Simplicity and Security: What Commercial Providers Offer for the Service Mesh
By Emily Omier
The New Stack is running a series of posts on the value that a service mesh brings to Kubernetes deployments. This week, we resume that series with this latest installment. Check back often for more updates.
“Open source is free like a puppy,” said Andrew Jenkins, chief technology officer at Aspen Mesh, provider of an enterprise version of the open source Istio service mesh.
The argument for an enterprise offering versus pure open source software is essentially the same, whether we’re talking about Kubernetes, Spinnaker or a service mesh. Open source is free, but often doesn’t come with the full functionality that companies need. The cost of adjusting open source solutions internally can add up to more than the cost of paying for a product that already comes with those features out of the box.
The other reason organizations turn to commercial service mesh providers is support. In the case of Linkerd, that is the only reason to turn to Buoyant, the company offering commercial Linkerd support. “We don’t hold anything back,” explains William Morgan, CEO of Buoyant. “This is more of a philosophical stance. However, if you want to have a commercial relationship with us, we will make sure the service mesh works for you, with services and integration and all that stuff.”
Service meshes are designed for very complex architectures. They only make sense for companies operating at scale, but can themselves add complexity to the infrastructure. One major focus of companies like Aspen Mesh is mitigating the complexity a service mesh introduces. “We add our own dashboard on top, and we use that user interface to a lot of our data,” Jenkins explains. This makes it easier for companies to use the service mesh than if they were just using vanilla Istio.
In the case of Consul, HashiCorp’s service mesh, organizations can use the service mesh to connect services running in Kubernetes with legacy applications running in other environments — reducing the overall complexity for the many real-world organizations that have a mix of both cloud native applications and legacy apps. “We see a lot of people starting out with a service mesh for their cloud native applications,” explained Raymond Austin, product marketing manager for Consul at HashiCorp. “Then they realize they have a bunch of on-prem stuff or virtual machine environments. They want to connect Kubernetes to an existing data center environment, for example.”
Idit Levine, CEO of service mesh service and tool provider Solo.io, agrees that simplicity is one of the reasons to work with a commercial service mesh provider, especially when you’re dealing with multiple clusters and/or multiple service meshes. “The ability to have one very simple API to manage it all is very important to our customers,” she said.
Security is one of the three primary reasons that organizations use a service mesh, but a service mesh can also introduce security vulnerabilities into the infrastructure. Though it’s entirely possible for organizations to patch security vulnerabilities themselves, end users are not usually as technically sophisticated, or as on top of the latest Common Vulnerabilities and Exposures (CVEs), as commercial service mesh providers. “Aspen Mesh is part of the security early disclosure list,” Jenkins explained. “And like many other vendors with open core products, we also test and harden our product before it’s released to customers, so it tends to be less buggy and more secure.”
For organizations that need their infrastructure to stay as secure as possible but don’t have the internal resources or expertise, a commercial service mesh can help.
Is it hard to set up something like Istio or Linkerd? Yes and no, various sources agreed. “The skills gap is absolutely real,” Jenkins said. It’s not really a service mesh skills gap, though, but rather a container/Kubernetes/cloud native skills gap. “If you’re already pretty fluent in Kubernetes, Istio or Linkerd are going to be pretty easy to pick up. If you’re new to the container and container orchestration world, there’s a lot to learn.”
Whatever the maturity level, one of the advantages of a commercial offering is support. There’s no easy way to get advice or troubleshooting from purely open-source service meshes. For some organizations that doesn’t matter, but for others, the knowledge that there’s someone to call in case of a problem is critical — and might even be baked into corporate governance policies.
One of the benefits of using a sidecar proxy service mesh with Kubernetes, Jenkins said, is that it allows a smaller central platform team to manage a large infrastructure, and it reduces the burden on application developers to handle anything related to infrastructure management. Using a commercial service mesh provider lets organizations even further reduce the need to manage infrastructure internally, he said. Austin agreed that one of the things that makes a service mesh “enterprise-grade” is increased operational simplicity, making it as simple as possible for small platform teams to manage huge application suites. For enterprises, that translates to the ability to spend more engineering resources on feature development and creating business value and less on infrastructure management.
“Installing the service mesh is the easy part,” Levine said. “You have to configure it, operate it.” Solo, she said, focuses on making the configuration and operations as simple as possible for the end-user.
A Complex Ecosystem
Perhaps one misconception about service meshes is that they are all the same. Istio exposes a much larger number of configuration options to users than Linkerd, for example — and on purpose. For some organizations, that is an advantage. But Linkerd’s more opinionated approach means it’s also much easier to use, which is an advantage as well. Other options, like Consul, Kuma or Grey Matter, all have their own benefits. The right choice depends on the organization.
“Kubernetes is the clear winner for orchestration for containers,” Levine said. “I think that service meshes are a way more complex ecosystem, there’s not going to be only one clear winner.”
Is there a clear way to know if a company will benefit from a commercial service mesh? Morgan, of Buoyant, offers a clear barometer. “If you’re a company that’s been very successful with pure open source in the past, that probably means you’ll be successful with open source service mesh,” he said. “If you’re the type of company that tends to need a lot of help, that’s a sign that you’ll need help with service mesh too.”