Discovering Istio

Objectives

After completing this lesson, you will be able to:
  • Define the Istio solution
  • Explain how Istio works
  • Discover how SAP BTP, Kyma runtime uses Istio

Introduction to Istio Service Mesh

You want to explore the possibilities of Istio. You have heard that Istio comes in handy for tasks like traffic management, service discovery, and security. Furthermore, you want to get a better understanding of these tasks and how Istio can help you solve them.

What is Istio?

Istio is an open-source service mesh solution that extends Kubernetes. Using Istio, you benefit from a more efficient way to secure, connect, and monitor your services.

An Istio service mesh can also span multiple clusters, virtual machines, and other components not running Kubernetes.

Diagram of Istio architecture showing two Pods, each with a Container and an Envoy Proxy (Sidecar). The Istio Control Plane manages traffic between the Pods.

Since Istio follows the service mesh paradigm, it comes with a control plane and a data plane. The Istio control plane does not touch any network packets or requests. Instead, it configures the data plane to do the work. The data plane is a set of intelligent proxies that intercept and control all network communication between microservices. The data plane enforces policies, collects telemetry, and routes requests.

How Does Istio Work?

As introduced above, Istio comprises a control plane and a data plane. The data plane is a set of proxies, which intercept and control the network communication in your service mesh.

In the Istio service mesh, several proxies are used to gate traffic into your cluster (ingress), between services (service proxy), and out of your cluster (egress). The service proxies are typically deployed as sidecar containers next to each service. Together, they are bundled into a single Pod. Service-to-Service communication is technically proxy-to-proxy communication.

Istio uses an ingress gateway for gating traffic into your cluster. The ingress gateway is a dedicated proxy that is deployed in the istio-system namespace.

For gating traffic out of your service mesh, you can either do it directly from the sidecar proxy or use an egress gateway. The egress gateway can also be used to apply policies to the traffic leaving your service mesh. Istio uses the Envoy proxy as a service proxy.

One crucial point is that Istio installs its API in Kubernetes as CRDs (Custom Resource Definitions). You can use Kubernetes native tools like kubectl to manage Istio resources.
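Because policies are enforced by the sidecar proxies, a Pod that runs without one sits outside the data plane. The following check is an added example, not part of the original lesson: it reads the JSON produced by kubectl get pods -A -o json and lists Pods that have no Envoy sidecar. It assumes Istio's default sidecar container name istio-proxy, the namespaces to skip are an assumption, and the sample input is constructed.

```python
import json

SIDECAR_NAME = "istio-proxy"  # Istio's default sidecar container name (assumed not renamed)
# Assumption: gateways/control plane and system Pods are not expected to carry a sidecar.
SKIP_NAMESPACES = {"istio-system", "kube-system"}

# Constructed sample shaped like `kubectl get pods -A -o json` output.
SAMPLE = json.dumps({
    "items": [
        {"metadata": {"namespace": "shop", "name": "orders-7d9f"},
         "spec": {"containers": [{"name": "orders"}, {"name": "istio-proxy"}]}},
        {"metadata": {"namespace": "shop", "name": "legacy-batch-x1"},
         "spec": {"containers": [{"name": "batch"}]}},
        {"metadata": {"namespace": "shop", "name": "cart-55c"},
         "spec": {"initContainers": [{"name": "istio-proxy", "restartPolicy": "Always"}],
                  "containers": [{"name": "cart"}]}},
        {"metadata": {"namespace": "istio-system", "name": "istio-ingressgateway-abc"},
         "spec": {"containers": [{"name": "istio-proxy"}]}},
    ]
})


def has_sidecar(pod):
    """True if the Pod runs the Envoy proxy as a sidecar or a native sidecar."""
    spec = pod.get("spec", {})
    if any(c.get("name") == SIDECAR_NAME for c in spec.get("containers") or []):
        return True
    # Native sidecars are init containers with restartPolicy: Always.
    return any(c.get("name") == SIDECAR_NAME and c.get("restartPolicy") == "Always"
               for c in spec.get("initContainers") or [])


def pods_outside_mesh(pod_list_json):
    """Return sorted 'namespace/name' entries for Pods with no sidecar proxy."""
    missing = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        ns = meta.get("namespace", "default")
        if ns in SKIP_NAMESPACES:
            continue
        if not has_sidecar(pod):
            missing.append(f"{ns}/{meta.get('name', '?')}")
    return sorted(missing)


if __name__ == "__main__":
    for ref in pods_outside_mesh(SAMPLE):
        print("no sidecar:", ref)
```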

Istio as Part of the Istio Module

In SAP BTP, Kyma runtime, Istio is installed by the Istio module. Besides using Istio to secure, connect, and monitor your services, you also get Kyma's high-level abstractions for Istio. For instance, when you expose your workloads using APIRules provided by the API Gateway module, Istio resources such as VirtualService, AuthorizationPolicy, or RequestAuthentication are automatically created in the background.

Istio's components are installed in the istio-system namespace.

Summary

In this lesson, you discovered what Istio is and how it works. You also learned how Istio is integrated into the Kyma project. In the next lesson, you will discover Istio's components, which you can use for your service mesh.
