Discovering Istio

After completing this lesson, you will be able to:

  • Define the Istio solution
  • Explain how Istio works
  • Describe how the project Kyma uses Istio

Introduction to Istio Service Mesh

You want to explore the possibilities of Istio. You have heard that Istio comes in handy for tasks like traffic management, service discovery, and security. Furthermore, you want to get a better understanding of these tasks and how Istio can help you solve them.

What is Istio?

Istio is an open-source service mesh solution that extends Kubernetes. Using Istio, you benefit from a more efficient way to secure, connect, and monitor your services.

An Istio service mesh can also span multiple clusters, virtual machines, and other components not running Kubernetes.

Since Istio follows the service mesh paradigm, it comes with a control plane and a data plane. The Istio control plane does not touch any network packets or requests. Instead, it configures the data plane to do the work. The data plane is a set of intelligent proxies that intercept and control all network communication between microservices. The data plane enforces policies, collects telemetry, and routes requests.

How Does Istio Work?

As introduced above, Istio comprises a control plane and a data plane. The data plane is a set of proxies. These proxies intercept and control the network communication in your mesh.

In an Istio service mesh, several proxies are used to gate traffic into your cluster (ingress), between services (service proxy), and out of your cluster (egress). The service proxies are typically deployed as sidecar containers next to each service. Together, they are bundled into a single pod. Service-to-Service communication is technically proxy-to-proxy communication.

Istio uses an ingress gateway for gating traffic into your cluster. The ingress gateway is a dedicated proxy that is deployed in the istio-system namespace.

For gating traffic out of your service mesh, you can either do it directly from the sidecar proxy or use an egress gateway. The egress gateway can also be used to apply policies to the traffic leaving your service mesh. Istio uses the Envoy proxy as a service proxy.

One crucial point is that Istio installs its API in Kubernetes as CRDs (Custom Resource Definitions). You can use Kubernetes native tools like kubectl to manage Istio resources.
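
Because the data plane is the set of sidecar proxies, a pod that lacks the proxy container sits outside the mesh, and the policies and telemetry described above do not apply to it. The following Python script is an added example, not part of the original lesson: it checks pod specs in the shape returned by kubectl get pods -A -o json for the istio-proxy container. The sample pod list is constructed, and the exempt-namespace list is an assumption.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster output).
SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"namespace": "shop", "name": "cart-7d9f"},
   "spec": {"containers": [{"name": "cart"}, {"name": "istio-proxy"}]}},
  {"metadata": {"namespace": "shop", "name": "payments-5c2a"},
   "spec": {"containers": [{"name": "payments"}]}},
  {"metadata": {"namespace": "shop", "name": "search-91bb"},
   "spec": {"initContainers": [{"name": "istio-proxy", "restartPolicy": "Always"}],
            "containers": [{"name": "search"}]}},
  {"metadata": {"namespace": "istio-system", "name": "istio-ingressgateway-6f4d"},
   "spec": {"containers": [{"name": "istio-proxy"}]}},
  {"metadata": {"namespace": "kube-system", "name": "coredns-abc12"},
   "spec": {"containers": [{"name": "coredns"}]}}
]}
""")

PROXY = "istio-proxy"  # container name used by Istio's sidecar injector
# Assumption: namespaces that are not expected to carry sidecars.
EXEMPT_NAMESPACES = {"kube-system", "istio-system"}


def has_sidecar(pod):
    """True if the pod carries the Envoy sidecar, classic or native style."""
    spec = pod.get("spec", {})
    if any(c.get("name") == PROXY for c in spec.get("containers", [])):
        return True
    # Native sidecars run as an init container with restartPolicy: Always.
    return any(c.get("name") == PROXY and c.get("restartPolicy") == "Always"
               for c in spec.get("initContainers", []))


def pods_outside_mesh(pod_list, exempt=EXEMPT_NAMESPACES):
    """Return sorted 'namespace/name' for non-exempt pods without the proxy."""
    missing = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        if meta.get("namespace") in exempt:
            continue
        if not has_sidecar(pod):
            missing.append(f"{meta.get('namespace')}/{meta.get('name')}")
    return sorted(missing)


if __name__ == "__main__":
    for ref in pods_outside_mesh(SAMPLE_PODS):
        print("no sidecar:", ref)
```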

Istio Integration into the Kyma Project

Istio is deeply integrated into project "Kyma". Not only can Istio be used to secure, connect and monitor your services, but "Kyma" also comes with high-level abstractions for Istio. For example, you can use the APIRule custom resource to expose your services to the outside world. The APIRule custom resource is a high-level abstraction translated into Istio components (VirtualService). Also, the API Gateway (kyma-gateway) configures the Istio ingress gateway.

Istio's components are installed in the istio-system namespace.


In this lesson, you discovered what Istio is and how it works. You also learned how Istio is integrated into project "Kyma". In the next lesson, you will discover Istio's components, which you can use for your service mesh.
