Service Mesh

Overview

Kyma Service Mesh is the component responsible for service-to-service communication, proxying, service discovery, traceability, and security. Kyma Service Mesh is based on the Istio open platform. The main principle of Kyma Service Mesh operation is injecting the Pods of every service with Envoy, a sidecar proxy that intercepts the communication between the services and regulates it by applying and enforcing the rules you create. Kyma Dex, which is also a part of the Service Mesh, allows you to integrate any OpenID Connect-compliant identity provider or a SAML2-based enterprise authentication server with your solution.

See this Istio diagram to understand the relationship between the Istio components and Services.

Sidecar Proxy Injection

By default, the Istio Sidecar Injector watches all Pod creation operations in all Namespaces, but it does not inject the newly created Pods with a sidecar proxy.

To enable the sidecar proxy injection, set the istio-injection label to enabled on the Namespace in which you want sidecars injected. Use this command:

kubectl label namespace {YOUR_NAMESPACE} istio-injection=enabled

With the sidecar proxy injection enabled for the Namespace, you can inject the sidecar into the Pods of a selected Deployment in that Namespace. Add this annotation to the Deployment configuration file:

sidecar.istio.io/inject: "true"

Read the Installing the Istio Sidecar document to learn more about sidecar proxy injection.
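The following manifest is an added example, not part of the Kyma documentation or the Kyma project's own resources: it combines both steps above, a Namespace carrying the istio-injection label and a Deployment carrying the sidecar.istio.io/inject annotation, so that the Pods of that Deployment start with an Envoy sidecar. The Namespace name, Deployment name, and container image are constructed placeholders. Note that the annotation goes on the Pod template (spec.template.metadata.annotations), because the injector webhook acts on Pod creation and never sees the Deployment object itself.

```yaml
# Added example (not from the Kyma docs). All names and the image are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: demo
  labels:
    # Equivalent to: kubectl label namespace demo istio-injection=enabled
    istio-injection: enabled
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-app
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-app
  template:
    metadata:
      labels:
        app: hello-app
      annotations:
        # Must be on the Pod template, not on the Deployment metadata:
        # the Sidecar Injector mutates Pods at creation time.
        sidecar.istio.io/inject: "true"
    spec:
      containers:
        - name: hello-app
          image: registry.example.com/hello-app:1.0   # placeholder image
          ports:
            - containerPort: 8080
```

After `kubectl apply -f` on this file, `kubectl get pod -n demo -o jsonpath='{.items[*].spec.containers[*].name}'` should list both `hello-app` and `istio-proxy`. If `istio-proxy` is missing, check that the Namespace label was present before the Pod was created; the injector only acts on Pod creation, so Pods that already existed when the label was added must be recreated. Because the annotation is evaluated per Pod, setting it to "false" on a specific workload excludes that workload from injection even in a labelled Namespace, which is the usual way to keep a Pod outside the mesh, and therefore outside the rules the sidecar enforces.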

Istio patch

As a core component, Istio installs with every Kyma deployment by default. The installation consists of two steps:

  1. Istio is installed from the official, raw charts of the currently supported release. The charts currently used are stored in the resources/istio directory. The installation is customized by enabling security in Istio.

NOTE: Every installation of Istio for Kyma must have security enabled.

  2. A custom Istio patch is applied to further customize the Istio installation. A Kubernetes job introduces these changes:
    • Sets a memory limit for every sidecar.
    • Modifies Istio components to use Zipkin in the kyma-system Namespace instead of the default istio-system.
    • Adds a webhook to the Istio Pilot.
    • Creates a TLS certificate for the Ingress Gateway.
    • Deletes all resources related to the prometheus, tracing, grafana, and servicegraph charts.

To learn more about the custom Istio patch applied in Kyma, see the components/istio-kyma-patch/ directory.

Use an existing Istio installation with Kyma

You can use an existing installation of Istio running on Kubernetes with Kyma. The custom Istio patch is still applied to such an installation.

NOTE: You cannot skip applying the Istio patch in the Kyma installation process.

To use an existing Istio installation, you must install Kyma without Istio. Read the Installation with custom Istio deployment document in the Kyma topic for more details.