Skip to content

What is Istio

Key idea:

Istio — open-source service mesh for Kubernetes, originated from Google/IBM (2017), CNCF incubation. Most feature-rich service mesh: automatic mTLS, weighted routing, circuit breakers, observability, WASM extensions. Deploy: istioctl or Helm chart installs istiod (control plane) + injects Envoy sidecars in pods. Production users: eBay, Salesforce, Airbnb.

Below: details, example, related terms, FAQ.

Check your site →

Details

  • istiod: control plane (Pilot + Citadel + Galley merged)
  • Envoy sidecar: data plane, injected automatically in labeled namespaces
  • VirtualService: routing rules (weight, headers, retries)
  • DestinationRule: subsets, load balancing policy
  • AuthorizationPolicy: L7 access control

Example

# Inject Istio into namespace
kubectl label namespace my-app istio-injection=enabled

# Canary deployment with VirtualService
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-app
spec:
  http:
  - route:
    - destination: { host: my-app, subset: v1 }
      weight: 80
    - destination: { host: my-app, subset: v2 }
      weight: 20
EOF

Related Terms

What is Istio's Architecture?

Istio's architecture is based on a control plane and a data plane, designed to manage microservices in a Kubernetes environment efficiently.

The control plane is primarily composed of istiod, which manages configuration and policy, while the data plane consists of Envoy sidecars deployed alongside your application services. This separation allows Istio to handle traffic management, security, and observability without requiring changes to the application code.

In detail:

  • Control Plane: The control plane is responsible for configuring the proxies and collecting telemetry data. Istiod manages the lifecycle of the service mesh, including service discovery, traffic management, and policy enforcement.
  • Data Plane: The data plane consists of Envoy proxies that intercept all incoming and outgoing traffic to and from the service instances. This allows Istio to enforce policies like rate limiting, circuit breaking, and mTLS.
  • Service Discovery: Istio integrates with Kubernetes to automatically discover services and their endpoints, facilitating dynamic routing and load balancing.

This architecture enables Istio to provide advanced features like traffic splitting, retries, and timeouts, making it a robust solution for managing microservices in Kubernetes.

How to Configure Traffic Management in Istio

Traffic management in Istio is achieved through various configurations that allow you to control the flow of traffic between your services. This includes routing, load balancing, and fault injection.

To configure traffic management, you can use VirtualService and DestinationRule resources. Below is an example of how to set up a simple traffic routing rule:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
  - my-service.example.com
  http:
  - route:
    - destination:
        host: my-service
        subset: v1
      weight: 80
    - destination:
        host: my-service
        subset: v2
      weight: 20

In this example, traffic to my-service.example.com is split between two versions of the service, with 80% going to version 1 and 20% to version 2. This is useful for canary deployments and A/B testing.

To define subsets, you will also need a DestinationRule like this:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: my-service
spec:
  host: my-service
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2

With these configurations, you can effectively manage traffic and implement advanced routing strategies that enhance the resilience and performance of your microservices.

How to Monitor Services with Istio

Monitoring services in Istio is crucial for gaining insights into your microservices' performance and behavior. Istio provides built-in telemetry features that can be integrated with tools like Prometheus, Grafana, and Jaeger.

To enable monitoring, you need to configure Telemetry and Tracing within Istio. Below is a step-by-step guide:

  1. Install Prometheus: Use the following command to deploy Prometheus in your cluster:
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml
  1. Enable Metrics: Ensure that your Istio configuration includes the metrics you want to collect. You can modify your istio-operator configuration to enable metrics collection.
  • Install Grafana: Deploy Grafana to visualize your metrics:
  • kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/grafana.yaml
    1. Setup Tracing with Jaeger: To visualize request traces, install Jaeger:
    kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/jaeger.yaml

    Once these tools are deployed, you can access the Grafana dashboard to visualize metrics and Jaeger for tracing requests across your services. This setup provides a comprehensive view of your service mesh, enabling you to identify performance bottlenecks, monitor error rates, and analyze latency.

    Learn more

    Frequently Asked Questions

    Istio vs Linkerd?

    Istio: more features, Envoy-based (C++), complex config. Linkerd: Rust, lightweight, simpler UX. For enterprise — Istio. For < 50 services — Linkerd.

    Performance overhead?

    +3-7 ms latency per hop, +30-100 MB RAM per pod. Acceptable for most but measure on critical paths.

    What is ambient mode?

    Istio 1.18+ introduced ambient mode — sidecar-less (ztunnel per node). Less overhead, but feature parity still WIP.

    Try the live tool that powered this guide

    Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.