
GP asked about Service objects though. k8s natively provides name resolution, traffic routing and load balancing to your defined service objects. So what does Envoy do for me that k8s does not do itself?



More protocol support, retries, rate-limits, circuit-breakers, traffic mirroring, better load-balancing, faster proxy performance, complex routing, fine-grained security policies with pluggable authentication, and in-depth monitoring with integrated tracing.

Smaller clusters or services don't need it. The docs overview page is worth a read: https://istio.io/docs/concepts/what-is-istio/


Thanks! I was wondering if mesh effectively replaces services and why, and you've answered that.


Things like layer 7 control: you can say "don't allow HTTP GET on /supersecret". Also, Istio is gRPC aware.
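The "don't allow HTTP GET on /supersecret" rule above, written out as an Istio AuthorizationPolicy. This is an added example, not the commenter's configuration or anything from the Istio docs: it assumes Istio's security.istio.io/v1beta1 AuthorizationPolicy API, and the workload label app: backend and the namespace default are hypothetical placeholders.

```yaml
# Added example (not from the original thread). Assumes the
# security.istio.io/v1beta1 API; "app: backend" and "default" are
# placeholders for the workload and namespace you actually run.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-get-supersecret
  namespace: default
spec:
  # Applies to the sidecars of pods carrying this label; omit the
  # selector to apply to every workload in the namespace.
  selector:
    matchLabels:
      app: backend
  action: DENY
  rules:
  - to:
    - operation:
        methods: ["GET"]
        # Exact match. Use "/supersecret*" if sub-paths such as
        # "/supersecret/" must be covered as well.
        paths: ["/supersecret"]
```

Two practitioner caveats. A DENY rule matched on a literal path is only as good as the proxy's path normalization, so a deny-list like this should be treated as a belt-and-braces layer on top of a default-deny policy that ALLOWs the routes the workload actually needs, rather than as the primary control. And since the enforcement point is the sidecar, the rule is only applied to traffic that actually traverses it; a pod without the sidecar injected, or a caller that reaches the pod IP directly outside the mesh, is not covered.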


This brings about a major problem with centralized route management, though, in that you then must build all of your access controls around URLs rather than deeper business logic.

Istio offers much more, but as far as anything but coarse-grained "this service will never need to talk to this other service" access control, I'd still much rather write the logic in the code where it has access to a lot more domain knowledge.


If you want just simple layer 4 ACLs among the services, I recommend just using NetworkPolicies[1] of k8s.

Personally, I think that Istio is overly complex but then so is k8s :)

[1] https://kubernetes.io/docs/concepts/services-networking/netw...



