Last year we announced that Istio would transform from an indefinitely-appointed Technical Oversight Committee to a regularly elected body, with members serving two-year terms. Each year, three of the six seats are elected. To bootstrap the process, we announced the 2025 election would cover the seats held by the three longest-serving members. One of those three seats became vacant, prompting a by-election. Long-time maintainer Costin Manolache won that election. We thank Costin for his conti...
Istio 1.27 adds alpha ambient multicluster support, extending ambient's familiar lightweight, modular architecture to deliver secure connectivity, discovery and load balancing across clusters.
The world of AI inference on Kubernetes presents unique challenges that traditional traffic-routing architectures weren’t designed to handle. While Istio has long excelled at managing microservice traffic with sophisticated load balancing, security, and observability features, the demands of Large Language Model (LLM) workloads require specialized functionality. That’s why we’re excited to announce Istio’s support for the Gateway API Inference Extension, bringing intelligent, model-aw...
Over the next 12 months, we will focus on improving parity between sidecar mode and ambient mode, providing a supported path for sidecar users to migrate to the ambient data plane when they are ready. We will also revamp our contributor experience, simplifying the process for proposing and implementing new features, and giving recognition to our most valuable contributors. We plan to grow our ecosystem by adding or updating Istio’s integration to various popular cloud native projects and bu...
The open source and cloud native community gathered from the 1st to 4th of April in London for the first KubeCon of 2025. The four-day conference, organized by the Cloud Native Computing Foundation, was “big” for Istio, as our presence was seen almost everywhere - from the keynotes to the project pavilion. We kick-started the activities in London with Istio Day - a KubeCon + CloudNativeCon co-located event on April 1st. The event was well-received, showcasing lessons learned from running ...
Istio’s ambient mode splits the service mesh into two distinct layers: Layer 7 processing (the “waypoint proxy”), which remains powered by the traditional Envoy proxy; and a secure overlay (the “zero-trust tunnel” or “ztunnel”), which is a new codebase, written from the ground up in Rust. It is our intention that the ztunnel project be safe to install by default in every Kubernetes cluster, and to that end, it needs to be secure and performant. We comprehensively demonstrated zt...
The Sail Operator is a community project launched by Red Hat to build a modern operator for Istio. First announced in August 2024, we are pleased to announce Sail Operator is now GA with a clear mission: to simplify and streamline Istio management in your cluster. Simplified deployment & management The Sail Operator is engineered to cut down the complexity of installing and running Istio. It automates manual tasks, ensuring a consistent, reliable, and uncomplicated experience from initial ins...
An amazing lineup of Istio activities awaits you in London at KubeCon + CloudNativeCon Europe 2025! Join for the Istio Project Meeting hosted at the Maintainer Summit. Come to the Istio Day co-located event. Attend the Istio Maintainers’ Track session: Istio: The Past, Present and Future of the Project and Community Drop by the Istio Contribfest session: A Beginner’s Guide to Contributing to Istio - Hands-on Development and Contribution Workshop Add the following KubeCon sessions to your ...
Encryption in transit is a baseline requirement for almost all Kubernetes environments today, and forms the foundation of a zero-trust security posture. However, the challenge with security is that it doesn’t come without a cost: it often involves a trade-off between complexity, user experience, and performance. While most Cloud Native users will know of Istio as a service mesh, providing advanced HTTP functionality, it can also serve the role of providing a foundational network security la...
The Istio Steering Committee oversees the administrative aspects of the project, including governance, branding, marketing, and working with the CNCF. Every year, we estimate the proportion of the hundreds of companies that have contributed to Istio in the past year, and use that metric to proportionally allocate the nine Contribution Seats on our Steering Committee. After that, four Community Seats are voted for by our project members, with candidates being from companies that did not recei...
The Istio Steering Committee oversees the administrative aspects of the project, including governance, branding, marketing, and working with the CNCF. Every year, the leaders in the Istio project estimate the proportion of the hundreds of companies that have contributed to Istio in the past year, and use that metric to proportionally allocate nine Contribution Seats on our Steering Committee. Then, four Community Seats are voted for by our project members, with candidates being from companie...
