Istio security features typically appeal to IT pros who’ve already adopted Kubernetes container orchestration, but a desire for service mesh security pushed one online retail enterprise to adopt containers as a secondary strategy.
Auto Trader UK, the firm that runs the U.K.’s largest online automotive marketplace, was already a mature DevOps and virtualization shop in early 2018 when a potential customer’s request for proposal called for data encryption at rest and in flight. Auto Trader developers deployed application updates multiple times per day to a virtualized private cloud that ran on VMware’s vSphere hypervisor and CloudStack infrastructure automation.
Auto Trader engineers spent months trying to build their own sidecar proxy, backed by MongoDB for service discovery, but automated end-to-end encryption of service-to-service traffic proved too tough a nut for the company to crack on its own.
“It had taken us months trying to do it using our on-premises virtualization technologies,” said Russell Warman, head of infrastructure and operations at Auto Trader. “One of my colleagues suggested that we could do it quicker using GKE and Istio, and within two weeks he managed to prove that out.”
Istio security prompts container migration
Auto Trader now has 163 applications in production on GKE and plans to migrate its main website to the cloud infrastructure in the first half of 2019. Auto Trader also considered Amazon’s Kubernetes service, but preferred Google because it created Kubernetes and co-created Istio, and because GKE and Istio were available in European regions close to Auto Trader’s headquarters at the time.
“Containers were almost a byproduct of using Istio,” Warman said. “But using them together has given us a load more benefits than if we’d just gone to containers — we wouldn’t have gotten the mutual TLS and end-to-end encryption, [and] we wouldn’t have gotten the visibility and service discovery Istio gives us.”
Istio security features such as mutual TLS (Transport Layer Security) between service sidecars, with encryption policy that can be set per namespace or per workload, have been much easier to set up and operate on GKE than the company's early attempts with VM-based technology.
“Encryption can be done transparently by Istio, so applications are completely unaware and require no changes to implement it,” Warman said. “[GKE has also] improved our security posture because when we deploy, we check it against the OWASP Top 10 vulnerabilities, and using security groups to make sure applications can access only the things they need.”
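The two properties Warman describes, transparent mutual TLS and applications being able to reach only what they need, map onto two Istio policy objects. What follows is an added example written for this page; it is not Auto Trader's configuration, and the namespace (shop), service accounts (web, catalog), labels and paths are assumed for illustration. It uses the security.istio.io API group that Istio introduced after the period the article covers (Istio in 2018 expressed the same intent through MeshPolicy and RBAC objects), and it assumes the access restriction is expressed in Istio's own authorization policy rather than in network-level firewall rules.

```yaml
# Added example, not Auto Trader's configuration. The namespace "shop", the
# service accounts "web" and "catalog", the app labels and the API paths are
# all assumed for illustration.

# 1. Mesh-wide default: require mutual TLS for every sidecar-to-sidecar call.
#    A PeerAuthentication named "default" in the root namespace (istio-system
#    unless meshConfig.rootNamespace says otherwise) applies to the whole mesh.
#    Leaving this out keeps Istio's default PERMISSIVE mode, which still
#    accepts plaintext from clients that do not present a certificate, so
#    "encryption in flight" is not actually enforced until the mode is STRICT.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 2. Least privilege for one workload. An ALLOW policy with a selector means
#    the catalog pods accept only requests matching a rule; everything else is
#    denied by the sidecar before it reaches the application. The "principals"
#    field is the SPIFFE identity from the client's mTLS certificate, which is
#    why step 1 is a prerequisite: without STRICT mTLS an unauthenticated
#    client simply has no principal to match and the check is meaningless.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: catalog-allow-web
  namespace: shop
spec:
  selector:
    matchLabels:
      app: catalog          # assumed label on the catalog deployment's pods
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/web"]   # only the web front end
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/vehicles/*"]                     # assumed read-only API
```

Apply both with kubectl apply -f and then check the enforcement rather than trusting the manifest: a curl from a pod in the shop namespace that has no sidecar should have its connection reset by the catalog sidecar (plaintext rejected under STRICT), and a curl from a pod running under a service account other than web, even with a sidecar, should get an HTTP 403 from the sidecar's RBAC filter. Neither request ever reaches the catalog application, which is what lets the application code stay unaware of the policy, as the quote above describes.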
Istio visibility outweighs ops learning curve
Containers enable Auto Trader to provision infrastructure more efficiently, and its DevOps team to increase the number of daily deployments, Warman said. In 2011, at the start of Auto Trader’s shift to DevOps, it deployed 900 times in the course of a year; in 2015, with the on-premises infrastructure, 2,487 times; and in 2018, it made 11,031 deployments.
“With containers and Istio, we can deploy smaller changes more frequently, which reduces business risk and means our success rate with deployments is better,” Warman said.
GKE, Kubernetes and Istio security took some getting used to for the company's operations staff. A pair of ops experts received in-depth training in 2018 and then trained their colleagues, but Auto Trader ran into issues configuring clusters for upgrades, and struggled to provision enough spare capacity for the rolling node replacement that a Kubernetes upgrade requires.
Still, these bumps in the road pale in comparison to the months of attempts to stand up service mesh-based encryption on premises, Warman said. The move to GKE has also eased IT infrastructure monitoring for ops teams because of Istio’s granular telemetry features and data collection through Prometheus.
“Our product teams really love that they only have to put in a couple of labels and they get really great visibility into what their application is doing,” he said.