How to prepare for Istio certified associate exam (ICA)
Published on

How to prepare for Istio certified associate exam (ICA)

Author
Written by Peter Jausovec
    Contents
  1. Understanding IstioOperator resource
  2. How traffic comes into the cluster
  3. How to expose services through the Gateway
  4. How to match the traffic
  5. Difference between VirtualService and DestinationRule
  6. Splitting traffic between multiple services/versions/etc.
  7. Where are resiliency and fault injection features configured?
  8. What is the difference between authentication and authorization?
  9. What can I do with PeerAuthentication and RequestAuthentication resources?
  10. Conclusion
Discuss on Discord
Back in September, CNCF announced a new certification called Istio Certified Associate (ICA).
Like any other certification, the purpose of ICA is to validate your knowledge of Istio. It is a great way to show your current or future employer you have the skills and expertise to work with Istio.
You can already purchase the certification exam, but you will be able to take it in November 2023, so keep this in mind as you read this blog post.

Note

Even though I was the one who created the first Istio certification back in 2021, I don't have any knowledge or inside information on what's in this CNCF exam; my guess on what's in the exam is as good as yours.
CNCF publishes an exam curriculum, so we have a high-level idea of different topics that one should review and prepare for. For actual details about the exam, make sure you read the information on the frequently asked questions page and the ICA exam page.
As we saw the news, we (my coworkers Marino, Alessandro, and me) decided to create a series of live streams called Mesh Week. The idea behind these sessions was that anyone interested in Istio and preparing for the Istio Certified Associate exam can use them.
Istio Mesh Week
Istio Mesh Week
We did five live streams, going through the curriculum and covering the following topics:
  1. Istio installation, upgrade and configuration (Watch on YouTube)
  2. Istio traffic management (Watch on YouTube)
  3. Istio resiliency and fault injection (Watch on YouTube)
  4. Security in Istio and securing workloads (Watch on YouTube)
  5. Advanced scenarios and troubleshooting Istio (Watch on YouTube)
Here are my notes, tips, and observations from these sessions.

Understanding IstioOperator resource

If there were only one thing to take away from the Istio installation session, it would be understanding different configuration pieces and where to configure them.
Here's a sample IstioOperator resource that shows you the sections and points to reference documentation:
apiVersion: install.istio.io/v1alpha1
# Reference: https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1
kind: IstioOperator
spec:
  # Configuration profile used as the base for installation
  # Other settings you can configure at this level are namespace, hub, revision, tag
  profile: demo

  # Mesh configuration settings: https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1
  meshConfig:
    accessLogFile: /dev/stdout

  # Individual components you can configure: https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioComponentSetSpec
  # Includes base, pilot, cni, ztunnel, ingressGateways, egressGateways, istiodRemote
  components:
    # pilot: ...
    # cni: ...
    egressGateways:
      # Note that there can be more than one egress/ingress gateway instance.
      # To customize a gateway that already is part of the selected profile (E.g., demo in this case)
      # make sure you use the default gateway name
      - name: istio-egressgateway
        # This disables the default egress gateway (i.e., we won't deploy it)
        enabled: false
    ingressGateways:
      # Disable the default ingress gateway
      - name: istio-ingressgateway
        enabled: false
      # Enable a new gateway
      - name: peters-gateway
        enabled: true
        namespace: my-custom-namespace
        label:
          app: my-label
        # Customize the k8s resources: https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
        k8s:
          resources:
            requests:
              cpu: 5m
              memory: 20Mi

How traffic comes into the cluster

Using the Gateway resource (that configures the ingress/egress gateway (the actual pod)) and a combination of a hostname (e.g., hello.com) and a port (80). These two things "tell" the ingress pod to "listen" for that hostname and port.

How to expose services through the Gateway

The routing rules that "tell" Istio where to route the traffic are all in the VirtualService. To expose a Kubernetes service through the Gateway, you attach the gateway to the VirtualService. The Gateway only defines the ports, host names, and TLS configuration you want the gateway to listen on, while the VirtualService defines the routing rules.

How to match the traffic

You can match the traffic on URI paths, headers, query parameters, gateways, etc... The matching acts similarly to the "if-else" statements where the "if" portion is applied if the match is true, otherwise the remaining rules get processed. In most cases, you can match the values exactly, by prefix, or using a Regex.

Difference between VirtualService and DestinationRule

In VirtualService, you match the traffic, define where it gets routed, add/remove headers if needed, while with the DestinationRule, you control the configuration on the endpoints (i.e., collection of target pod IPs) side. I.e., you can control the load-balancing algorithm to be used when selecting one of the destinations, TLS configuration, circuit breakers, etc.

Splitting traffic between multiple services/versions/etc.

You'll have a single Kubernetes Service and one or more Deployments (e.g., v1, v2 deployment). The Service uses a generic label that selects pods from both deployments (e.g. app=helloworld), while the pods from the versioned deployments also have the version=v1 or version=v2 labels.

