What Istio Does
- Traffic Management: Intelligent routing, load balancing, retries, timeouts, circuit breaking
- Canary Deployments: Gradually shift traffic between versions for safe rollouts
- mTLS: Automatic mutual TLS between all services in the mesh
- Authorization: Fine-grained access policies (who can talk to whom)
- Observability: Automatic metrics, logs, and distributed traces for all services
- Fault Injection: Test resilience by injecting delays and errors
- Rate Limiting: Protect services from overload
- Multi-Cluster: Span service mesh across multiple Kubernetes clusters
- Gateway: Ingress and egress gateways for external traffic
- Service Discovery: Automatic discovery of services in the mesh
Architecture

```text
┌─────────────────────────────────────────────┐
│              Kubernetes Cluster             │
│                                             │
│  ┌──────────────┐      ┌──────────────┐     │
│  │  Service A   │      │  Service B   │     │
│  │  ┌────────┐  │      │  ┌────────┐  │     │
│  │  │  App   │  │      │  │  App   │  │     │
│  │  └───┬────┘  │      │  └───┬────┘  │     │
│  │  ┌───┴────┐  │      │  ┌───┴────┐  │     │
│  │  │ Envoy  │──┼──────┼──│ Envoy  │  │     │
│  │  │Sidecar │  │ mTLS │  │Sidecar │  │     │
│  │  └────────┘  │      │  └────────┘  │     │
│  └──────┬───────┘      └──────┬───────┘     │
│         │                     │             │
│         ▼                     ▼             │
│  ┌──────────────────────────────────────┐   │
│  │       Istiod (Control Plane)         │   │
│  │  - Service Discovery                 │   │
│  │  - Certificate Authority             │   │
│  │  - Config Distribution               │   │
│  └──────────────────────────────────────┘   │
└─────────────────────────────────────────────┘
```

Installation
Install with istioctl

```bash
# Demo profile (full features, for evaluation)
istioctl install --set profile=demo -y

# Default profile (lighter than demo; the usual production starting point)
istioctl install --set profile=default -y

# With custom configuration
istioctl install -f - <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: default
  meshConfig:
    accessLogFile: /dev/stdout
  values:
    global:
      proxy:
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
EOF
```

Install Observability Addons
```bash
kubectl apply -f samples/addons/prometheus.yaml
kubectl apply -f samples/addons/grafana.yaml
kubectl apply -f samples/addons/jaeger.yaml
kubectl apply -f samples/addons/kiali.yaml

# Open Kiali dashboard
istioctl dashboard kiali
```

Key Features
Traffic Routing

```yaml
# Virtual Service: Route requests to service versions
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v2   # Send Jason to v2
  - route:
    - destination:
        host: reviews
        subset: v1   # Everyone else to v1
```

```yaml
# Destination Rule: Define service versions
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
```

Canary Deployment
```yaml
# Start with 90/10 split
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v2
      weight: 10
```

Gradually shift traffic: 90/10 → 75/25 → 50/50 → 25/75 → 0/100.
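A pre-apply check for the routing and canary manifests above, added here as an example (it is not Istio tooling). It takes VirtualService and DestinationRule objects already parsed into Python dicts, the shape `kubectl get ... -o json` returns, and reports the three mistakes that most often turn a canary step into 503s: a route that names a subset no DestinationRule defines, weights in one rule that do not total 100, and a catch-all rule (no `match`) placed before more specific rules, which Istio never reaches because the first matching rule wins. The manifests embedded below are constructed for the example and mirror the YAML above, plus a deliberately broken canary.

```python
"""Consistency checks for Istio VirtualService / DestinationRule pairs (added example)."""
from typing import Dict, List, Set

# Constructed manifests mirroring the page's YAML.
REVIEWS_DR = {
    "kind": "DestinationRule",
    "metadata": {"name": "reviews"},
    "spec": {
        "host": "reviews",
        "subsets": [{"name": "v1", "labels": {"version": "v1"}},
                    {"name": "v2", "labels": {"version": "v2"}}],
    },
}

REVIEWS_ROUTING = {  # header-match rule first, catch-all last: correct order
    "kind": "VirtualService",
    "metadata": {"name": "reviews"},
    "spec": {
        "hosts": ["reviews"],
        "http": [
            {"match": [{"headers": {"end-user": {"exact": "jason"}}}],
             "route": [{"destination": {"host": "reviews", "subset": "v2"}}]},
            {"route": [{"destination": {"host": "reviews", "subset": "v1"}}]},
        ],
    },
}

BROKEN_CANARY = {  # constructed: mistyped weight and a subset that was never defined
    "kind": "VirtualService",
    "metadata": {"name": "reviews-canary"},
    "spec": {
        "hosts": ["reviews"],
        "http": [
            {"route": [{"destination": {"host": "reviews", "subset": "v1"}, "weight": 90},
                       {"destination": {"host": "reviews", "subset": "v3"}, "weight": 20}]},
        ],
    },
}


def destination_rule_subsets(manifests: List[dict]) -> Dict[str, Set[str]]:
    """Map host -> subset names defined across all DestinationRules in the list."""
    subsets: Dict[str, Set[str]] = {}
    for m in manifests:
        if m.get("kind") != "DestinationRule":
            continue
        names = {s["name"] for s in m["spec"].get("subsets", [])}
        subsets.setdefault(m["spec"]["host"], set()).update(names)
    return subsets


def lint_virtual_service(vs: dict, known: Dict[str, Set[str]]) -> List[str]:
    """Return findings for one VirtualService; an empty list means it looks consistent."""
    findings: List[str] = []
    name = vs["metadata"]["name"]
    rules = vs["spec"].get("http", [])
    for i, rule in enumerate(rules):
        routes = rule.get("route", [])
        # Weighted split: the canary steps on this page assume the weights total 100.
        if len(routes) > 1:
            total = sum(r.get("weight", 0) for r in routes)
            if total != 100:
                findings.append(f"{name}: http[{i}] weights sum to {total}, not 100")
        # Dangling subset: no endpoints match, so requests routed there fail.
        for r in routes:
            dest = r["destination"]
            subset = dest.get("subset")
            if subset and subset not in known.get(dest["host"], set()):
                findings.append(f"{name}: http[{i}] routes to undefined subset {dest['host']}/{subset}")
        # Ordering: a rule with no match catches everything, so later rules are dead.
        if "match" not in rule and i != len(rules) - 1:
            findings.append(f"{name}: http[{i}] has no match, so the rules after it are unreachable")
    return findings


def lint_routing(manifests: List[dict]) -> List[str]:
    """Lint every VirtualService against the DestinationRules in the same list."""
    known = destination_rule_subsets(manifests)
    findings: List[str] = []
    for m in manifests:
        if m.get("kind") == "VirtualService":
            findings.extend(lint_virtual_service(m, known))
    return findings


if __name__ == "__main__":
    for finding in lint_routing([REVIEWS_DR, REVIEWS_ROUTING, BROKEN_CANARY]):
        print(finding)
```

Run it against the objects exported from a cluster, or against the manifests in a pull request before `kubectl apply`; the page's own `reviews` pair produces no findings, while the broken canary reports both the 110 total and the missing `v3` subset.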
mTLS (Mutual TLS)
```yaml
# Enable strict mTLS cluster-wide
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
```

Now ALL service-to-service traffic is automatically encrypted with certificates rotated by Istio.
Authorization Policies
```yaml
# Only allow frontend to call backend
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: backend-policy
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/*"]
```
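The mTLS and authorization settings above are only as strong as the objects actually present in the cluster: a namespace-level or port-level PeerAuthentication can quietly downgrade a workload to PERMISSIVE, and an ALLOW rule with no `from` admits any caller. The `principals` in an AuthorizationPolicy are read from the caller's workload certificate, so they identify nothing unless mTLS is on. The linter below is an added example, not part of Istio, that flags both classes of weakness over manifests parsed into Python dicts (the shape `kubectl get peerauthentication,authorizationpolicy -A -o json` yields under `.items`). The root namespace is assumed to be `istio-system`, Istio's default; the embedded objects are the two from this page plus two constructed weakened ones.

```python
"""Lint PeerAuthentication and AuthorizationPolicy objects for weak settings (added example)."""
import re
from typing import List

ROOT_NAMESPACE = "istio-system"  # assumption: Istio's default root namespace (meshConfig.rootNamespace)
# A single workload identity as carried in the peer certificate: <trust-domain>/ns/<namespace>/sa/<account>
PRINCIPAL_RE = re.compile(r"^[^/*]+/ns/[^/*]+/sa/[^/*]+$")

# Constructed manifests: the page's two objects plus two weakened ones.
MESH_STRICT = {
    "kind": "PeerAuthentication",
    "metadata": {"name": "default", "namespace": "istio-system"},
    "spec": {"mtls": {"mode": "STRICT"}},
}
NS_PERMISSIVE = {  # constructed: a namespace override that reopens plaintext
    "kind": "PeerAuthentication",
    "metadata": {"name": "default", "namespace": "payments"},
    "spec": {"mtls": {"mode": "PERMISSIVE"}},
}
BACKEND_POLICY = {
    "kind": "AuthorizationPolicy",
    "metadata": {"name": "backend-policy", "namespace": "default"},
    "spec": {
        "selector": {"matchLabels": {"app": "backend"}},
        "action": "ALLOW",
        "rules": [{
            "from": [{"source": {"principals": ["cluster.local/ns/default/sa/frontend"]}}],
            "to": [{"operation": {"methods": ["GET", "POST"], "paths": ["/api/*"]}}],
        }],
    },
}
OPEN_POLICY = {  # constructed: one rule with no caller restriction, one with a wildcard principal
    "kind": "AuthorizationPolicy",
    "metadata": {"name": "open", "namespace": "payments"},
    "spec": {
        "selector": {"matchLabels": {"app": "ledger"}},
        "action": "ALLOW",
        "rules": [
            {"to": [{"operation": {"methods": ["GET"]}}]},
            {"from": [{"source": {"principals": ["cluster.local/ns/payments/*"]}}]},
        ],
    },
}


def lint_peer_authentication(pa: dict) -> List[str]:
    findings: List[str] = []
    name, ns = pa["metadata"]["name"], pa["metadata"].get("namespace", "default")
    mode = pa["spec"].get("mtls", {}).get("mode", "UNSET")
    if ns == ROOT_NAMESPACE and name == "default":
        if mode != "STRICT":
            findings.append(f"mesh-wide mTLS mode is {mode}, not STRICT")
    elif mode in ("PERMISSIVE", "DISABLE"):
        findings.append(f"{ns}/{name}: mTLS downgraded to {mode} for the workloads it selects")
    # Port-level overrides can reopen plaintext on one port of an otherwise STRICT workload.
    for port, cfg in pa["spec"].get("portLevelMtls", {}).items():
        if cfg.get("mode") != "STRICT":
            findings.append(f"{ns}/{name}: port {port} overrides mTLS to {cfg.get('mode')}")
    return findings


def lint_authorization_policy(ap: dict) -> List[str]:
    findings: List[str] = []
    name, ns = ap["metadata"]["name"], ap["metadata"].get("namespace", "default")
    if ap["spec"].get("action", "ALLOW") != "ALLOW":
        return findings  # DENY/AUDIT/CUSTOM policies are out of scope here
    for i, rule in enumerate(ap["spec"].get("rules", [])):
        # Istio semantics: a rule with neither `from` nor `when` matches every source.
        if "from" not in rule and "when" not in rule:
            findings.append(f"{ns}/{name}: rules[{i}] has no from/when, so any caller is allowed")
        for src in rule.get("from", []):
            for principal in src.get("source", {}).get("principals", []):
                if not PRINCIPAL_RE.match(principal):
                    findings.append(f"{ns}/{name}: rules[{i}] principal {principal!r} is a wildcard or malformed")
    return findings


def lint_mesh(manifests: List[dict]) -> List[str]:
    """Run both linters over a list of manifests and return every finding."""
    findings: List[str] = []
    for m in manifests:
        if m.get("kind") == "PeerAuthentication":
            findings.extend(lint_peer_authentication(m))
        elif m.get("kind") == "AuthorizationPolicy":
            findings.extend(lint_authorization_policy(m))
    return findings


if __name__ == "__main__":
    for finding in lint_mesh([MESH_STRICT, NS_PERMISSIVE, BACKEND_POLICY, OPEN_POLICY]):
        print(finding)
```

The page's STRICT PeerAuthentication and `backend-policy` pass cleanly; the constructed `payments` objects produce three findings (the PERMISSIVE downgrade, the unrestricted rule, and the wildcard principal). Wildcard principals are legal in Istio, so treat that finding as a review prompt rather than an error.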
Fault Injection

```yaml
# Inject 5s delay for 10% of requests (test timeouts)
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: ratings
spec:
  hosts:
  - ratings
  http:
  - fault:
      delay:
        percentage:
          value: 10.0
        fixedDelay: 5s
    route:
    - destination:
        host: ratings
        subset: v1
```

```yaml
# Inject 500 error for 50% of requests (test error handling)
# (replaces the fault: block in the VirtualService above)
    fault:
      abort:
        percentage:
          value: 50.0
        httpStatus: 500
```

Circuit Breaking
```yaml
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 10
        maxRequestsPerConnection: 10
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 30s
```

Ingress Gateway
```yaml
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: my-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: tls-cert
    hosts:
    - "*.yourdomain.com"
```

Istio vs Alternatives
| Feature | Istio | Linkerd | Cilium | Consul Connect |
|---|---|---|---|---|
| Architecture | Sidecar (Envoy) | Sidecar (custom) | eBPF (sidecar-less) | Sidecar (Envoy) |
| Performance | Good | Excellent | Best | Good |
| Features | Most extensive | Simpler | Growing | Full-featured |
| mTLS | Yes | Yes | Yes | Yes |
| Observability | Excellent | Excellent | Hubble | Good |
| Complexity | High | Low | Medium | Medium |
| CNCF status | Graduated | Graduated | Graduated | N/A |
| Best for | Large enterprises | Simple use cases | Performance | HashiCorp stack |
FAQ
Q: Does Istio consume a lot of resources? A: Each sidecar uses roughly 50-100MB RAM and 0.1 vCPU. For a cluster of 1000 pods, the total overhead is about 100GB RAM. You can reduce it by setting sidecar resource limits and removing components you don't need.
Q: Istio or Linkerd? A: Istio is more full-featured but more complex, suited to enterprises that need advanced traffic management and multi-tenancy. Linkerd is simpler and performs better, suited to teams that want simplicity and low overhead. If your team has dedicated platform engineers, choose Istio.
Q: Can it be adopted gradually? A: Yes. Istio lets you enable sidecar injection per namespace. Pilot it in one namespace first, then roll it out to the rest of the cluster once the results are validated.
Sources and Credits
- GitHub: istio/istio — 38.1K+ ⭐ | Apache-2.0
- Website: istio.io