Istio
Istio (https://istio.io/) is a service mesh that eases the integration of new services into the Kubernetes cluster and improves our security with both mTLS and TLS termination.
We use Istio for two primary functions:
1) Istio introduces mTLS (mutual TLS) between all of the pods inside our Kubernetes cluster, meaning that all service-to-service communication is encrypted with TLS.
2) Istio works as a "reverse proxy", allowing us to define in one manifest all of the allowed connections from external services into our Kubernetes cluster. This also lets us manage the TLS certificates for our domains in one place.
To achieve mTLS, Istio adds a sidecar container to each pod and forces all traffic to go through the sidecar, which encrypts it and sends it on to the sidecar in the target pod. This lets our applications talk to each other as if they were on the same localhost, while the traffic is actually encrypted once it leaves the pod.
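The two functions above map onto three Istio resources. The following manifest is an added example, not configuration from this page or from the Istio project; the names, namespaces, hostname, Service name and secret name are assumptions chosen for illustration. The first resource enforces the "all service-to-service traffic is encrypted" claim, the second declares the external hostname and its certificate in one place, and the third lists the only in-cluster destination that hostname may reach.

```yaml
# Added example (not from the original page): mesh-wide STRICT mTLS plus an
# ingress Gateway that terminates TLS. Names, namespaces, hosts and the secret
# name are assumptions for illustration.
---
# Mesh-wide PeerAuthentication. Istio's default mode is PERMISSIVE, which still
# accepts plaintext from clients without a sidecar; STRICT rejects any
# connection between sidecars that is not mTLS, so this is the setting the
# "all service-to-service traffic is encrypted" guarantee depends on.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default            # a policy named "default" in the root namespace
  namespace: istio-system  # applies to the whole mesh
spec:
  mtls:
    mode: STRICT
---
# Ingress Gateway: the single place where external hostnames and their TLS
# certificates are declared. credentialName refers to a Kubernetes TLS secret
# (type kubernetes.io/tls) that lives in the istio-system namespace.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: public-gateway     # assumed name
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway  # label on Istio's default ingress gateway pods
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE                     # terminate TLS at the gateway
      credentialName: example-com-tls  # assumed secret name
    hosts:
    - "app.example.com"                # assumed hostname
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true  # serve no plaintext; redirect every request to HTTPS
    hosts:
    - "app.example.com"
---
# VirtualService: the in-cluster Service the external hostname is allowed to
# reach. A hostname or path not listed here is not reachable via the gateway.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: app                # assumed name
  namespace: app           # assumed application namespace
spec:
  hosts:
  - "app.example.com"
  gateways:
  - istio-system/public-gateway
  http:
  - route:
    - destination:
        host: app.app.svc.cluster.local  # assumed Service name
        port:
          number: 8080
```

Two caveats worth checking after applying it: the sidecar described above only exists in namespaces (or pods) where injection is enabled, for example via the `istio-injection=enabled` namespace label, and a pod without a sidecar cannot speak mTLS and will be rejected under STRICT; and `kubectl get peerauthentication -A` should show no per-namespace policy silently relaxing the mesh-wide STRICT setting back to PERMISSIVE. `istioctl analyze` will also flag a VirtualService that references a gateway or host the Gateway does not declare.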
Considerations
Istio is an older-style service mesh, making it a very large, centralized management layer for mTLS and the service mesh in general. This makes it easily the single most expensive application we run on our cluster. Given another chance to start from scratch, I think I would have chosen linkerd2, as I feel it takes a much more cloud-native, distributed approach to a service mesh.
Resources
This video from HashiCorp (they make a service mesh called Consul) is a good general explanation of what a service mesh is: "What is a service mesh".
IBM's video on Istio specifically: "What is Istio".