Note

Replace the version labels with whatever you like, want, or need.
To tell Istio about these different versions, you create named subsets in the DestinationRule. Then, to route to one or the other subset, you reference it in the VirtualService.
The way this works behind the scenes (i.e., Envoy) is that there are different clusters (an Envoy concept) configured for each subset. For example, a cluster named ...|8080|v1|httpbin... and ...|8080|v2|httpbin... and so on. Note the subset names in the string -- this tells Envoy which endpoints (one cluster in Envoy can have multiple endpoints (i.e., hosts, i.e., pod IPs)) to make part of the v2 cluster or part of the v1 cluster and so on. Then, when the matching occurs, and traffic gets routed to one or the other, Envoy points the traffic to one of the pre-defined clusters with the endpoints that are part of that subset.
I've explained how this works with a demo here.

Where are resiliency and fault injection features configured?

Any timeouts, retries, and fault injection is configured in the VirtualService resource. While things like circuit breakers and outlier detection are configured in the DestinationRule.

What is the difference between authentication and authorization?

In the security stream, we talked about the difference between authentication ("Is a credential valid and trusted?") and authorization ("Is a validated credential allowed to perform an action on an object?").
We also introduced the resources in Istio that manage authentication and authorization.

What can I do with PeerAuthentication and RequestAuthentication resources?

The two resources that deal with authentication in Istio are the PeerAuthentication and the RequestAuthentication. The former deals with services, while the latter deals with users and end-user authentication.
The "result" of both resources is either a principal (PeerAuthentication, service) or a requestPrincipal (RequestAuthentication, user). ​ These two values, along with IP blocks, namespaces, claims, etc., can be used to create authorization policies in the AuthorizationPolicy resource (specifically in the rules section).
You can use the AuthorizationPolicy to configure and define the following:
  1. Which workloads are we applying the policy to? (can be a set of workloads (e.g., using labels), a namespace, or even mesh-wide)
  2. What is the action? Are we denying (DENY) the requests or allowing (ALLOW) them?
  3. The actual rules that get evaluated. These get split into three sections:
    • From (from): where are the requests coming from (e.g., namespace, principal, request principal)
    • To (to): what are the operations we want to apply the action to (e.g., "GET request on /api/blah", "POST and DELETE requests on /hello/*", ...)
    • When (when): conditions when to apply the rule (e.g., "When the issuer of the JWT token == "someone")
The nice thing about the AuthorizationPolicy is that you can combine rules involving services and end-users. For example, you can allow all requests from the default namespace only if the request contains a valid JWT token and the user claim equals ricky.

Conclusion

Thanks to everyone who showed up and said Hello during the live streams. I hope you found them helpful and that you learned something new. If you decide to take on the Istio Certified Associate, let me know how it goes!
You can watch all streams on Learn Cloud Native YouTube channel.
Join the discussion
SHARE THIS ARTICLE
Peter Jausovec

Peter Jausovec

Peter Jausovec is a platform advocate at Solo.io. He has more than 15 years of experience in the field of software development and tech, in various roles such as QA (test), software engineering and leading tech teams. He's been working in the cloud-native space, focusing on Kubernetes and service meshes, and delivering talks and workshops around the world. He authored and co-authored a couple of books, latest being Cloud Native: Using Containers, Functions, and Data to Build Next-Generation Applications.

Related posts

Beginners guide to gateways and proxies
Gateways

Beginners guide to gateways and proxies

Have you heard of gateways, proxies, load balancer, API gateways? This article explains what gateways are, what is their purpose and how they work with practical examples

Peter Jausovec

Peter Jausovec

Start Kubernetes Release
Kubernetes

Start Kubernetes Release

Start Kubernetes will teach you everything you need to know to use Kubernetes effectively.

Peter Jausovec

Peter Jausovec

Debugging Kubernetes applications using Istio
Service Mesh

Debugging Kubernetes applications using Istio

This article explains how you can use Istio in combination with ngrok to debug a service running locally on your machine while the production version of the service is running in the cluster

Peter Jausovec

Peter Jausovec

How to configure rate limiter in Istio
Service Mesh

How to configure rate limiter in Istio

In this article you'll learn how rate limiting works in Envoy and how to configure a local rate limiter on the worloads inside the mesh, as well as at the edge of the mesh for the ingress and ingress gateways.

Peter Jausovec

Peter Jausovec

How to expose custom ports on Istio ingress gateway
Service Mesh

How to expose custom ports on Istio ingress gateway

This article explains how to expose custom ports on the Istio ingress and how can you use the same host name, but different port, and route the traffic to two (or more) Kubernetes services.

Peter Jausovec

Peter Jausovec

5 Tips to Be More Productive with Kubernetes
Kubernetes

5 Tips to Be More Productive with Kubernetes

I like to read and see how people set up their environments and any tools, tips, and tricks they use to be more productive when working with Kuberentes and Istio. What follows is a collection of 5 tips and tools that I use daily and I think it makes me be more productive with Kuberentes and Istio.

Peter Jausovec

Peter Jausovec

;