Istio supports integration with many different projects. The Istio blog recently featured a post on L7 policy functionality with OpenPolicyAgent. Kyverno is a similar project, and today we will dive into how Istio and the Kyverno Authz Server can be used together to enforce Layer 7 policies in your platform. We will show you how to get started with a simple example. You will come to see how this combination is a solid option to deliver policy quickly and transparently to application team everywher...
Earlier this year, we added Izzy Dolphin, the Indo-Pacific Bottlenose to the CNCF “Phippy and Friends” family. Ever since then, Istio lovers worldwide have been eagerly awaiting the first children’s book featuring our cute dolphin. And here it is! The Istio project is excited to unveil Izzy’s adventure sailing with the Phippy family at KubeCon North America 2024 this week, as together we celebrate the 10 year anniversary of Kubernetes. Copies are available at the CNCF Store, or on...
We are proud to announce that Istio’s ambient data plane mode has reached General Availability, with the ztunnel, waypoints and APIs being marked as Stable by the Istio TOC. This marks the final stage in Istio’s feature phase progression, signaling that ambient mode is fully ready for broad production usage. Ambient mesh — and its reference implementation with Istio’s ambient mode — was announced in September 2022. Since then, our community has put in 26 months of hard work and coll...
An amazing lineup of Istio activities awaits you in Salt Lake City, Utah at KubeCon + CloudNativeCon North America 2024! Come to the Istio Day co-located event. Attend the Istio Maintainers’ Track session: Life of a Packet: Ambient Edition Drop by the Istio Contribfest session: Sidecarless Service Mesh: Let’s Work Together on Istio V2 Add the following KubeCon sessions to your schedule, all of which have an Istio flavor: Why Choose Istio in 2025 | Project Lightning Talk Lightning Talk: Ef...
A common question from prospective Istio users is “how does Istio compare to Cilium?” While Cilium originally only provided L3/L4 functionality, including network policy, recent releases have added service mesh functionality using Envoy, as well as WireGuard encryption. Like Istio, Cilium is a CNCF Graduated project, and has been around in the community for many years. Despite offering a similar feature set on the surface, the two projects have substantially different architectures, most ...
Like many Open Source foundations and projects, the Istio project has two governance groups: a Steering Committee, that oversees the administrative and marketing aspects of the project, and a Technical Oversight Committee (TOC), responsible for cross-cutting product and design decisions. The Steering Committee represents the companies and contributors that support the Istio project, while the TOC is the top of an individual contributor ladder made up of our members, maintainers and working gr...
Shared computing platforms offer resources and shared functionality to tenant teams so that they don’t need to build everything from scratch themselves. While it can sometimes be hard to balance all the requests from tenants, it’s important that platform teams ask the question: what’s the highest value feature we can offer our tenants? Often work is given directly to application teams to implement, but there are some features that are best implemented once, and offered as a service to a...
Read the whole post at lucavall.in.
With the recent announcement of the In-Cluster IstioOperator deprecation in Istio 1.23 and its subsequent deletion for Istio 1.24, we want to build awareness of a new operator that the team at Red Hat have been developing to manage Istio as part of the istio-ecosystem organization. The Sail Operator manages the lifecycle of Istio control planes, making it easier and more efficient for cluster administrators to deploy, configure and upgrade Istio in large scale production environments. Instead...
Istio’s In-Cluster Operator has been deprecated in Istio 1.23. Users leveraging the operator — which we estimate to be fewer than 10% of our user base — will need to migrate to other install and upgrade mechanisms in order to upgrade to Istio 1.24 or above. Read on to learn why we are making this change, and what operator users need to do. Does this affect you? This deprecation only affects users of the In-Cluster Operator. Users who install Istio with the istioctl install command and a...
On this day in 2017, Google and IBM announced the launch of the Istio service mesh. Istio is an open technology that enables developers to seamlessly connect, manage, and secure networks of different services — regardless of platform, source, or vendor. We can hardly believe that Istio turns seven today! To celebrate the project’s 7th birthday, we wanted to highlight Istio’s momentum and its exciting future. Rapid adoption among users Istio, the most widely adopted service mesh project ...
Today, Istio’s revolutionary new ambient data plane mode has reached Beta. Ambient mode is designed for simplified operations, broader application compatibility, and reduced infrastructure cost. It gives you a sidecar-less data plane that’s integrated into your infrastructure, all while maintaining Istio’s core features of zero-trust security, telemetry, and traffic management. Ambient mode was announced in September 2022. Since then, our community has put in 20 months of hard work and ...
