Understanding Istio 1.5: Architecture, New Features, and Installation Guide
This article explains what Istio is, outlines the major updates in version 1.5—including the unified istiod control plane, WebAssembly extensibility, simplified installation, and improved observability—describes core control‑plane components, and provides step‑by‑step instructions for preparing a Kubernetes cluster and installing Istio.
Istio is an open‑source service mesh that connects, manages, and secures microservices, offering service discovery, load balancing, fault recovery, telemetry, A/B testing, canary releases, rate limiting, access control, and end‑to‑end mTLS. It runs on Kubernetes and provides a transparent layer for logging, tracing, and policy integration.
Istio 1.5 Major Updates
istiod: The control plane is consolidated into a single binary called istiod, simplifying installation, operation, and upgrades while keeping the same APIs and runtime features.
New Extensibility Model: WebAssembly (Wasm) replaces the Mixer component, allowing developers to safely run custom code in Envoy proxies for telemetry, policy, routing, or message transformation, improving flexibility and performance.
Simplified Installation: The istioctl CLI now includes many improvements—better validation, CI integration, and automatic mTLS configuration—making it easier to install and manage Istio. The Operator remains in Alpha.
Enhanced Observability: Telemetry v2 reports native TCP metrics, adds gRPC response codes, halves latency (from 7 ms to 3.3 ms), and removes the Mixer, cutting CPU usage by about 50% (0.55 vCPU per 1000 RPS).
Core Control‑Plane Components
Pilot: Provides service discovery and traffic management (A/B testing, canary, retries, circuit breaking) by translating high‑level routing rules into Envoy configurations.
Galley: Handles configuration validation, extraction, processing, and distribution; after Istio 1.1 it became the central configuration manager.
Injector: Automatically injects the Envoy sidecar into Pods during creation.
Mixer (deprecated in 1.5): Previously collected telemetry and enforced policies via its Telemetry and Policy sub‑components.
Citadel: Provides security functions such as authentication, authorization, credential management, and RBAC.
Installation Prerequisites
Before installing Istio, ensure you have a Kubernetes cluster (tested with versions 1.14‑1.16). Verify that Pods and Services meet the following requirements:
Service ports must be named using the pattern name: <protocol>[-<suffix>].
Each Pod must belong to at least one Service; if a Pod belongs to multiple Services, they cannot use different protocols on the same port.
Deployments should include app and version labels to enrich Istio telemetry.
Do not run application Pods as UID 1337, which is reserved for the Envoy sidecar proxy. If you use PodSecurityPolicies, grant the NET_ADMIN capability (or use the Istio CNI plugin).
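The prerequisites above can be checked against manifests before Istio is installed. The following is an added example, not code from the original article or from the Istio project: it audits manifest dicts (the items of kubectl get -o json) for port naming, app/version labels, Service membership and UID 1337. The function names, the protocol-prefix list and the sample manifests are assumptions constructed for illustration.

```python
import re

# Assumption: prefixes from Istio's protocol-selection docs; verify per release.
PROTOCOLS = ("grpc-web", "grpc", "http2", "https", "http", "mongo", "mysql",
             "redis", "tcp", "tls", "udp")
PORT_NAME = re.compile(r"^(%s)(-.+)?$" % "|".join(PROTOCOLS))
SIDECAR_UID = 1337  # UID the prerequisites say application Pods must avoid

def check_service(svc):
    """Findings for Service ports not named <protocol>[-<suffix>]."""
    return [f"Service {svc['metadata']['name']}: port name {p.get('name')!r} "
            "does not match <protocol>[-<suffix>]"
            for p in svc["spec"].get("ports", [])
            if not PORT_NAME.match(p.get("name") or "")]

def check_deployment(dep, services):
    """Findings for app/version labels, Service membership and UID 1337."""
    name, tmpl = dep["metadata"]["name"], dep["spec"]["template"]
    labels = tmpl["metadata"].get("labels", {})
    out = [f"Deployment {name}: missing '{k}' label"
           for k in ("app", "version") if k not in labels]
    # Pods belong to a Service when all its selector pairs are in their labels.
    if not any(s["spec"].get("selector")
               and s["spec"]["selector"].items() <= labels.items()
               for s in services):
        out.append(f"Deployment {name}: Pods match no Service selector")
    ctxs = [tmpl["spec"].get("securityContext", {})] + [
        c.get("securityContext", {}) for c in tmpl["spec"].get("containers", [])]
    if any(c.get("runAsUser") == SIDECAR_UID for c in ctxs):
        out.append(f"Deployment {name}: runAsUser {SIDECAR_UID} is set")
    return out

def audit(objects):
    """Run every check over manifest dicts (items of `kubectl get -o json`)."""
    services = [o for o in objects if o["kind"] == "Service"]
    out = [f for s in services for f in check_service(s)]
    for dep in (o for o in objects if o["kind"] == "Deployment"):
        out += check_deployment(dep, services)
    return out

# Constructed sample manifests, not taken from the page.
SAMPLE = [
    {"kind": "Service", "metadata": {"name": "reviews"},
     "spec": {"selector": {"app": "reviews"},
              "ports": [{"name": "http-web"}, {"name": "metrics"}]}},
    {"kind": "Deployment", "metadata": {"name": "reviews-v1"},
     "spec": {"template": {"metadata": {"labels": {"app": "reviews"}},
         "spec": {"containers": [{"securityContext": {"runAsUser": 1337}}]}}}},
]
print("\n".join(audit(SAMPLE)))
```

The check does not cover the rule that multiple Services selecting one Pod must not use different protocols on the same port, and it does not inspect PodSecurityPolicies.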
Downloading and Installing Istio 1.5
Download the release:
curl -L https://istio.io/downloadIstio | sh -
Change to the Istio directory, e.g.:
cd istio-1.5.1
The install/kubernetes folder contains YAML manifests, samples/ holds example apps, and bin/istioctl is the CLI for manual sidecar injection.
Add istioctl to your PATH:
export PATH=$PWD/bin:$PATH
Install using the default profile:
istioctl manifest apply
Verify the installation:
kubectl get pods -n istio-system
If Docker Hub is inaccessible, manually load the required images onto each node (e.g., docker load -i istio_pilot_1_5_1.tar.gz) or pull them from a private registry.
Successful installation is confirmed by the presence of Istio system pods, as shown in the accompanying screenshots.
Full-Stack DevOps & Kubernetes
Focused on sharing DevOps, Kubernetes, Linux, Docker, Istio, microservices, Spring Cloud, Python, Go, databases, Nginx, Tomcat, cloud computing, and related technologies.
