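If you are building and operating a microservices architecture at scale and have already adopted Kubernetes, using a service mesh to manage all cross-cutting aspects of the architecture should be a default choice. Among the many service mesh implementations, Istio is the most mainstream. It has a rich feature set, including service discovery, traffic management, service-to-service and origin-to-service security, observability (including telemetry and distributed tracing), rolling releases and resiliency mechanisms. Its latest releases are easy to install and provide a control panel architecture, which has improved the user experience. Although we acknowledge that maintaining your own Istio and Kubernetes instances requires not only sufficient knowledge but also a certain amount of internal resources, and may not suit teams that lack that capability, in many of our projects Istio has indeed lowered the bar to implementing large-scale microservices while preserving operational quality.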
Istio is becoming the de facto infrastructure to operationalize a microservices ecosystem. Its out-of-the-box implementation of cross-cutting concerns — such as service discovery, service-to-service and origin-to-service security, observability (including telemetry and distributed tracing), rolling releases and resiliency — has been bootstrapping our microservices implementations very quickly. It's the main implementation of the service mesh technique we've been using. We've been enjoying its monthly releases and its continuous improvements with seamless upgrades. We use Istio to bootstrap our projects, starting with observability (tracing and telemetry) and service-to-service security. We're closely watching its improvements to service-to-service authentication everywhere in and outside of the mesh. We'd also like to see Istio establish best practices for configuration files to strike a balance between giving autonomy to service developers and control to the service mesh operators.
When building and operating a microservices ecosystem, one of the early questions to answer is how to implement cross-cutting concerns such as service discovery, service-to-service and origin-to-service security, observability (including telemetry and distributed tracing), rolling releases and resiliency. Over the last couple of years, our default answer to this question has been using a service mesh technique. A service mesh offers the implementation of these cross-cutting capabilities as an infrastructure layer that is configured as code. The policy configurations can be consistently applied to the whole ecosystem of microservices and enforced both on traffic entering and leaving the mesh (via the mesh proxy as a gateway) and on the traffic at each service (via the same mesh proxy as a sidecar container). While we're keeping a close eye on the progress of different open source service mesh projects such as Linkerd, we've successfully used Istio in production with a surprisingly easy-to-configure operating model.