Istio Architecture Overview and Core Components
This article provides a detailed overview of Istio’s architecture, explaining the roles and interactions of its data plane, control plane, and core components such as Envoy sidecar, Pilot, Mixer, Citadel, Galley, sidecar‑injector, and ingress gateway within a Kubernetes‑based service mesh.
Istio Architecture Overview
Istio is regarded as the best cloud‑native companion for Kubernetes. The "Istio Technical Practice" series uses technical articles and video lectures to explain Istio micro‑service governance and enterprise‑grade cloud platform solutions.
Data Plane
The data plane consists of a set of sidecar proxies (Envoy) that mediate all network traffic between micro‑services and communicate with the control plane’s Pilot to receive routing policies.
Control Plane
Pilot provides service discovery, advanced routing (A/B testing, canary releases), and fault handling (timeouts, retries, circuit breaking). It translates high‑level routing rules into Envoy configuration and pushes it to the sidecars over the xDS APIs. The control plane also validates configuration through Galley and enforces policies via Mixer.
Core Components
Sidecar (Envoy): A high‑performance C++ proxy deployed as a sidecar in the same pod as the application, handling all inbound and outbound traffic for that pod.
Mixer: Collects telemetry and enforces access control. Envoy sends request attributes to Mixer, which evaluates policies and forwards metrics to backend monitoring systems. Mixer itself is stateless and highly available, and caches policy decisions to keep the check path fast.
Pilot: Manages service discovery and converts routing, security, and traffic‑management rules (VirtualService, DestinationRule, Gateway, ServiceEntry) into Envoy‑readable configuration.
Citadel: Provides mutual TLS authentication and identity management by issuing a certificate to each service via Kubernetes secrets, enabling encrypted, authenticated service‑to‑service communication without code changes.
Galley: Validates configuration formats and supplies verified configuration to Pilot and Mixer, decoupling the other components from platform specifics.
Sidecar‑Injector: Automatically injects the Envoy sidecar into pods at creation time, making the process transparent to users.
Ingress Gateway: Exposes services outside the mesh through a load‑balanced gateway that receives traffic rules from Pilot and forwards requests to the appropriate sidecars.
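The Citadel and Ingress Gateway entries above come together at the edge of the mesh: the gateway terminates TLS from the outside world, and inside the mesh traffic is carried over mutual TLS using the Citadel‑issued workload certificates. The manifests below are an added example, not configuration from the original article; the hostname `shop.example.com`, the secret `shop-example-com-tls`, and the `shop` service are assumed values. The `credentialName` field assumes an Istio release with SDS‑based gateway certificates, and `PeerAuthentication` is the `security.istio.io/v1beta1` API; on Mixer‑era releases the same server‑side setting was expressed with `MeshPolicy`/`Policy` objects.

```yaml
# Added example, not from the original article. Hostname, secret name and
# service name are assumed values for illustration.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: shop-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway          # label of the default ingress gateway pods
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - shop.example.com
    tls:
      httpsRedirect: true          # plaintext clients are redirected, never served
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - shop.example.com
    tls:
      mode: SIMPLE                 # gateway terminates TLS for external clients
      credentialName: shop-example-com-tls   # kubernetes.io/tls secret in istio-system
      minProtocolVersion: TLSV1_2
---
# Bind the external hostname to the in-mesh service behind the gateway.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: shop
  namespace: default
spec:
  hosts:
  - shop.example.com
  gateways:
  - shop-gateway
  http:
  - route:
    - destination:
        host: shop.default.svc.cluster.local
        port:
          number: 8080
---
# Client side: the gateway's Envoy and every sidecar originate mTLS to shop
# using the workload certificate Citadel issued to them.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: shop
  namespace: default
spec:
  host: shop.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# Server side: every sidecar in the namespace refuses plaintext. Without this,
# the default PERMISSIVE mode still accepts unauthenticated connections even
# though clients are configured for ISTIO_MUTUAL.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
```

The pairing matters: `ISTIO_MUTUAL` on the DestinationRule only controls what clients send, while `STRICT` on the server side is what actually rejects a pod in the same namespace that has no sidecar (or a bypassed one) and connects in plaintext. The gateway's `httpsRedirect` plus `minProtocolVersion` keep the external edge from quietly downgrading to plaintext or legacy TLS.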
The series also invites readers to try the Alauda Service Mesh (ASM) product, which offers a managed Istio‑based service‑mesh platform.
This article has been distilled and summarized from source material, then republished for learning and reference.
Cloud Native Technology Community
The Cloud Native Technology Community, part of the CNBPA Cloud Native Technology Practice Alliance, focuses on evangelizing cutting‑edge cloud‑native technologies and practical implementations. It shares in‑depth content, case studies, and event/meetup information on containers, Kubernetes, DevOps, Service Mesh, and other cloud‑native tech, along with updates from the CNBPA alliance.