Service Mesh

Overview

Kyma Service Mesh is the component responsible for service-to-service communication, proxying, service discovery, traceability, and security. To deliver this functionality, Kyma Service Mesh uses Istio open platform.

The main principle of Kyma Service Mesh is to inject Pods of every service with the Envoy sidecar proxy. Envoy intercepts the communication between the services and regulates it by applying and enforcing the rules you create. Kyma Dex, which is also a part of the Service Mesh, allows you to integrate any OpenID Connect-compliant identity provider or a SAML2-based enterprise authentication server with your solution.

By default, Istio in Kyma has mutual TLS (mTLS) enabled and injects a sidecar container to every Pod. You can manage mTLS traffic in services or at a Namespace level by creating Destination Rules and Authentication Policies. If you disable sidecar injection in a service or in a Namespace, you must manage their traffic configuration by creating appropriate Destination Rules and Authentication Policies.

NOTE: The Istio Control Plane doesn't have mTLS enabled.

NOTE: For security and performance we use the distroless version of Istio images. Those images are not Debian-based and are slimmed down to reduce any potential attack surface and increase startup time.

Details

Istio setup in Kyma

Istio in Kyma is installed with the help of the istioctl tool. The tool is driven by a configuration file containing an instance of IstioControlPlane custom resource. There are two configuration files — one for local installation on Minikube and one for cluster installations. The configurations are customized for Kyma and are stored in the resources/istio directory.

Istio components

This list shows the available Istio components and the components enabled by default:

ComponentEnabled
Gateways
Sidecar Injector
Galley
Mixer
Pilot
Security
Node agent⛔️
Grafana⛔️
Prometheus⛔️
Servicegraph⛔️
Tracing⛔️
Kiali⛔️

Kyma-specific configuration

These configuration changes are applied to customize Istio for use with Kyma:

  • Only the Ingress Gateway is enabled.
  • The Secret Discovery Service is enabled in the Ingress Gateway.
  • Automatic sidecar injection is enabled by default, excluding the istio-system and kube-system Namespaces.
  • New resource limits for Istio sidecars are introduced: CPU: 100m, memory: 128Mi.
  • Mutual TLS (mTLS) is enabled cluster-wide with the exception of the Istio Control Plane.
  • Global tracing is set to use the Zipkin installation provided by Kyma.
  • Ingress Gateway is expanded to handle ports 80 and 443 for local Kyma deployments.
  • DestinationRules are created by default, which disables mTLS for the istio-ingressgateway.istio-system.svc.cluster.local service.

Istio patch

As a core component, Istio is installed with every Kyma deployment by default. The installation includes the following steps:

  1. Istio is installed using the official charts from the currently supported release. The charts reside in the resources/istio directory.

  2. A custom Istio Patch job runs and checks if the detected Istio deployment meets the following criteria:

  • A specific version of Istio is installed. The required version is defined in the values file.
  • Mutual TLS (mTLS) policy is enabled and set to strict.
  • Istio policy enforcement is enabled.
  • Automatic sidecar injection is enabled.
  • Istio policies.authentication.istio.io CustomResourceDefinition (CRD) is present in the system.

If the Istio deployment fails to meet any of these criteria, the patch fails, which results in a failed installation. In such case, get the Istio Patch logs to find out which criteria the Istio deployment didn't meet. Run:

Click to copy
kubectl logs -n istio-system -l app=istio-kyma-patch

NOTE: The Istio patch component is enabled by default, but you can disable it at any time using the instructions.

Use an existing Istio installation with Kyma

You can use an existing installation of Istio with your Kyma installation. To use it:

  • Make sure Istio is already running in the cluster.
  • Don't disable the Istio Patch component.
  • Install Kyma without Istio. Read the configuration document for more details.

Istio RBAC configuration

As a core component, Istio is installed with Kyma by default. The ClusterRbacConfig custom resource (CR), which defines the global behavior of Istio, is created as a part of the installation process.

