Что такое Istio
Istio — open-source service mesh для Kubernetes, originated Google/IBM (2017), CNCF incubation. Самый feature-rich service mesh: mTLS automatic, weighted routing, circuit breakers, observability, WASM extensions. Deploy: istioctl или Helm chart installs istiod (control plane) + injects Envoy sidecars в pods. Production users: eBay, Salesforce, Airbnb.
Ниже: подробности, пример, смежные термины, FAQ.
Подробности
- istiod: control plane (Pilot + Citadel + Galley merged)
- Envoy sidecar: data plane, injected automatically в labeled namespaces
- VirtualService: routing rules (weight, headers, retries)
- DestinationRule: subsets, load balancing policy
- AuthorizationPolicy: L7 access control
Пример
# Inject Istio в namespace
kubectl label namespace my-app istio-injection=enabled
# Canary deployment с VirtualService
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: my-app
spec:
http:
- route:
- destination: { host: my-app, subset: v1 }
weight: 80
- destination: { host: my-app, subset: v2 }
weight: 20
EOFСмежные термины
Больше по теме
Часто задаваемые вопросы
Istio vs Linkerd?
Istio: more features, Envoy-based (C++), complex config. Linkerd: Rust, lightweight, simpler UX. Для enterprise — Istio. Для < 50 services — Linkerd.
Performance overhead?
+3-7 ms latency per hop, +30-100 MB RAM per pod. Acceptable для most but measure на critical paths.
Ambient mode — что?
Istio 1.18+ introduced ambient mode — sidecar-less (ztunnel per node). Less overhead, но feature parity still WIP.