Now a graduated CNCF project, Istio contests complexity rep

Three months after Istio service mesh reached graduation status within the Cloud Native Computing Foundation, its backers are seeking to dispel the image of daunting complexity it earned in its early days, as cloud-native networking takes hold in mainstream enterprise IT.

The project, founded in 2017 by Google and IBM, is one of several approaches on the market to service mesh, a network architecture that shifts management tasks from applications to a distributed set of software components called sidecar proxies. This has the advantage of shielding application developers from the complexity of microservices connectivity.

But in the early days of Istio's adoption by enterprise IT organizations, the burden of complexity fell heavily on IT ops pros. Then in 2020, the project went through a major architecture redesign, which required disruptive upgrades. That year, the project also established a more systematic approach to development stages for new features.

By 2022, Istio maintainers could point to a smoother operational experience for the service mesh, from a single-command install for the Istio control plane utility to re-emerging support for Helm charts. Istio also fulfilled a longstanding wish list item for many enterprise users when it was donated to the Cloud Native Computing Foundation (CNCF) after years of holding out by Google. Following Istio's acceptance into the CNCF in July, more large companies began to contribute to the project, including Microsoft, which had previously established its own Open Service Mesh project, in part as a critique of Google's reluctance to donate Istio to a foundation.

Christian Posta

"You see a lot more vendors now willing to dive in and participate," said Christian Posta, vice president and global field CTO at cloud-native networking vendor Solo.io, in a keynote presentation during the virtual IstioCon conference this week. "You see Microsoft jumping in, which I didn't think that would ever happen … [CNCF graduation] really lowered the barrier for more people -- and not necessarily end users."

Within the 18 months since Istio's initial donation to CNCF as an incubating project, it's made significant progress on sought-after features such as stable support for Helm charts, which had been deprecated in early 2020, then reinstated in 2021. Istio installation using Helm charts reached beta with Istio 1.17 in February, which was stable enough to bring some relief to one enterprise user who had struggled without it.

"Last year … in-place [Istio] upgrades were impossible, requiring us to do blue/green cluster updates for an Istio upgrade, no matter how minor," said Ben Snyder, senior DevOps engineer for the software monetization division of global IT services and consulting firm Thales. "Helm enables us to perform in-place upgrades, to the point that we're getting it added into our CI/CD pipeline."

Kubernetes maturity tide lifts service mesh boat

Istio did earn a reputation for operational issues in its early years, when features would break from release to release and the API architecture was still undergoing revisions, Posta said. But since then, a lot of work has gone into making its "first touch experience" more user-friendly, including the one-command installation process and a built-in analyzer that helps troubleshoot installation errors.

Moreover, Posta maintained, too much simplicity in the inherently complex world of cloud-native networking wouldn't have served a large enterprise user base, either. Issues such as ingress control still need to be addressed for Kubernetes clusters, which Istio has always had built in, along with support for fine-grained application security policies and, for several years, multi-cluster management.

Enterprise IT pros who presented at this year's IstioCon said service mesh is the most effective way to achieve the precise service-level objectives (SLOs) necessary in a customer-facing cloud-native infrastructure made up of potentially thousands of interdependent microservices. Advances in platform engineering and deployment automation techniques such as GitOps that have coincided with Kubernetes adoption have also eased the operational burdens of service mesh. Platform services such as Kiali, Prometheus and Jaeger that tie in to Istio also make it relatively easy for SREs to understand the complex relationships between parts of production services, according to IstioCon presenters.

"With Istio, we have a way of being able to provide [data about] traffic flows and user journeys to help define SLOs without too much intrusion [into the application]," said Chris Dutra, markets SRE leader at financial services giant JPMorgan Chase & Co., during a presentation this week.

It's also possible to approach service mesh deployments iteratively, the same way enterprises approached Agile and DevOps transformations, said John Keates, cloud engineer at ecommerce company Wehkamp Retail Group, during another presentation.

In fact, some of those transformation projects may have imparted knowledge on containers and Linux systems that IT ops pros can use to grasp service mesh, Keates said.

"For us, we already had some platform experience that was relatively relatable to Istio, including scheduling and orchestration for containers and generating YAML … and getting metrics through Prometheus, which helps a lot," Keates said.

This familiarity and maturity in enterprise Kubernetes environments has become commonplace by now among mainstream companies, said Vijay Bhagavath, an analyst at IDC. These trends mean service mesh will likely become a similarly familiar concept for the bulk of the enterprise IT market over the next 12 months.

"Kubernetes is not a novelty anymore. Containers are not a novelty anymore," Bhagavath said in an interview this week. "Heading into 2024, service mesh will go from a science project to a common operational service."

Maintainers aim for stable Ambient Mesh in 2024

To coincide with this expected surge in mainstream service mesh adoption, the Istio project is preparing a sidecarless architecture called Ambient Mesh.

Ambient Mesh replaces the original service mesh architecture of one sidecar container per Kubernetes pod to a condensed waypoint proxy that must be installed only once per node, which connects to containers via a secure interface called a Ztunnel. This approach further simplifies service mesh management for applications that don't require the most fine-grained Layer 7 zero-trust security, and could potentially yield significant cost savings by reducing required infrastructure resources.

Ambient Mesh, first introduced in September 2022 as an experimental feature, was promoted to alpha in Istio 1.18 in June. A beta release is being planned for the next Istio version, 1.20. No release date has been publicized for that version, but version 1.19 was released earlier this month, and Istio typically gets quarterly release updates.

While vendors such as Solo.io support workable versions of Ambient Mesh already, an IstioCon roadmap presentation detailed ongoing work in the upstream version to develop stable APIs, support for Kubernetes multi-cluster environments and integration with Kubernetes Container Network Interface plugins. Ongoing work to replace Istio's traffic API with the Kubernetes Gateway API, which is also expected to simplify service mesh management, must be replicated with Ambient Mesh, according to another IstioCon presentation. Maintainers are also still working on supporting a mix of Ambient Mesh and sidecar-based architectures in the same cluster. However, Ambient Mesh is likely to reach a stable, production-ready release over the next 12 months, maintainers said in an IstioCon roadmap presentation.

While it's still early for Ambient Mesh, Istio users said this week that they're excited about its potential.

"Ambient seems to promise even simpler management, as well as eliminating sidecar overhead," Thales' Synder said. "Whether it's worth the effort to move remains to be seen, but so far it looks promising."

Existing users might find Ambient Mesh appealing, but it's to boost Istio's appeal to a new audience as well, according to Istio technical oversight committee presenters in a Q&A presentation at IstioCon.

"One of the goals of Ambient [Mesh] is to extend the reach of Istio, so that we can target users that historically haven't used Istio for various reasons, from cost and complexity to compatibility," said John Howard, staff software engineer at Google.

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.