This document captures my notes on understanding what exactly Istio does and why I should want it in my k8s application architecture.


What is a service mesh?

  • Helps with load balancing, service-to-service authentication and monitoring.

Istio case studies and docs

Company | Case study


Security for enterprise applications:


Download Istio

# to control the version and target arch
# curl -L | ISTIO_VERSION=1.14.1 TARGET_ARCH=x86_64 sh -

curl -L | sh -

# the latest release is extracted into a versioned folder
cd istio-1.14.1

# move the istioctl client binary to folder in PATH
mv bin/istioctl /usr/local/bin/

# application samples are found in the samples folder
ls -m samples

Setup Istio on k8s cluster and deploy a sample app

# configuration profiles can be found here
istioctl install --set profile=demo -y

# add namespace label to allow Istio to inject Envoy sidecar proxies when apps are deployed:
kubectl label namespace default istio-injection=enabled

kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

kubectl get services
kubectl get pods

# verify that the app is running
kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"

# open the app to outside k8s cluster traffic
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml

# ensure no issues with config
istioctl analyze

Understanding the Istio Architecture

The Istio architecture is documented on this page:


Istio service mesh is split into two layers, the data plane and the control plane.

The data plane consists of Envoy proxies deployed as sidecars.

  • The proxies mediate and control all network communication between microservices.
  • They collect and report telemetry on all mesh traffic.

The control plane manages and configures these proxies to route traffic.


The overall architecture of an Istio-based application.

The general diagram from the Istio Architecture document.


Envoy proxies are the only Istio components that interact with data plane traffic.

These proxies are deployed as sidecars to services and augment the services with Envoy's features.

Envoy helps with:

  • Dynamic service discovery
  • Load balancing
  • TLS termination
  • HTTP/2 and gRPC proxies
  • Circuit breakers
  • Health checks
  • Staged rollouts with %-based traffic split
  • Fault injection
  • Rich metrics

The istiod process provides service discovery, configuration and certificate management.

  • Converts high level routing rules that control traffic behavior into Envoy specific configuration.
  • Propagates Envoy configuration to the sidecars at runtime.
  • Acts as a Certificate Authority and generates the certificates that enable secure mTLS communication in the data plane.
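The certificates istiod issues make mTLS possible, but the mesh does not require it until told to: by default a sidecar accepts both plaintext and mTLS (PERMISSIVE), so a workload without a sidecar can still call the services in the clear. As an added example of my own (not from the Istio docs), a PeerAuthentication that enforces mTLS for the default namespace where bookinfo was deployed above:

```yaml
# Added example: require mutual TLS for every workload in the "default"
# namespace (where bookinfo lives). Without this, the implicit PERMISSIVE
# mode lets sidecar-less clients reach productpage/ratings over plaintext.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default          # one namespace-wide policy per namespace
  namespace: default     # scope: the bookinfo namespace labelled above
spec:
  # no "selector" -> applies to all workloads in the namespace
  mtls:
    mode: STRICT         # reject non-mTLS connections at the sidecar
  # Optional per-port exception, e.g. a plaintext health endpoint
  # (constructed port number, not part of bookinfo):
  # portLevelMtls:
  #   8080:
  #     mode: PERMISSIVE
```

Placing the same resource in the istio-system namespace makes it mesh-wide; traffic that arrives through the istio-ingressgateway still works, because the gateway is itself an Envoy that speaks mTLS to the sidecars.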

DNS sidecar proxy is needed

DNS sidecar proxy support is available for preview in Istio 1.8.

This provides DNS interception for all workloads with a sidecar, allowing Istio to perform DNS lookup on behalf of the application.