Istio provides networking, security and telemetry APIs that are crucial for ensuring the robust security, seamless connectivity, and effective observability of services within the service mesh. These APIs are used on thousands of clusters across the world, securing and enhancing critical infrastructure. Most of the features powered by these APIs have been considered stable for some time, but the API version has remained at v1beta1. As a reflection of the stability, adoption, and value of thes...
We are thrilled to announce that Service Mesh support in the Gateway API is now officially “Stable”! With this release (part of Gateway API v1.1 and Istio v1.22), users can make use of the next-generation traffic management APIs for both ingress (“north-south”) and service mesh use cases (“east-west”). What is the Gateway API? The Gateway API is a collection of APIs that are part of Kubernetes, focusing on traffic routing and management. The APIs are inspired by, and serve many of...
Having sailed into, and proudly graduated within the Cloud Native Computing Foundation in 2023, it is now time for Istio to join the CNCF Phippy family’s mission to demystify and simplify cloud native computing. The Istio Steering Committee is excited to unveil Izzy Dolphin, the Istio Indo-Pacific Bottlenose, who today dives into the family of “Phippy and Friends”. Istio stands on the shoulders of several other CNCF projects, including Kubernetes, Envoy, Prometheus, and Helm. Izzy is pr...
The Istio Steering Committee oversees the administrative aspects of the project, including governance, branding, marketing, and working with the CNCF. Every year, the leaders in the Istio project estimate the proportion of the hundreds of companies that have contributed to Istio in the past year, and use that metric to proportionally allocate nine Contribution Seats on our Steering Committee. Then, four Community Seats are voted for by our project members, with candidates being from companie...
The Istio project announced ambient mesh - its new sidecar-less dataplane mode in 2022, and released an alpha implementation in early 2023. Our alpha was focused on proving out the value of the ambient data plane mode under limited configurations and environments. However, the conditions were quite limited. Ambient mode relies on transparently redirecting traffic between workload pods and ztunnel, and the initial mechanism we used to do that conflicted with several categories of 3rd-party Con...
There will be lots of Istio-related activity at KubeCon + CloudNativeCon Europe in Paris! We’ll keep this page updated with more details as they are published. Come to the Istio Day co-located event. The following KubeCon sessions will be based on Istio, add them to your schedule: Keynote: Platform Building Blocks: How to Build ML Infrastructure with CNCF Projects What Not Do When You’re Updating Istio in a Critical Environment? Comparing Sidecar-Less Service Mesh from Cilium and Istio Ne...
The open source and cloud native community gathered from the 6th to the 9th of November in Chicago for the final KubeCon of 2023. The four-day conference, organized by the Cloud Native Computing Foundation, was “twice the fun” for Istio, as we grew from a half-day event in Europe in April to a full day co-located event. To add to the excitement, Istio Day North America marked our first event as a CNCF graduated project. With Istio Day NA over, that’s a wrap for our major community event...
One of the biggest reasons users adopt service mesh is to enable secure communication among applications using mutual TLS (mTLS) based on cryptographically verifiable identities. In this blog, we’ll discuss the requirements of secure communication among applications, how mTLS enables and meets all those requirements, along with simple steps to get you started with enabling mTLS among your applications using Istio. What do you need to secure the communications among your applications? Modern...
It’s great to be able to safely get together in person again. After two years of only running virtual events, we have filled the calendar for 2023. Istio Day Europe was held in April, and Istio Day North America is coming this November. IstioCon is committed to the industry-leading service mesh that provides a platform to explore insights gained from real-world Istio deployments, engage in interactive hands-on activities, and connect with maintainers across the entire Istio ecosystem. Along...
There are 2 deployment modes for Istio: ambient mode and sidecar mode. The former is still on the way, the latter is the classic one. Therefore, the coexistence of ambient mode and sidecar mode should be a normal deployment form and the reason why this blog may be helpful for Istio users. Background In the architecture of modern microservices, communication and management among services is critical. To address the challenge, Istio emerged as a service mesh technology. It provides traffic cont...
