6 CNCF Service Mesh Tools

Microservices have grown tremendously in use—they enable decoupled, reusable components and support a rapid development approach. However, it’s challenging to manage a sea of disparate microservices. It’s specifically difficult to consistently apply standard features such as traffic management, security and observability mechanisms across all microservices. This issue grows as the number of microservices climbs into the hundreds and thousands.

This is where service mesh comes in. Service mesh helps to apply common observability and security features across applications. It’s typically split into a control plane, used to configure features, and a data plane, consisting of a sidecar proxy alongside each application. Nowadays, several service mesh options exist in the market, each with varying levels of complexity.

The Cloud Native Computing Foundation (CNCF) is home to much of today’s innovative cloud-native technology. The foundation now hosts a few service meshes and related projects. Below, we’ll outline the CNCF service mesh toolset to better understand how engineers can adopt these tools and their benefits.

1. Linkerd

Ultra-light high-performance service mesh


Like other service meshes, Linkerd consists of a control plane to apply configurations and a data plane that uses a proxy that sits close to services. To achieve high performance, Linkerd relies on its own purpose-built linkerd2-proxy, a microproxy written in Rust. Compared to other service meshes, Linkerd is relatively straightforward to implement.

Linkerd, initially developed by Buoyant, is praised for its simplicity. But that doesn’t mean it isn’t powerful. Linkerd can be used to apply consistent security, observability, monitoring and telemetry features across microservices. Specific features include automatic mTLS, automatic proxy injection, CNI plugin, distributed tracing, fault injection, load balancing and multi-cluster communication. Teams can leverage Linkerd’s features by inserting its data plane proxy into their pods.
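Because features such as automatic mTLS only apply to pods that actually carry the proxy, it helps to verify injection coverage. The following is an added example, not code from Linkerd or from this article: it classifies pods from a `kubectl get pods -A -o json` style listing, assuming the injected container is named `linkerd-proxy` and opt-in or opt-out is expressed with the `linkerd.io/inject` pod annotation. The pod names and namespaces are constructed sample data.

```python
import json

PROXY = "linkerd-proxy"           # container name of Linkerd's injected proxy
INJECT = "linkerd.io/inject"      # pod annotation that opts a workload in or out


def _pod(ns, name, containers, init=(), annotations=None):
    """Build a minimal pod object (constructed sample data)."""
    return {
        "metadata": {"namespace": ns, "name": name, "annotations": annotations},
        "spec": {
            "containers": [{"name": c} for c in containers],
            "initContainers": [{"name": c} for c in init],
        },
    }


# Constructed input, shaped like `kubectl get pods -A -o json`.
SAMPLE_POD_LIST = json.dumps({"items": [
    _pod("shop", "web", ["web-svc", PROXY], ["linkerd-init"], {INJECT: "enabled"}),
    _pod("shop", "voting", ["voting-svc"], ["linkerd-init", PROXY], {INJECT: "enabled"}),
    _pod("batch", "report-job", ["report"], annotations={INJECT: "disabled"}),
    _pod("payments", "ledger", ["ledger"], annotations={INJECT: "enabled"}),
    _pod("legacy", "billing", ["billing"]),
]})


def classify_pod(pod):
    """Return the mesh status of one pod object."""
    spec = pod.get("spec") or {}
    # The proxy may be a regular container or, as a native sidecar, an init container.
    names = {c.get("name") for key in ("containers", "initContainers")
             for c in spec.get(key) or []}
    if PROXY in names:
        return "meshed"
    wanted = ((pod.get("metadata") or {}).get("annotations") or {}).get(INJECT)
    if wanted == "disabled":
        return "opted-out"          # deliberate exclusion: review, but expected
    if wanted == "enabled":
        return "injection-missing"  # asked for a proxy and has none
    return "unmeshed"               # no pod-level annotation and no proxy


def audit(pod_list_json):
    """Group namespace/name references by mesh status."""
    report = {}
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata") or {}
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        report.setdefault(classify_pod(pod), []).append(ref)
    return report
```

Pods reported as `injection-missing` or `unmeshed` exchange traffic without the mesh's mTLS and telemetry, so they are the ones to investigate first.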

Linkerd is the first service mesh to reach graduation status with the CNCF. Linkerd has seen production use within Microsoft, Nordstrom, Expedia, JPMC, Clover Health, Entain, H-E-B and many other enterprises. For information on setting up Linkerd, see its getting started guide.

2. Kuma

A universal Envoy service mesh for distributed service connectivity


Kuma is another service mesh hosted by CNCF that provides security, observability, routing and other functionality. Kuma comes prepared for enterprise scalability, supporting multi-cloud and multi-zone modes—though it offers a centralized control plane. It’s built to support multi-mesh features which enable multiple teams to use Kuma across an organization. Kuma’s big emphasis is on instilling zero trust through a Layer 4 and Layer 7 networking policy architecture.

Kuma, built by Kong, comes out of the box with bundled policies to apply across your services. For example, traffic metrics could be used to track metrics on every proxy and expose them to a monitoring tool like Prometheus. Or the rate limiting policy could be used to define per-service rate limits.

Unlike Linkerd, Kuma is based on the Envoy Proxy, another CNCF project. Envoy is less purpose-built for service mesh but benefits from community input and extensibility options. Developers can install Kuma on Kubernetes by following its installation commands, or peruse the documentation for other use cases.

3. Open Service Mesh (OSM)

A lightweight and extensible cloud-native service mesh


Open Service Mesh (OSM) is a CNCF-hosted service mesh that runs on Kubernetes and uses the Envoy proxy. OSM is primarily maintained by developers at Microsoft. It’s also unique in being completely controllable via Service Mesh Interface (SMI), a burgeoning industry-standard service mesh API.

Using OSM, users can secure end-to-end communication with mTLS, define access control policies, produce application metrics and manage certificates, among other features. All can be applied consistently across a wide network of dynamic microservices. Though its adoption rate is lower than others on this list, OSM is a robust service mesh contender.

4. Service Mesh Interface (SMI)

A standard interface for service meshes on Kubernetes


Service Mesh Interface (SMI) is a standard interface for service meshes on Kubernetes. It specifies a common set of service mesh actions, distilling functionalities into three main categories: traffic policy, traffic telemetry and traffic management. A standard service mesh API specification could help usher interoperability and vendor neutrality into the service mesh landscape, allowing new service meshes and service mesh-related tooling to develop in an agnostic way.

5. Meshery

A service management plane


Istio, Kuma, Linkerd, Open Service Mesh … the number of service meshes on the market is growing. With this growth comes a greater likelihood of an organization supporting multiple meshes for various business needs. Meshery is a tool that can help businesses compare and contrast the value of different meshes. Meshery provides the ability to compare workload performances across service meshes by implementing Service Mesh Performance (SMP). You can also validate compliance and best practices among various meshes.

6. Service Mesh Performance (SMP)

Standardizing service mesh value measurement


Service Mesh Performance (SMP) is a vendor-neutral specification used to evaluate performance and efficiency across service meshes. Meshery (above) is the example implementation of Service Mesh Performance (SMP).

Open Source Service Mesh Projects

Interest in service mesh is rising—a recent study found that the majority of microservices deployments now use service mesh. Furthermore, a 2021 U.S. presidential executive order on cybersecurity directly names service mesh as a tool to enact zero-trust security across departments.

The CNCF-hosted projects above can deliver out-of-the-box service mesh features, such as routing, securing, observability and more. Following the surge of interest in microservices architecture, service mesh is a natural evolution. Thus, we will likely see more service mesh-related projects emerge (and graduate up the CNCF ladder) in the coming years.

Bill Doerrfeld
