Kubernetes and Cloud Native Security Associate (KCSA)

Platform Security

Service Mesh Istio

In this guide, we'll dive into Istio, the leading open-source service mesh. You’ll learn how Istio works, explore its architecture, and review its essential components—all with practical examples and best practices.

What Is Istio?

Istio is a free, open-source service mesh that secures, connects, and observes microservices. It integrates seamlessly with Kubernetes and virtual-machine-based workloads to provide:

  • Fine-grained traffic control and routing
  • Automatic mutual TLS for service identity and encryption
  • Telemetry collection and distributed tracing
  • Policy enforcement and rate limiting

Istio is backed by industry leaders and supported by major cloud providers, making it ideal for scalable, production-grade deployments.

Istio Architecture

Istio decouples service-to-service communication concerns from application code using a two-plane architecture:

Plane          Description
Control Plane  Manages configurations, policies, and certificates via a unified binary, Istiod.
Data Plane     Consists of Envoy sidecar proxies that enforce policies, route traffic, and collect telemetry.

Control Plane: Istiod

Originally built from Pilot, Citadel, and Galley, Istio’s control plane is now a single binary: Istiod. It handles:

  • Service discovery and traffic configuration
  • Certificate issuance and rotation (mutual TLS)
  • Configuration validation and distribution

Note

Istiod simplifies management by consolidating multiple components into one. Upgrading or securing Istiod affects all control-plane functionality.

Data Plane: Envoy Sidecars

Every workload (e.g., a Kubernetes Pod) runs an Envoy sidecar proxy alongside the application container. Envoy handles:

  • Traffic routing, retries, and failover
  • Secure communication with automatic TLS
  • Metrics and logs for telemetry and monitoring

Core Istio Components

Envoy Sidecar Proxy

Envoy is a high-performance proxy that intercepts all inbound and outbound traffic for a service. Its key features (routing, retries and failover, automatic TLS, and telemetry) are summarized under "Data Plane: Envoy Sidecars" above. Sidecars are injected automatically into every Pod created in a namespace that carries the injection label:

# Example: Inject Envoy sidecars into a namespace
kubectl label namespace default istio-injection=enabled

Istio Agent

The Istio Agent runs as a sidecar alongside Envoy. It bootstraps the proxy, delivers configuration and certificates, and ensures Envoy stays up to date:

  • Retrieves X.509 certificates for mTLS
  • Streams dynamic configuration to Envoy via SDS/CDS
  • Monitors proxy health and restarts on failure

Warning

Ensure that your Istio Agent has access to the correct ServiceAccount and RBAC permissions; misconfiguration can prevent certificate delivery and break service-to-service TLS.
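The following manifests are an added example, not part of the course page: they combine the namespace injection label with Istio's PeerAuthentication resource so that the automatic mTLS described above is actually enforced rather than merely available. The namespace name "payments" and the app label "ledger" are assumptions; the example assumes Istiod is installed in the istio-system namespace.

```yaml
# Added example (not from the course page): enforce mutual TLS once sidecars are injected.
# Assumes Istiod runs in the istio-system namespace; "payments" and "ledger" are placeholders.
---
# 1. Opt the namespace in to automatic sidecar injection (same effect as the
#    kubectl label command above, expressed declaratively).
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    istio-injection: enabled
---
# 2. Mesh-wide default: a PeerAuthentication named "default" in the root
#    namespace (istio-system) applies to every workload without a more
#    specific policy. STRICT rejects plaintext connections, so a client
#    outside the mesh cannot reach a sidecar-protected service unauthenticated.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 3. Narrow exception: one workload that still receives plaintext health
#    checks on port 8080 from outside the mesh. PERMISSIVE accepts both mTLS
#    and plaintext; keep such exceptions port-scoped and temporary, because
#    they weaken the workload-identity guarantee the mesh provides.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: legacy-ledger
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: PERMISSIVE
```

Pods that existed before the namespace was labeled are not re-injected; restart them so the sidecar (and with it the STRICT policy) takes effect.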

Quick Reference Table

Component    Plane          Responsibility
Istiod       Control Plane  Configuration distribution, policy enforcement, certificate management
Envoy        Data Plane     Traffic management, telemetry collection, security enforcement
Istio Agent  Data Plane     Proxy bootstrap, configuration & certificate delivery
