Kubernetes - Istio

Last Updated: 2023-08-19

Istio supports k8s Ingress, k8s Gateway and istio Gateway

Ingress can point to different backend Services in spec.rules


Gateway -> VirtualService -> Service (LoadBalancer)

Istion ingress = istio-ingressgateway service / deployment running envoy + Gateway + VirtualService

  • Gateway (networking.istio.io): configure layer 4-6 load balancing properties such as ports to expose, TLS settings, and so on.
  • VirtualService (networking.istio.io): application-layer traffic routing (L7); works in tandem with the Gateway; defines the destination service; defines the rules that control how requests for a service are routed within an Istio service mesh; configure routing to the backend services.
  • istio-ingressgateway is a Service of LoadBalancer type.

An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination capabilities for Kubernetes services. Kubernetes ingress resources are used to configure the ingress rules and routes for individual Kubernetes services.

Istio provides some preconfigured gateway proxy deployments

  • istio-ingressgateway
  • istio-egressgateway: An egress gateway lets you configure a dedicated exit node for the traffic leaving the mesh, letting you limit which services can or should access external networks, or to enable secure control of egress traffic to add security to your mesh

Why Ingress? Otherwise needs multiple LoadBalancers, multiple public IPs.

Why not k8s Ingress? The Kubernetes Ingress resource has for some time been known to have significant shortcomings, especially when using it to configure ingress traffic for large applications and when working with protocols other than HTTP.


  • Kiali: The Console (i.e. UI) for Istio Service Mesh.
  • otel-collector: otel = OpenTelemetry. Collect logs.
  • istioctl: CLI.
  • istiod: run on Istio control plane; provsides service discovery, configuration and certificate management.
  • Envoy: Envoy proxies are the only Istio components that interact with data plane traffic.


apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter

istiod traffic

  • istiod of the primary cluster observes the API Servers in all clusters for endpoints. In this way, the control plane will be able to provide service discovery for workloads in all clusters. The service discovery includes both those with the sidecar and those without.
  • Workloads / Services within the primary cluster opens direct connection to istiod.
  • Workloads / Services within the remote clusters connects to the istiod via the Eastwest Gateway in the primary cluster.