Some best practices for running Istio in production

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: transaction-log
  namespace: seller
spec:
  gateways:
  - istio-system/secure-gateway
  hosts:
  - selleradstransactionlogapi.trendyol.com
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: transaction-log
    timeout: 1.000s   # per-request timeout for this route
  exportTo:
  - "."               # visible only inside its own namespace
```
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: cluster-idletimeout
  namespace: istio-system   # root namespace, so the patch applies mesh-wide
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: SIDECAR_OUTBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          common_http_protocol_options:
            idle_timeout: 10s   # close idle outbound connections after 10 seconds
```
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: ratelimit
spec:
  egress:
  - hosts:
    - ratelimit/*   # sidecars in this namespace only get config for services in ratelimit
```
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: api
  namespace: browsing
spec:
  egress:
  - hosts:
    - '*/servicename.namespace.svc.cluster.local'   # one named service, from any namespace
    - ./service.browsing.svc.cluster.local           # one service in the current namespace
  workloadSelector:
    labels:
      app: api   # only pods carrying this label get the restricted egress scope
```
https://github.com/Hitachi/istio-bench
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: application-gzip
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: workload-app
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            # canonical filter names; the older aliases envoy.http_connection_manager
            # and envoy.router are deprecated
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE   # compressor runs before the router on inbound traffic
      value:
        name: envoy.filters.http.compressor
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor
          compressor_library:
            name: text_optimized
            typed_config:
              '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip
          remove_accept_encoding_header: true
```
  • x-envoy-peer-metadata
  • x-envoy-peer-metadata-id
  • x-envoy-decorator-operation

Decoded x-envoy-peer-metadata for one pod:

INSTANCE_IPS: 100.96.50.107
LABELS:
  app: wantedly
  pod-template-hash: dfc5f9699
  role: web
  security.istio.io/tlsMode: istio
  service.istio.io/canonical-name: wantedly
  service.istio.io/canonical-revision: latest
MESH_ID: cluster.local
NAME: wantedly-dfc5f9699-fmbjj
NAMESPACE: wantedly
OWNER: kubernetes://apis/apps/v1/namespaces/wantedly/deployments/wantedly
SERVICE_ACCOUNT: default
WORKLOAD_NAME: wantedly
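The three headers listed above carry Istio's peer metadata, and the dump shows what a decoded x-envoy-peer-metadata value contains. As an added example (not from the original post), the Python below encodes a constructed payload the way Istio does, as a base64-encoded google.protobuf.Struct, and decodes it again, so a defender inspecting responses can see exactly which workload details these headers expose if they reach a client. SAMPLE_METADATA and all helper names are constructed for this example.

```python
import base64

# Minimal protobuf helpers for google.protobuf.Struct; Istio's peer metadata uses
# only string values (Value field 3) and nested structs (Value field 5).
def _varint(n):
    out = b""
    while n > 0x7F:
        out, n = out + bytes([(n & 0x7F) | 0x80]), n >> 7
    return out + bytes([n])
def _field(num, payload):  # length-delimited field (wire type 2)
    return _varint((num << 3) | 2) + _varint(len(payload)) + payload
def encode_struct(d):
    """Serialize a dict of str -> (str | dict) as a google.protobuf.Struct."""
    out = b""
    for k, v in d.items():
        val = _field(5, encode_struct(v)) if isinstance(v, dict) else _field(3, v.encode())
        out += _field(1, _field(1, k.encode()) + _field(2, val))  # Struct.fields map entry
    return out
def _read_varint(buf, i):
    n = shift = 0
    while True:
        b, i = buf[i], i + 1
        n |= (b & 0x7F) << shift
        if not b & 0x80:
            return n, i
        shift += 7
def _fields(buf):  # yield (field_number, payload) for each length-delimited field
    i = 0
    while i < len(buf):
        tag, i = _read_varint(buf, i)
        if (tag & 7) != 2:
            raise ValueError("unsupported wire type %d" % (tag & 7))
        n, i = _read_varint(buf, i)
        yield tag >> 3, buf[i:i + n]
        i += n
def decode_struct(buf):
    result = {}
    for _, entry in _fields(buf):  # map entry: key is field 1, Value is field 2
        parts = dict(_fields(entry))
        vnum, vpayload = next(_fields(parts[2]))
        result[parts[1].decode()] = decode_struct(vpayload) if vnum == 5 else vpayload.decode()
    return result
def decode_peer_metadata(header_value):  # header value is a base64-encoded Struct
    return decode_struct(base64.b64decode(header_value))

# Constructed sample resembling the decoded dump above (not a captured header).
SAMPLE_METADATA = {"NAME": "wantedly-dfc5f9699-fmbjj", "NAMESPACE": "wantedly",
                   "LABELS": {"app": "wantedly", "role": "web"}, "SERVICE_ACCOUNT": "default"}
SAMPLE_HEADER = base64.b64encode(encode_struct(SAMPLE_METADATA)).decode()
```

Pass a real header value to decode_peer_metadata to see the pod name, namespace, owner and labels it carries.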

Conclusion

Be careful about resource consumption in production. Move some network-level processing out of the application layer and into Istio. Use Istio metrics to define alert rules. We will continue to share our production experience with any mesh tool.
