Tags: istio, envoyproxy, istio-sidecar, sidecar

Envoy proxy usage without Istio


I am researching the use of the Istio service mesh and finding that the Envoy proxy is a very good service proxy option to work with it. But over the last couple of years, the Envoy proxy seems to have grown as a cloud-native project. In our application, we need a service proxy to sit beside our app, and this service proxy should do JWT validation for all incoming requests.

Now I am wondering: should I just go with Envoy proxy and set it up with JWT validation as explained here https://www.scottguymer.co.uk/post/configuring-jwt-authentication-in-envoy/ or should I set it up along with Istio? Istio also does JWT claims-based validation at the ingress gateway level: https://istio.io/latest/docs/tasks/security/authentication/jwt-route/

But my main question is: to keep the architecture light without adding too many layers (if we don't have to), should Envoy proxy be used without Istio in this specific case?

I have read this online.

Service mesh like Istio acts as a control plane and uses Envoy in the data plane to do app-level processing (like app-level JWT validation per app-node) via the Sidecar pattern.

But I am wondering if I really need to use a service mesh if all I need is a service proxy beside each app instance.
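For reference, this is what the standalone option looks like: an Envoy sidecar on port 8080 that verifies a bearer JWT with the built-in `envoy.filters.http.jwt_authn` filter before forwarding to the app on 127.0.0.1:3000. This is an added example written for this page, not configuration from the question, the linked blog post or the Envoy project; the issuer `https://issuer.example.com`, its JWKS URL, the audience `my-app` and the port numbers are assumptions to be replaced with your own values.

```yaml
# Added example: Envoy v3 static config with JWT validation, no Istio involved.
# Assumed values: issuer, JWKS URL, audience and ports.
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: app
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: app }
          http_filters:
          # jwt_authn runs before the router, so unauthenticated requests never reach the app.
          - name: envoy.filters.http.jwt_authn
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
              providers:
                assumed_provider:
                  issuer: "https://issuer.example.com"       # assumed
                  audiences: ["my-app"]                        # assumed; rejects tokens minted for other services
                  remote_jwks:
                    http_uri:
                      uri: "https://issuer.example.com/.well-known/jwks.json"   # assumed
                      cluster: jwks
                      timeout: 5s
                    cache_duration: 600s                       # re-fetch keys every 10 minutes for rotation
                  from_headers:
                  - name: Authorization
                    value_prefix: "Bearer "
                  forward: false                               # strip the token before it reaches the app
              rules:
              # Rules are evaluated in order; a rule without `requires` needs no token.
              - match: { prefix: "/healthz" }
              - match: { prefix: "/" }
                requires: { provider_name: assumed_provider }
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: app
    type: STATIC
    connect_timeout: 1s
    load_assignment:
      cluster_name: app
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 3000 }
  # The JWKS endpoint must be fetched over TLS, so the cluster gets an upstream TLS context.
  - name: jwks
    type: LOGICAL_DNS
    connect_timeout: 5s
    load_assignment:
      cluster_name: jwks
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: issuer.example.com, port_value: 443 }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: issuer.example.com
```

Two checks worth doing once it is running: `curl -i http://localhost:8080/` without a token should return 401 from Envoy, and `curl http://localhost:8080/healthz` should pass because the first rule deliberately carries no `requires`. Keep that allow-list of unauthenticated paths as short as possible, since every prefix listed there bypasses validation entirely.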


Solution

  • If you're using Kubernetes I recommend you use Istio, as it will be much easier to manage all your proxies in case you want to use many proxies.

    With Istio you can also select in which namespaces or workloads to apply automatic sidecar injection, so you could decide which apps will run with a sidecar, and which apps won't.

    This is adding another layer, but it's also adding more security to your environment.
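The Istio-managed version of the same requirement, as an added example that is not part of the answer above or of Istio's own documentation: the namespace label turns on automatic sidecar injection, one workload opts out with the `sidecar.istio.io/inject` label, and a `RequestAuthentication` plus `AuthorizationPolicy` pair enforces the JWT on the `app: my-app` workload. The namespace, workload names, issuer and JWKS URL are assumptions.

```yaml
# Added example. Assumed values: namespace my-app, labels, issuer and JWKS URL.
apiVersion: v1
kind: Namespace
metadata:
  name: my-app
  labels:
    istio-injection: enabled          # every new pod in this namespace gets an Envoy sidecar
---
# A workload in the same namespace that should run without a sidecar.
# (Older Istio releases read the same key as a pod annotation instead of a label.)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: batch-job
  namespace: my-app
spec:
  replicas: 1
  selector:
    matchLabels: { app: batch-job }
  template:
    metadata:
      labels:
        app: batch-job
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - name: batch-job
        image: example.invalid/batch-job:latest   # placeholder image
---
# Validate tokens presented to pods labelled app=my-app.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: my-app-jwt
  namespace: my-app
spec:
  selector:
    matchLabels:
      app: my-app
  jwtRules:
  - issuer: "https://issuer.example.com"                            # assumed
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"     # assumed
    audiences: ["my-app"]                                           # assumed
---
# RequestAuthentication alone only rejects *invalid* tokens; a request carrying
# no token at all is still forwarded. Requiring a request principal closes that gap.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: my-app-require-jwt
  namespace: my-app
spec:
  selector:
    matchLabels:
      app: my-app
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]      # any principal the RequestAuthentication above validated
```

Functionally this is the same `jwt_authn` filter as in the standalone Envoy case; Istio's control plane generates the filter configuration and pushes it to each sidecar, which is the management advantage the answer refers to. The second policy is the part people most often omit: without it, `kubectl exec` into another pod and `curl` to the service with no `Authorization` header will still get a 200, which is a quick way to confirm whether your mesh actually requires a token.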