Comparison of service meshes
Product Istio Linkerd2 Kuma Maesh Consul connect AWS App Mesh NGINX Service Mesh Open Service Mesh Traefik Mesh Network Service Mesh
1. General information
Link https://istio.io/ https://linkerd.io/2/overview/ https://kuma.io/install/latest/ https://docs.mae.sh/install/ https://www.consul.io/mesh.html https://aws.amazon.com/app-mesh/ https://nginx.com/products/nginx-service-mesh https://openservicemesh.io/ https://traefik.io/traefik-mesh/
Written in Go Go / Rust Go Go Go Go / C Go Go
Developed by Google, IBM, Lyft Buoyant Kong Containous Hashicorp Amazon NGINX Microsoft Traefik Labs
License Apache License 2.0 Apache License 2.0 Apache License 2.0 Apache License 2.0 Mozilla License Closed source Closed source / Apache License 2.0 Apache License 2.0 Apache License 2.0
Platform Kubernetes Kubernetes Agnostic Kubernetes Agnostic ECS, Fargate, EKS, EC2 Kubernetes Kubernetes, Azure AKS AKS, EKS, K3S, GKE
CNCF Maturity N/A Graduated Sandbox N/A N/A Sandbox N/A
2. Data plane
Service proxy Envoy Linkerd proxy Envoy Traefik Built-in, Envoy Envoy NGINX Plus Envoy Maesh
Automatic sidecar injection ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✖︎
Traffic mirroring ✔️ ✖︎ ✖︎ ✖︎ ✖︎ ✖︎ ✖︎
Default load balancing mechanism round-robin EWMA (Exponentially Weighted Moving Average) Round Robin Weighted Round Robin Weighted Weighted
Load balancing options round-robin, weighted, random, least requests ✖︎ Round Robin, Least Request, Ring Hash, Random, Maglev ✔️ Default ✖︎ ✖︎
Locality load balancing ✔️ ✖︎ ✔️ ✖︎ ✖︎ ✖︎ ✖︎
gRPC load balancing ✔️ ✔️ ✔️ ✖︎ ✔️ ✖︎ ✖︎
HTTP load balancing ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
TCP load balancing ✔️ ✔️ ✔️ ✔️ ✔️ ✖︎ ✖︎
HTTP request matching rules ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
L4 traffic matching rules ✔️ ✖︎ ✔️ ✔️ ✖︎ ✔️ ✔️
Rate limiting ✔️ ✖︎ ✔️ ✔️ ✖︎ ✖︎ ✖︎
Egress gateway ✔️ ✖︎ ✔️ ✔️ ✖︎ ✔️ ✖︎
Ingress gateway ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✖︎
Multi-cluster communication ✔️ ✔️ ✔️ ✔️ ✔️ In Dev ✖︎
DNS Proxying ✔️ ✖︎ ✔️ ✖︎ ✖︎ ✖︎ ✖︎
How to contribute: Leave a comment or drop us a line at [email protected]
License: Apache 2.0
Last updated: May 25, 2022
3. Supported protocols
TCP ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
UDP ✖︎ ✖︎ ✖︎ ✖︎ ✖︎ ✖︎ ✖︎ ✖︎ ✔️
HTTP/1.1 ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
HTTP/2 ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✖︎ ✖︎
gRPC ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✖︎
gRPC-web ✔️ Treated as TCP Treated as TCP Treated as TCP Treated as TCP Treated as HTTP ✖︎
