Accelerate Istio network performance

Big picture

Use Calico to accelerate network performance for traffic that is routed through the Istio Envoy sidecar.

Caution

This feature is experimental and should not be used in production clusters. It uses a recent Linux kernel feature (eBPF SOCKMAP), which our testing confirms requires upstream kernel enhancements to reliably and securely support production clusters. We are contributing fixes to the kernel where needed.

Value

Istio directs all application network traffic through an Envoy sidecar in each pod, which introduces network overhead for all traffic. Calico can greatly reduce this network overhead by automatically optimizing the Linux network path for this traffic.

Concepts

Sidecar acceleration

The sidecar acceleration process bypasses several layers of kernel networking, allowing data to flow between the sockets unobstructed. This makes the network path between the Envoy proxy (sidecar) and the container as fast and efficient as possible.

Before you begin…

Sidecar acceleration: experimental technology

The sidecar app acceleration feature is disabled by default in Calico because the technology is currently not production ready. Use only in test environments until the technology is hardened for production security.

How to

To enable sidecar acceleration for Istio-enabled apps using Calico:

Using kubectl:

  kubectl patch felixconfiguration default --type merge --patch '{"spec":{"sidecarAccelerationEnabled": true}}'

You should see output like the following:

  felixconfiguration.projectcalico.org/default patched

Using calicoctl:

  calicoctl patch felixconfiguration default --patch '{"spec":{"sidecarAccelerationEnabled": true}}'

You should see output like the following:

  Successfully patched 1 'FelixConfiguration' resource

That’s it! Network traffic that is routed between apps and the Envoy sidecar is automatically accelerated at this point. Note that if you have an existing Istio/Calico implementation and you enable sidecar acceleration, existing connections do not benefit from acceleration.
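Because the feature is experimental and not meant for production clusters, it helps to be able to check whether it has been switched on. The script below is an added example, not part of the Calico documentation: it lists `sidecarAccelerationEnabled` for every FelixConfiguration resource (going beyond the `default` resource patched above to also cover per-node `node.<nodename>` resources) and fails if any of them sets it to true. The function names and the sample node names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the Calico docs): audit for the experimental flag.

# Print "<name><TAB><sidecarAccelerationEnabled>" for every FelixConfiguration.
# An unset field prints as an empty value. Requires cluster access.
list_felix_accel() {
    kubectl get felixconfiguration -o \
        jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.sidecarAccelerationEnabled}{"\n"}{end}'
}

# Constructed sample of that output: "default" has the flag on, one per-node
# resource leaves it unset, another sets it to false. Node names are made up.
constructed_sample() {
    printf 'default\ttrue\n'
    printf 'node.worker-1\t\n'
    printf 'node.worker-2\tfalse\n'
}

# Read "<name><TAB><value>" lines on stdin; print names whose value is true.
accel_enabled_configs() {
    awk -F '\t' '$2 == "true" { print $1 }'
}

# Read the same lines on stdin; return 1 (and report on stderr) if any
# resource enables sidecar acceleration, 0 otherwise.
audit_sidecar_accel() {
    enabled=$(accel_enabled_configs)
    if [ -n "$enabled" ]; then
        printf 'sidecarAccelerationEnabled=true in:\n%s\n' "$enabled" >&2
        return 1
    fi
    return 0
}

# Offline demo on the constructed sample; prints: default
constructed_sample | accel_enabled_configs

# Against a cluster:  list_felix_accel | audit_sidecar_accel
# To turn the flag back off, reuse the page's patch command with false:
#   kubectl patch felixconfiguration default --type merge \
#     --patch '{"spec":{"sidecarAccelerationEnabled": false}}'
```

The non-zero exit status makes the audit usable as a gate in a CI job or a scheduled cluster check.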