Istio
Updated on 21 Aug 2024
Istio is an open-source service mesh that integrates with existing distributed applications. It also works as a platform with APIs for integration into logging and telemetry systems. Traceable provides an agent that integrates with Istio to monitor your system and detect anomalies and attacks. Traceable can also block attacks on your system based on the configuration you set on the platform. For more information on blocking, see Detection and Custom policies. The following is a high-level deployment diagram for Traceable's Istio solution. Note that Traceable attaches only to the Istio ingress gateway.
The deployment steps assume that a stock deployment of Istio is already available.
Traceable module extension (TME)
Traceable module extension (TME) is a type of sidecar container that the Traceable Platform agent can inject into an application pod. It can be considered a miniature Traceable Platform agent.
TME has ext_cap as a component, which synchronously receives requests from applications such as a gateway. The Traceable module extension also houses libtraceable, which contains the request-blocking logic. TME is used when native instrumentation or a native plugin is unavailable. In such cases, TME captures data inline and sends it to the Traceable Platform agent asynchronously. TME also blocks requests inline.
Before you begin
Before you begin deploying Traceable's tracing agent, note that the deployment assumes a stock deployment of Istio is already available.
Support matrix
Component | Version
---|---
Istio | 1.10.0 and above
Traceable Platform agent | 1.36.2 and above
Verify your Istio deployment. It is good practice to have your Istio deployment diagram with you for reference. In a demo environment, the control plane and ingress are in the istio-system namespace; however, the namespace may vary. Verify where the control plane and ingress are installed by entering the following command:
kubectl get svc -n istio-system
Other notable points
- Modify the Istio networking configuration to use an Envoy filter for authorization.
- Make sure that Traceable's platform agent is already installed. For more information on installing, see Platform agent.
- Use the sidecar injector to deploy the Traceable module extension (tme). For more information on the Traceable module extension, see Annotations and Labels. The tme receives data from the Istio module and reports it to traceable-agent.
- Point the Envoy filter to the tme.
- Ensure that port 5442 is available for the Traceable module extension (tme).
Tracing agent at Istio ingress gateway
Configuring the Traceable agent for the Istio ingress gateway consists of the following four steps:
1. Adding a label to the namespace
2. Adding an annotation to the spec in your deployment
3. Enabling the Envoy filter
4. Restarting the Ingress controller
Step 1 - Add Label
Add the traceableai-inject-tme=enabled label to the istio-system namespace:
kubectl label ns istio-system traceableai-inject-tme=enabled
Step 2 - Add Annotation
Add the tme.traceable.ai/inject: "true" annotation to the Istio ingress gateway deployment. Enter the following command:
kubectl patch deployment.apps/istio-ingressgateway -p '{"spec": {"template": {"metadata": {"annotations": {"tme.traceable.ai/inject": "true"}}}}}' -n istio-system
Verification of TME injection:
After injecting the TME, check the istio-ingressgateway pod status. If the TME has been successfully injected, the READY column changes from 1/1 to 2/2. You can further confirm this by running kubectl describe pod <istio-ingressgateway-POD_ID> and verifying that the second container listed is indeed the TME.
To get the POD_ID for a specific pod such as istio-ingressgateway, use the following kubectl command:
kubectl get pods -n <namespace>
For example:
kubectl get pods -n istio-system
Look for a pod with a name similar to istio-ingressgateway-<unique_ID>. The <unique_ID> at the end is the POD_ID you are looking for.
Example output:
NAME READY STATUS RESTARTS AGE
istio-ingressgateway-7f6bb877-6qhzz 2/2 Running 0 53s
In this case, the POD_ID is istio-ingressgateway-7f6bb877-6qhzz.
You can now use this POD_ID to run commands such as kubectl describe pod istio-ingressgateway-7f6bb877-6qhzz -n istio-system.
Step 3 - Enable Envoy Filter
Add the traceableai-istio=enabled label to the Istio ingress gateway deployment.
If everything has default names, the following command adds the above label to the Istio ingress in the istio-system namespace:
kubectl patch deployment.apps/istio-ingressgateway -p '{"spec": {"template": {"metadata": {"labels": {"traceableai-istio": "enabled"}}}}}' -n istio-system
Step 4 - Restart the Ingress controller
Restart the Ingress controller for the tme to attach. Enter the following command:
kubectl rollout restart deployment istio-ingressgateway -n istio-system
Verify the deployment
Enter the following command to verify the deployment:
kubectl get pods -n istio-system
Example output
NAME READY STATUS RESTARTS AGE
istio-egressgateway-96cf6b468-87bkf 1/1 Running 0 13m
istio-ingressgateway-7f6bb877-6qhzz 2/2 Running 0 53s
istiod-58c5fdd87b-k9j29 1/1 Running 0 13m
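As an added example (not part of the Traceable documentation), the following POSIX shell function automates the check described above: it reads kubectl get pods output on stdin, finds the ingress gateway pod, prints its POD_ID, and succeeds only when the READY column is 2/2 and the pod is Running. The sample listings are constructed from the example output on this page, so the script runs offline; the prefix argument and the exit-code convention are this example's own choices.

```shell
#!/bin/sh
# Added example, not Traceable's own tooling.
# tme_injected [POD_NAME_PREFIX]
#   Reads `kubectl get pods` output (with its header line) on stdin.
#   Prints the POD_ID of the matching pod when it shows READY=2/2 and
#   STATUS=Running, i.e. the TME sidecar sits next to the gateway container.
#   Exit codes (chosen for this example): 0 injected, 1 pod found but not
#   2/2 Running (TME missing or still starting), 2 no such pod in the listing.
#   A 2/2 count alone does not prove the second container is the TME;
#   confirm with `kubectl describe pod <POD_ID>` as the docs recommend.
tme_injected() {
  prefix="${1:-istio-ingressgateway}"
  awk -v p="$prefix" '
    NR == 1 { next }                      # skip the NAME READY STATUS header
    index($1, p "-") == 1 {               # pod name starts with "<prefix>-"
      found = 1
      if ($2 == "2/2" && $3 == "Running") { print $1; ok = 1 }
    }
    END { exit (found ? (ok ? 0 : 1) : 2) }
  '
}

# Constructed sample listings, shaped like the example output above.
SAMPLE_OK='NAME READY STATUS RESTARTS AGE
istio-egressgateway-96cf6b468-87bkf 1/1 Running 0 13m
istio-ingressgateway-7f6bb877-6qhzz 2/2 Running 0 53s
istiod-58c5fdd87b-k9j29 1/1 Running 0 13m'

# Same gateway before Step 4: only the Envoy container, no TME sidecar yet.
SAMPLE_NOT_INJECTED='NAME READY STATUS RESTARTS AGE
istio-ingressgateway-7f6bb877-abcde 1/1 Running 0 13m'

# Offline demonstration; against a live cluster use instead:
#   kubectl get pods -n istio-system | tme_injected && echo "TME injected"
printf '%s\n' "$SAMPLE_OK" | tme_injected && echo "TME injected"
printf '%s\n' "$SAMPLE_NOT_INJECTED" | tme_injected || echo "TME not injected (rc=$?)"
```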
Install Traceable Istio helm chart
Enter the following command to install the Traceable Istio helm chart:
helm install traceableai-istio traceableai/traceableai-istio --namespace istio-system
The above command creates an Envoy Filter object in the Ingress controller.
Helm values
The following table details the various Helm values.
| Value | Default value | Description |
|---|---|---|
| | 131072 | Defines the maximum payload size in bytes to capture. |
| | | When set to |
| | 5441 | Traceable Module Extension ( |
| | 5442 | Traceable Module Extension ( |
| | 127.0.0.1 | Traceable Module Extension ( |
| | | Labels to add to pods in the mesh to enable the Traceable Istio module. |
| | | Capture response bodies whose content-type header contains one of the configured substrings. |
| | | The service name for spans that are captured by the Traceable Istio module. |
| | 50ms | Timeout to connect to Traceable Module Extension ( |
| | 0.2s | Timeout to the |
| | 50 | Timeout to the Envoy response handler in milliseconds. |
| | | Webhook must only be enabled if traceable-agent is running outside the Istio cluster. This Webhook will be used to call into the external traceable-agent to inject the |
| | - | External traceable-agent URL. It must be HTTPS. |
| | - | A base64 PEM-encoded CA bundle that will be used to validate the external traceable-agent's (which is the Webhook's server) certificate. |
| | ignore | Defines how to handle webhook failures. |
| | | Use namespace selector match labels to inject the |
| | | Use namespace selector match labels to inject the Java sidecar. |
Restart Ingress gateway
Restart the ingress gateway so the changes take effect. Enter the following command:
kubectl rollout restart deployment istio-ingressgateway -n istio-system
Verify the deployment
Enter the following command to verify the deployment:
kubectl get envoyfilters.networking.istio.io -n istio-system
Example output:
traceableai-istio 104s
(Optional) Custom error message
You can optionally configure a custom error code and message for the blocking function by editing the Traceable Platform agent configuration, as shown below. Configure this inside the injector section.
ext_cap:
  blocking_config:
    response_status_code: 403
    response_message: "Access Forbidden"
injector:
  blocking_config:
    response_status_code: 403
    response_message: "Access Forbidden"
If you are using Helm, then in values.yaml you would need to set:
blockingStatusCode:
blockingMessage:
injector:
  blockingConfig:
    blockingStatusCode:
    blockingMessage:
Make sure that the status code is between 400 and 499. If you set a value outside the 4xx range, then 403 (the default status code) is displayed in the Traceable Platform.