Today, I am happy to share that the Istio project is announcing its intention to join the Cloud Native Computing Foundation (CNCF). I am very excited about this next step for the Istio project, as it will further Tetrate’s mission, which is also my personal mission: to make Istio the industry-standard project for service mesh.
My cofounders and I created Tetrate for this cause, and I have been dedicated to it since we conceived of the idea of Istio five years ago in the corridors at Google. Since a large number of organizations rely on Istio as infrastructure for their cloud native journey, CNCF is a natural home for the project to co-exist alongside other CNCF projects such as Kubernetes, Envoy, gRPC, and more.
In particular, having Istio in CNCF makes it easier to advance the development of Istio and Envoy in tandem. It also helps position Istio, along with Envoy, as part of a CNCF-validated “cloud native stack.” According to CNCF’s annual survey, Istio is by far the most popular and most-used service mesh in production. There are more than 20 different companies driving the Istio community, and this announcement sets the stage for continued innovation and growth under the stewardship of CNCF.
2016: Birth of the Idea
I would like to take this opportunity to explain the genesis of Istio. Istio came from the API platform team at Google, called One Platform. (Today, ironically, Istio is part of the US Government project Platform One, which uses Tetrate products and services.) One Platform leveraged all the infrastructure goodness Google had (Stubby, Monarch, LOAS, etc.), added an initial service management experience on top, and exposed it all to application teams.
Each team would write their protos and methods and define their “One Platform APIs.” Once agreed with the API platform team, teams were freed from having to take care of any of the cross-cutting concerns, because Istio handled those services: traffic management, resiliency, observability (using pre-built dashboards per service with consistent nouns), authn, authz, rate limiting, etc.
The idea for Istio came from this; we essentially took the idea of One Platform, added Envoy to it (as a better data plane), and combined it with the LOAS service identity concept (what the world knows as SPIFFE today). We took the idea to 12 companies and they all loved it. These included web-scale companies, financial services companies, and technology companies – in particular, SaaS providers.
2017: Forming the Core
The project was first announced at Gluecon in May 2017. Istio 0.1 showcased the potential of Istio and resulted in a ton of excitement and buzz.
2018-19: Making Core Stable and Adding Capabilities
The next two years involved gathering customer requirements, internalizing usage feedback, and stabilizing core features. In addition, we made some key architectural decisions, such as defining multi-cluster models and re-architecting the code into a single binary for ease of use.
2020: Staying Together as One Community
As the adoption of Istio and the ecosystem of users grew, there were growing concerns around governance and trademark protection. However, as alluded to in our post here, staying together as one community was key to the success of the project. I am proud to say that Istio did just that. The move today towards joining CNCF is another step in growing the community and building trust with end users.
2021: Advancing in Wasm and Other Areas
There was growing interest in onboarding other infrastructure such as virtual machines, functions, and bare metal workloads, as well as in customization with technologies like Wasm, and in exposing other features as native APIs so users would not have to muck with Envoy filters directly. 2021 saw the build and rollout of some of these.
“Varun Talwar is one of the founders of the project and has always believed that Istio is a critical part of the cloud-native ecosystem. Today’s announcement validates his vision for the project and I want to thank Tetrate for being a strong advocate for Istio and our community.”
– Louis Ryan
Istio Co-founder and Engineering Lead, Google
Foundation of Zero Trust
There has been a lot of discussion on the topic of zero trust, but little clarity. As Eric Brewer mentions today in his keynote at IstioCon, Istio is becoming an essential component of zero trust. The mainstay of that is identity-oriented controls instead of network-oriented controls. The core tenets of this are laid out in the Google whitepaper BeyondProd: A New Approach to Cloud Native Security.
However, there is more to do here as an industry. We need to ensure that we can bring in application users as well as data services. If we can extend the identity concept to users, and provide flexible and rich policy mechanisms for us to specify, monitor and track access controls, we can get to an operable zero trust fabric – a fabric which unifies users, services, and data into one management layer. I mention this in my 2020 keynote for the National Institute of Standards and Technology (NIST) around Trusting Cloud Native Applications here as well. That is why we here at Tetrate have created Tetrate Service Bridge – a management plane which can make this operable for large organizations.
Tetrate Service Bridge is based on:
- Identity for Users, Services, and Data: Each has a cryptographic identity which forms the backbone of all policies.
- Policy and Access Control: Defining Istio policies, but also application and organizational policies – including users and devices – and the ability to manage them at scale.
- Automation: The ability to automate, measure, and continuously monitor policies at runtime.
We can make huge strides forward as an industry if we can enable organizations to deploy and operate security for cloud native workloads in this manner.
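As an added illustration (not from the original post, Istio, or Tetrate), the identity-oriented control described above expressed as Istio configuration, with the network-oriented alternative shown only as a comment for contrast; the namespace, service account, issuer and JWKS URL are assumed values.

```yaml
# Require mutual TLS in the namespace so every caller presents a SPIFFE
# identity that is cryptographically verified before any rule is evaluated.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments        # assumed namespace
spec:
  mtls:
    mode: STRICT
---
# Verify end-user JWTs so that user identity, not only workload identity,
# is available to policy. Issuer and JWKS location are assumed values.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: end-users
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments
  jwtRules:
  - issuer: "https://idp.example.com"
    jwksUri: "https://idp.example.com/.well-known/jwks.json"
---
# Identity-oriented access control: the rule names WHO may call, not WHERE
# the call comes from. A network-oriented equivalent would use
#   source.ipBlocks: ["10.20.0.0/16"]
# which trusts anything that can reach or spoof that address range.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-by-identity
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
  - from:
    - source:
        # both the SPIFFE workload identity and a verified user JWT are required
        principals: ["cluster.local/ns/checkout/sa/checkout"]
        requestPrincipals: ["https://idp.example.com/*"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/charge"]
```

Once an ALLOW policy selects the workload, requests that match none of its rules are denied, so the deny-by-default posture zero trust expects comes from this policy set itself rather than from network placement.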
Talent
Ultimately, no project or technology becomes mainstream without educated, inspired talent. At Tetrate we believe we need to educate the community on this technology and contribute to a responsible path to adoption. Hence, we provide world-class certification and free online training courses, making it easy for anyone in the community to take both beginner and advanced classes on Istio and Envoy at academy.tetrate.io.
All of us at Tetrate, and myself in particular, are looking forward to next steps, and we will always remain supportive of the Istio project and the community.