The Istio Steering Committee is pleased to announce the four winners of the 2023 election for Community Seats. The winners are: Craig Box (ARMO); Iris Ding (Intel); Lin Sun (Solo.io); Faseela K (Ericsson Software Technology). The winners will serve on the Steering Committee for one year, starting on September 1, 2023. They will be responsible for helping to guide the development and governance of Istio, the world’s most popular service mesh. The election was held in August 2023, and was open to any...
If you have heard anything about service meshes, it is that they work using the sidecar pattern: a proxy server is deployed alongside your application code. The sidecar pattern is just that: a pattern. Up until this point, there has been no formal support for sidecar containers in Kubernetes at all. This has caused a number of problems: what if you have a job that terminates by design, but a sidecar container that doesn’t? This exact use case is the most popular ever on the Kubernetes issue...
What is connection load balancing? Load balancing is a core networking solution used to distribute traffic across multiple servers in a server farm. Load balancers improve application availability and responsiveness and prevent server overload. Each load balancer sits between client devices and backend servers, receiving and then distributing incoming requests to any available server capable of fulfilling them. A common web server usually has multiple workers (processors or threads). ...
We are delighted to announce that Istio is now a graduated Cloud Native Computing Foundation (CNCF) project. We would like to thank our TOC sponsors Emily Fox and Nikhita Raghunath, and everyone who has collaborated over the past six years on Istio’s design, development, and deployment. As before, project work continues uninterrupted. We were excited to bring ambient mesh to Alpha in Istio 1.18 and are continuing to drive it to production readiness. Sidecar deployments remain the recommende...
We all had a blast at Istio Day Europe in April. The event was incredibly well received, but organizers and attendees alike felt that a half-day was not enough to showcase all that Istio has to offer. Due to the overwhelming response, we are glad to share with all of you that Istio Day North America is going to be a full-day event, co-located with KubeCon North America in Chicago. Submit a talk We now encourage Istio users, developers, partners, and advocates to submit a session proposal thro...
The open source and cloud native community gathered from 18th to 21st April in Amsterdam for the first KubeCon of 2023. The four-day conference, organized by the Cloud Native Computing Foundation, was special for Istio, as we evolved from a participant at ServiceMeshCon to hosting our first official project co-located event. (Image: Istio Day Europe 2023, Welcome) Istio Day kicked off with an opening keynote from the Program Committee chairs, Mitch Connors and Faseela K. The event was packed with great...
With dozens of tools for securing your network available, it is easy to find tutorials and demonstrations illustrating how these individual tools make your network more secure by adding identity, policy, and observability to your traffic. What is often less clear is how these tools interoperate to provide comprehensive security for your network in production. How many tools do you need? When is your network secure enough? This post will explore the tools and practices leveraged by Splunk to s...
In Istio’s new ambient mode, the istio-cni component running on each Kubernetes worker node is responsible for redirecting application traffic to the zero-trust tunnel (ztunnel) on that node. By default it relies on iptables and Generic Network Virtualization Encapsulation (Geneve) overlay tunnels to achieve this redirection. We have now added support for an eBPF-based method of traffic redirection. Why eBPF Although performance considerations are essential in the implementation of Istio am...
Over the past year, both Intel and F5 have collaborated on an effort to bring support for Kubernetes Dual-Stack networking to Istio. Background The journey has taken us longer than anticipated and we continue to have work to do. The team initially started with a design based on a reference implementation from F5. The design led to an RFC that caused us to re-examine our approach. Notably, there were concerns about memory and performance issues that the community wanted to be addressed before ...
Istio ambient service mesh was launched in Sept 2022 in an experimental branch, introducing a new data plane mode for Istio without sidecars. Through collaboration with the Istio community, across Google, Solo.io, Microsoft, Intel, Aviatrix, Huawei, IBM and others, we are excited to announce that Istio ambient mesh has graduated from the experimental branch and merged to Istio’s main branch! This is a significant milestone for ambient mesh, paving the way for releasing ambient in Istio 1.18...
The Istio Steering Committee consists of 9 Contribution Seats, proportionally allocated based on corporate contributions to the project, and 4 elected Community Seats. Last year, we elected four members to the community seats. It’s now time to announce the companies who fuel our growth by selecting the Contribution Seat members. As per the Steering charter, every February we look at which companies have made the most contributions to Istio based on an annually agreed metric. According to ou...
