Istio Glossary
Supported Version: Istio 1.28+ Last Updated: February 23, 2026
This glossary organizes key terms related to Istio and Service Mesh in alphabetical order.
Table of Contents
A-C
Ambient Mode
A new data plane mode introduced in Istio 1.20+ that provides service mesh functionality without Sidecar Proxies.
Features:
- No Sidecar containers required
- Uses ztunnel at the node level
- Improved resource efficiency
- Separation of L4 and L7 functions
Related Documentation: Ambient Mode
Certificate Authority (CA)
An authority that issues and manages certificates for mTLS communication between services.
Role in Istio:
- Istiod's Citadel function performs the CA role
- Issues certificates based on SPIFFE ID
- Automatic certificate renewal (default TTL: 24 hours)
Related Terms: Citadel, SPIFFE, mTLS
Circuit Breaker
A pattern that blocks requests to failed services to prevent failure propagation throughout the entire system.
How It Works:
- Closed: Normal operation
- Open: Blocks requests after consecutive failures
- Half-Open: Allows some requests after a certain time
Istio Implementation:
apiVersion: networking.istio.io/v1
kind: DestinationRule
spec:
trafficPolicy:
outlierDetection:
consecutiveErrors: 5
interval: 30s
baseEjectionTime: 30sRelated Documentation: Circuit Breaker
Citadel
A security component that existed independently before Istio 1.4. It is now integrated into Istiod.
Main Functions:
- Certificate Authority (CA) management
- SPIFFE ID issuance and management
- X.509 certificate generation and renewal
Current Status: Exists as an internal function within Istiod in Istio 1.5+
Related Terms: Istiod, Certificate Authority
CDS (Cluster Discovery Service)
One of the xDS APIs that allows Envoy to dynamically receive configuration for upstream services (clusters).
Information Provided:
- Cluster name and type
- Load balancing policy
- Health check settings
- Circuit breaker settings
- TLS settings
D-F
Data Plane
The layer that handles actual traffic in a service mesh.
Istio's Data Plane:
- Envoy Proxy (Sidecar or Ambient Mode)
- Handles all inbound/outbound traffic
- mTLS encryption/decryption
- Metric collection
Related Terms: Control Plane, Envoy
DestinationRule
An Istio CRD that defines policies for traffic routed by VirtualService.
Main Functions:
- Subset definition (version, region, etc.)
- Load balancing policy
- Connection Pool settings
- Circuit Breaker settings
- TLS settings
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2Related Documentation: DestinationRule
eBPF (Extended Berkeley Packet Filter)
A technology that allows programs to run safely inside the Linux kernel.
Usage in Istio:
- Core technology for Ambient Mode
- Replaces iptables (faster performance)
- Traffic interception through CNI plugins
- No Init Container required
Advantages:
- Low overhead
- Kernel-level processing
- Dynamic programming capability
Related Terms: Ambient Mode, iptables
EDS (Endpoint Discovery Service)
One of the xDS APIs that dynamically provides actual endpoints (pod IPs) within a cluster.
Information Provided:
- Endpoint IP addresses and ports
- Health status
- Load balancing weights
- Locality information
Example:
{
"cluster_name": "outbound|9080||reviews",
"endpoints": [
{
"lb_endpoints": [
{"endpoint": {"address": {"socket_address": {"address": "10.244.1.5", "port_value": 9080}}}},
{"endpoint": {"address": {"socket_address": {"address": "10.244.2.8", "port_value": 9080}}}}
]
}
]
}Envoy Proxy
A high-performance L7 proxy that forms the Data Plane of Istio.
History:
- Developed by Matt Klein at Lyft in 2016
- CNCF Incubating project in 2017
- CNCF Graduated project in 2018
Key Features:
- High-performance proxy written in C++
- Dynamic configuration through xDS API
- HTTP/1.1, HTTP/2, gRPC support
- Rich observability
Components:
- Listeners: Port listening
- Filters: Request/response processing
- Routers: Routing decisions
- Clusters: Upstream services
Related Documentation: Architecture - Envoy Proxy
G-I
Galley
A configuration validation component that existed independently before Istio 1.4. It is now integrated into Istiod.
Main Functions:
- Istio configuration validation
- Kubernetes resource processing
- Error checking before configuration deployment
Current Status: Exists as an internal function within Istiod in Istio 1.5+
Related Terms: Istiod
Gateway
An Istio CRD that defines entry points for external traffic entering the Service Mesh.
Types:
- Ingress Gateway: External to internal traffic
- Egress Gateway: Internal to external traffic
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
name: my-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "example.com"Related Documentation: Gateway and VirtualService
gRPC
A high-performance RPC (Remote Procedure Call) framework developed by Google.
Relationship with Istio:
- xDS API is gRPC-based
- Used for Istiod to Envoy communication
- HTTP/2 based (supports multiplexing)
Advantages:
- Bidirectional streaming
- Low latency
- Uses Protocol Buffers
Related Terms: xDS
Identity
Represents the identity of a workload within the Service Mesh.
