Important system models impact your overall Istio deployment model. This page discusses the options for each of these models and describes how you can configure Istio to address them.
The workload instances of your application run in one or more clusters. For isolation, performance, and high availability, you can confine clusters to availability zones and regions.
Production systems, depending on their requirements, can run across multiple clusters spanning a number of zones or regions, leveraging cloud load balancers to handle things like locality and zonal or regional fail over.
In most cases, clusters represent boundaries for configuration and endpoint discovery. For example, each Kubernetes cluster has an API Server which manages the configuration for the cluster as well as serving service endpoint information as pods are brought up or down. Since Kubernetes configures this behavior on a per-cluster basis, this approach helps limit the potential problems caused by incorrect configurations.
In Istio, you can configure a single service mesh to span any number of clusters.
In the simplest case, you can confine an Istio mesh to a single cluster. A cluster usually operates over a single network, but it varies between infrastructure providers. A single cluster and single network model includes a control plane, which results in the simplest Istio deployment.
Single cluster deployments offer simplicity, but lack other features, for example, fault isolation and fail over. If you need higher availability, you should use multiple clusters.
You can configure a single mesh to include multiple clusters. Using a multi-cluster deployment within a single mesh affords the following capabilities beyond that of a single cluster deployment:
- Fault isolation and fail over:
cluster-1goes down, fail over to
- Location-aware routing and fail over: Send requests to the nearest service.
- Various control plane models: Support different levels of availability.
- Team or project isolation: Each team runs its own set of clusters.
Multi-cluster deployments give you a greater degree of isolation and availability but increase complexity. If your systems have high availability requirements, you likely need clusters across multiple zones and regions. You can canary configuration changes or new binary releases in a single cluster, where the configuration changes only affect a small amount of user traffic. Additionally, if a cluster has a problem, you can temporarily route traffic to nearby clusters until you address the issue.
You can configure inter-cluster communication based on the network and the options supported by your cloud provider. For example, if two clusters reside on the same underlying network, you can enable cross-cluster communication by simply configuring firewall rules.
Many production systems require multiple networks or subnets for isolation and high availability. Istio supports spanning a service mesh over a variety of network topologies. This approach allows you to select the network model that fits your existing network topology.
In the simplest case, a service mesh operates over a single fully connected network. In a single network model, all workload instances can reach each other directly without an Istio gateway.
A single network allows Istio to configure service consumers in a uniform way across the mesh with the ability to directly address workload instances.
You can span a single service mesh across multiple networks; such a configuration is known as multi-network.
Multiple networks afford the following capabilities beyond that of single networks:
- Overlapping IP or VIP ranges for service endpoints
- Crossing of administrative boundaries
- Fault tolerance
- Scaling of network addresses
- Compliance with standards that require network segmentation
In this model, the workload instances in different networks can only reach each other through one or more Istio gateways. Istio uses partitioned service discovery to provide consumers a different view of service endpoints. The view depends on the network of the consumers.
Control plane models
An Istio mesh uses the control plane to configure all communication between workload instances within the mesh. You can replicate the control plane, and workload instances connect to any control plane instance to get their configuration.
In the simplest case, you can run your mesh with a control plane on a single cluster.
Multi-cluster deployments can also share control plane instances. In this case, the control plane instances can reside in one or more clusters.
For high availability, you should deploy a control plane across multiple clusters, zones, or regions.
This model affords the following benefits:
Improved availability: If a control plane becomes unavailable, the scope of the outage is limited to only that control plane.
Configuration isolation: You can make configuration changes in one cluster, zone, or region without impacting others.
You can improve control plane availability through fail over. When a control plane instance becomes unavailable, workload instances can connect to another available control plane instance. Fail over can happen across clusters, zones, or regions.
The following list ranks control plane deployment examples by availability:
- One cluster per region (lowest availability)
- Multiple clusters per region
- One cluster per zone
- Multiple clusters per zone
- Each cluster (highest availability)
Identity and trust models
When a workload instance is created within a service mesh, Istio assigns the workload an identity.
