# Istio — Open Source Service Mesh for Microservices

> Istio is the leading open-source service mesh. Connect, secure, control, and observe services with mTLS encryption, traffic management, and observability — all without changing application code.

## Install

Save in your project root:

## Quick Use

```bash
# Download istioctl
curl -L https://istio.io/downloadIstio | sh -
cd istio-*
export PATH=$PWD/bin:$PATH

# Install Istio
istioctl install --set profile=demo -y

# Enable sidecar injection for default namespace
kubectl label namespace default istio-injection=enabled

# Verify
istioctl verify-install
```

## Intro

**Istio** is the leading open-source service mesh, providing a uniform way to connect, secure, control, and observe services in a microservices architecture. It works by deploying Envoy proxies as sidecars alongside your application containers, intercepting all network traffic to provide mTLS encryption, traffic management, access policies, and telemetry — all without requiring changes to application code.

With 38.1K+ GitHub stars and Apache-2.0 license, Istio is a CNCF graduated project used by enterprises like Google, IBM, T-Mobile, and thousands of organizations running microservices at scale.

## What Istio Does

- **Traffic Management**: Intelligent routing, load balancing, retries, timeouts, circuit breaking
- **Canary Deployments**: Gradually shift traffic between versions for safe rollouts
- **mTLS**: Automatic mutual TLS between all services in the mesh
- **Authorization**: Fine-grained access policies (who can talk to whom)
- **Observability**: Automatic metrics, logs, and distributed traces for all services
- **Fault Injection**: Test resilience by injecting delays and errors
- **Rate Limiting**: Protect services from overload
- **Multi-Cluster**: Span service mesh across multiple Kubernetes clusters
- **Gateway**: Ingress and egress gateways for external traffic
- **Service Discovery**: Automatic discovery of services in the mesh

## Architecture

```
┌─────────────────────────────────────────────┐
│              Kubernetes Cluster              │
│                                              │
│  ┌──────────────┐      ┌──────────────┐     │
│  │   Service A  │      │   Service B  │     │
│  │  ┌────────┐  │      │  ┌────────┐  │     │
│  │  │  App   │  │      │  │  App   │  │     │
│  │  └───┬────┘  │      │  └───┬────┘  │     │
│  │  ┌───┴────┐  │      │  ┌───┴────┐  │     │
│  │  │ Envoy  │──┼──────┼──│ Envoy  │  │     │
│  │  │Sidecar │  │ mTLS │  │Sidecar │  │     │
│  │  └────────┘  │      │  └────────┘  │     │
│  └──────┬───────┘      └──────┬───────┘     │
│         │                      │             │
│         ▼                      ▼             │
│  ┌──────────────────────────────────────┐   │
│  │         Istiod (Control Plane)        │   │
│  │   - Service Discovery                 │   │
│  │   - Certificate Authority             │   │
│  │   - Config Distribution               │   │
│  └───────────────────────────────────────┘   │
└─────────────────────────────────────────────┘
```

## Installation

### Install with istioctl

```bash
# Demo profile (full features)
istioctl install --set profile=demo -y

# Production profile (minimal)
istioctl install --set profile=default -y

# With custom configuration
istioctl install -f - <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: default
  meshConfig:
    accessLogFile: /dev/stdout
  values:
    global:
      proxy:
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
EOF
```

### Install Observability Addons

```bash
kubectl apply -f samples/addons/prometheus.yaml
kubectl apply -f samples/addons/grafana.yaml
kubectl apply -f samples/addons/jaeger.yaml
kubectl apply -f samples/addons/kiali.yaml

# Open Kiali dashboard
istioctl dashboard kiali
```

## Key Features

### Traffic Routing

```yaml
# Virtual Service: Route requests to service versions
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
    - reviews
  http:
    - match:
        - headers:
            end-user:
              exact: jason
      route:
        - destination:
            host: reviews
            subset: v2       # Send Jason to v2
    - route:
        - destination:
            host: reviews
            subset: v1       # Everyone else to v1
```

```yaml
# Destination Rule: Define service versions
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
```

### Canary Deployment

```yaml
# Start with 90/10 split
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
    - reviews
  http:
    - route:
        - destination:
            host: reviews
            subset: v1
          weight: 90
        - destination:
            host: reviews
            subset: v2
          weight: 10
```

Gradually shift traffic: 90/10 → 75/25 → 50/50 → 25/75 → 0/100.

### mTLS (Mutual TLS)

```yaml
# Enable strict mTLS cluster-wide
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
```

Now ALL service-to-service traffic is automatically encrypted with certificates rotated by Istio.

### Authorization Policies

```yaml
# Only allow frontend to call backend
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: backend-policy
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/default/sa/frontend"]
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/api/*"]
```

### Fault Injection

```yaml
# Inject 5s delay for 10% of requests (test timeouts)
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: ratings
spec:
  hosts:
    - ratings
  http:
    - fault:
        delay:
          percentage:
            value: 10.0
          fixedDelay: 5s
      route:
        - destination:
            host: ratings
            subset: v1
```

```yaml
# Inject 500 error for 50% of requests (test error handling)
fault:
  abort:
    percentage:
      value: 50.0
    httpStatus: 500
```

### Circuit Breaking

```yaml
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 10
        maxRequestsPerConnection: 10
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 30s
```

### Ingress Gateway

```yaml
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: my-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: tls-cert
      hosts:
        - "*.yourdomain.com"
```

## Istio vs Alternatives

| Feature | Istio | Linkerd | Cilium | Consul Connect |
|---------|-------|---------|--------|----------------|
| Architecture | Sidecar (Envoy) | Sidecar (custom) | eBPF (sidecar-less) | Sidecar (Envoy) |
| Performance | Good | Excellent | Best | Good |
| Features | Most extensive | Simpler | Growing | Full-featured |
| mTLS | Yes | Yes | Yes | Yes |
| Observability | Excellent | Excellent | Hubble | Good |
| Complexity | High | Low | Medium | Medium |
| CNCF status | Graduated | Graduated | Graduated | N/A |
| Best for | Large enterprises | Simple use cases | Performance | HashiCorp stack |

## 常见问题

**Q: Istio 资源消耗大吗？**
A: 每个 sidecar 约占用 50-100MB RAM 和 0.1 vCPU。对于 1000 个 pod 的集群，整体开销约 100GB RAM。可以通过 sidecar 资源限制、移除不需要的组件来优化。

**Q: Istio 和 Linkerd 怎么选？**
A: Istio 功能更全面但复杂度高，适合需要高级流量管理和多租户的企业。Linkerd 更简单、性能更好，适合追求简洁和低开销的团队。如果你的团队有专门的平台工程师，选 Istio。

**Q: 可以逐步采用吗？**
A: 可以。Istio 支持逐命名空间启用 sidecar 注入。你可以先在一个命名空间试点，验证效果后逐步推广到整个集群。

## 来源与致谢

- GitHub: [istio/istio](https://github.com/istio/istio) — 38.1K+ ⭐ | Apache-2.0
- 官网: [istio.io](https://istio.io)

---
Source: https://tokrepo.com/en/workflows/e66c0370-3558-11f1-9bc6-00163e2b0d79
Author: AI Open Source