
- Nov 24, 2020
- Fundamentals
Fundamentally, services meshes are implemented using so-called sidecars. The most prevalent sidecar is probably Envoy. In essence, sidecars are separate containers that proxy network communication from services. Sidecars observe, control, and often encrypt the network communication between services.
Sidecars form the data plane of service meshes. The other part of a service mesh, the control plane, manages and configures the sidecars to balance load, enforce policies, and collect stats.
Glad you asked! Unfortunately, in the context of confidential computing, that wouldn't help much. Briefly, there are two main reasons:
In particular, the second reasons requires careful design and thought. Of course there is also much more to consider like "what happens in case of failures or updates?" or "how does the user of the app know that everything is alright without jumping through 10,000 hoops?".
By now, we hope to have convinced you that confidential computing is useful, that services meshes are useful, and that we clearly need a dedicated service mesh for confidential computing --- just like Marblerun.
In the next and final episode of this series we're going to dig deeper into the requirements for a service mesh for confidential computing and give an intro to the design of Marblerun. See you soon!