The Certificate Authority (CA) creates and signs the certificates used to verify the identities used within the mesh. You can verify the identity of the message sender with the public key of the CA that created and signed the certificate for that identity. A trust bundle is the set of all CA public keys used by an Istio mesh. With a mesh's trust bundle, anyone can verify the sender of any message coming from that mesh.
Trust within a mesh
Within a single Istio mesh, Istio ensures each workload instance has an appropriate certificate representing its own identity, and the trust bundle necessary to recognize all identities within the mesh and any federated meshes. The CA only creates and signs the certificates for those identities. This model allows workload instances in the mesh to authenticate each other when communicating.
Trust between meshes
If a service in a mesh requires a service in another, you must federate identity and trust between the two meshes. To federate identity and trust, you must exchange the trust bundles of the meshes. You can exchange the trust bundles either manually or automatically using a protocol such as SPIFFE Trust Domain Federation. Once you import a trust bundle to a mesh, you can configure local policies for those identities.
Istio supports having all of your services in a mesh, or federating multiple meshes together, which is also known as multi-mesh.
The simplest Istio deployment is a single mesh. Within a mesh, service names are
unique. For example, only one service can have the name
mysvc in the
namespace. Additionally, workload instances share a common identity since
service account names are unique within a namespace, just like service names.
Multiple mesh deployments result from mesh federation.
Multiple meshes afford the following capabilities beyond that of a single mesh:
- Organizational boundaries: lines of business
- Service name or namespace reuse: multiple distinct uses of the
- Stronger isolation: isolating test workloads from production workloads
You can enable inter-mesh communication with mesh federation. When federating, each mesh can expose a set of services and identities, which all participating meshes can recognize.
To avoid service naming collisions, you can give each mesh a globally unique mesh ID, to ensure that the fully qualified domain name (FQDN) for each service is distinct.
When federating two meshes that do not share the same trust domain, you must federate identity and trust bundles between them. See the section on Multiple Trust Domains for an overview.
In Istio, a tenant is a group of users that share common access and privileges to a set of deployed workloads. Generally, you isolate the workload instances from multiple tenants from each other through network configuration and policies.
You can configure tenancy models to satisfy the following organizational requirements for isolation:
Istio supports two types of tenancy models:
Istio uses namespaces as a unit of tenancy within a mesh. Istio also works in environments that don't implement namespace tenancy. In environments that do, you can grant a team permission to deploy their workloads only to a given namespace or set of namespaces. By default, services from multiple tenant namespaces can communicate with each other.
To improve isolation, you can selectively choose which services to expose to other namespaces. You can configure authorization policies for exposed services to restrict access to only the appropriate callers.
When using multiple clusters, the namespaces in each
cluster sharing the same name are considered the same namespace. For example,
Service B in the
foo namespace of
Service B in the
foo namespace of
cluster-2 refer to the same service, and Istio merges their
endpoints for service discovery and load balancing.
Istio supports using clusters as a unit of tenancy. In this case, you can give each team a dedicated cluster or set of clusters to deploy their workloads. Permissions for a cluster are usually limited to the members of the team that owns it. You can set various roles for finer grained control, for example:
- Cluster administrator
To use cluster tenancy with Istio, you configure each cluster as an independent mesh. Alternatively, you can use Istio to implement a group of clusters as a single tenant. Then, each team can own one or more clusters, but you configure all their clusters as a single mesh. To connect the meshes of the various teams together, you can federate the meshes into a multi-mesh deployment.
Since a different team or organization operates each mesh, service naming
is rarely distinct. For example, the
mysvc in the
foo namespace of
cluster-1 and the
mysvc service in the
foo namespace of
cluster-2 do not refer to the same service. The most common example is the
scenario in Kubernetes where many teams deploy their workloads to the
When each team has their own mesh, cross-mesh communication follows the concepts described in the multiple meshes model.