Istio's Identity:
- Uses SPIFFE ID format
- Based on Kubernetes ServiceAccount
- Proven by X.509 certificates
Example:
spiffe://cluster.local/ns/default/sa/reviewsiptables
A firewall tool that controls network traffic in Linux.
Role in Istio:
- istio-init container sets up iptables rules
- Redirects all pod traffic to Envoy
- Uses NAT table (PREROUTING, OUTPUT chains)
Key Rules:
# Outbound: All traffic except Envoy -> 15001
iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner 1337 -j REDIRECT --to-port 15001
# Inbound: All traffic -> 15006
iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-port 15006Alternative: eBPF (Ambient Mode)
Related Documentation: Architecture - iptables
Istiod
The unified Control Plane component in Istio 1.5+.
Integrated Functions:
- Pilot: Service Discovery, Traffic Management
- Citadel: Certificate Authority, Identity
- Galley: Configuration Validation
Execution Method:
- Single Go binary:
pilot-discovery - All functions run within a single process
- Default ports: 15012 (xDS), 15017 (Webhook)
Advantages:
- Reduced complexity
- Simplified operations
- Resource efficiency
Related Documentation: Architecture - Istiod
J-L
LDS (Listener Discovery Service)
One of the xDS APIs that allows Envoy to dynamically receive ports to listen on and filter chains.
Information Provided:
- Listener address and port
- Protocol (HTTP, TCP)
- Filter chain configuration
- TLS settings
Istio's Default Listeners:
0.0.0.0:15001: Outbound TCP0.0.0.0:15006: Inbound TCP0.0.0.0:15021: Health check0.0.0.0:15090: Prometheus metrics
Locality-aware Load Balancing
A load balancing method that considers locality (Region, Zone) information.
Priority:
- Endpoints in the same Zone
- Different Zone in the same Region
- Different Region
Configuration Example:
apiVersion: networking.istio.io/v1
kind: DestinationRule
spec:
trafficPolicy:
loadBalancer:
localityLbSetting:
enabled: true
distribute:
- from: us-west/zone-1a/*
to:
"us-west/zone-1a/*": 80
"us-west/zone-1b/*": 20Related Documentation: Zone Aware Routing
M-O
Mixer
A policy and telemetry component that existed before Istio 1.4.
Main Functions:
- Policy enforcement (Rate Limiting, Access Control)
- Telemetry collection
Reasons for Removal:
- Performance overhead (Mixer call for every request)
- Complex architecture
Current Status: Completely removed in Istio 1.5+ (functionality moved to Envoy)
Related Terms: Istiod
mTLS (Mutual TLS)
A bidirectional TLS communication method where client and server authenticate each other.
Istio's mTLS:
- Automatic certificate issuance and renewal
- SPIFFE ID-based authentication
- Default encryption: AES-256-GCM
Modes:
- STRICT: Only mTLS allowed
- PERMISSIVE: mTLS + plaintext allowed (for migration)
- DISABLE: Only plaintext allowed
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
name: default
spec:
mtls:
mode: STRICTRelated Documentation: mTLS
Outlier Detection
A feature that automatically excludes endpoints exhibiting abnormal behavior.
Detection Conditions:
- Consecutive error count
- Error rate
- Response latency
apiVersion: networking.istio.io/v1
kind: DestinationRule
spec:
trafficPolicy:
outlierDetection:
consecutiveErrors: 5
interval: 30s
baseEjectionTime: 30s
maxEjectionPercent: 50Related Documentation: Outlier Detection
P-R
Downstream
From Envoy's perspective, this refers to the side that sends requests. That is, the client that initiates a connection to Envoy.
Envoy's Downstream:
- Connections coming into Envoy (Inbound)
- Client sending requests
- Connections received by Listener
Traffic Flow:
Downstream (Client) -> Envoy Proxy -> Upstream (Backend)Example Scenarios:
1. Sidecar Mode - Outbound Request
Perspective:
- From Envoy's view: Application is Downstream (sending requests)
- From Envoy's view: Backend service is Upstream (receiving requests)
2. Ingress Gateway - External Request
Downstream-related Envoy Configuration:
# Listener - Receive Downstream connections
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: downstream-config
spec:
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
per_connection_buffer_limit_bytes: 32768 # Downstream buffer
listener_filters:
- name: envoy.filters.listener.tls_inspectorDownstream Metrics:
# Downstream connection count
envoy_listener_downstream_cx_active
# Downstream request count
envoy_http_downstream_rq_total
# Downstream response time
envoy_http_downstream_rq_timeRelated Terms: Upstream, Envoy, Listener
Upstream
From Envoy's perspective, this refers to the side that receives requests. That is, the backend service to which Envoy initiates a connection.
