Table of Contents
- What is Istio
- Service Mesh Architecture
- Istio Components
- Installing Istio
- Sidecar Injection
- Traffic Management
- Security with mTLS
- Authorization Policies
- Namespace Isolation
- Observability
- Debugging Istio
- Production Best Practices
What is Istio
Istio is a service mesh that manages communication between microservices without modifying application code. It delivers traffic management, security, observability, and policy enforcement for Kubernetes workloads.
Service Mesh Architecture
An Istio service mesh is built from two planes:
Data Plane
The data plane is the set of Envoy proxies injected as sidecar containers into application pods. Each pod's iptables rules redirect all of its inbound and outbound traffic through the sidecar, which handles routing, mTLS encryption, telemetry, and policy enforcement without the application being aware of it.
Control Plane
Istiod is the control plane. It watches Kubernetes and Istio resources, translates them into Envoy configuration and pushes it to every sidecar over xDS, acts as the mesh certificate authority that issues and rotates workload certificates, and runs the mutating admission webhook that performs sidecar injection. Policies are distributed by istiod but enforced in the data plane by Envoy.
Core Istio Components
Istio relies on several well-defined components:
| Component | Purpose |
|---|---|
| Istiod | Control plane: configuration distribution (xDS), certificate authority, sidecar injection webhook |
| Envoy Proxy | Sidecar proxy for traffic management and telemetry |
| Kiali | Service mesh visualization and topology |
| Grafana | Metrics dashboards |
| Prometheus | Metrics collection |
| Jaeger | Distributed tracing |
Installing Istio
Install Istio with istioctl. The download script below fetches the latest release and pipes it straight into a shell; for anything beyond a lab, pin a release by prefixing `sh -` with `ISTIO_VERSION=<version>` and verify the downloaded archive rather than running an unpinned script. The `default` profile installs istiod and an ingress gateway.

```shell
curl -L https://istio.io/downloadIstio | sh -
cd istio-*
export PATH=$PWD/bin:$PATH
istioctl install --set profile=default -y
kubectl get pods -n istio-system
```

All pods in istio-system should reach Running before you continue; `istioctl verify-install` checks the installed resources against the applied profile.

Sidecar Injection
Automatic sidecar injection adds the Envoy proxy to every pod created in a labeled namespace so that its traffic flows through the mesh. Injection happens in istiod's mutating admission webhook at pod creation time, so pods that already exist when the label is added are not touched: restart their workloads (for example with `kubectl rollout restart deployment`) to get the sidecar.

```shell
kubectl label namespace default istio-injection=enabled
```

After a deployment in that namespace starts (or restarts), the pod spec contains two containers:

- the application container
- istio-proxy (Envoy), alongside an istio-init init container that installs the iptables redirection (unless the Istio CNI plugin is used)

Check with `kubectl get pod <pod> -o jsonpath='{.spec.containers[*].name}'`. A pod without istio-proxy is outside the mesh and is covered by neither mTLS nor authorization policies.
Traffic Management
Istio uses two routing resources to control how requests move through the mesh.

VirtualService
Defines how requests addressed to a host are routed: matches on path, header or method, weighted splits between subsets, retries, timeouts and fault injection.

DestinationRule
Defines what happens to traffic after it has been routed to a destination: subsets keyed on pod labels, load-balancing policy, connection pool limits, outlier detection and TLS settings.
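The DestinationRule that a subset-based VirtualService depends on, together with a weighted canary split and a header-based override, as an added example that is not part of the original page. It assumes a Service named `reviews` whose pods carry a `version: v1` or `version: v2` label; the `x-canary` header name and the labels are assumptions.

```yaml
# Added example (not from the original page). Assumes a Service "reviews"
# whose pods are labeled version: v1 or version: v2.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: default
spec:
  host: reviews
  # Subsets are selected by pod label; a VirtualService can only
  # reference subsets that are defined here.
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
  namespace: default
spec:
  hosts:
  - reviews
  http:
  # Rules are evaluated in order: the header match must come first,
  # otherwise the catch-all weighted route below would shadow it.
  - match:
    - headers:
        x-canary:        # assumed header name used by testers
          exact: "true"
    route:
    - destination:
        host: reviews
        subset: v2
  # Default: 90% of traffic to v1, 10% to the canary.
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v2
      weight: 10
```

Apply both objects with `kubectl apply -f`, then confirm the split with repeated requests from a sidecar-enabled pod; roughly one in ten should land on v2. Note that the header match lets any client opt into the canary, so treat it as a test hook, not an access control.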
The simplest VirtualService sends every request for `reviews` to one subset:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
```

The subset `v1` must be defined by a DestinationRule for the `reviews` host. A VirtualService that references an undefined subset leaves the route with no endpoints and requests fail with HTTP 503; `istioctl analyze` reports such dangling references.

Security with mTLS
Mutual TLS secures service-to-service communication: each sidecar presents a certificate issued by istiod whose SPIFFE identity (`spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>`, with `cluster.local` as the default trust domain) is derived from the pod's Kubernetes service account, both sides verify the peer's certificate, and traffic between sidecars is encrypted. That identity is also what AuthorizationPolicy matches on, so mTLS is a prerequisite for identity-based authorization.

PeerAuthentication sets the mode a workload accepts. `STRICT` rejects plaintext connections; `PERMISSIVE` (the default) accepts both, which is convenient while workloads without sidecars are being migrated, but leaves an unauthenticated path open.

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    mode: STRICT
```

Scope follows the namespace the resource is applied to: in the root namespace (`istio-system`) it becomes the mesh-wide default, in any other namespace it applies only to that namespace's workloads, and adding a `selector` narrows it to matching pods. Before switching a namespace to STRICT, confirm that every client of its services has a sidecar; clients without one are refused at connection time.

Authorization Policies
Use AuthorizationPolicy to control which workloads can talk to which inside the mesh. A policy is evaluated at the receiving sidecar; without a `selector` it applies to every workload in the namespace it is created in, and the default action is `ALLOW`.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend
spec:
  rules:
  - from:
    - source:
        namespaces: ["frontend"]
```

Two properties matter when reasoning about this policy. First, DENY policies are evaluated before ALLOW policies, and once any ALLOW policy applies to a workload, a request that matches none of its rules is rejected with `RBAC: access denied` (HTTP 403); this single policy therefore already blocks every caller outside the `frontend` namespace. Second, `source.namespaces` (like `source.principals`) is read from the peer certificate, so it only identifies callers that connect over mTLS; a plaintext caller carries no namespace and never matches.

Namespace Isolation Example
Use namespace-level policies to segment traffic between frontend and backend workloads.
- Enable sidecar injection
- Enable strict mTLS
- Apply a deny-all policy
- Allow only same-namespace communication
Together these steps enforce segmentation: with a deny-all policy in place, requests from other namespaces are rejected unless a later ALLOW policy explicitly admits them, and because the caller's namespace is taken from its mTLS certificate, the STRICT mode in step 2 is what makes that identity trustworthy.
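The four steps above as one set of manifests, added here as an example that is not part of the original page. It assumes a namespace called `backend` (the name is an assumption) and an Istio installation using the default `cluster.local` trust domain.

```yaml
# Added example (not from the original page): namespace isolation for a
# hypothetical "backend" namespace.
# Step 1: create the namespace with sidecar injection enabled.
apiVersion: v1
kind: Namespace
metadata:
  name: backend
  labels:
    istio-injection: enabled
---
# Step 2: require mTLS for every workload in the namespace. Plaintext
# clients (including pods without a sidecar) are refused.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: backend
spec:
  mtls:
    mode: STRICT
---
# Step 3: deny everything by default. An ALLOW policy with an empty spec
# matches no request, so every request to a workload in the namespace is
# rejected until another ALLOW policy admits it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: backend
spec: {}
---
# Step 4: admit only callers whose certificate identity is in the same
# namespace. source.namespaces is taken from the peer certificate, so a
# caller must speak mTLS to match.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-same-namespace
  namespace: backend
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["backend"]
```

Apply the file, restart any workloads that were already running in the namespace so they receive the sidecar, and then test from a sidecar-enabled pod in a different namespace: a `curl` to a `backend` service should return HTTP 403 with the body `RBAC: access denied`, while the same request from inside `backend` succeeds. Traffic that enters through the ingress gateway is also blocked by this policy set, because the gateway runs in `istio-system`; to admit it, add a separate ALLOW policy whose `source.principals` lists the gateway's identity (for the default profile, `cluster.local/ns/istio-system/sa/istio-ingressgateway`) and restrict it to the specific service and paths the gateway should reach.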
Observability
Install the monitoring addons shipped in the Istio release's `samples/addons` directory to visualize traffic, metrics, and traces. These sample manifests are sized for demos, not production: Prometheus has no persistent storage and Kiali's sample configuration uses the anonymous authentication strategy.

```shell
kubectl apply -f samples/addons/prometheus.yaml
kubectl apply -f samples/addons/grafana.yaml
kubectl apply -f samples/addons/kiali.yaml
```

Access Kiali locally over a port-forward rather than through a gateway. It exposes the full service topology and the mesh's security policies, so if it is ever published beyond localhost, put authentication in front of it.

```shell
kubectl port-forward svc/kiali -n istio-system 20001:20001
```

Debugging Istio
Use the Istio tooling to inspect proxy state and diagnose mesh issues. `istioctl proxy-status` shows whether each sidecar's configuration is in sync with istiod (a proxy reported as STALE has not received the latest policy); `istioctl proxy-config` dumps the clusters, listeners, routes or endpoints a given sidecar actually holds; and the istio-proxy container logs show Envoy's own view of connections, including rejected requests once access logging is enabled in the mesh config. `istioctl analyze -n <namespace>` validates the configuration itself and flags problems such as a VirtualService that references a subset no DestinationRule defines.

```shell
istioctl proxy-status
istioctl proxy-config cluster POD_NAME
kubectl logs POD_NAME -c istio-proxy
```

Production Best Practices
- Enable strict mTLS for all services
- Use AuthorizationPolicies to enforce least privilege
- Monitor with Kiali and Prometheus
- Set resource limits for Envoy sidecars
- Use canary deployments for safe rollouts
- Implement circuit breaking for reliability
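Circuit breaking and sidecar resource limits from the list above, as an added example that is not part of the original page. It assumes the `reviews` service and a `version: v1` label from earlier in this page; the image name, replica count and the threshold values are illustrative assumptions to tune for your own traffic.

```yaml
# Added example (not from the original page). Keep connection-pool and
# outlier-detection settings in the single DestinationRule for a host,
# next to its subsets: whether several DestinationRules for one host are
# merged depends on the Istio version, so one rule per host is safest.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: default
spec:
  host: reviews
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100          # per-endpoint connection cap
      http:
        http1MaxPendingRequests: 50  # queued requests before Envoy returns 503
        http2MaxRequests: 200
        maxRequestsPerConnection: 10
    outlierDetection:
      consecutive5xxErrors: 5        # eject an endpoint after 5 consecutive 5xx
      interval: 10s                  # how often ejection analysis runs
      baseEjectionTime: 30s          # ejection grows with repeated failures
      maxEjectionPercent: 50         # never eject more than half the pool
  subsets:
  - name: v1
    labels:
      version: v1
---
# Sidecar resources are set per pod through injection annotations; the
# values below are illustrative starting points, not recommendations.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: reviews-v1
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: reviews
      version: v1
  template:
    metadata:
      labels:
        app: reviews
        version: v1
      annotations:
        sidecar.istio.io/proxyCPU: "100m"
        sidecar.istio.io/proxyMemory: "128Mi"
        sidecar.istio.io/proxyCPULimit: "500m"
        sidecar.istio.io/proxyMemoryLimit: "256Mi"
    spec:
      containers:
      - name: reviews
        image: example.com/reviews:v1   # placeholder image, assumption
        ports:
        - containerPort: 9080
```

After applying, `istioctl proxy-config cluster <client-pod> --fqdn reviews.default.svc.cluster.local -o json` shows the circuit breaker thresholds Envoy actually received, and `kubectl get pod <pod> -o jsonpath='{.spec.containers[?(@.name=="istio-proxy")].resources}'` confirms the sidecar limits took effect. Ejected endpoints are a signal, not a fix: if outlier detection is tripping regularly, look at the backend's errors before raising the thresholds.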
Conclusion
Istio provides secure service-to-service communication, advanced routing, and strong observability for Kubernetes at scale. With a properly configured mesh, your cluster becomes a more resilient and secure platform for production workloads.