Understanding K8s Native Traffic, Istio Service Mesh, and Dubbo-go Integration

DeWu community adopts cloud‑native practices: all Go services run in a Kubernetes cluster with Istio, and a Dubbo‑go refactor enables one‑click switching between classic microservices and Service Mesh.

Kubernetes native service discovery relies on CoreDNS and Etcd. Each Service of type ClusterIP receives a VIP and an A record <name>.<namespace>.svc pointing to that VIP. Pods obtain IPs stored in Etcd, and each Service has an Endpoint resource listing the pod IPs. Watching Endpoint changes provides discovery.

Native load balancing is implemented by kube‑proxy using iptables or IPVS, syncing Service and Pod IPs from Etcd. This L4 load balancer lacks support for long‑lived connections (e.g., gRPC), motivating the use of a Service Mesh.

Istio’s architecture separates data plane (Envoy sidecar) and control plane (Istiod). Istiod watches Etcd and pushes Service/Pod information to Envoy via XDS, enabling discovery.

Istio performs load balancing inside the sidecar, bypassing iptables. Envoy routes a Service name directly to the Pod IP and includes a built‑in gRPC module to handle long connections.

Traffic hijacking is achieved by an init container that runs the iptables rule istio-iptables -p 15001 -z 15006 -u 1337 -m REDIRECT -i '' -x "" -b '' -d 15090,15020 , redirecting inbound traffic to port 15006 and outbound traffic to port 15001 while excluding health‑check ports.

The Dubbo‑go migration reverts to a traditional Dubbo architecture using Nacos as the registry. Providers publish their container IPs, and consumers subscribe to obtain the IP list and perform load balancing via polling algorithms.

All three mechanisms—Kubernetes native, Istio, and Dubbo—share the same IP publish‑subscribe model.

Gateway traffic consists of an outer Java gateway handling JWT authentication and precise routing, and an inner Kubernetes Ingress (Alibaba Cloud SLB) using Istio Ingress Gateway (Envoy). A VirtualService example forwards URIs starting with /sns-event/ to the sns‑event service on HTTP port 80 and redirects port 15029 to its gRPC endpoint.

The article concludes with an invitation to follow the DeWu Tech public account for more technical insights.