Istio
Istio is an open-source tool that makes it easier for DevOps teams to observe, secure, control, and troubleshoot the traffic within a complex network of microservices.
As a network of microservices changes and grows, the interactions between them can become increasingly difficult to manage and understand. In such a situation, it is useful to have a service mesh as a separate infrastructure layer. Istio's service mesh lets you manipulate traffic between microservices without changing the microservices directly.
This core service mesh provides features that include but are not limited to the following:
- Traffic Management such as ingress and egress routing, circuit breaking, and mirroring.
- Security with resources to authenticate and authorize traffic and users, mTLS included.
- Observability of logs, metrics, and distributed traffic flows.
Prerequisites
Before enabling Istio, we recommend that you confirm that your Rancher worker nodes have enough CPU and memory to run all of the components of Istio.
Architecture
Istio installs a service mesh that uses Envoy sidecar proxies to intercept traffic to each workload. These sidecars intercept and manage service-to-service communication, allowing fine-grained observation and control over traffic within the cluster.
Only workloads that have the Istio sidecar injected can be tracked and controlled by Istio.
When a namespace has Istio enabled, new workloads deployed in the namespace will automatically have the Istio sidecar. You need to manually enable Istio in preexisting workloads.
For more information on the Istio sidecar, refer to the Istio sidecar-injection docs. For more information on Istio's architecture, refer to the Istio Architecture docs.
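Because only workloads with the sidecar are tracked and controlled, it helps to list the pods in Istio-enabled namespaces that still run without one. The following is an added example, not code from the original page or from Rancher or Istio. It assumes pod data shaped like `kubectl get pods -A -o json`; the sample pods and namespace set are constructed, and `istio-proxy` and `sidecar.istio.io/inject` are the names Istio uses for the sidecar container and the per-pod opt-out.

```python
SIDECAR = "istio-proxy"  # name Istio's injector gives the Envoy sidecar container
# Constructed sample data, shaped like the "items" of `kubectl get pods -A -o json`.
SAMPLE_PODS = [
    {"metadata": {"namespace": "shop", "name": "cart-7d9f"},
     "spec": {"containers": [{"name": "cart"}, {"name": "istio-proxy"}]}},
    # Pre-existing workload: deployed before Istio was enabled in the namespace.
    {"metadata": {"namespace": "shop", "name": "legacy-billing-5c2a"},
     "spec": {"containers": [{"name": "billing"}]}},
    # Native-sidecar mode: the proxy is listed under initContainers instead.
    {"metadata": {"namespace": "shop", "name": "search-88b1"},
     "spec": {"initContainers": [{"name": "istio-proxy"}],
              "containers": [{"name": "search"}]}},
    # Injection switched off for this pod via label.
    {"metadata": {"namespace": "shop", "name": "batch-job-x1",
                  "labels": {"sidecar.istio.io/inject": "false"}},
     "spec": {"containers": [{"name": "batch"}]}},
    # Namespace without Istio enabled: out of scope for this check.
    {"metadata": {"namespace": "tools", "name": "cron-1"},
     "spec": {"containers": [{"name": "cron"}]}},
]
# Constructed: namespaces that carry the istio-injection=enabled label.
ENABLED_NAMESPACES = {"shop"}


def has_sidecar(pod):
    """True if the proxy appears as a regular or an init container."""
    spec = pod.get("spec", {})
    names = [c.get("name") for key in ("containers", "initContainers")
             for c in spec.get(key) or []]
    return SIDECAR in names


def unmeshed_pods(pods, enabled_namespaces):
    """Return (namespace, name, reason) for pods Istio cannot track or control."""
    findings = []
    for pod in pods:
        meta = pod["metadata"]
        if meta["namespace"] not in enabled_namespaces or has_sidecar(pod):
            continue
        # The opt-out may be set as a label or, on older setups, an annotation.
        marks = {**(meta.get("annotations") or {}), **(meta.get("labels") or {})}
        opted_out = marks.get("sidecar.istio.io/inject") == "false"
        reason = "opted out of injection" if opted_out else "no sidecar injected"
        findings.append((meta["namespace"], meta["name"], reason))
    return findings


if __name__ == "__main__":
    for ns, name, reason in unmeshed_pods(SAMPLE_PODS, ENABLED_NAMESPACES):
        print(f"{ns}/{name}: {reason}")
```

Pods reported as "no sidecar injected" are the preexisting workloads that still need Istio enabled manually; until then their traffic is outside the mesh's mTLS, authorization, and observability.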