Istio is a project that platform engineers trust to enforce security policy in their production Kubernetes environments. We pay a lot of care to security in our code, and maintain a robust vulnerability program. To validate our work, we periodically invite external review of the project, and we are pleased to publish the results of our second security audit. The auditors’ assessment was that “Istio is a well-maintained project that has a strong and sustainable approach to security”. No ...
Istio is sailing up the canals this April! We are delighted to announce Istio Day Europe 2023, a “Day 0” event co-located with KubeCon + CloudNativeCon Europe 2023. Istio Day is the perfect opportunity to meet the Istio maintainers and contributors in person, and hear from users why Istio is constantly ranked the #1 service mesh in production. Submit a talk We now encourage Istio users, developers, partners, and advocates to submit a session proposal through the CNCF event portal, which i...
Whether you’re running your Kubernetes application services using Istio, or any service mesh for that matter, or simply using ordinary services in a Kubernetes cluster, you need to provide access to your application services for clients outside of the cluster. If you’re using plain Kubernetes clusters, you’re probably using Kubernetes Ingress resources to configure the incoming traffic. If you’re using Istio, you are more likely to be using Istio’s recommended configuration resource...
The Istio Steering Committee consists of 9 proportionally-allocated Contribution Seats, and 4 elected Community Seats. Our third annual election for our Community Seats has concluded, and we are pleased to announce the choice of our members: Craig Box (ARMO); Iris Ding (Intel); Faseela K (Ericsson Software Technology); Christian Posta (Solo.io). We would like to extend our heartfelt thanks to Zack Butcher, Lin Sun and Zhonghu Xu, whose terms have now ended. With Contribution Seat holders from Goo...
We are pleased to share that Istio is now an official incubating CNCF project. In April, Istio applied to become a CNCF project. Today, the TOC announced they have voted to accept our application. This journey began with Istio’s inception in 2016. We are grateful for all who have collaborated over the last six years on Istio’s design, development, and deployment. We especially appreciate the efforts of TOC sponsor Dave Zolotusky, TAG Network, and the engineering teams at Airbnb, Intuit, S...
We recently announced Istio’s new ambient mode, which is a sidecar-less data plane for Istio and the reference implementation of the ambient mesh pattern. As stated in the announcement blog, the top concerns we address with ambient mesh are simplified operations, broader application compatibility, reduced infrastructure costs and improved performance. When designing the ambient data plane, we wanted to carefully balance the concerns around operations, cost, and performance while not sacrifi...
Cryptographic operations are among the most compute-intensive and critical operations when it comes to secured connections. Istio uses Envoy as the “gateways/sidecar” to handle secure connections and intercept the traffic. Depending upon use cases, when an ingress gateway must handle a large number of incoming TLS and secured service-to-service connections through sidecar proxies, the load on Envoy increases. The potential performance depends on many factors, such as size of the cpuset on...
The Istio project is pleased to announce its intention to join the Cloud Native Computing Foundation (CNCF). With the support of the Istio Steering Committee, Google has submitted an application proposal for Istio to join the CNCF, the home of its companion projects Kubernetes and Envoy. It is almost 5 years since Google, IBM and Lyft launched Istio 0.1 in May 2017. That first version set the standard for what a service mesh should be: traffic management, policy enforcement, and observability...
IstioCon is the annual user-centered event for Istio, the industry’s most popular service mesh. This event will take place April 25-29, it will be 100% virtual, and registrations are now open free of charge. If you are among the first 400 people to register to the conference, you are eligible to receive a conference t-shirt! In 2021, more than 4,000 people from across 84 countries joined the event online, to hear from 27 end-user companies how they are using Istio in production. Participant...
IstioCon 2022, set for April 25-29, will be the second annual conference for Istio, the industry’s most popular service mesh. This year’s conference will again be 100% virtual, connecting community members across the globe with Istio’s ecosystem. Visit the conference website for all the information related to the event. IstioCon provides an opportunity to showcase the lessons learned from running Istio in production, hands-on experiences from the Istio community, and will feature mainta...
Istio 1.9 introduced experimental support for WebAssembly (Wasm) module distribution and a Wasm extensions ecosystem repository with canonical examples and use cases for extension development. Over the past 9 months, the Istio, Envoy, and Proxy-Wasm communities have continued our joint effort to make Wasm extensibility stable, reliable, and easy to adopt, and we are pleased to announce Alpha support for Wasm extensibility in Istio 1.12! In the following sections, we’ll walk through the upda...
