At Mercari, we started to implement Istio a year ago in our microservices environment with 100+ services. By adding few features one step at a time, we could manage to make it work for only several services. Few months ago, lifting Istio up to the next step has required a lot of work on processes and guardrails to prevent users from being left in the wild and potentially harming themselves and others while simplifying the service mesh maintenance.
This talk will focus on explaining what we achieved to make our path towards a safe multi-tenant service mesh a reality, more specifically:
- How to migrate the Istio maintenance from plain manifests-based to istioctl-based
- Create continuous pseudo-acceptance tests to validate Istio after changes
- Explain the rules we are using to protect users and Istio using Gatekeeper and GitOps
- Show what are the limitations for Istio at scale we found out and the way to mitigate them