Introducing Istiod and describing their reasons behind this decision
The core functionalities of istio are dependent on Envoy
injected side car proxies. Those proxies extract signals about traffic behavior to help enforce policies.
Envoy supports advanced load balancing features including automatic retries, circuit breaking, rate limiting, traffic mirroring, load balancing and it is shipped with APIs for easy management, and with Layer 7 support Envoy has deep observability features to capture traffic signals, and allow for distributed tracing.
Let's assume that you have istio installed and configured for automatic injection.
Istio relies on a mutating webhook admission controller to inject it's sidecar into the service pod. When a new deployment is created and is part of the mesh, an API call is sent to kubernetes's api-server, this call is first authenticated and then intercepted by istio's mutating webhook.
The webhook injects istio needed containers:
istio-init:
An init-container that runs, finishes it's job and is removed (as init-containers job) before the application starts.
The function of the init container is to setup iptables rules to make all incoming and outgoing traffic pass through the proxy
istio-proxy:
This is the actual envoy proxy that will be intercepting the traffic and communicating with the control plane for configuration.
Once the service is up the workflow happens as follow:
From now on the traffic to and from the application pod is intercepted and controlled by the mesh.
I guess this is already a lot of info, and probably it’s a good step to break this article into two.
Next time we will speak about how the traffic is handled within the mesh for both incoming and outgoing traffic. Till then stay safe and healthy !Let's connect