Discovering Istio

You want to explore the possibilities of Istio. You have heard that Istio comes in handy for tasks like traffic management, service discovery, and security. Furthermore, you want to get a better understanding of these tasks and how Istio can help you solve them.

Istio is an open-source service mesh solution that extends Kubernetes. Using Istio, you benefit from a more efficient way to secure, connect, and monitor your services.

An Istio service mesh can also span multiple clusters, virtual machines, and other components not running Kubernetes.

Since Istio follows the service mesh paradigm, it comes with acontrol plane and a data plane. The Istio control plane does not touch any network packets or requests. Instead, it configures the data plane to do the work. The data plane is a set of intelligent proxies that intercept and control all network communication between microservices. The data plane enforces policies, and collects telemetry and routing requests.

As introduced above, Istio comprises a control plane and a data plane. The data plane is a set of proxies. These proxies intercept and control the network communication in your mesh.

In an Istio service mesh, several proxies are used to gate traffic into your cluster (ingress), between services (service proxy), and out of your cluster (egress). The service proxies are typically deployed as sidecar containers next to each service. Together, they are bundled into a single pod. Service-to-Service communication is technically proxy-to-proxy communication.

Istio uses an ingress gateway for gating traffic into your cluster. The ingress gateway is a dedicated proxy that is deployed in the istio-system namespace.

For gating traffic out of your service mesh, you can either do it directly from the sidecar proxy or use an egress gateway. The egress gateway can also be used to apply policies to the traffic leaving your service mesh. Istio uses the Envoy proxy as a service proxy.

One crucial point is that Istio installs its API in Kubernetes as CRDs (Custom Resource Definitions). You can use Kubernetes native tools like kubectl to manage Istio resources.

Istio is deeply integrated into project "Kyma". Not only can Istio be used to secure, connect and monitor your services, but "Kyma" also comes with high-level abstractions for Istio. For example, you can use the APIRule custom resource to expose your services to the outside world. The APIRule custom resource is a high-level abstraction translated into Istio components (VirtualService). Also, the API Gateway (kyma-gateway) configures the Istio ingress gateway.

Istio's components are installed in the istio-system namespace.