Kubernetes and Cloud Native Security Associate (KCSA)
Platform Security
Service Mesh Istio
In this guide, we'll dive into Istio, the leading open-source service mesh. You’ll learn how Istio works, explore its architecture, and review its essential components—all with practical examples and best practices.
What Is Istio?
Istio is a free, open-source service mesh that secures, connects, and observes microservices. It integrates seamlessly with Kubernetes and virtual machine-based workloads to provide:
- Fine-grained traffic control and routing
- Automatic mutual TLS for service identity and encryption
- Telemetry collection and distributed tracing
- Policy enforcement and rate limiting
Istio is backed by industry leaders and supported by major cloud providers, making it ideal for scalable, production-grade deployments.
Istio Architecture
Istio decouples service-to-service communication concerns from application code using a two-plane architecture:
| Plane | Description |
|---|---|
| Control Plane | Manages configurations, policies, and certificates via a unified binary, Istiod. |
| Data Plane | Consists of Envoy sidecar proxies that enforce policies, route traffic, and collect telemetry. |
Control Plane: Istiod
Originally built from Pilot, Citadel, and Galley, Istio’s control plane is now a single binary: Istiod. It handles:
- Service discovery and traffic configuration
- Certificate issuance and rotation (mutual TLS)
- Configuration validation and distribution
Note
Istiod simplifies management by consolidating multiple components into one. Upgrading or securing Istiod affects all control-plane functionality.
Data Plane: Envoy Sidecars
Every workload (e.g., a Kubernetes Pod) runs an Envoy sidecar proxy alongside the application container. Envoy handles:
- Traffic routing, retries, and failover
- Secure communication with automatic TLS
- Metrics and logs for telemetry and monitoring
Core Istio Components
Envoy Sidecar Proxy
Envoy is a high-performance proxy that intercepts all inbound and outbound service traffic; its routing, TLS, and telemetry features are listed under Data Plane above. Istio injects the sidecar automatically into every new Pod created in a namespace that is labelled for injection:

```shell
# Example: Inject Envoy sidecars into a namespace
kubectl label namespace default istio-injection=enabled
```
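Labelling the namespace does not by itself put every workload inside the mesh: injection happens at Pod admission, so Pods created before the label was set, or Pods that opt out, keep running without Envoy and therefore without mTLS or policy enforcement. The following Python audit is an added example and not code from the course page or from the Istio project. It assumes the objects are shaped like `kubectl get namespaces -o json` / `kubectl get pods -o json` output, uses the `istio-injection` label from the command above, the `sidecar.istio.io/inject` opt-out annotation, and the `istio-proxy` container name that Istio injects; the namespaces and Pods below are constructed sample data.

```python
"""Sidecar-coverage audit: which Pods are actually inside the mesh?

Added example, not code from the course page. Automatic injection adds the
Envoy sidecar only at Pod creation, so a Pod that existed before the namespace
was labelled, or one opted out with sidecar.istio.io/inject: "false", runs
with no istio-proxy container and bypasses mTLS and policy. The objects below
follow the shape of `kubectl get ... -o json`; the sample namespaces and Pods
are constructed for the example.
"""

INJECTION_LABEL = "istio-injection"            # namespace label from the command above
INJECT_ANNOTATION = "sidecar.istio.io/inject"  # per-Pod opt-out annotation
SIDECAR_CONTAINER = "istio-proxy"              # container name Istio injects


def namespace_injects(namespace: dict) -> bool:
    """True when the namespace is labelled istio-injection=enabled."""
    labels = namespace.get("metadata", {}).get("labels", {})
    return labels.get(INJECTION_LABEL) == "enabled"


def pod_opted_out(pod: dict) -> bool:
    """True when the Pod carries sidecar.istio.io/inject: "false"."""
    annotations = pod.get("metadata", {}).get("annotations", {})
    return str(annotations.get(INJECT_ANNOTATION, "")).lower() == "false"


def has_sidecar(pod: dict) -> bool:
    """True when an istio-proxy container is present in the Pod spec."""
    containers = pod.get("spec", {}).get("containers", [])
    return any(c.get("name") == SIDECAR_CONTAINER for c in containers)


def audit_pods(namespaces: list, pods: list) -> list:
    """Return (namespace, pod, reason) for every Pod running without a sidecar."""
    ns_by_name = {ns["metadata"]["name"]: ns for ns in namespaces}
    findings = []
    for pod in pods:
        ns_name = pod["metadata"]["namespace"]
        pod_name = pod["metadata"]["name"]
        if has_sidecar(pod):
            continue  # inside the mesh, nothing to report
        if not namespace_injects(ns_by_name.get(ns_name, {})):
            reason = "namespace not labelled istio-injection=enabled"
        elif pod_opted_out(pod):
            reason = "Pod opted out via sidecar.istio.io/inject=false"
        else:
            # Injection runs at admission: a Pod created before the label was
            # set keeps running without Envoy until it is recreated.
            reason = "injection enabled but istio-proxy missing; recreate the Pod"
        findings.append((ns_name, pod_name, reason))
    return findings


# Constructed sample objects (trimmed to the fields the audit reads).
SAMPLE_NAMESPACES = [
    {"metadata": {"name": "default", "labels": {INJECTION_LABEL: "enabled"}}},
    {"metadata": {"name": "legacy", "labels": {}}},
]

SAMPLE_PODS = [
    {"metadata": {"name": "web", "namespace": "default"},
     "spec": {"containers": [{"name": "web"}, {"name": SIDECAR_CONTAINER}]}},
    {"metadata": {"name": "old-worker", "namespace": "default"},
     "spec": {"containers": [{"name": "worker"}]}},
    {"metadata": {"name": "batch", "namespace": "default",
                  "annotations": {INJECT_ANNOTATION: "false"}},
     "spec": {"containers": [{"name": "batch"}]}},
    {"metadata": {"name": "db", "namespace": "legacy"},
     "spec": {"containers": [{"name": "db"}]}},
]

if __name__ == "__main__":
    for ns, pod, reason in audit_pods(SAMPLE_NAMESPACES, SAMPLE_PODS):
        print(f"{ns}/{pod}: {reason}")
```

Run against a live cluster by feeding the `items` arrays of the two `kubectl get ... -o json` calls into `audit_pods`; the third reason is the one that catches the common "labelled the namespace but never restarted the Deployments" case.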
Istio Agent
The Istio Agent runs as a sidecar alongside Envoy. It bootstraps the proxy, delivers configuration and certificates, and ensures Envoy stays up to date:
- Retrieves X.509 certificates for mTLS
- Streams dynamic configuration to Envoy via SDS/CDS
- Monitors proxy health and restarts on failure
Warning
Ensure that your Istio Agent has access to the correct ServiceAccount and RBAC permissions; misconfiguration can prevent certificate delivery and break service-to-service TLS.
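Certificate delivery is only half of the mTLS story: even when every sidecar holds a valid certificate, the mode Istio enforces is decided by PeerAuthentication resources (`security.istio.io/v1beta1`), and a leftover PERMISSIVE or DISABLE policy still lets plaintext through. The Python audit below is an added example, not code from the course page or the Istio project. It resolves the effective mode using Istio's documented precedence (workload-specific policy over namespace-wide policy over the mesh-wide policy in the root namespace, UNSET inheriting from the wider scope, PERMISSIVE when nothing applies) and assumes the default root namespace `istio-system`; the policies and workloads it checks are constructed sample data shaped like `kubectl get peerauthentication -A -o json`.

```python
"""Effective mTLS mode audit for Istio workloads.

Added example, not code from the course page. Istio's mTLS behaviour is set by
PeerAuthentication resources (security.istio.io/v1beta1). A workload-specific
policy (one with a selector) overrides a namespace-wide policy (no selector),
which overrides the mesh-wide policy in the root namespace; a mode of UNSET
inherits from the next wider scope, and with no policy at all Istio defaults to
PERMISSIVE, which still accepts plaintext. The policies and workloads below are
constructed sample data shaped like `kubectl get peerauthentication -A -o json`.
"""

ROOT_NAMESPACE = "istio-system"   # Istio's default root namespace (assumed here)
DEFAULT_MODE = "PERMISSIVE"       # applies when no PeerAuthentication matches
PLAINTEXT_MODES = {"PERMISSIVE", "DISABLE"}


def _mode(policy: dict) -> str:
    return policy.get("spec", {}).get("mtls", {}).get("mode", "UNSET")


def _has_selector(policy: dict) -> bool:
    return "selector" in policy.get("spec", {})


def _selector_matches(policy: dict, labels: dict) -> bool:
    """matchLabels must be a subset of the workload's labels."""
    match = policy["spec"]["selector"].get("matchLabels", {})
    return all(labels.get(k) == v for k, v in match.items())


def effective_mtls_mode(policies: list, namespace: str, labels: dict,
                        root_namespace: str = ROOT_NAMESPACE) -> str:
    """Resolve the mode Istio applies to a workload, most specific scope first."""
    in_ns = [p for p in policies if p["metadata"]["namespace"] == namespace]
    workload_scope = [p for p in in_ns if _has_selector(p) and _selector_matches(p, labels)]
    namespace_scope = [p for p in in_ns if not _has_selector(p)]
    mesh_scope = [p for p in policies
                  if p["metadata"]["namespace"] == root_namespace and not _has_selector(p)]
    # Overlapping workload selectors are undefined behaviour in Istio; this
    # takes the first match, so keep selectors disjoint in real configs.
    for scope in (workload_scope, namespace_scope, mesh_scope):
        for policy in scope:
            mode = _mode(policy)
            if mode != "UNSET":
                return mode
    return DEFAULT_MODE


def find_plaintext_workloads(policies: list, workloads: list) -> list:
    """workloads: (namespace, name, labels). Returns those not enforcing STRICT."""
    findings = []
    for namespace, name, labels in workloads:
        mode = effective_mtls_mode(policies, namespace, labels)
        if mode in PLAINTEXT_MODES:
            findings.append((namespace, name, mode))
    return findings


def peer_auth(name: str, namespace: str, mode: str, match_labels: dict = None) -> dict:
    """Build a PeerAuthentication object in the shape kubectl returns."""
    spec = {"mtls": {"mode": mode}}
    if match_labels is not None:
        spec["selector"] = {"matchLabels": match_labels}
    return {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


# Constructed sample: mesh-wide STRICT, but the payments namespace still carries
# a PERMISSIVE migration policy and one legacy workload disables mTLS outright.
SAMPLE_POLICIES = [
    peer_auth("default", ROOT_NAMESPACE, "STRICT"),
    peer_auth("default", "payments", "PERMISSIVE"),
    peer_auth("legacy-api", "payments", "DISABLE", {"app": "legacy-api"}),
]

SAMPLE_WORKLOADS = [
    ("default", "web", {"app": "web"}),
    ("payments", "checkout", {"app": "checkout"}),
    ("payments", "legacy-api", {"app": "legacy-api"}),
]

if __name__ == "__main__":
    for namespace, name, mode in find_plaintext_workloads(SAMPLE_POLICIES, SAMPLE_WORKLOADS):
        print(f"{namespace}/{name} accepts plaintext (effective mode {mode})")
```

The resolver deliberately ignores port-level overrides (`portLevelMtls`), so a workload it reports as STRICT may still expose an individual port in PERMISSIVE mode; extend `effective_mtls_mode` with the port if that matters for your review.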
Quick Reference Table
| Component | Plane | Responsibility |
|---|---|---|
| Istiod | Control Plane | Configuration distribution, policy enforcement, certificate management |
| Envoy | Data Plane | Traffic management, telemetry collection, security enforcement |
| Istio Agent | Data Plane | Proxy bootstrap, configuration & certificate delivery |