
Istio Sidecar Proxies

Learn more about Istio sidecar proxies: what they are, what benefits they bring, how and when the Istio module restarts workloads with Istio sidecar proxy injection enabled.

What Is a Service Mesh?

A service mesh is an infrastructure layer that handles service-to-service communication, proxying, service discovery, traceability, and security, independently of the code of the services. To deliver this functionality, the Istio module uses the Istio service mesh, customized for the specific needs of an implementation. The main principle of the Istio service mesh is to inject every service's Pods with an Istio sidecar proxy, which is an extended version of the Envoy proxy. Envoy intercepts the communication between the services and regulates it by applying and enforcing the rules you create.

Purpose and Benefits of Istio Sidecar Proxies

By default, Istio installed as part of the Istio module is configured with automatic Istio sidecar proxy injection disabled. This means that none of your workloads' Pods, except those in the kyma-system namespace, get their own sidecar proxy container running next to the application. When Istio sidecar proxy injection is disabled for a service or for a namespace, you must manage mutual TLS (mTLS) traffic for those services, or at the namespace level, by creating DestinationRule and PeerAuthentication resources. With an Istio sidecar proxy injected, a resource becomes part of the Istio service mesh, which brings the following benefits that would be complex to manage otherwise.
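As an added illustration (not from the original page or the Istio module's own documentation), the following manifests show the two standard Istio switches that control injection: the `istio-injection` namespace label, which enables automatic injection for every Pod created in that namespace, and the `sidecar.istio.io/inject` Pod annotation, which opts a single workload out. The namespace `orders`, the Deployment `batch-exporter`, and the image reference are assumed values.

```yaml
# Added example; namespace, workload and image names are made up.
# Enable automatic sidecar injection for every Pod created in this namespace.
# Pods that already exist are not changed until they are recreated.
apiVersion: v1
kind: Namespace
metadata:
  name: orders
  labels:
    istio-injection: enabled
---
# Opt a single workload out of injection even though its namespace is enabled.
# Without a sidecar this Pod is outside the mesh: the cluster-wide STRICT
# peer authentication is not enforced by it, so its traffic must be covered
# explicitly with DestinationRule/PeerAuthentication resources.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: batch-exporter
  namespace: orders
spec:
  replicas: 1
  selector:
    matchLabels:
      app: batch-exporter
  template:
    metadata:
      labels:
        app: batch-exporter
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      containers:
        - name: exporter
          image: registry.example.com/batch-exporter:1.0  # placeholder image
```

After applying the manifests, `kubectl get pods -n orders` shows injected Pods with an extra container (for example `2/2` in the READY column) and the opted-out Pod with only its own container. Workloads that were running before the label was added pick up the sidecar only when their Pods are recreated, for instance with `kubectl rollout restart deployment <name> -n orders`.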

Secure Communication

The Istio module sets peer authentication to cluster-wide STRICT mode. This ensures that your workload only accepts mutual TLS (mTLS) traffic in which both the client and the server certificate are validated, so that all traffic is encrypted. This provides each service with a strong identity and a reliable system for managing keys and certificates.

Also, with Istio sidecar proxy injected, you can perform request authentication for your service. Istio enables request authentication with JSON Web Token (JWT) validation using a custom authentication provider.
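The following manifests are an added example, not part of the original page or the Istio module's configuration. They show what the cluster-wide STRICT peer authentication described above looks like as a resource, and how JWT request authentication is layered on top of it for one workload. The namespace `orders`, the label `app: orders-api`, the issuer and the JWKS URL are placeholders; the root namespace is assumed to be `istio-system`.

```yaml
# Added example; issuer, JWKS URL, namespace and workload label are made up.
# Mesh-wide STRICT peer authentication: a PeerAuthentication named "default"
# in the mesh root namespace (assumed here to be istio-system) applies to all
# workloads that have a sidecar. Plaintext connections to them are rejected.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Request authentication: the sidecar validates JWTs issued by a custom
# provider before the request reaches the orders-api container.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: orders-jwt
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders-api
  jwtRules:
    - issuer: "https://auth.example.com"                       # placeholder
      jwksUri: "https://auth.example.com/.well-known/jwks.json" # placeholder
      forwardOriginalToken: true
---
# RequestAuthentication by itself only rejects requests that carry an
# *invalid* token; requests with no token still pass through. This policy
# closes that gap by allowing only requests with a validated principal.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-require-jwt
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders-api
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals: ["*"]
```

The split between the three resources is the point worth remembering: PeerAuthentication governs the transport identity between sidecars (mTLS), RequestAuthentication governs end-user identity carried in the JWT, and only an AuthorizationPolicy turns "a token, if present, must be valid" into "a valid token is required".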

Observability

Istio sidecar proxies enhance tracing capabilities by performing global tracing and forwarding the data to a tracing backend using the OTLP protocol. When you integrate your application into the Istio service mesh, you can easily access advanced observability features without needing to implement complex instrumentation within the application.

Traffic Management

If you have an Istio sidecar proxy injected into every workload, you can use Istio’s traffic routing rules without additional configuration. See Traffic management.

Traffic shifting and request routing allow you to use techniques like canary releases and A/B testing to make your software release process faster and more reliable. To improve the resiliency of your applications, you can use mirroring and fault injection for testing and audit purposes.
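As an added example (not taken from the original page or from the Istio module), the manifests below put the four techniques just named into one VirtualService and DestinationRule pair: header-based request routing for A/B testing, a weighted canary split, mirroring of a share of live traffic, and a delay fault applied only to requests that carry a test header. The service `orders-api`, the namespace `orders`, the version labels and the header names are assumed values.

```yaml
# Added example; service, namespace, subset and header names are made up.
# Subsets map the Pods' version labels to routable destinations.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: orders-api
  namespace: orders
spec:
  host: orders-api.orders.svc.cluster.local
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: orders-api
  namespace: orders
spec:
  hosts:
    - orders-api.orders.svc.cluster.local
  http:
    # Fault injection for resilience tests: only requests that carry the
    # test header are delayed, so normal users are never affected.
    - match:
        - headers:
            x-chaos-test:
              exact: "delay"
      fault:
        delay:
          percentage:
            value: 100
          fixedDelay: 3s
      route:
        - destination:
            host: orders-api.orders.svc.cluster.local
            subset: v1
    # A/B testing: requests from the test group (identified by a header
    # set at the edge) go straight to v2.
    - match:
        - headers:
            x-ab-group:
              exact: "b"
      route:
        - destination:
            host: orders-api.orders.svc.cluster.local
            subset: v2
    # Canary release: everyone else is split 90/10 between v1 and v2.
    # Mirroring: a copy of 10% of these requests is additionally sent to v2
    # fire-and-forget; the mirrored responses are discarded.
    - route:
        - destination:
            host: orders-api.orders.svc.cluster.local
            subset: v1
          weight: 90
        - destination:
            host: orders-api.orders.svc.cluster.local
            subset: v2
          weight: 10
      mirror:
        host: orders-api.orders.svc.cluster.local
        subset: v2
      mirrorPercentage:
        value: 10
```

Rules in the `http` list are evaluated in order, so the matched routes must come before the catch-all weighted route. Because mirrored requests are real requests replayed against v2, mirror only workloads whose handlers are idempotent or that write to a separate data store.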

Resiliency

Application resiliency is an important topic within traffic management. Traditionally, application libraries implemented resiliency features like timeouts, retries, and circuit breakers. However, with service mesh, you can delegate such tasks to the mesh, and the same configuration options work regardless of the programming language of your application. See Network Resilience and Testing.
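To show what delegating these features to the mesh looks like in practice, here is an added example (not from the original page or the Istio module) that configures timeouts and retries in a VirtualService and a circuit breaker, via connection limits and outlier detection, in a DestinationRule, all without touching application code. The service `inventory`, the namespace `orders` and all numeric limits are assumed values chosen for illustration.

```yaml
# Added example; names and limits are made up.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: inventory
  namespace: orders
spec:
  hosts:
    - inventory.orders.svc.cluster.local
  http:
    - route:
        - destination:
            host: inventory.orders.svc.cluster.local
      # Overall deadline for the request, including all retry attempts.
      timeout: 3s
      retries:
        attempts: 3
        perTryTimeout: 1s
        # Retry only on conditions that indicate a server or connection
        # failure, not on client errors.
        retryOn: "5xx,reset,connect-failure"
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: inventory
  namespace: orders
spec:
  host: inventory.orders.svc.cluster.local
  trafficPolicy:
    # Connection pool limits: requests beyond these bounds fail fast
    # instead of queueing up and exhausting the backend.
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 50
        http2MaxRequests: 200
        maxRequestsPerConnection: 10
    # Outlier detection (circuit breaking): a backend Pod that returns
    # 5 consecutive 5xx responses within a 10s scan interval is removed
    # from the load-balancing pool for 30s; at most half of the Pods can
    # be ejected at once so the service never loses all its endpoints.
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
```

Two caveats a practitioner should keep in mind: the `timeout` bounds the whole request, so three attempts with a 1s per-try timeout cannot all complete within 3s once connection setup is counted; and the sidecar retries the full request, which for non-idempotent operations such as POSTs means the backend may see the same write more than once.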