The default Istio RBAC configuration is defined in the config.yaml file.

Override the default configuration

To override the default configuration of Istio RBAC, edit the ClusterRbacConfig CR on a running cluster. This CR is created in the kyma-system Namespace and therefore requires admin permissions to edit it.

To show the current Istio RBAC configuration in the yaml format, run:

Click to copy
kubectl get -n kyma-system clusterrbacconfig -o yaml

To edit the Istio RBAC configuration, run:

Click to copy
kubectl edit -n kyma-system clusterrbacconfig

NOTE: The ClusterRbacConfig object is a singleton, which means that only a single object of this kind can exist in a cluster. Additionally, the only valid name for the object is default. As such, the best way to customize Istio RBAC is by editing the existing ClusterRbacConfig object.

Sidecar Proxy Injection

By default, the Istio sidecar injector watches all Pod creation operations on all Namespaces and injects the newly created Pods with a sidecar proxy.

You can disable sidecar proxy injection for either an entire Namespace or a single Deployment.

  • To disable sidecar proxy injection for a Namespace, set the istio-injection label value to disabled for the Namespace in which you want to disable the sidecar proxy injection. Use this command: kubectl label namespace {YOUR_NAMESPACE} istio-injection=disabled
  • To disable sidecar proxy injection for a Deployment, add this annotation to the Deployment configuration file: sidecar.istio.io/inject: "false"

Read the Istio documentation to learn more about sidecar proxy injection.

Configuration

Service Mesh production profile

By default, every Kyma deployment is installed with the Service Mesh provider Istio, using what is considered a development profile. In this case, this means that:

  • Horizontal Pod Autoscaler (HPA) is enabled for all components, with the default number for replicas.
  • All components have severely reduced resource quotas, which is a performance factor.

This configuration is not considered production-ready. To use the Kyma Service Mesh in a production environment, configure Istio to use the production profile.

Production profile

The production profile introduces the following changes to the Istio Service Mesh:

  • Resource quotas for all Istio components are increased.
  • All Istio components have HPA enabled.
  • HPA for Istio Ingress Gateway has been customized:
    • Minimum number of replicas: 3
    • Maximum number of replicas: 10

System requirements

As the production profile is configured with increased performance it mind, the recommend system setup is different:

RequirementDevelopment setupProduction setup
vCPU48
RAM1616/32
Example machine type (GKE)n1-standard-4n1-standard-8 or c2-standard-8
Example machine type (AKS)Standard_D4_v3Standard_F8s_v2 or Standard_D8_v3
Size33-5

Use the production profile

CAUTION: Due to changes in the installation options in Istio, Helm-based configuration is now deprecated in favor of the new IstioControlPlane API. Please keep in mind that Helm overrides will be no longer supported in future Istio releases. Refer to IstioControlPlane documentation for details.

You can deploy a Kyma cluster with Istio configured to use the production profile, or configure Istio in a running cluster to use the production profile. Follow these steps:

  • Istio Control Plane API
  • Install Kyma with production-ready Istio
  • Enable production profile in a running cluster

Troubleshooting

Overview

The troubleshooting section aims to identify the most common recurring problems with the Kyma Service Mesh, as well as the most suitable solutions to these problems.

If you can't find a solution to your problem, don't hesitate to create a GitHub issue or reach out to the #service-mesh Slack channel to get direct support from the community.

Can't access Console UI or other endpoints

The 503 status code received when you try to access the Console UI or any other endpoint in Kyma can be caused by a configuration error in the Istio Ingress Gateway. As a result, the endpoint you call is not exposed. To fix this problem, restart the Pods of the Gateway.

