions at the interface point with the outside world, showcasing the capabilities of Istio Architecture.
Architecture
The backbone of Istio's architecture is significantly shaped by two crucial components, each playing a pivotal role in its functionality:
- The data plane, a pivotal part of Istio's architecture, comprises a set of proxies (deployed using Envoy, an open-source proxy for distributed applications) that run alongside microservices as sidecar containers.
- The control plane, a decisive element in Istio's architecture, manages the proxies and dictates their actions. Let's look at each component in more detail. It includes the following components:
- Pilot: Manages service discovery and traffic.
- Citadel: Manages security and enables secure communication.
- Galley: Validates and distributes configuration resources.
- Mixer: Handles policy enforcement and telemetry collection.
- Sidecar Injector: Automatically injects Envoy sidecar proxies into Kubernetes pods for easy integration.
To explain how Istio Architecture works, we’ll use the example based on the above architecture diagram, the sidecar proxy deployed with Microservice-A and Microservice-B ensures seamless and efficient communication. The sidecar proxy intercepts network traffic, empowering the application to implement and enforce policies, utilize resiliency features, and enable advanced functions.
When Microservice-A sends a request to Microservice-B, the sidecar proxy identifies the destination, forwards the request, and checks the service-to-service communication policy to determine if the call should go through based on security, performance, and reliability. This process of intercepting, forwarding, and checking ensures that the request is handled appropriately. If the request goes through, Microservice-B processes the request, prepares the response, and sends it back over the network, which is intercepted and forwarded by the sidecar proxy to the client and then to the destination application, Microservice A.
Understanding the Importance of Istio Service Mesh for Kubernetes Microservices
The Istio service mesh is essential in Kubernetes. While Kubernetes manages microservices, it doesn't handle traffic flow management, access policies, or telemetry data collection. Istio provides these capabilities without requiring changes to application code, making it an attractive solution for managing microservices in Kubernetes using sidecar containers. It can run in any distributed environment, providing a secure solution for cloud or on-premises applications.
Istio supports Kubernetes distributions, including managed services like EKS and self-managed clusters. It also works with different application orchestration platforms and all microservices applications, including serverless architectures.
Advantages of Istio
Istio offers several critical benefits for Kubernetes and Istio-compatible platforms:
- Security: Enforces strong authentication and authorization requirements between microservices.
- Application performance: Efficiently routes traffic between microservices and handles retries and failovers.
- Observability: Collects telemetry data from individual microservices for detailed visibility into health and performance.
- Troubleshooting: Monitors each microservice individually to identify and address performance and security issues.
Overall, Istio simplifies management for admins of modern, microservices-based applications.
Configuration YAMLs (Yet Another Markup Language)
The Service Mesh Control Plane manages proxies to route traffic, provides policy and configuration for data planes, and empowers administrators to define and configure various services. Once configured, the SMCP distributes necessary information to the service mesh's data plane, allowing proxies to dynamically adapt their behavior.
Telecom Operators can install and run SMCP (Service Mesh Control Plane) using the configuration below:
SMCP YAML
apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
name: full-install
namespace: istio-system
spec:
version: v2.1
techPreview:
meshConfig:
defaultConfig:
concurrency: 8 # Adjust according to the need
proxy:
runtime:
container:
resources:
requests:
cpu: 500m
memory: 256Mi
limits: # Adjust according to the need
cpu: "1"
memory: 1Gi
tracing:
sampling: 10000 # 0.01% increments. 10000 samples 100% of traces
type: Jaeger
gateways:
ingress: # istio-ingressgateway
service:
type: ClusterIP
ports:
- name: status-port
port: 15020
- name: http2
port: 80
targetPort: 8080
- name: https
port: 443
targetPort: 8443
meshExpansionPorts: []
egress: # istio-egressgateway
service:
type: ClusterIP
ports:
- name: status-port
port: 15020
- name: http2
port: 80
targetPort: 8080
- name: https
port: 443
targetPort: 8443
additionalIngress:
some-other-ingress-gateway: {}
additionalEgress:
some-other-egress-gateway: {}
policy:
type: Istiod
telemetry:
type: Istiod
addons:
grafana:
enabled: true
kiali:
name: kiali
enabled: true
install: # install kiali CR if not available
dashboard:
viewOnly: false
enableGrafana: true
enableTracing: true
enablePrometheus: true
jaeger:
name: jaeger-production
install:
storage:
type: Elasticsearch
elasticsearch:
nodeCount: 3
redundancyPolicy: SingleRedundancy
indexCleaner:
enabled: true
numberOfDays: 7
schedule: 55 23 * * *
ingress:
enabled: true
runtime:
components:
tracing.jaeger.elasticsearch: # only supports resources and image name
container:
resources:
limits:
cpu: 1
memory: 1Gi
requests:
cpu: 500m
memory: 1Gi
pilot:
deployment:
autoScaling:
enabled: true
minReplicas: 2
maxReplicas: 2
targetCPUUtilizationPercentage: 85
pod:
tolerations:
- key: node.kubernetes.io/unreachable
operator: Exists
effect: NoExecute
tolerationSeconds: 60
affinity:
podAntiAffinity:
requiredDuringScheduling:
- key: istio
topologyKey: kubernetes.io/hostname
operator: In
values:
- pilot
container:
resources:
limits: # Adjust according to the need
cpu: "1"
memory: 1GiThe Service Mesh Member Roll unequivocally identifies the projects associated with the Service Mesh control plane. Solely, projects enlisted on the roll are impacted by the control plane. Adding a project to the member roll links it to a specific control plane deployment.
Telecom Operators can install and run SMMR (Service Mesh Member Roll) using the configuration below:
SMMR YAML
apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
name: default
namespace: istio-system
spec:
members:
- <Micro services pods namespace> # namespace that needs be istio injected.Installation
1. Install the SMCP (Service Mesh Control Plane) as below.
2. Install the SMMR (Service Mesh Member Roll) as below.
Conclusion
Istio simplifies communication between 5G telecom microservices pods in a Kubernetes environment and enables seamless connectivity, control, monitoring, and security of microservice architectures across different platforms. It supports workloads in containers and virtual machines.
With Istio, the future of Telecom IoT microservice pod architecture looks promising, with improved efficiency, security, and scalability.
Opinions expressed by DZone contributors are their own.
Comments