Aeraki [Air-rah-ki] is the Greek word for ‘breeze’. While Istio connects microservices in a service mesh, Aeraki provides a framework to allow Istio to support more layer-7 protocols other than just HTTP and gRPC. We hope this breeze can help Istio sail a little further. Lack of Protocols Support in Service Mesh We are now facing some challenges with service meshes: Istio and other popular service mesh implementations have very limited support for layer 7 protocols other than HTTP and gRP...
In keeping with our 2021 theme of improving Day 2 Istio operations, the Istio team has been evaluating extending the support window for our releases to give users more time to upgrade. For starters, we are extending the support window of Istio 1.9 by six weeks, to October 5, 2021. We hope that this additional support window will allow the many users who are currently using Istio 1.9 to upgrade, either to Istio 1.10 or directly to Istio 1.11. By overlapping support between 1.9 and 1.11, we int...
With the rapid popularization of cloud native technology in China, Istio has also gained popularity in this corner of the world. Almost all Chinese CSPs have created and are running service mesh products based on Istio. We welcomed thousands of Istio users and developers to the first IstioCon in February 2021, and the attendees expressed an interest in participating in more meetups and helping to grow the community at the local level. To this end, the Istio community united six partners — ...
Last year we introduced a new Steering Committee charter, which shares governance responsibilities between Contribution Seats, selected based on contributions to the project, and Community Seats, elected by the project members. We elected four members, with the committee representing seven different companies. It’s now time to kick off our 2021 election for Community Seats. Members have two weeks to submit nominations, and voting will run from 12 to 25 July. You can learn all about the elec...
Istio’s powerful APIs can be used to solve a variety of service mesh use cases. Many users know about its strong ingress and east-west capabilities but it also offers many features for egress (outgoing) traffic. This is especially useful when your application needs to talk to an external service - such as a database endpoint provided by a cloud provider. There are often multiple endpoints to choose from depending on where your workload is running. For example, Amazon’s DynamoDB provides se...
Like all security software, your service mesh should be kept up-to-date. The Istio community releases new versions every quarter, with regular patch releases for bug fixes and security vulnerabilities. The operator of a service mesh will need to upgrade the control plane and data plane components many times. You must take care when upgrading, as a mistake could affect your business traffic. Istio has many mechanisms to make it safe to perform upgrades in a controlled manner, and in Istio 1.10...
Celebrating Istio’s 4th birthday Four years ago today, the Istio project was born to the open source world. To celebrate this anniversary, we are hosting a week-long birthday celebration that focuses on contributions to the Istio project that stem from using Istio in production. Read on to learn how to participate in this celebration and enter a chance to win some Istio swag. (Image: Istio's 4th Birthday!) A year of important developments for Istio Over the last 12 months, the Istio project has been ...
As Service Mesh technology moves from cutting edge to stable infrastructure, many users have expressed an interest in upgrading their service mesh less frequently, as qualifying a new minor release can take a lot of time. Upgrading can be especially difficult for users who don’t keep up with new releases, as Istio has not supported upgrades across multiple minor versions. To upgrade from 1.6.x to 1.8.x, users first had to upgrade to 1.7.x and then to 1.8.x. With the release of Istio 1.10, w...
While most of the work in the Istio Product Security Working Group is done behind the scenes, we are listening to the community in setting expectations for security releases. We understand that it is difficult for mesh administrators, operators and vendors to be aware of security bulletins and security releases. We currently disclose vulnerabilities and security releases via numerous channels: istio.io via our Release Announcements and Security Bulletins Discuss announcements channel on Slack...
In versions of Istio prior to 1.4, security policy was configured using v1alpha1 APIs (MeshPolicy, Policy, ClusterRbacConfig, ServiceRole and ServiceRoleBinding). After consulting with our early adopters, we made major improvements to the policy system and released v1beta1 APIs along with Istio 1.4. These refreshed APIs (PeerAuthentication, RequestAuthentication and AuthorizationPolicy) helped standardize how we define policy targets in Istio, helped users understand where policies were appli...