  1. List all available endpoints:

    Click to copy
    kubectl get virtualservice --all-namespaces
  2. Restart the Pods of the Istio Ingress Gateway to force them to recreate their configuration:

    Click to copy
    kubectl delete pod -l app=istio-ingressgateway -n istio-system

If this solution doesn't work, you need to change the image of the Istio Ingress Gateway to allow further investigation. Kyma uses distroless Istio images which are more secure, but you cannot execute commands inside them. Follow this steps:

  1. Edit the Istio Ingress Gateway Deployment:

    Click to copy
    kubectl edit deployment -n istio-system istio-ingressgateway
  2. Find the istio-proxy container and delete the -distroless suffix.

  3. Check all ports used by the Istio Ingress Gateway:

    Click to copy
    kubectl exec -ti -n istio-system $(kubectl get pod -l app=istio-ingressgateway -n istio-system -o name) -c istio-proxy -- netstat -lptnu
  4. If ports 80 and 443 are not used, check the logs of the Istio Ingress Gateway container for errors related to certificates. Run:

    Click to copy
    kubectl logs -n istio-system -l app=istio-ingressgateway -c ingress-sds
  5. In case of certificate-related issues, make sure kyma-gateway-certs and kyma-gateway-certs-cacert Secrets are available in the istio-system Namespace and that they contain proper data. Run:

    Click to copy
    kubectl get secrets -n istio-system kyma-gateway-certs -oyaml
    kubectl get secrets -n istio-system kyma-gateway-certs-cacert -oyaml
  6. To regenerate a corrupted certificate, follow this tutorial. If you are running Kyma provisioned through Gardener, follow this tutorial instead.

    NOTE: Remember to switch back to the distroless image after you resolved the issue.

Connection refused errors

Mutual TLS (mTLS) is enabled in the Service Mesh by default. As a result, every element of the Service Mesh must have an Istio sidecar with a valid TLS certificate to allow communication. Attempts to establish connection between a service with a sidecar and a service without a sidecar result in a Connection reset by peer or a GOAWAY response.

  • To enable sidecar injection for Pods of existing Services, restart them after upgrading to Kyma 1.0 or higher.
  • To allow connections between a Service with a sidecar and Services without a sidecar, create an Authentication Policy in the PERMISSIVE mode.
  • To whitelist a Service without a sidecar and disable mTLS traffic for it, create a DestinationRule.

Issues with Istio sidecar injection

Kyma has sidecar injection enabled by default - a sidecar is injected to every Deployment in a cluster, without the need adding any labels. For more information, read this document. If a Pod doesn't have a sidecar and you did not disable sidecar injection on purpose, follow these steps to troubleshoot:

  1. Check if sidecar injection is disabled in the Namespace of the Pod. Run this command to check the istio-injection label:

    Click to copy
    kubectl get namespaces {NAMESPACE} -o jsonpath='{ .metadata.labels.istio-injection }'

    If the command returns disabled the sidecar injection is disabled in this Namespace. To add a sidecar to the Pod, move the Pod's deployment to a Namespace that has sidecar injection enabled, or remove the label from the Namespace and restart the Pod.

    WARNING: Removing the istio-injection=disabled label from Namespace results in injecting sidecars to all Pods inside of the Namespace.

  2. Check if sidecar injection is disabled in the Pod's Deployment:

    Click to copy
    kubectl get deployments {DEPLOYMENT_NAME} -n {NAMESPACE} -o jsonpath='{ .spec.template.metadata.annotations }'

    Sidecar injection is disabled if the output contains the sidecar.istio.io/inject:false line. Delete the label and restart the Pod to enable sidecar injection for the Deployment.

  3. Make sure that the Istio sidecar injector is running:

    Click to copy
    kubectl describe pod -n istio-system -l app=sidecarInjectorWebhook
  4. Make sure that the Istio sidecar injector can communicate with the Kubernetes API server. Search logs for any connectivity issues. Run this command to get the logs:

    Click to copy
    kubectl logs -n istio-system -l app=sidecarInjectorWebhook

For more information, read this document or follow the Istio documentation.