Jubilation abounds as the open-source nonprofit Cloud Native Computing Foundation (CNCF) said its Project Istio — at last — graduated to being a full project under CNCF criteria.
In case you had forgotten (and we wouldn't blame you), Istio is an open-source service mesh project first started by IBM and Google in 2017 on the Envoy project from Lyft, where it remained for half a decade — much to the frustration of the open-source community.
Despite an initial and unfavored move by Google to nest the project under another open-source group, Open Usage Commons (OUC), Istio was finally donated as an incubation project to CNCF, a more befitting home as the CNCF also harbors Kubernetes — the project that Istio is often deployed on.
“The OUC does not provide much in the way of governance. It was viewed as a way to pretend like Istio was independent from Google while keeping de facto governance in the hands of Google,” Forrester Senior Analyst David Mooter told Silverlinings. “Moving Istio to the CNCF was the right move to give the open-source community confidence in Istio’s independent governance. Its CNCF graduation solidifies that.”
The announcement of Istio’s graduation marks the third and final maturity level (following the sandbox and incubating stages) indicating CNCF’s full faith in its zero-trust networking, traffic management, policy enforcement, load balancing and monitoring provisions.
Craig Box, Istio Steering Committee member and VP of open source and Community at ARMO stated in a release about the project: “The Istio project takes its place alongside the projects that enable it and upon which it is built, including Kubernetes, Envoy, Prometheus, and SPIFFE.”
Istio's security audit
Box explained to Silverlinings that Istio actually met the requirements of this maturity level at the time of its initial submission (last year), but CNCF funded a security audit which ensured Istio is well maintained and has a “strong and sustainable approach” within security.
Co-creator of Istio and CTO at Solo.io Louis Ryan also noted to Silverlinings that “a lot of coordination is required to make sure that the governance and technology of the project [are] transparent to the CNCF Technical Oversight Committee,” and the audit was an extra measure taken since “Istio is critical infrastructure for a lot of users.”
With the service mesh in the market for over six years now, Istio has already been a long-used tool for problems found in distributed systems including observability, traffic management and security, Box continued. He noted that zero trust has become a driving impetus for adoption with the industry’s increasing priority in security.
Ryan also added to that point: “Istio has proven itself to be critical for users looking to meet compliance requirements like FIPS as FedRAMP or deploy a true zero-trust architecture. Istio was the first mesh to deliver mTLS, and with Ambient Mesh we will make this even easier to do at scale.”
Box believes moving forward, what will be most noteworthy in Istio is the way these features are provisioned.
“Instead of a user having to consider deploying and managing proxy servers alongside their applications, Istio's ambient mode moves this concern to the application layer. Ambient mesh is significantly easier to adopt and maintain and represents a huge cost reduction,” he concluded.