IstioCon 2021 is a week-long, community-led, virtual conference starting on February 22. This event provides an opportunity to hear the lessons learned from companies like Atlassian, Airbnb, FICO, eBay, T-Mobile and Salesforce running Istio in production, hands-on experiences from the Istio community, and will feature maintainers from across the Istio ecosystem. You can now find the full schedule of events which includes a series of English sessions and Chinese sessions. By attending the conf...| Istio Blog
Background Istio’s authorization policy provides access control for services in the mesh. It is fast, powerful and a widely used feature. We have made continuous improvements to make policy more flexible since its first release in Istio 1.4, including the DENY action, exclusion semantics, X-Forwarded-For header support, nested JWT claim support and more. These features improve the flexibility of the authorization policy, but there are still many use cases that cannot be supported with this ...| Istio Blog
At Deutsche Telekom Pan-Net, we have embraced Istio as the umbrella to cover our services. Unfortunately, there are services which have not yet been migrated to Kubernetes, or cannot be. We can set Istio up as a proxy service for these upstream services. This allows us to benefit from capabilities like authorization/authentication, traceability and observability, even while legacy services stand as they are. At the end of this article there is a hands-on exercise where you can simulate the sc...| Istio Blog
This blog presents my latest experience about how to configure and enable proxy protocol with a stack of AWS NLB and Istio Ingress gateway. The Proxy Protocol was designed to chain proxies and reverse-proxies without losing the client information. The proxy protocol prevents the need for infrastructure changes or NATing firewalls, and offers the benefits of being protocol agnostic and providing good scalability. Additionally, we also enable the X-Forwarded-For HTTP header in the deployment to m...| Istio Blog
IstioCon 2021 will be the inaugural conference for Istio, the industry’s most popular service mesh. In its inaugural year, IstioCon will be 100% virtual, connecting community members across the globe with Istio’s ecosystem. This conference will take place at the end of February. All the information related to IstioCon will be published on the conference website. IstioCon provides an opportunity to showcase the lessons learned from running Istio in production, hands-on experiences from the...| Istio Blog
Since November 20th, 2020, Docker Hub has introduced rate limits on image pulls. Because Istio uses Docker Hub as the default registry, usage on a large cluster may lead to pods failing to start up due to exceeding rate limits. This can be especially problematic for Istio, as there is typically the Istio sidecar image alongside most pods in the cluster. Mitigations: Istio allows you to specify a custom docker registry which you can use to make container images be fetched from your private regis...| Istio Blog
DNS resolution is a vital component of any application infrastructure on Kubernetes. When your application code attempts to access another service in the Kubernetes cluster or even a service on the internet, it has to first look up the IP address corresponding to the hostname of the service, before initiating a connection to the service. This name lookup process is often referred to as service discovery. In Kubernetes, the cluster DNS server, be it kube-dns or CoreDNS, resolves the service’s...| Istio Blog
Last month, we announced a revision to our Steering Committee charter, opening up governance roles to more contributors and community members. The Steering Committee now consists of 9 proportionally-allocated Contribution Seats, and 4 elected Community Seats. We have now concluded our inaugural election for the Community Seats, and we’re excited to welcome the following new members to the Committee: Neeraj Poddar (Aspen Mesh) Zack Butcher (Tetrate) Christian Posta (Solo.io) Zhonghu Xu (Huaw...| Istio Blog
Overview: Istio has a wide range of security policies which can be easily configured into systems of services. As the number of applied policies increases, it is important to understand the relationship of latency, memory usage, and CPU usage of the system. This blog post goes over common security policy use cases and how the number of security policies or the number of specific rules in a security policy can affect the overall latency of requests. Setup: There are a wide range of security po...| Istio Blog
Overview: From experience working with various service mesh users and vendors, we believe there are 3 key personas for a typical service mesh: Mesh Operator, who manages the service mesh control plane installation and upgrade. Mesh Admin, often referred to as Platform Owner, who owns the service mesh platform and defines the overall strategy and implementation for service owners to adopt service mesh. Mesh User, often referred to as Service Owner, who owns one or more services in the mesh. Prior to ...| Istio Blog
