Istio
  • 13 May 2022


Overview

Istio is an open-source service mesh that integrates with existing distributed applications. It also works as a platform with APIs to integrate into logging and telemetry systems. Traceable provides an agent that integrates with Istio to monitor your system and detect anomalies and attacks. Traceable can also block attacks on your system based on the configuration you set on the platform. For more information on blocking, see Policies.

The deployment steps assume that a stock deployment of Istio is already available, with an architecture similar to the one shown below.

 Picture source: Istio documentation - https://istio.io/latest/docs/examples/virtual-machines/

The Istio ingress gateway runs in the istio-system namespace, while the other application components run in their own namespace. Request and response capture and blocking are enabled in the Istio gateway.


Before you begin

Before you begin deploying Traceable's tracing agent, make a note of the following. The deployment assumes a stock deployment of Istio is already available. 

Note:
The deployment is supported for Istio 1.8 and later.

Verify your Istio deployment. It is good practice to have your Istio deployment diagram on hand for reference. If you are installing for a demo environment, the control plane and ingress are in the istio-system namespace; however, the namespace may vary. Verify where the control plane and ingress are installed by entering the following command:

kubectl get svc -n istio-system
  • Modify the Istio networking configuration to use Envoy Filter for authorization.
  • Make sure that Traceable's platform agent is already installed. For more information on installing, see Platform agent.
  • Use the sidecar injector to deploy the traceable module extension (tme). For more information on Traceable module extension, see Annotations and Labels. The tme receives data from the Istio module and reports it to traceable-agent.
  • Point the Envoy filter to the tme.


Tracing agent at Istio ingress gateway

Configuring Traceable agent for Istio ingress gateway consists of the following four steps:

  1. Adding a label to the namespace
  2. Adding an annotation to the spec in your deployment
  3. Enabling Envoy filter
  4. Restarting the Ingress controller

Step 1 - Add Label

Add traceableai-inject-tme=enabled label to the istio-system namespace. 

kubectl label ns istio-system traceableai-inject-tme=enabled

 Step 2 - Add Annotation

Add the "tme.traceable.ai/inject": "true" annotation to the Istio ingress gateway deployment. Enter the following command:

kubectl patch deployment.apps/istio-ingressgateway -p '{"spec": {"template": {"metadata": {"annotations": {"tme.traceable.ai/inject": "true"}}}}}' -n istio-system

 Step 3 - Enable Envoy Filter

Add traceableai-istio=enabled label to the Istio ingress gateway deployment.

If everything has default names, the following command will add the above label to the Istio ingress in istio-system namespace:

kubectl patch deployment.apps/istio-ingressgateway -p '{"spec": {"template": {"metadata": {"labels": {"traceableai-istio": "enabled"}}}}}' -n istio-system

Step 4 - Restart Ingress controller

Restart the Ingress controller for the tme to attach. Enter the following command:

kubectl rollout restart deployment istio-ingressgateway -n istio-system

Verify the deployment

Enter the following command to verify the deployment. 

kubectl get pods -n istio-system

  Example output

NAME                                  READY   STATUS    RESTARTS   AGE
istio-egressgateway-96cf6b468-87bkf   1/1     Running   0          13m
istio-ingressgateway-7f6bb877-6qhzz   2/2     Running   0          53s
istiod-58c5fdd87b-k9j29               1/1     Running   0          13m

Configure Traceable for Istio service mesh

 Configuring Traceable for Istio service mesh consists of two steps:

  1. Configure the Zipkin address to point to the traceable-agent. Depending on how Istio is managed, there are three options:
    • Istioctl without Operator
    • Istioctl with Operator
    • Helm
  2. Install Traceable Istio Helm chart

Step 1, option 1 -  Istioctl  without Operator

If Istio has been installed using istioctl without the operator, use istioctl with --set or -f to modify the mesh configuration. Enter the following command to set the Zipkin address using istioctl and the --set flag:

istioctl install --set profile=demo -y --set meshConfig.enableTracing=true --set meshConfig.defaultConfig.tracing.sampling=100 --set meshConfig.defaultConfig.tracing.zipkin.address=agent.traceableai:9411 

The above command enables tracing, sets the tracing sampling rate to 100%, and configures the Zipkin address to point to the traceable-agent.

Step 1, option 2 - Istioctl with Operator

You can also configure the Zipkin address using istioctl and the -f flag with a custom resource of kind IstioOperator. The -f flag lets you specify multiple IstioOperator custom resources (CRs); the precedence order is from left to right (lowest to highest).

istioctl install --set profile=demo -y -f istio-traceable.yaml

Run the cat command:

cat istio-traceable.yaml

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    enableTracing: true
    defaultConfig:
      tracing:
        sampling: 100
        zipkin:
          address: agent.traceableai:9411

You can use the above configuration as a base if you are installing Istio using the Operator method.

Step 1, option 3 - Configure Zipkin via Helm

You can also set the Zipkin address using Helm:

helm [install|upgrade] istiod manifests/charts/istio-control/istio-discovery --set meshConfig.enableTracing=true --set meshConfig.defaultConfig.tracing.sampling=100 --set meshConfig.defaultConfig.tracing.zipkin.address=agent.traceableai:9411 -n istio-system

Step 2 - Install Traceable Istio helm chart

Enter the following command to install the Traceable Istio helm chart:

helm install traceableai-istio traceableai/traceableai-istio --namespace istio-system

 The above command creates an Envoy Filter object in the Ingress controller. 

Verify the deployment

Enter the following command to verify the deployment:

kubectl get envoyfilters.networking.istio.io -n istio-system                         

Example output:

traceableai-istio           104s
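
A scripted form of the two verification steps above, added here as an example (it is not part of Traceable's documentation or tooling): it fails when an ingress gateway pod is running without the tme, or when the EnvoyFilter is missing. It assumes the injected tme shows up as a second container in the gateway pod, as the 2/2 in the example output indicates; the function names and the failing sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Traceable tooling. Both functions read kubectl's
# table output on stdin, so they can be exercised without a cluster.

# Succeeds only if every istio-ingressgateway pod is Running with all
# containers ready and at least two containers (gateway proxy + tme).
check_gateway_pods() {
  awk '
    $1 ~ /^istio-ingressgateway-/ {
      seen++
      split($2, ready, "/")                 # READY column, e.g. "2/2"
      if (ready[2] + 0 < 2)          { print $1 ": tme not injected (" $2 ")"; bad++ }
      else if (ready[1] != ready[2]) { print $1 ": containers not ready (" $2 ")"; bad++ }
      else if ($3 != "Running")      { print $1 ": status " $3; bad++ }
    }
    END {
      if (!seen) { print "no istio-ingressgateway pod found"; exit 1 }
      exit (bad > 0)
    }'
}

# Succeeds only if the traceableai-istio EnvoyFilter is listed.
check_envoyfilter() {
  awk '$1 == "traceableai-istio" { found = 1 } END { exit !found }'
}

# Pod listing taken from the example output earlier on this page.
PODS_OK='NAME                                  READY   STATUS    RESTARTS   AGE
istio-egressgateway-96cf6b468-87bkf   1/1     Running   0          13m
istio-ingressgateway-7f6bb877-6qhzz   2/2     Running   0          53s
istiod-58c5fdd87b-k9j29               1/1     Running   0          13m'

# Constructed sample: gateway restarted without the tme being injected.
PODS_NO_TME='NAME                                  READY   STATUS    RESTARTS   AGE
istio-ingressgateway-7f6bb877-6qhzz   1/1     Running   0          53s
istiod-58c5fdd87b-k9j29               1/1     Running   0          13m'

# Constructed sample with the header row kubectl normally prints.
FILTERS_OK='NAME                AGE
traceableai-istio   104s'

# Demo on the embedded samples. Against a cluster:
#   kubectl get pods -n istio-system | check_gateway_pods
#   kubectl get envoyfilters.networking.istio.io -n istio-system | check_envoyfilter
printf '%s\n' "$PODS_OK"     | check_gateway_pods && echo "gateway: tme attached"
printf '%s\n' "$PODS_NO_TME" | check_gateway_pods || echo "gateway: NOT instrumented"
printf '%s\n' "$FILTERS_OK"  | check_envoyfilter  && echo "envoyfilter: present"
```

A gateway that reports 1/1 is serving traffic without capture or blocking, so a non-zero exit from check_gateway_pods is worth wiring into a post-deploy check.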


