Istio
Please make sure the Speedscale Operator is installed before configuring Istio support.
Istio is a service mesh offering that modifies a cluster to provide, among other things, traffic and network management.
External Networking Requirements
Speedscale pods in the speedscale namespace, as well as the generator and responder pods that are deployed during traffic replays, require external internet access. If your Istio installation is configured with an outbound traffic policy of REGISTRY_ONLY rather than ALLOW_ANY, meaning that only hosts registered in the mesh's service registry can be reached from within the cluster (see OutboundTrafficPolicy), you will need to configure ServiceEntry resources that allow the following MESH_EXTERNAL access:
Host | Protocol | Direction |
---|---|---|
app.speedscale.com | HTTPS | Outbound |
downloads.speedscale.com | HTTPS | Outbound |
firehose.us-east-1.amazonaws.com | HTTPS | Outbound |
sqs.us-east-1.amazonaws.com | HTTPS | Outbound |
sns.us-east-1.amazonaws.com | HTTPS | Outbound |
s3.us-east-1.amazonaws.com | HTTPS | Outbound |
*.s3.us-east-1.amazonaws.com | HTTPS | Outbound |
sts.amazonaws.com | HTTPS | Outbound |
sts.us-east-1.amazonaws.com | HTTPS | Outbound |
monitoring.us-east-1.amazonaws.com | HTTPS | Outbound |
gcr.io | HTTPS | Outbound |
speedscale.github.io | HTTPS | Outbound |
These hosts are subject to change, so allow them by hostname (validated by TLS) rather than by IP address. If you require a list of IPs, they can be programmatically accessed as shown here for AWS and here for GCR.
For example, covering the Speedscale and AWS hosts from the table (the remaining hosts, such as monitoring.us-east-1.amazonaws.com, gcr.io and speedscale.github.io, need the same treatment):

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: speedscale-external-svc-https
  namespace: speedscale
spec:
  hosts:
  - app.speedscale.com
  - downloads.speedscale.com
  - firehose.us-east-1.amazonaws.com
  - sqs.us-east-1.amazonaws.com
  - sns.us-east-1.amazonaws.com
  - s3.us-east-1.amazonaws.com
  - "*.s3.us-east-1.amazonaws.com"
  - sts.amazonaws.com
  - sts.us-east-1.amazonaws.com
  location: MESH_EXTERNAL
  ports:
  - name: https
    number: 443
    protocol: TLS
  resolution: NONE
```
Speedscale Sidecar Configuration
Istio makes use of a transparent proxy known as Envoy, which is added as a sidecar to workloads that reside within the mesh. This sidecar, much like Speedscale's, modifies iptables rules in order to intercept traffic without any modification to the user's application.
No additional configuration is required to add the Speedscale sidecar to workloads that reside within an Istio mesh.
The Speedscale operator intelligently determines when Istio is present and configures workloads accordingly so that both transparent proxies operate in tandem. In addition, the Speedscale operator and sidecar are configured in such a way that they preserve the ability to use Istio mesh features such as mTLS.
If your Istio installation is configured to use the Istio CNI agent, you must add the following annotation to your workloads to maintain compatibility:

```yaml
sidecar.speedscale.com/istio-cni: "true"
```
Follow the installation guide to install the Speedscale sidecar on your Istio workloads.
Allow Egress Speedscale Traffic (Optional)
If your Istio installation uses Sidecar resources to restrict which egress traffic is allowed, you may need to add the speedscale namespace to the Sidecar's egress configuration. This step is not necessary if you have no custom Sidecar configuration. Here is an example from the Istio docs:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: prod-us1
spec:
  egress:
  - hosts:
    - "speedscale/*"
```
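The following script is an added example, not part of this page or of Speedscale's own tooling. It checks offline that a set of Istio objects (modelled on what `kubectl get serviceentry,sidecar -A -o json` returns; the sample here is constructed, not captured) covers both requirements above: every host in the requirements table is matched by a MESH_EXTERNAL ServiceEntry exposing 443 as TLS or HTTPS, and the Sidecar for a given namespace permits egress to the speedscale namespace. It then emits a ServiceEntry manifest for any hosts still missing. The names `REQUIRED_HOSTS`, `SAMPLE_OBJECTS`, `host_covered`, `missing_hosts`, `sidecar_allows_speedscale` and `build_service_entry` are the example's own, and treating a leading `*.` as a suffix wildcard over one or more DNS labels is an assumption about Istio host matching.

```python
"""Offline check that an Istio configuration covers Speedscale's egress needs.

Objects mirror `kubectl get serviceentry,sidecar -A -o json` (fields used here
only); SAMPLE_OBJECTS below is constructed from the manifests on this page.
"""
import json

# Hosts from the requirements table on this page.
REQUIRED_HOSTS = [
    "app.speedscale.com", "downloads.speedscale.com",
    "firehose.us-east-1.amazonaws.com", "sqs.us-east-1.amazonaws.com",
    "sns.us-east-1.amazonaws.com", "s3.us-east-1.amazonaws.com",
    "*.s3.us-east-1.amazonaws.com", "sts.amazonaws.com",
    "sts.us-east-1.amazonaws.com", "monitoring.us-east-1.amazonaws.com",
    "gcr.io", "speedscale.github.io",
]


def host_covered(pattern, host):
    """Does ServiceEntry host `pattern` cover `host`?

    Assumption: a leading '*.' is a suffix wildcard over one or more labels, so
    '*.amazonaws.com' covers 'sqs.us-east-1.amazonaws.com' and the required
    wildcard '*.s3.us-east-1.amazonaws.com'. An exact host matches only itself,
    so 's3.us-east-1.amazonaws.com' does NOT cover '*.s3.us-east-1.amazonaws.com'.
    """
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host == pattern or host.endswith(pattern[1:])
    return pattern == host


def external_https_hosts(objs):
    """Hosts of MESH_EXTERNAL ServiceEntries that expose port 443 as TLS/HTTPS."""
    hosts = []
    for obj in objs:
        spec = obj.get("spec", {})
        if obj.get("kind") != "ServiceEntry" or spec.get("location") != "MESH_EXTERNAL":
            continue
        if any(p.get("number") == 443 and str(p.get("protocol", "")).upper() in ("TLS", "HTTPS")
               for p in spec.get("ports", [])):
            hosts.extend(spec.get("hosts", []))
    return hosts


def missing_hosts(objs, required=REQUIRED_HOSTS):
    """Required hosts no qualifying ServiceEntry covers, in table order."""
    patterns = external_https_hosts(objs)
    return [h for h in required if not any(host_covered(p, h) for p in patterns)]


def sidecar_allows_speedscale(objs, namespace):
    """True if egress from `namespace` may reach the speedscale namespace.

    Simplification: only namespace-wide Sidecar resources are considered
    (workloadSelector scoping is ignored). No Sidecar means Istio's default
    of every namespace being reachable applies.
    """
    sidecars = [o for o in objs if o.get("kind") == "Sidecar"
                and o.get("metadata", {}).get("namespace") == namespace]
    if not sidecars:
        return True
    for sc in sidecars:
        for egress in sc.get("spec", {}).get("egress", []):
            if any(h.partition("/")[0] in ("speedscale", "*") for h in egress.get("hosts", [])):
                return True
    return False


def build_service_entry(name, namespace, hosts):
    """ServiceEntry manifest as a dict (kubectl accepts JSON) for extra hosts."""
    return {
        "apiVersion": "networking.istio.io/v1alpha3",
        "kind": "ServiceEntry",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"hosts": list(hosts), "location": "MESH_EXTERNAL",
                 "ports": [{"name": "https", "number": 443, "protocol": "TLS"}],
                 "resolution": "NONE"},
    }


# Constructed sample: the ServiceEntry and Sidecar shown on this page.
SAMPLE_OBJECTS = [
    build_service_entry("speedscale-external-svc-https", "speedscale", REQUIRED_HOSTS[:9]),
    {"apiVersion": "networking.istio.io/v1beta1", "kind": "Sidecar",
     "metadata": {"name": "default", "namespace": "prod-us1"},
     "spec": {"egress": [{"hosts": ["speedscale/*"]}]}},
]

if __name__ == "__main__":
    gaps = missing_hosts(SAMPLE_OBJECTS)
    print("uncovered hosts:", gaps)
    print("prod-us1 egress to speedscale:", sidecar_allows_speedscale(SAMPLE_OBJECTS, "prod-us1"))
    if gaps:  # manifest for the gaps; pipe to `kubectl apply -f -`
        print(json.dumps(build_service_entry("speedscale-external-extra", "speedscale", gaps), indent=2))
```

Run against the page's own example the check reports monitoring.us-east-1.amazonaws.com, gcr.io and speedscale.github.io as uncovered, which is exactly why the manifest above should not be applied verbatim under REGISTRY_ONLY. To use it on a live cluster, replace `SAMPLE_OBJECTS` with the `items` list from `kubectl get serviceentry,sidecar -A -o json`.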
Ensure VirtualService Contains Host (Optional)
If your service is accessible both outside and inside the cluster, make sure the Istio VirtualService contains the same host. See the Istio documentation for more information.
Get In Touch
Istio allows for numerous different networking configuration options that can become difficult to navigate. Please be sure to consult the Istio documentation or reach out to Speedscale directly for more information or assistance.