MOSN (Modular Open Smart Network) is a network proxy server written in Go. It was built at Ant Group as a sidecar/API Gateway/cloud-native Ingress/Layer 4 or Layer 7 load balancer etc. Over time, we’ve added extra features, like a multi-protocol framework, multi-process plug-in mechanism, a DSL, and support for the xDS APIs. Supporting xDS means we are now able to use MOSN as the network proxy for Istio. This configuration is not supported by the Istio project; for help, please see Learn Mo...| Istio Blog
Since day one, the Istio project has believed in the importance of being contributor-run, open, transparent and available to all. In that spirit, Google is pleased to announce that it will be transferring ownership of the project’s trademarks to the new Open Usage Commons. Istio is an open source project, released under the Apache 2.0 license. That means people can copy, modify, distribute, make, use and sell the source code. The only freedom people don’t have under the Apache 2.0 license...| Istio Blog
Introducing Workload Entries: Bridging Kubernetes and VMs. Historically, Istio has provided a great experience to workloads that run on Kubernetes, but it has been less smooth for other types of workloads, such as Virtual Machines (VMs) and bare metal. The gaps included the inability to declaratively specify the properties of a sidecar on a VM, inability to properly respond to the lifecycle changes of the workload (e.g., booting to not ready to ready, or health checks), and cumbersome DNS workar...| Istio Blog
Canary deployments are a core feature of Istio. Users rely on Istio’s traffic management features to safely control the rollout of new versions of their applications, while making use of Istio’s rich telemetry to compare the performance of canaries. However, when it came to upgrading Istio, there was not an easy way to canary the upgrade, and due to the in-place nature of the upgrade, issues or changes found affect the entire mesh at once. Istio 1.6 will support a new upgrade model to saf...| Istio Blog
In this blog post I show how to configure the Ingress Application Load Balancer (ALB) on IBM Cloud Kubernetes Service (IKS) to direct traffic to the Istio ingress gateway, while securing the traffic between them using mutual TLS authentication. When you use IKS without Istio, you may control your ingress traffic using the provided ALB. This ingress-traffic routing is configured using a Kubernetes Ingress resource with ALB-specific annotations. IKS provides a DNS domain name, a TLS certificate...| Istio Blog
Istio sidecars obtain their certificates using the secret discovery service. A service in the service mesh may not need (or want) an Envoy sidecar to handle its traffic. In this case, the service will need to obtain a certificate itself if it wants to connect to other TLS or mutual TLS secured services. For a service with no need of a sidecar to manage its traffic, a sidecar can nevertheless still be deployed only to provision the private key and certificates through the CSR flow from the CA ...| Istio Blog
Originally posted on the Solo.io blog As organizations adopt Envoy-based infrastructure like Istio to help solve challenges with microservices communication, they inevitably find themselves needing to customize some part of that infrastructure to fit within their organization’s constraints. WebAssembly (Wasm) has emerged as a safe, secure, and dynamic environment for platform extension. In the recent announcement of Istio 1.5, the Istio project lays the foundation for bringing WebAssembly t...| Istio Blog
Configuring Wasm extensions for Envoy and Istio declaratively.| Istio
Use Istio Egress Traffic Control to prevent attacks involving egress traffic.| Istio
Learn how to use discovery selectors and how they intersect with Sidecar resources.| Istio
Reducing complexity by simplifying the virtual machine on-boarding experience.| Istio
A generic approach to set up egress gateways that can route traffic to a restricted set of target remote hosts dynamically, including wildcard domains.| Istio
A purpose-built per-node proxy for Istio ambient mesh.| Istio
Introducing the new destination oriented waypoint proxy for simplicity and scalability.| Istio
Step by step guide to get started with Istio ambient mesh.| Istio
A standard API for service mesh, in Istio and in the broader community.| Istio
Using a proxy server to support istioctl commands in a mesh with an external control plane.| Istio
Replacing iptables rules with eBPF allows transporting data directly from inbound sockets to outbound sockets, shortening the datapath between sidecars and services.| Istio
Introduction to Istio support for gRPC's proxyless service mesh features.| Istio
Results of a third-party security review by NCC Group.| Istio
Learn how to easily deploy StatefulSets with Istio 1.10.| Istio
Understanding the upcoming changes to Istio networking, how they may impact your cluster, and what action to take.| Istio
An update on Envoy and Istio's WebAssembly-based extensibility effort.| Istio
Understanding the benefits Istio brings, even when no configuration is used.| Istio