
Istio Tutorial

12. 02. 2025 · Updated: 27. 03. 2026 · 2 min read · advanced

Istio is the most widely used service mesh for Kubernetes. It injects a sidecar proxy (Envoy) alongside every pod, taking control of all network communication between services. This gives you mTLS encryption, advanced traffic management (canary, circuit breaker, retry), detailed observability, and security policies — all without changing application code. For enterprise environments with dozens of microservices, it is a critical infrastructure layer.

Installation

curl -L https://istio.io/downloadIstio | sh -
cd istio-*/ && export PATH="$PWD/bin:$PATH"   # the download lands in ./istio-<version>; put istioctl on PATH
istioctl install --set profile=demo
kubectl label namespace default istio-injection=enabled

After enabling injection, Istio automatically adds an Envoy sidecar container to every new pod in the namespace. The demo profile is suitable for testing; for production, use the default profile or a custom one with optimized resource limits.

Traffic Management

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata: { name: myapp }
spec:
  hosts: [myapp]
  http:
  - route:
    # Subsets v1 and v2 must be defined by a DestinationRule for host myapp (selected by pod labels)
    - destination: { host: myapp, subset: v2 }
      weight: 20
    - destination: { host: myapp, subset: v1 }
      weight: 80

Canary deployment at the service mesh level — 20% of traffic goes to the new version (v2), 80% to the existing one (v1). Istio supports routing by HTTP headers, cookies, or query parameters, allowing you to direct specific users or test traffic to the new version. Circuit breakers protect services from cascading failures, and automatic retries improve resilience.
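As an added example that is not part of the original tutorial, the following manifests show the features the paragraph above names: a header-matched rule that pins requests carrying a constructed `x-canary: "true"` header to v2, the weighted split with retries and a timeout, and a DestinationRule that defines the v1/v2 subsets and acts as a circuit breaker through connection limits and outlier detection. The service name `myapp`, the `version` pod labels, the header name and all numeric limits are assumptions chosen for illustration; `v1beta1` is the same VirtualService/DestinationRule API as the `v1alpha3` used above.

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata: { name: myapp, namespace: default }
spec:
  hosts: [myapp]
  http:
  # Constructed test rule: only requests carrying x-canary: "true" are pinned to v2
  - match:
    - headers:
        x-canary: { exact: "true" }
    route:
    - destination: { host: myapp, subset: v2 }
  # All other traffic gets the weighted split, with retries on transient failures
  - route:
    - destination: { host: myapp, subset: v2 }
      weight: 20
    - destination: { host: myapp, subset: v1 }
      weight: 80
    retries:
      attempts: 3
      perTryTimeout: 2s
      retryOn: 5xx,reset,connect-failure
    timeout: 10s
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata: { name: myapp, namespace: default }
spec:
  host: myapp
  trafficPolicy:
    # Circuit breaker: cap concurrency and eject instances that keep returning 5xx
    connectionPool:
      tcp: { maxConnections: 100 }
      http: { http1MaxPendingRequests: 50, maxRequestsPerConnection: 10 }
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
  # Subsets map to pod labels; v1/v2 are the names the VirtualService references
  subsets:
  - { name: v1, labels: { version: v1 } }
  - { name: v2, labels: { version: v2 } }
```

Apply both with `kubectl apply -f`; the header rule is evaluated first because Istio matches `http` entries in order.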

mTLS

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata: { name: default }
# Applies to the namespace it is created in; create it in the root namespace (istio-system by default) for a mesh-wide policy
spec:
  mtls: { mode: STRICT }

Mutual TLS encrypts all communication between pods while authenticating both sides. In STRICT mode, unencrypted communication is rejected. Istio automatically rotates certificates and manages the entire PKI lifecycle without administrator intervention.

Observability

  • Kiali — visual dashboard showing service topology and health
  • Jaeger — distributed tracing for following requests across services
  • Grafana — latency, error rate, and throughput metrics per service

istioctl dashboard kiali

Istio for Enterprise

Start with traffic management and mTLS — these deliver the most value. Add observability gradually. Istio has higher resource overhead (sidecar per pod), so evaluate lighter alternatives like Linkerd for simpler environments.


CORE SYSTEMS team
