Tetrate Archives

eBPF and Sidecars – Getting the Most Performance and Resiliency out of the Service Mesh

If you’ve been watching the service mesh space recently, you’ll have noticed a lot of talk about eBPF and “sidecar-less” meshes. In fact, there’s been so much talk about these things that I’m hoping for a lot of readers for this blog post, just because I’ve got all of it in the title!

But what actually are “sidecar-less” service meshes? How do they work? And do they solve the problems we’ve been told they do, namely improving performance and reducing resource usage? In this post I’ll explain what these two technologies are, what they can and can’t do for the mesh, and how they do — and do not — work together.

Envoy Proxy & GetEnvoy, Istio, Tetrate

How Tetrate Service Bridge Workspaces Ease Service Mesh Implementation

“All problems in computer science can be solved by another level of indirection.” – David Wheeler

Service mesh is an architectural construct designed to ease software development and delivery in a microservices environment. Making service mesh work at scale requires some new thinking and the introduction of a few new abstractions.

Here at Tetrate, we have been working on service mesh – its opportunities and its challenges – as long as anyone around. This work is based on our founders’ and key employees’ existing and ongoing roles as founders and maintainers of the open source projects that are most widely used in service mesh implementations: the Envoy proxy, Istio service mesh software, and the Skywalking observability project.

To complement the open source projects, and to create a complete solution, we created Tetrate Service Bridge (TSB). TSB adds a highly functional management plane to service mesh implementations, collaborating with Istio as the control plane and Envoy as the data proxy.

FIPS Certification, Istio Distro, Tetrate

Tetrate Istio Distro Achieves FIPS Certification

Tetrate has achieved a unique milestone with an Istio distribution that has been verified to meet US Federal Information Processing Standard (FIPS) 140-2; in short, this distribution is FIPS 140-2 verified. You can access this distribution now from Tetrate (see tetratefips-v0) and can also consider Tetrate Istio Subscription, which includes support for this new distribution. This verified distribution is also included in the US Government’s Iron Bank repository for verified software.

This FIPS-verified distribution is a specific build of the open source Istio project, the leading software platform for delivering service mesh architectures for use in developing and delivering cloud-native software. Istio is widely used with three other open source projects: Kubernetes container orchestration software, Envoy as a sidecar proxy, and Skywalking for observability. (Istio uses the Envoy proxy for its data plane, with Istio itself serving as the control plane.)

Istio, Security, Tetrate

Tetrate First to Provide Hardened Istio to DoD’s Iron Bank

Game of Thrones fans know the Iron Bank as a lender to governments, businesses, and individuals across the known world. But Iron Bank is also the repository for digitally signed container images that are accredited for use across the US Department of Defense. Iron Bank software is accessible to anyone who registers on the Iron Bank repository.

Iron Bank software must comply with relevant Federal Information Processing Standards (FIPS). Now, a FIPS-compliant version of Istio, provided and supported by Tetrate, has been accepted by the DoD and added to Iron Bank. This version of Istio is supported by the Tetrate support service, Tetrate Istio Subscription. Istio is now easily available for rapid deployment across the DoD and beyond.

The DoD is the largest organization in the world, by headcount (more than 2 million employees, civilian and military) and by budget (more than $700B per year.) About 100,000 of those 2 million employees are involved in software development and delivery. So the use of service mesh and Istio, along with Zarf (see below) and disconnected systems, by the DoD will have a large impact across the US government and beyond.

Tetrate

Tetrate Adds Istio and Envoy Support for Arm Neoverse

Arm and Tetrate strengthen the responsiveness of Istio service mesh with integrated hardware and software for high performance computing and cloud-to-edge workloads

Tetrate, founded by creators and maintainers of Istio and Envoy, today announced that Istio service mesh and Envoy proxy now support the Arm® Neoverse™ platform. Arm is the leading technology provider of processor IP and its designs have enabled more than 215 billion chips. Neoverse support enables widely used open source software projects to run faster, with less energy usage and lower total cost of ownership.

mTLS, Security, Tetrate, Tetrate Service Bridge

Securing Microservices across Clouds Using Tetrate Service Bridge

Introduction

Today, digital transformation is a well-established priority for almost all organizations across industries. With digital transformation, which includes adopting cloud, microservices, and container technologies, C-Suite leaders intend to deliver services faster and on demand.

Envoy Proxy & GetEnvoy, Istio, Service Mesh, Tetrate, Wasm

NIST-Tetrate 2022 Conference Talks: NIST Standards for Service Mesh

At the joint NIST-Tetrate conference this year on ZTA and DevSecOps for Cloud Native Applications, Tetrate founding engineer Zack Butcher offered a deep dive into new publications in the NIST SP 800-204 series that sets the standards on security for the use of microservices architecture for the US Government. In this article, we’ll provide a brief overview of Zack’s talk, with a link to a full recording for all the details.

Istio, Open Source, Tetrate

The arm64 Processor Is Now Supported in Istio 1.15

Istio is one of the three core technologies in the container-based cloud native stack. The other two are Kubernetes and Knative, and both of them already support the arm64 architecture. Envoy, Istio’s data plane has supported arm64 as early as version 1.16 (October 2020 ). With the release of Istio 1.15, the control plane supports arm64 as well. You don’t need to build the arm image manually, it works out of the box.

Tetrate

NIST SP 800-207: Laying the Groundwork for Zero Trust Architecture

Background

Since the first animal took a bite out of its neighbor, security concerns have driven an ever-escalating evolution of threat and defense. The evolutionary call and response between threat actors and defenders is punctuated by periods of rapid change between periods of stasis.

We are now in such a period of rapid change. The current security landscape presents us with twin competing challenges: cyber attacks have rapidly increased in scale and sophistication while, at the same time, modern, cloud-native architectures have outgrown traditional network security practices.

In an effort to modernize the security posture of federal agencies and private industry to meet these new challenges, the US government has endorsed zero trust network architecture as a way forward. The National Institute of Standards and Technology (NIST), the body tasked with defining the standards and deployment recommendations for zero trust in the enterprise, has authored a series of special publications to do just that.

In this article, the first of two on NIST zero trust standards, we’ll review NIST’s cornerstone paper, SP 800-207: Zero Trust Architecture, which defines the tenets of zero trust network security and offers recommendations for how to adopt it in your organization.

Envoy Proxy & GetEnvoy, Tetrate

Designing Traffic Flow via Tier-1 and Tier-2 Ingress Gateways

Introduction

Tetrate’s application connectivity platform, Tetrate Service Bridge (TSB), offers two gateway types, called Tier-1 and Tier-2, that are both based on Envoy and help to achieve different goals. Let’s explore how each type of gateway functions, and when to choose one gateway type versus another.