## What Istio Does

- Traffic Management: Intelligent routing, load balancing, retries, timeouts, circuit breaking
- Canary Deployments: Gradually shift traffic between versions for safe rollouts
- mTLS: Automatic mutual TLS between all services in the mesh
- Authorization: Fine-grained access policies (who can talk to whom)
- Observability: Automatic metrics, logs, and distributed traces for all services
- Fault Injection: Test resilience by injecting delays and errors
- Rate Limiting: Protect services from overload
- Multi-Cluster: Span service mesh across multiple Kubernetes clusters
- Gateway: Ingress and egress gateways for external traffic
- Service Discovery: Automatic discovery of services in the mesh
## Architecture

```text
┌─────────────────────────────────────────────────────┐
│ Kubernetes Cluster                                  │
│                                                     │
│   ┌──────────────┐            ┌──────────────┐      │
│   │  Service A   │            │  Service B   │      │
│   │  ┌────────┐  │            │  ┌────────┐  │      │
│   │  │  App   │  │            │  │  App   │  │      │
│   │  └───┬────┘  │            │  └───┬────┘  │      │
│   │  ┌───┴────┐  │            │  ┌───┴────┐  │      │
│   │  │ Envoy  │──┼──── mTLS ──┼──│ Envoy  │  │      │
│   │  │Sidecar │  │            │  │Sidecar │  │      │
│   │  └────────┘  │            │  └────────┘  │      │
│   └──────┬───────┘            └──────┬───────┘      │
│          │                           │              │
│          ▼                           ▼              │
│   ┌─────────────────────────────────────────────┐   │
│   │          Istiod (Control Plane)             │   │
│   │  - Service Discovery                        │   │
│   │  - Certificate Authority                    │   │
│   │  - Config Distribution                      │   │
│   └─────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────┘
```

## Installation
### Install with istioctl

```bash
# Demo profile (full feature set, intended for evaluation)
istioctl install --set profile=demo -y

# Default profile (recommended production baseline)
istioctl install --set profile=default -y

# With custom configuration
istioctl install -f - <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: default
  meshConfig:
    accessLogFile: /dev/stdout
  values:
    global:
      proxy:
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
EOF
```

### Install Observability Addons
```bash
# Run from the unpacked Istio release directory, which ships samples/addons/
kubectl apply -f samples/addons/prometheus.yaml
kubectl apply -f samples/addons/grafana.yaml
kubectl apply -f samples/addons/jaeger.yaml
kubectl apply -f samples/addons/kiali.yaml

# Open Kiali dashboard
istioctl dashboard kiali
```

## Key Features
### Traffic Routing

```yaml
# Virtual Service: Route requests to service versions
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v2   # Send Jason to v2
  - route:
    - destination:
        host: reviews
        subset: v1   # Everyone else to v1
```

```yaml
# Destination Rule: Define service versions (subsets) by pod label
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
```

### Canary Deployment
```yaml
# Start with 90/10 split
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v2
      weight: 10
```

Gradually shift traffic: 90/10 → 75/25 → 50/50 → 25/75 → 0/100.
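To make the routing and canary semantics concrete, here is a small evaluator written for this page (it is an added example, not Istio or Envoy code). The two VirtualServices above are transcribed into Python dicts; the `roll` argument stands in for the per-request random draw Envoy makes when applying weights, so the split can be checked deterministically. The helper `with_canary_weights` and the `CANARY_STEPS` list are this example's own names.

```python
"""Model of Istio's VirtualService route selection (added example, not Istio code).
Rules: http entries are tried top to bottom and the first whose match clause fits
the request wins; a rule without a match clause fits every request; weights split
traffic across a rule's destinations."""
import copy
import re
from typing import Dict, List, Optional

# The page's two VirtualServices, transcribed to dicts (constructed for this example).
HEADER_ROUTING = {
    "hosts": ["reviews"],
    "http": [
        {"match": [{"headers": {"end-user": {"exact": "jason"}}}],
         "route": [{"destination": {"host": "reviews", "subset": "v2"}}]},
        {"route": [{"destination": {"host": "reviews", "subset": "v1"}}]},
    ],
}

CANARY = {
    "hosts": ["reviews"],
    "http": [{"route": [
        {"destination": {"host": "reviews", "subset": "v1"}, "weight": 90},
        {"destination": {"host": "reviews", "subset": "v2"}, "weight": 10},
    ]}],
}

# The rollout steps from the text, as (v1, v2) weight pairs.
CANARY_STEPS = [(90, 10), (75, 25), (50, 50), (25, 75), (0, 100)]


def _headers_match(conds: Dict[str, Dict[str, str]], headers: Dict[str, str]) -> bool:
    """Every header listed in one match entry must fit (AND): exact, prefix or regex."""
    for name, rule in conds.items():
        value = headers.get(name.lower())
        if value is None:
            return False
        if "exact" in rule and value != rule["exact"]:
            return False
        if "prefix" in rule and not value.startswith(rule["prefix"]):
            return False
        if "regex" in rule and re.fullmatch(rule["regex"], value) is None:
            return False
    return True


def _rule_matches(rule: dict, headers: Dict[str, str]) -> bool:
    """No match clause: applies to all requests. Otherwise any match entry suffices (OR)."""
    entries = rule.get("match")
    if not entries:
        return True
    return any(_headers_match(e.get("headers", {}), headers) for e in entries)


def _pick_weighted(routes: List[dict], roll: float) -> dict:
    """Choose a destination for a draw roll in [0, 100). A lone destination takes
    everything; otherwise weights are normalised, so they need not sum to 100."""
    if len(routes) == 1:
        return routes[0]["destination"]
    total = sum(r.get("weight", 0) for r in routes)
    target = roll / 100.0 * total
    cumulative = 0
    for r in routes:
        cumulative += r.get("weight", 0)
        if target < cumulative:
            return r["destination"]
    return routes[-1]["destination"]


def route(vs: dict, headers: Dict[str, str], roll: float = 0.0) -> Optional[str]:
    """Return 'host/subset' for a request; header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for rule in vs["http"]:
        if _rule_matches(rule, lowered):
            dest = _pick_weighted(rule["route"], roll)
            return f"{dest['host']}/{dest.get('subset', 'default')}"
    return None  # no rule matched


def with_canary_weights(vs: dict, v1_weight: int, v2_weight: int) -> dict:
    """Return a copy of the canary VirtualService moved to the next rollout step."""
    out = copy.deepcopy(vs)
    out["http"][0]["route"][0]["weight"] = v1_weight
    out["http"][0]["route"][1]["weight"] = v2_weight
    return out


if __name__ == "__main__":
    print(route(HEADER_ROUTING, {"end-user": "jason"}))   # reviews/v2
    print(route(HEADER_ROUTING, {}))                      # reviews/v1
    for v1, v2 in CANARY_STEPS:
        step = with_canary_weights(CANARY, v1, v2)
        share = sum(route(step, {}, roll=r) == "reviews/v2" for r in range(100))
        print(f"{v1}/{v2}: {share}% of draws reach v2")
```

Sweeping `roll` over 0..99 reproduces the weight split exactly, which is a quick way to sanity-check a weight table before applying it to a live cluster.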
### mTLS (Mutual TLS)

```yaml
# Enable strict mTLS mesh-wide (a selector-less policy in the root namespace)
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
```

Now all service-to-service traffic in the mesh is encrypted and mutually authenticated with certificates that Istio issues and rotates automatically; in STRICT mode the sidecars reject plaintext connections.
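A mesh-wide STRICT policy can be overridden by a namespace-level or workload-level PeerAuthentication, so it is worth being able to work out which mode is actually enforced on a given workload. The resolver below is an added example, not Istio's code; it models the documented precedence (workload selector over namespace-wide over mesh-wide, `UNSET` inheriting from the level above, `portLevelMtls` overriding per port, and PERMISSIVE when no policy exists). `LEGACY_PERMISSIVE`, `DB_WORKLOAD` and the `plaintext_exposure` helper are constructed for this walkthrough.

```python
"""Resolve the effective PeerAuthentication mTLS mode for a workload
(added example, not Istio code)."""
from typing import Dict, List, Optional

ROOT_NAMESPACE = "istio-system"

# The page's mesh-wide policy, plus two constructed policies that override it.
MESH_STRICT = {"name": "default", "namespace": ROOT_NAMESPACE,
               "spec": {"mtls": {"mode": "STRICT"}}}
LEGACY_PERMISSIVE = {"name": "default", "namespace": "legacy",          # constructed
                     "spec": {"mtls": {"mode": "PERMISSIVE"}}}
DB_WORKLOAD = {"name": "db", "namespace": "legacy",                     # constructed
               "spec": {"selector": {"matchLabels": {"app": "db"}},
                        "mtls": {"mode": "STRICT"},
                        "portLevelMtls": {"5432": {"mode": "DISABLE"}}}}


def _selects(policy: dict, labels: Dict[str, str]) -> bool:
    sel = policy["spec"].get("selector", {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in sel.items())


def effective_mtls_mode(policies: List[dict], namespace: str, labels: Dict[str, str],
                        port: Optional[int] = None) -> str:
    """Mode Istio enforces on one workload (optionally one port of it)."""
    workload = ns_wide = mesh_wide = None
    for p in policies:
        has_selector = bool(p["spec"].get("selector", {}).get("matchLabels"))
        if has_selector:
            if p["namespace"] == namespace and _selects(p, labels):
                workload = p            # workload-specific: highest precedence
        elif p["namespace"] == ROOT_NAMESPACE:
            mesh_wide = p               # selector-less policy in the root namespace
        elif p["namespace"] == namespace:
            ns_wide = p                 # selector-less policy in the workload's namespace
    # Port-level overrides exist only on workload-specific policies.
    if workload is not None and port is not None:
        port_mode = workload["spec"].get("portLevelMtls", {}).get(str(port), {}).get("mode")
        if port_mode and port_mode != "UNSET":
            return port_mode
    for p in (workload, ns_wide, mesh_wide):        # most specific first; UNSET inherits
        if p is None:
            continue
        mode = p["spec"].get("mtls", {}).get("mode", "UNSET")
        if mode != "UNSET":
            return mode
    return "PERMISSIVE"                             # Istio's default with no policy at all


def accepts_plaintext(mode: str) -> bool:
    """Only STRICT rejects unauthenticated plaintext from inside the mesh."""
    return mode != "STRICT"


def plaintext_exposure(policies: List[dict], workloads: List[dict]) -> List[str]:
    """Workloads ('ns/name[:port]') that still accept plaintext despite the mesh policy."""
    exposed = []
    for w in workloads:
        for port in w.get("ports") or [None]:
            mode = effective_mtls_mode(policies, w["namespace"], w["labels"], port)
            if accepts_plaintext(mode):
                exposed.append(f"{w['namespace']}/{w['name']}" + (f":{port}" if port else ""))
    return exposed


if __name__ == "__main__":
    inventory = [  # constructed workload inventory
        {"name": "web", "namespace": "default", "labels": {"app": "web"}, "ports": [8080]},
        {"name": "db", "namespace": "legacy", "labels": {"app": "db"}, "ports": [5432, 9187]},
    ]
    print(plaintext_exposure([MESH_STRICT, LEGACY_PERMISSIVE, DB_WORKLOAD], inventory))
```

Running the exposure check over an inventory exported from the cluster is the simplest way to catch a namespace-level PERMISSIVE policy that quietly undoes the mesh-wide STRICT setting.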
### Authorization Policies

```yaml
# Only allow the frontend service account to call backend, and only GET/POST under /api/
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: backend-policy
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/*"]
```
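The evaluator below, written for this page as an added example (not Istio's code), walks through how that policy is applied. It follows Istio's documented order for a workload a policy selects: a matching DENY policy rejects the request; otherwise, if no ALLOW policy selects the workload the request passes; otherwise it passes only if some ALLOW rule matches. Inside a rule, any `from` source and any `to` operation may fit (OR), fields within one source or operation are ANDed, `not` fields negate, and `*` works as a prefix or suffix wildcard. `Request`, `spiffe_to_principal` and `deny_admin` are this example's own names; the principal comes from the client's mTLS certificate, which is why a plaintext caller has none.

```python
"""Model of AuthorizationPolicy evaluation (added example, not Istio code)."""
from dataclasses import dataclass
from typing import Dict, List

BACKEND_POLICY = {   # the page's policy, transcribed to a dict
    "selector": {"matchLabels": {"app": "backend"}},
    "action": "ALLOW",
    "rules": [{
        "from": [{"source": {"principals": ["cluster.local/ns/default/sa/frontend"]}}],
        "to": [{"operation": {"methods": ["GET", "POST"], "paths": ["/api/*"]}}],
    }],
}


@dataclass
class Request:
    workload_labels: Dict[str, str]   # labels of the pod receiving the request
    method: str
    path: str
    principal: str = ""               # identity from the client's mTLS cert; "" when plaintext


def spiffe_to_principal(spiffe_id: str) -> str:
    """Istio principals are the peer's SPIFFE ID with the scheme removed."""
    if not spiffe_id.startswith("spiffe://"):
        raise ValueError("not a SPIFFE ID")
    return spiffe_id[len("spiffe://"):]


def namespace_of(principal: str) -> str:
    parts = principal.split("/")      # <trust-domain>/ns/<namespace>/sa/<service-account>
    return parts[2] if len(parts) >= 4 and parts[1] == "ns" else ""


def _pattern_matches(pattern: str, value: str) -> bool:
    if pattern == "*":
        return value != ""            # '*' still requires the field to be present
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _fields_match(spec: dict, values: Dict[str, str]) -> bool:
    """spec maps field name -> pattern list; 'notX' negates; all fields are ANDed."""
    for key, patterns in spec.items():
        negate = key.startswith("not")
        field = key[3].lower() + key[4:] if negate else key
        hit = any(_pattern_matches(p, values.get(field, "")) for p in patterns)
        if hit == negate:
            return False
    return True


def _rule_matches(rule: dict, req: Request) -> bool:
    source_values = {"principals": req.principal, "namespaces": namespace_of(req.principal)}
    op_values = {"methods": req.method, "paths": req.path}
    froms = rule.get("from", [])
    if froms and not any(_fields_match(f.get("source", {}), source_values) for f in froms):
        return False
    tos = rule.get("to", [])
    if tos and not any(_fields_match(t.get("operation", {}), op_values) for t in tos):
        return False
    return True


def _selects(policy: dict, labels: Dict[str, str]) -> bool:
    sel = policy.get("selector", {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in sel.items())


def authorize(policies: List[dict], req: Request) -> bool:
    """True if the sidecar would admit the request under these policies."""
    applicable = [p for p in policies if _selects(p, req.workload_labels)]
    for p in applicable:                                  # DENY is evaluated first
        if p.get("action", "ALLOW") == "DENY" and any(_rule_matches(r, req) for r in p.get("rules", [])):
            return False
    allows = [p for p in applicable if p.get("action", "ALLOW") == "ALLOW"]
    if not allows:
        return True                                       # nothing restricts this workload
    return any(_rule_matches(r, req) for p in allows for r in p.get("rules", []))


if __name__ == "__main__":
    frontend = spiffe_to_principal("spiffe://cluster.local/ns/default/sa/frontend")
    for req in (Request({"app": "backend"}, "GET", "/api/users", frontend),
                Request({"app": "backend"}, "DELETE", "/api/users/1", frontend),
                Request({"app": "backend"}, "GET", "/api/users")):   # plaintext caller
        print(req.method, req.path, repr(req.principal), "->", authorize([BACKEND_POLICY], req))
```

Two consequences worth noting: an ALLOW policy with no rules (or one whose rules never match) turns into a deny-all for the selected workload, and a caller that arrives without mTLS has no principal at all, so a principal-based ALLOW rule can never admit it.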
### Fault Injection

```yaml
# Inject 5s delay for 10% of requests (test timeouts)
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: ratings
spec:
  hosts:
  - ratings
  http:
  - fault:
      delay:
        percentage:
          value: 10.0
        fixedDelay: 5s
    route:
    - destination:
        host: ratings
        subset: v1
```

```yaml
# Inject 500 error for 50% of requests (test error handling).
# Replaces the delay: entry under fault: in the VirtualService above.
fault:
  abort:
    percentage:
      value: 50.0
    httpStatus: 500
```

### Circuit Breaking
```yaml
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100            # upstream TCP connections per Envoy
      http:
        http1MaxPendingRequests: 10    # queued requests before new ones are rejected
        maxRequestsPerConnection: 10   # recycle connections after this many requests
    outlierDetection:
      consecutive5xxErrors: 5          # eject a host after 5 consecutive 5xx responses
      interval: 30s                    # how often ejection and recovery are evaluated
      baseEjectionTime: 30s            # minimum time a host stays ejected
```
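To see how the three `outlierDetection` settings interact, here is a simulation written for this page (an added example, not Envoy's implementation). It models the documented behaviour: a host that returns `consecutive5xxErrors` 5xx responses in a row is ejected immediately, stays out for `baseEjectionTime` multiplied by how many times it has been ejected, and is re-admitted at the next `interval` sweep after that time has passed; `maxEjectionPercent` (left at its default of 10) caps how much of the pool can be out at once. `OutlierDetector`, `Endpoint` and the endpoint names are this example's own.

```python
"""Simulation of Envoy outlier detection as configured by the DestinationRule above
(added example, not Envoy code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    name: str
    consecutive_5xx: int = 0
    ejected_at: Optional[float] = None
    ejections: int = 0                 # lifetime count; each ejection lasts longer than the last


@dataclass
class OutlierDetector:
    consecutive_5xx_errors: int = 5    # consecutive5xxErrors
    interval: float = 30.0             # interval, in seconds
    base_ejection_time: float = 30.0   # baseEjectionTime, in seconds
    max_ejection_percent: int = 10     # maxEjectionPercent; Istio's default when unset
    endpoints: Dict[str, Endpoint] = field(default_factory=dict)
    last_sweep: float = 0.0

    def add(self, *names: str) -> None:
        for n in names:
            self.endpoints[n] = Endpoint(n)

    def _ejected_percent(self) -> float:
        ejected = sum(1 for e in self.endpoints.values() if e.ejected_at is not None)
        return 100.0 * ejected / len(self.endpoints)

    def record(self, name: str, status: int, now: float) -> bool:
        """Feed one response from `name`. Returns True if it caused an ejection."""
        ep = self.endpoints[name]
        if 500 <= status <= 599:
            ep.consecutive_5xx += 1
        else:
            ep.consecutive_5xx = 0     # any non-5xx response resets the streak
        if ep.consecutive_5xx < self.consecutive_5xx_errors or ep.ejected_at is not None:
            return False
        ep.consecutive_5xx = 0
        if self._ejected_percent() >= self.max_ejection_percent:
            return False               # pool already at the cap; host stays in rotation
        ep.ejected_at = now
        ep.ejections += 1
        return True

    def sweep(self, now: float) -> None:
        """Periodic check (every `interval`): re-admit hosts whose ejection has expired."""
        self.last_sweep = now
        for ep in self.endpoints.values():
            if ep.ejected_at is None:
                continue
            if now - ep.ejected_at >= self.base_ejection_time * ep.ejections:
                ep.ejected_at = None

    def healthy(self, now: float) -> List[str]:
        """Hosts currently eligible for load balancing at time `now`."""
        if now - self.last_sweep >= self.interval:
            self.sweep(now)
        return [n for n, e in self.endpoints.items() if e.ejected_at is None]


if __name__ == "__main__":
    det = OutlierDetector()
    det.add("reviews-v1-a", "reviews-v1-b")        # constructed endpoint names
    for t in range(5):
        det.record("reviews-v1-a", 503, float(t))
    for t in (5.0, 29.0, 30.0):
        print(f"t={t:>4}: healthy={det.healthy(t)}")
```

The cap matters in small pools: with two endpoints and the default `maxEjectionPercent`, the first bad host is ejected but a second one never is, so a DestinationRule that is expected to take out several failing replicas needs that value raised explicitly.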
### Ingress Gateway

```yaml
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: my-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: tls-cert   # Kubernetes TLS secret in the ingress gateway's namespace
    hosts:
    - "*.yourdomain.com"
```

## Istio vs Alternatives
| Feature | Istio | Linkerd | Cilium | Consul Connect |
|---|---|---|---|---|
| Architecture | Sidecar (Envoy) | Sidecar (custom) | eBPF (sidecar-less) | Sidecar (Envoy) |
| Performance | Good | Excellent | Best | Good |
| Features | Most extensive | Simpler | Growing | Full-featured |
| mTLS | Yes | Yes | Yes | Yes |
| Observability | Excellent | Excellent | Hubble | Good |
| Complexity | High | Low | Medium | Medium |
| CNCF status | Graduated | Graduated | Graduated | N/A |
| Best for | Large enterprises | Simple use cases | Performance | HashiCorp stack |
## FAQ

Q: Does Istio consume a lot of resources? A: Each sidecar uses roughly 50-100MB RAM and 0.1 vCPU. For a 1000-pod cluster, total overhead is about 100GB RAM. You can optimize by setting sidecar resource limits and removing unneeded components.
Q: Istio or Linkerd — which should I choose? A: Istio has more features but higher complexity — good for enterprises that need advanced traffic management and multi-tenancy. Linkerd is simpler and more performant, suited to teams that prize simplicity and low overhead. If your team has dedicated platform engineers, pick Istio.
Q: Can I adopt it incrementally? A: Yes. Istio supports enabling sidecar injection namespace by namespace. You can pilot in a single namespace, validate the results, then roll out gradually to the whole cluster.
## Sources & Credits

- GitHub: istio/istio — 38.1K+ ⭐ | Apache-2.0
- Official site: istio.io