K
Q

Is there a way to isolate deployments in Istio service mesh?

5/24/2020

I am trying to learn about the microservice architecture and different microservices interacting with each other. I have written a simple microservice based web app and had a doubt regarding it. If a service has multiple versions running, load balancing is easily managed by the envoy siedcar in Istio. My question is that in case there is some vulnerability detected in one of the versions, is there a way to isolate the pod from receiving any more traffic.

We can manually do this with the help of a virtual service and the appropriate routing rule. But can it be dynamically performed based on some trigger event?

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: VirtualServiceName
spec:
  hosts:
    - SomeHost
  http:
  - route:
    - destination:
        host: SomeHost
        subset: v1
      weight: 0
    - destination:
        host: SomeHost
        subset: v2
      weight: 100

Any help is appreciated

-- gandelf_
istio
kubernetes
microservices

Similar Questions

How to fix ZuulException: Forwarding Error
redis-cluster on kubernetes: connection timed out
Openshift zero downtime deployment react + rest api
How to fix: pods "" is forbidden: User "system:anonymous" cannot watch resource "pods" in API group "" in the namespace "default"

1 Answer

5/26/2020

According to istio documentation you can configure failover with LocalityLoadBalancerSetting.

If the goal of the operator is not to distribute load across zones and regions but rather to restrict the regionality of failover to meet other operational requirements an operator can set a ‘failover’ policy instead of a ‘distribute’ policy.

The following example sets up a locality failover policy for regions. Assume a service resides in zones within us-east, us-west & eu-west this example specifies that when endpoints within us-east become unhealthy traffic should failover to endpoints in any zone or sub-zone within eu-west and similarly us-west should failover to us-east.

 failover:
   - from: us-east
     to: eu-west
   - from: us-west
     to: us-east

Failover requires outlier detection to be in place for it to work.

But it's rather for regions/zones not pods.

If it's about pods you could take a look at this istio documentation

While Istio failure recovery features improve the reliability and availability of services in the mesh, applications must handle the failure or errors and take appropriate fallback actions. For example, when all instances in a load balancing pool have failed, Envoy returns an HTTP 503 code. The application must implement any fallback logic needed to handle the HTTP 503 error code..

And take a look at this and this github issues.

During HTTP health checking Envoy will send an HTTP request to the upstream host. By default, it expects a 200 response if the host is healthy. Expected response codes are configurable. The upstream host can return 503 if it wants to immediately notify downstream hosts to no longer forward traffic to it.

I hope you find this useful.

-- jt97
Source: StackOverflow