Istio Key points — part 1

Istio is an open-source service mesh that manages network traffic in Kubernetes and enhances the cluster’s capabilities by adding observability and security features.
Before we dive deeper into Istio, let’s review how Kubernetes and Istio handle networking both within and outside the cluster.
Typically, a Kubernetes Service acts as a simple load balancer and endpoint for a group of pods, which addresses the issue of a pod’s changing IP address. The Service has an immutable IP address and hostname. Each node in the cluster runs a kube-proxy process that maintains network rules and forwards traffic to the Service’s virtual IP address. Meanwhile, the Ingress controls traffic in and out of the cluster.

The Istio architecture consists of two planes: the control plane and the data plane. The data plane is the layer where the proxies communicate with one another. It is made up of services running alongside sidecar proxies. Istio injects a sidecar proxy into every pod in the namespace.
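
A check that follows from the sidecar model described above, as an added example that is not part of the original post: it classifies pods from `kubectl get pods -o json` output by whether the `istio-proxy` sidecar is present, since a pod without the proxy is not part of the data plane. The pod names and the `shop` namespace are constructed sample data, and the function names are hypothetical.

```python
import json

# Constructed sample: trimmed output of `kubectl get pods -n shop -o json`.
SAMPLE_POD_LIST = json.loads("""
{"items": [
 {"metadata": {"name": "cart-7d9f", "namespace": "shop"},
  "spec": {"containers": [{"name": "cart"}, {"name": "istio-proxy"}]}},
 {"metadata": {"name": "pay-5c2a", "namespace": "shop"},
  "spec": {"initContainers": [{"name": "istio-proxy", "restartPolicy": "Always"}],
           "containers": [{"name": "pay"}]}},
 {"metadata": {"name": "batch-1b3e", "namespace": "shop",
               "annotations": {"sidecar.istio.io/inject": "false"}},
  "spec": {"containers": [{"name": "batch"}]}},
 {"metadata": {"name": "legacy-9a10", "namespace": "shop"},
  "spec": {"containers": [{"name": "legacy"}]}}
]}
""")

PROXY = "istio-proxy"  # name Istio gives the injected sidecar container


def sidecar_status(pod):
    """Classify one pod: 'sidecar', 'native-sidecar', 'opted-out' or 'missing'."""
    spec = pod.get("spec") or {}
    meta = pod.get("metadata") or {}
    if any(c.get("name") == PROXY for c in spec.get("containers") or []):
        return "sidecar"
    # Native sidecar mode: the proxy is an init container with restartPolicy Always.
    for c in spec.get("initContainers") or []:
        if c.get("name") == PROXY and c.get("restartPolicy") == "Always":
            return "native-sidecar"
    # Injection can be switched off per pod through an annotation or a label.
    flags = {**(meta.get("annotations") or {}), **(meta.get("labels") or {})}
    if flags.get("sidecar.istio.io/inject") == "false":
        return "opted-out"
    return "missing"


def audit(pod_list):
    """Return {status: [pod names]} for every pod in a kubectl pod list."""
    report = {}
    for pod in pod_list.get("items") or []:
        report.setdefault(sidecar_status(pod), []).append(pod["metadata"]["name"])
    return report


if __name__ == "__main__":
    for status, names in sorted(audit(SAMPLE_POD_LIST).items()):
        print(f"{status:15} {', '.join(names)}")
```

Pods reported as `missing` are typically ones created before injection was enabled for the namespace; they pick up the proxy only when they are recreated.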

The control plane dynamically updates sidecars as the rules or environment change. Initially, the control plane consisted of Citadel, Galley, and Pilot running as individual services, but these services have been combined into one service called Istiod.
Citadel — for certificate generation
Pilot — for service discovery
Galley — for validating configuration files
Here is a link to Istio Architecture documentation.