Cross-service communication management subsystem
1. General description
The Cross-service communication management subsystem implements the Service Mesh network pattern. It helps developers and registry administrators securely connect external systems to the Registry Platform and vice versa, protects and monitors the components of the Platform and registries, provides a set of components for managing external and internal traffic, network policies, telemetry and security, and provides load balancing, traffic routing and encryption.
You can read more about the list of services included in the Service Mesh in the section Service Mesh: Platform and registry components.
2. Subsystem functions
- The subsystem provides mechanisms to protect services from attacks and malicious actions, in particular authentication, authorization, encryption and access control.
- The subsystem allows you to control how traffic passes between services; in particular, it determines routing and load balancing.
- The subsystem collects and displays various metrics, which allows Platform administrators to view and analyze the operation of the components of the registries and the Platform, in particular their availability and performance.
- The subsystem supports creating and managing security policies and restricting access to Platform components and registries.
4. Subsystem components
Component name | Namespace | Deployment | Source | Repository | Purpose |
---|---|---|---|---|---|
Istio control plane | | | 3rd-party | | Istiod is the main component of the subsystem; it provides the core functions of the service mesh, such as traffic routing, traffic management and security. Istiod consists of several components, namely: |
Istio operator | | | 3rd-party | | Istio operator allows you to install, configure, and manage the various `istiod` components. This simplifies the setup and deployment of `istio` as a component of the Platform. |
Prometheus | | | 3rd-party | | Prometheus is a performance metrics monitoring and analysis component used with Istio to collect, analyze and visualize metrics of Platform components and registries. |
Service Mesh management and monitoring web interface | | | 3rd-party | | A component that gives Platform and registry administrators the ability to configure and analyze the status of the service-mesh components of the Platform and registries, monitor the components included in the service mesh in real time and quickly detect problems in the network. |
5. Technology stack
During the design and development of the subsystem, the following technologies were used:
6. Subsystem quality attributes
6.1. Observability
The subsystem provides the ability to monitor the Platform and registries and provides the collection of helpful metrics for administrators to understand the behavior and performance of Platform components and registries to identify issues and improve their performance.
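As an added illustration (not part of the Platform's own configuration) of how the collected metrics can be turned into availability and performance signals, the following Prometheus rule file derives a per-service 5xx ratio and a p99 latency from the standard Istio sidecar metrics `istio_requests_total` and `istio_request_duration_milliseconds`. The namespace `registry-example`, the rule group name and the thresholds are placeholders chosen for this example.

```yaml
# Added example; assumes Prometheus scrapes the Istio sidecars so that the
# standard Istio metrics are available. Namespace and thresholds are placeholders.
groups:
- name: registry-service-mesh
  rules:
  # Share of server-side 5xx responses per destination service over 5 minutes.
  # reporter="destination" takes the receiving sidecar's view, so failures of
  # the service itself are counted rather than failures to reach it.
  - record: registry:istio_request_error_ratio:5m
    expr: |
      sum by (destination_service) (
        rate(istio_requests_total{reporter="destination",
                                  destination_service_namespace="registry-example",
                                  response_code=~"5.."}[5m])
      )
      /
      sum by (destination_service) (
        rate(istio_requests_total{reporter="destination",
                                  destination_service_namespace="registry-example"}[5m])
      )

  # Availability signal: more than 5% of requests fail for 10 minutes.
  - alert: RegistryServiceHighErrorRate
    expr: registry:istio_request_error_ratio:5m > 0.05
    for: 10m
    labels:
      severity: warning
    annotations:
      summary: "{{ $labels.destination_service }} returns more than 5% 5xx responses"

  # Performance signal: p99 request latency above 1 s, computed from the
  # Istio duration histogram (bucket values are in milliseconds).
  - alert: RegistryServiceSlowP99
    expr: |
      histogram_quantile(0.99,
        sum by (le, destination_service) (
          rate(istio_request_duration_milliseconds_bucket{reporter="destination",
                                                           destination_service_namespace="registry-example"}[5m])
        )
      ) > 1000
    for: 10m
    labels:
      severity: warning
    annotations:
      summary: "p99 latency of {{ $labels.destination_service }} exceeds 1 s"
```

The recording rule is evaluated first so that the alert and any dashboard panel read the same ratio; when a service receives no traffic in the window the division yields no sample, which is preferable to a false alert on an idle service.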
6.2. Security
The subsystem provides protection of Platform components and registries against external attacks and internal threats through authentication, authorization, restriction of network interaction, verification of JWT tokens, encryption of traffic between services (mTLS), which fully corresponds to the Zero-trust approach.
There is a mechanism for limiting access to the interface, which in turn minimizes the attack surface of the subsystem from the outside.
The subsystem will meet cryptographic strength requirements by using strong ciphers and TLS 1.2 or higher. Certificates generated by the subsystem are stored in secure, encrypted storage with controlled access.
All communication between subsystem components takes place over a secure communication channel with mandatory identification and authentication.
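The protection mechanisms listed in the subsystem functions above (authentication, authorization, access control) and in this section (mTLS, JWT verification, restriction of network interaction) map onto three Istio resources. The manifests below are an added example and not the Platform's own configuration; the namespace `registry-example`, the workload label `app: registry-api`, the JWT issuer URL and the ingress gateway service account name are assumptions used only for illustration.

```yaml
# Added example, not part of the Platform's manifests. All names are placeholders.
# 1. Workload-to-workload encryption and identity: every sidecar in the namespace
#    accepts only mTLS connections, so plaintext calls from inside the cluster
#    are rejected and each caller is identified by its SPIFFE identity.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: registry-example
spec:
  mtls:
    mode: STRICT
---
# 2. End-user authentication: tokens presented to registry-api are validated
#    against the issuer's JWKS. Note that this resource alone only rejects
#    *invalid* tokens; a request with no token at all still passes, which is
#    why the AuthorizationPolicy below demands a request principal.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: registry-api-jwt
  namespace: registry-example
spec:
  selector:
    matchLabels:
      app: registry-api
  jwtRules:
  - issuer: "https://idp.example.invalid/realms/registry"          # placeholder issuer
    jwksUri: "https://idp.example.invalid/realms/registry/certs"   # placeholder JWKS endpoint
---
# 3. Authorization and network restriction: once an ALLOW policy selects a
#    workload, every request that matches no rule is denied. Here only calls
#    that carry a valid JWT (requestPrincipals) AND arrive from the ingress
#    gateway's mesh identity (principals) may reach the API paths.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: registry-api-access
  namespace: registry-example
spec:
  selector:
    matchLabels:
      app: registry-api
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
        principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]  # assumed gateway SA
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/*"]
```

A quick check after applying such policies is to call the service from a pod without a sidecar and from a sidecar-injected pod without a token: the first should fail at the TLS handshake because of `STRICT` mTLS, the second should receive an HTTP 403 from the authorization policy rather than reaching the application.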
6.3. Reliability
The subsystem ensures the resilience of Platform components and registries to failures by means of automatic traffic redirection and request retries.
6.4. Performance
The subsystem provides load balancing between the components of the Platform and registries and allows different balancing strategies to be used, which makes it possible to increase the performance of applications and manage their versions.
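The traffic-control function described in the subsystem functions above, together with the retries of this reliability section and the balancing strategies and version management of this performance section, are expressed in Istio through a DestinationRule and a VirtualService. The manifests below are an added example rather than the Platform's own configuration; the service `registry-api` in namespace `registry-example`, the `version: v1`/`v2` pod labels and the numeric settings are assumptions for illustration.

```yaml
# Added example, not part of the Platform's manifests. Names and values are placeholders.
# DestinationRule: how traffic is balanced across endpoints and which versions exist.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: registry-api
  namespace: registry-example
spec:
  host: registry-api.registry-example.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      simple: LEAST_REQUEST     # new requests go to the endpoint with the fewest in flight
    outlierDetection:           # passive health check: stop sending to endpoints that keep failing
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 60s
      maxEjectionPercent: 50    # never eject more than half the pool
    connectionPool:
      http:
        http1MaxPendingRequests: 100
        maxRequestsPerConnection: 10
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
# VirtualService: routing between versions and retry behaviour per request type.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: registry-api
  namespace: registry-example
spec:
  hosts:
  - registry-api.registry-example.svc.cluster.local
  http:
  # Idempotent reads: a failed attempt is transparently redirected to another endpoint.
  - match:
    - method:
        exact: GET
    route:
    - destination:
        host: registry-api.registry-example.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: registry-api.registry-example.svc.cluster.local
        subset: v2
      weight: 10               # canary share for the new version
    retries:
      attempts: 3
      perTryTimeout: 2s
      retryOn: connect-failure,reset,5xx
    timeout: 10s
  # Everything else (writes): same version split, but retries are switched off,
  # because replaying a non-idempotent request can duplicate its effect.
  - route:
    - destination:
        host: registry-api.registry-example.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: registry-api.registry-example.svc.cluster.local
        subset: v2
      weight: 10
    retries:
      attempts: 0
    timeout: 10s
```

Two points worth keeping in mind with this pattern: Istio applies a default retry policy when none is given, so the explicit `attempts: 0` on the write route is what prevents duplicated writes, and the overall `timeout` bounds the sum of all attempts, so `attempts × perTryTimeout` should stay below it.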