I’m trying to add istio to an existing Kubernetes application. The application consists of a frontend service, which in turn needs to talk to all pods from a set of backend services in order to gather some data and aggregate it. The frontend also sometimes talks to a specific backend, without any rerouting kicking in. In any case, the frontend talks to backends using HTTP and the WebSocket protocol.
I understand that this might not be the typical application for a service mesh. However, I want to get mTLS support, and I can accept losing service subgroups for the moment. Also, I would like to configure istio to block pods other than the frontend service/pods from talking to the backends … or am I mixing up things like NetworkPolicies with istio?
The frontend monitors the set of backend service pods via the Kubernetes API, especially to learn the endpoint IPs for ready backend pods.
As a newcomer to istio, and after spending some time with the examples and documentation, I’m still lost as to whether my goal is feasible.
If I don’t want to use routing, would then creating a VirtualService resource be sufficient for istio to use mTLS between frontend and backend?
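As an added example (not part of the original post), these are the two Istio resources that cover the questions above: a PeerAuthentication to require mTLS, and an AuthorizationPolicy so that only the frontend's workload identity may reach the backend pods. The namespace `app`, the service account `frontend` and the label `tier: backend` are placeholders for whatever the application actually uses.

```yaml
# Added example; namespace, service account and labels are placeholders.
# 1. Require mTLS for every sidecar-injected workload in the namespace,
#    so plaintext connections to the backends are rejected.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: app
spec:
  mtls:
    mode: STRICT
---
# 2. Allow only the frontend's identity to talk to the backend workloads.
#    The principal is derived from the caller's mTLS certificate, so it
#    covers plain HTTP requests and WebSocket upgrades alike.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: backend-allow-frontend-only
  namespace: app
spec:
  selector:
    matchLabels:
      tier: backend          # placeholder label shared by all backend pods
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/app/sa/frontend"]
```

Once an ALLOW policy selects a workload, every request that matches none of its rules is denied, so pods without a sidecar (and therefore without a workload identity) are rejected as well; a Kubernetes NetworkPolicy would be a separate, IP-based layer rather than a replacement for this.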