Mongo ✔️ Treated as TCP Treated as TCP Treated as TCP Treated as TCP Treated as HTTP Treated as HTTP
Redis ✔️ Treated as TCP Treated as TCP Treated as TCP Treated as TCP Treated as HTTP Treated as HTTP
Kafka Treated as TCP Treated as TCP ✔️ Treated as TCP Treated as TCP Treated as HTTP Treated as HTTP
Automatic protocol detection HTTP, HTTP/2 HTTP, HTTP/2, gRPC HTTP, gRPC, Kafka, TCP ✖︎ ✖︎ ✖︎ ✖︎
Client initiated HTTP HTTP, HTTP/2 Treated as TCP HTTP, gRPC, Kafka, TCP ✖︎ ✖︎ Treated as HTTP Treated as HTTP
Find more research at: https://learnk8s.io/research
4. Monitoring
Prometheus integration ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
Dedicated dashboard ✔️ ✔️ ✔️ ✖︎ ✔️ ✔️ ✔️ ✔️ ✖︎
Grafana dashboards ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ Grafana Support
Custom metrics ✔️ ✖︎ ✖︎ ✖︎ ✖︎ In Dev ✖︎
Tracing backends Jaeger, OpenTracing, Zipkin, Lightstep Jaeger, OpenTracing Jaeger, Datadog, Zipkin Jaeger, OpenTracing, Zipkin Jaeger, OpenTracing, Zipkin Jaeger, OpenTracing, Zipkin, AWS X-Ray Jaeger, OpenTracing, Zipkin, Datadog Jaeger Jaeger
Logging Envoy access logs ✔️ ✔️ ✔️ ✔️ Fluent Bit Log Forwarding ✔️
5. Resilience
Circuit breaking ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✖︎ ✔️
Retries and timeout ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ In Dev ✔️
Retry budget ✖︎ ✔️ ✖︎ ✖︎ ✖︎ In Dev ✖︎
Timeout per retry ✔️ ✖︎ ✔️ ✖︎ ✖︎ ✖︎
Abort injection (Fault injection) ✔️ ✔️ ✔️ ✖︎ ✖︎ ✖︎ ✖︎ ✔️ ✔️
Delay injection (Fault injection) ✔️ ✖︎ ✔️ ✖︎ ✖︎ ✖︎ ✖︎ ✖︎ ✖︎
Response Bandwidth (Fault injection) ✖︎ ✖︎ ✔️ ✖︎ ✖︎ ✖︎ ✖︎
Canary Releases ✔️ ✔️ ✖︎ ✔️ ✖︎ ✔️ ✔️
Control plane HA ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✖︎
Health Checks ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✖︎
6. Security
mTLS ✔️ ✔️ ✔️ ✖︎ ✔️ ✔️ ✔️ ✔️ In Planning
mTLS permissive mode ✔️ ✔️ ✔️ ✖︎ ✔️ ✖︎ ✖︎
Built-in CA ✖︎ ✖︎ ✔️ ✔️ ✔️ (via ACM PCA) ✔️ In Planning
External CA certificate ✔️ ✔️ ✔️ ✖︎ ✔️ ✔️ ✔️ ✔️ In Planning
Authentication policies ✔️ ✖︎ ✔️ ✔️ ✖︎ ✖︎ ✖︎
Peer authentication ✔️ ✖︎ ✔️ ✖︎ ✔️ ✖︎ ✖︎
Request authentication ✔️ ✖︎ ✔️ ✖︎ ✖︎ ✖︎ ✖︎
Workload to workload authorization ✔️ ✔️ ✔️ ✔️ ✖︎ ✖︎ ✖︎
End-user to workload authorization ✔️ ✖︎ ✔️ ✖︎ ✖︎ ✖︎ ✖︎
Multi-tenancy ✔️ ✖︎ ✔️ ✖︎ ✔️ ✖︎ ✖︎
7. Service Mesh Interface
Access control/Traffic Access ✔️ ✖︎ ✖︎ ✔️ ✔️ ✖︎ ✔️ ✔️ ✔️
Traffic split ✔️ ✔️ ✔️ ✔️ ✖︎ ✖︎ ✔️ ✔️ ✔️
Traffic specs ✔️ ✖︎ ✖︎ ✔️ ✖︎ ✖︎ ✔️ ✔️ ✔️
Metrics ✔️ ✔️ ✔️ ✖︎ ✖︎ ✖︎ ✔️ ✔️ ✖︎
Diagnostic tool Istioctl ✖︎ ✔️ ✖︎ ✖︎ osm-health ✖︎
8. Extensibility
Multi-cluster federation ✔️ ✔️ ✔️ In-dev ✖︎
Cross-cluster deployment ✔️ ✔️ ✔️ ✖︎ ✔️ ✔️ ✔️ ✖︎ ✖︎
Proxy extension WASM API ✖︎ ✔️ ✖︎ ✖︎ In-dev ✖︎