What is Istio
Istio — open-source service mesh for Kubernetes, originated from Google/IBM (2017), CNCF incubation. Most feature-rich service mesh: automatic mTLS, weighted routing, circuit breakers, observability, WASM extensions. Deploy: istioctl or Helm chart installs istiod (control plane) + injects Envoy sidecars in pods. Production users: eBay, Salesforce, Airbnb.
Below: details, example, related terms, FAQ.
Details
- istiod: control plane (Pilot + Citadel + Galley merged)
- Envoy sidecar: data plane, injected automatically in labeled namespaces
- VirtualService: routing rules (weight, headers, retries)
- DestinationRule: subsets, load balancing policy
- AuthorizationPolicy: L7 access control
Example
# Inject Istio into namespace
kubectl label namespace my-app istio-injection=enabled
# Canary deployment with VirtualService
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: my-app
spec:
http:
- route:
- destination: { host: my-app, subset: v1 }
weight: 80
- destination: { host: my-app, subset: v2 }
weight: 20
EOFRelated Terms
Learn more
Frequently Asked Questions
Istio vs Linkerd?
Istio: more features, Envoy-based (C++), complex config. Linkerd: Rust, lightweight, simpler UX. For enterprise — Istio. For < 50 services — Linkerd.
Performance overhead?
+3-7 ms latency per hop, +30-100 MB RAM per pod. Acceptable for most but measure on critical paths.
What is ambient mode?
Istio 1.18+ introduced ambient mode — sidecar-less (ztunnel per node). Less overhead, but feature parity still WIP.