Istio
  • 14 Feb 2024
  • 3 Minutes to read

Istio is an open-source service mesh that integrates with existing distributed applications. It also works as a platform with APIs for integrating into logging and telemetry systems. Traceable provides an agent that integrates with Istio to monitor your system and detect anomalies and attacks. Traceable can also block attacks on your system based on the configuration you set on the platform. For more information on blocking, see Detection and Custom policies. The following is a high-level deployment diagram for Traceable's Istio solution. Note that Traceable attaches only to the Istio ingress gateway.

The deployment steps assume that a stock deployment of Istio is already available. 

Traceable module extension (TME)

Traceable module extension (TME) is a type of sidecar container that a Traceable Platform agent can inject into the application pod. It can be considered a miniature Traceable Platform agent. 

TME has ext_cap as a component. This synchronously receives requests from the applications, for example, a gateway. The traceable module extension also houses libtraceable, which has the request blocking logic. TME is used when native instrumentation or a native plugin is unavailable. In such cases, TME captures data inline and asynchronously sends the data to the Traceable Platform agent. TME also blocks the requests inline.


Before you begin

Before you begin deploying Traceable's tracing agent, make a note of the following. The deployment assumes a stock deployment of Istio is already available. 

Note:

The deployment is supported for Istio 1.8 and later.

Verify your Istio deployment. It is good practice to have your Istio deployment diagram at hand for reference. If you are installing for a demo environment, the control plane and ingress are in the istio-system namespace; however, the namespace may vary. Verify where the control plane and ingress are installed by entering the following command:

kubectl get svc -n istio-system

  • Modify the Istio networking configuration to use an Envoy filter for authorization

  • Make sure that Traceable's platform agent is already installed. For more information on installing, see Platform agent.

  • Use the sidecar injector to deploy the traceable module extension (tme). For more information on the Traceable module extension, see Annotations and Labels. The tme receives data from the Istio module and reports it to traceable-agent.

  • Point the Envoy filter to the tme.

  • Make sure that port number 5442 is available for Traceable module extension (tme).


Tracing agent at Istio ingress gateway

Configuring the Traceable agent for the Istio ingress gateway consists of the following four steps:

  1. Adding a label to the namespace

  2. Adding an annotation to the spec in your deployment

  3. Enabling Envoy filter

  4. Restart Ingress controller

Step 1 - Add Label

Add the traceableai-inject-tme=enabled label to the istio-system namespace.

kubectl label ns istio-system traceableai-inject-tme=enabled

Step 2 - Add Annotation

Add the tme.traceable.ai/inject: "true" annotation to the Istio ingress gateway deployment. Enter the following command:

kubectl patch deployment.apps/istio-ingressgateway -p '{"spec": {"template": {"metadata": {"annotations": {"tme.traceable.ai/inject": "true"}}}}}' -n istio-system

Step 3 - Enable Envoy Filter

Add the traceableai-istio=enabled label to the Istio ingress gateway deployment.

If everything has default names, the following command adds the above label to the Istio ingress gateway in the istio-system namespace:

kubectl patch deployment.apps/istio-ingressgateway -p '{"spec": {"template": {"metadata": {"labels": {"traceableai-istio": "enabled"}}}}}' -n istio-system

Step 4 - Restart the Ingress controller

Restart the Ingress controller for the tme to attach. Enter the following command:

kubectl rollout restart deployment istio-ingressgateway -n istio-system

Verify the deployment

Enter the following command to verify the deployment:

kubectl get pods -n istio-system

Example output:

NAME                                  READY   STATUS    RESTARTS   AGE
istio-egressgateway-96cf6b468-87bkf   1/1     Running   0          13m
istio-ingressgateway-7f6bb877-6qhzz   2/2     Running   0          53s
istiod-58c5fdd87b-k9j29               1/1     Running   0          13m
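A preflight check for the four steps above, added here as an example that is not part of Traceable's documentation or agent: it runs over the parsed JSON that `kubectl get ns/deploy/pods -o json` returns and, for the verify step, applies the 2/2 READY rule seen in the example output. The sample cluster data and the container name tme are constructed assumptions.

```python
# Label/annotation pairs the four steps above apply (values as the page gives them).
NS_LABEL = ("traceableai-inject-tme", "enabled")      # step 1, on the namespace
TME_ANNOTATION = ("tme.traceable.ai/inject", "true")  # step 2, on the pod template
ENVOY_LABEL = ("traceableai-istio", "enabled")        # step 3, on the pod template


def check_ingress_setup(namespace: dict, deployment: dict, pods: list) -> list:
    """Return the problems found; an empty list means all four steps took effect.

    Inputs are the parsed JSON of `kubectl get ns/deploy/pods -o json`.
    """
    problems: list = []
    ns_labels = namespace.get("metadata", {}).get("labels") or {}
    if ns_labels.get(NS_LABEL[0]) != NS_LABEL[1]:
        problems.append(f"namespace lacks label {NS_LABEL[0]}={NS_LABEL[1]}")
    tmpl = deployment.get("spec", {}).get("template", {}).get("metadata", {})
    if (tmpl.get("annotations") or {}).get(TME_ANNOTATION[0]) != TME_ANNOTATION[1]:
        problems.append(f"pod template lacks annotation {TME_ANNOTATION[0]}={TME_ANNOTATION[1]}")
    if (tmpl.get("labels") or {}).get(ENVOY_LABEL[0]) != ENVOY_LABEL[1]:
        problems.append(f"pod template lacks label {ENVOY_LABEL[0]}={ENVOY_LABEL[1]}")
    # Step 4: after the rollout restart the ingress pod shows 2/2 READY, i.e. a
    # second (tme) container runs beside istio-proxy. A pod that predates the
    # restart still has a single container, which is the usual mistake.
    for pod in pods:
        statuses = pod.get("status", {}).get("containerStatuses") or []
        ready = sum(1 for c in statuses if c.get("ready"))
        if len(statuses) < 2 or ready < len(statuses):
            name = pod.get("metadata", {}).get("name", "?")
            problems.append(f"pod {name} is {ready}/{len(statuses)} READY; tme not injected or not ready")
    return problems


def sample_cluster(tme_injected: bool) -> tuple:
    """Constructed stand-in for kubectl output (not real cluster data); the
    container name 'tme' is an assumption, the check only counts containers."""
    ns = {"metadata": {"name": "istio-system",
                       "labels": {NS_LABEL[0]: NS_LABEL[1]}}}
    deploy = {"spec": {"template": {"metadata": {
        "annotations": {TME_ANNOTATION[0]: TME_ANNOTATION[1]},
        "labels": {ENVOY_LABEL[0]: ENVOY_LABEL[1]}}}}}
    names = ["istio-proxy"] + (["tme"] if tme_injected else [])
    pod = {"metadata": {"name": "istio-ingressgateway-7f6bb877-6qhzz"},
           "status": {"containerStatuses": [{"name": n, "ready": True} for n in names]}}
    return ns, deploy, [pod]


if __name__ == "__main__":
    for injected in (True, False):
        print("tme injected:", injected, "->", check_ingress_setup(*sample_cluster(injected)))
```

Against a live cluster, feed the function the output of `kubectl get ns istio-system -o json`, `kubectl get deploy istio-ingressgateway -n istio-system -o json` and the `items` of `kubectl get pods -n istio-system -o json`.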

Install Traceable Istio helm chart

Enter the following command to install the Traceable Istio helm chart:

helm install traceableai-istio traceableai/traceableai-istio --namespace istio-system

The above command creates an Envoy Filter object in the Ingress controller.


Restart Ingress gateway

Restart the ingress gateway for the changes to take effect. Enter the following command:

kubectl rollout restart deployment istio-ingressgateway -n istio-system

Verify the deployment

Enter the following command to verify the deployment:

kubectl get envoyfilters.networking.istio.io -n istio-system

Example output:

traceableai-istio           104s

(Optional) Custom error message

You can optionally configure a custom error code and message for the blocking function by editing the Traceable Platform agent configuration, as shown below. Configure this inside the injector section.

ext_cap:
  blocking_config:
    response_status_code: 403
    response_message: "Access Forbidden"
injector:
  blocking_config:
    response_status_code: 403
    response_message: "Access Forbidden"

If you are using Helm, set the following in values.yaml:

blockingStatusCode: 
blockingMessage:
injector:
  blockingConfig:
    blockingStatusCode: 
    blockingMessage:

Make sure that the status code is set between 400 and 499. If you set a value outside the 4xx range, the default status code, 403, is displayed in the Traceable Platform.