Envoy's Upstream:
- Connections going out from Envoy (Outbound)
- Backend service processing requests
- Endpoints managed by Cluster
Traffic Flow:
Downstream (Client) -> Envoy Proxy -> Upstream (Backend)Upstream Components:
1. Cluster (Upstream Group)
# Define Upstream Cluster with DestinationRule
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews # Upstream service
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
connectionPool:
tcp:
maxConnections: 100 # Upstream connection limit
http:
http1MaxPendingRequests: 50
http2MaxRequests: 100
outlierDetection:
consecutiveErrors: 5 # Upstream failure detection
interval: 30s2. Endpoint (Actual Upstream Instance)
# Check upstream endpoints
istioctl proxy-config endpoints <pod-name> | grep reviews
# Example output:
# ENDPOINT STATUS CLUSTER
# 10.244.1.5:9080 HEALTHY outbound|9080||reviews.default.svc.cluster.local
# 10.244.2.8:9080 HEALTHY outbound|9080||reviews.default.svc.cluster.local
# 10.244.3.12:9080 UNHEALTHY outbound|9080||reviews.default.svc.cluster.localUpstream Traffic Policy:
apiVersion: networking.istio.io/v1
kind: DestinationRule
spec:
host: reviews
trafficPolicy:
# Upstream load balancing
loadBalancer:
consistentHash:
httpHeaderName: "x-user-id"
# Upstream connection pool
connectionPool:
tcp:
maxConnections: 100
connectTimeout: 30s
http:
h2UpgradePolicy: UPGRADE
# Upstream TLS
tls:
mode: ISTIO_MUTUAL
# Upstream Circuit Breaker
outlierDetection:
consecutiveErrors: 5
interval: 10s
baseEjectionTime: 30sUpstream vs Downstream Comparison:
| Item | Downstream | Upstream |
|---|---|---|
| Direction | Coming into Envoy (Inbound) | Going out from Envoy (Outbound) |
| Role | Sending requests (Client) | Receiving requests (Server) |
| Envoy Configuration | Listener, Filter Chain | Cluster, Endpoint |
| Examples | External users, other services | Backend API, Database |
| Metrics | downstream_cx_*, downstream_rq_* | upstream_cx_*, upstream_rq_* |
Real-world Examples:
Scenario 1: Service A -> Service B Call
+---------------------------------------------------------+
| Service A Pod |
| |
| App --> Envoy Sidecar |
| | |
| | Downstream: App |
| | Upstream: Service B |
+----------|-------------------------------------------------+
|
v
+---------------------------------------------------------+
| Service B Pod |
| |
| Envoy Sidecar --> App |
| | |
| | Downstream: Service A Envoy |
| | Upstream: Local App (Service B) |
+---------------------------------------------------------+Service A's Envoy Perspective:
- Downstream: Service A's application
- Upstream: Service B
Service B's Envoy Perspective:
- Downstream: Service A's Envoy
- Upstream: Service B's application (local)
Scenario 2: Ingress Gateway
External Client (Downstream)
|
Ingress Gateway (Envoy)
|
Internal Service (Upstream)Upstream Metrics:
# Upstream connection count
envoy_cluster_upstream_cx_active
# Upstream request success rate
envoy_cluster_upstream_rq_success_rate
# Upstream response time
envoy_cluster_upstream_rq_time
# Upstream health check
envoy_cluster_health_check_success
# Upstream Circuit Breaker
envoy_cluster_circuit_breakers_default_remainingUpstream Health Check:
apiVersion: networking.istio.io/v1
kind: DestinationRule
spec:
host: reviews
trafficPolicy:
outlierDetection:
# Upstream health detection
consecutiveGatewayErrors: 5
consecutive5xxErrors: 5
interval: 10s
baseEjectionTime: 30s
maxEjectionPercent: 50Debugging:
# 1. Check upstream cluster
istioctl proxy-config clusters <pod-name> --fqdn reviews.default.svc.cluster.local
# 2. Check upstream endpoint status
istioctl proxy-config endpoints <pod-name> --cluster "outbound|9080||reviews.default.svc.cluster.local"
# 3. Check upstream metrics
kubectl exec <pod-name> -c istio-proxy -- \
curl -s localhost:15000/stats/prometheus | grep upstream
# 4. Check upstream connections
istioctl proxy-config all <pod-name> -o json | \
jq '.configs[] | select(.["@type"] | contains("ClustersConfigDump"))'Related Terms: Downstream, Envoy, Cluster, Endpoint
Pilot
A traffic management component that existed independently before Istio 1.4. It is now integrated into Istiod.
Main Functions:
- Service Discovery
- Traffic Management (VirtualService, DestinationRule processing)
- xDS Server
Current Status: Exists as an internal function within Istiod in Istio 1.5+
RDS (Route Discovery Service)
One of the xDS APIs that dynamically provides HTTP routing rules.
Information Provided:
- Route matching rules (path, headers, etc.)
- Weight-based routing
- Redirect and rewrite rules
- Timeout and Retry settings
Relationship with VirtualService:
- VirtualService -> Converted by Istiod -> RDS configuration
Related Terms: xDS, VirtualService
Rate Limiting
A feature that limits the number of requests allowed per unit time.
Implementation Methods:
- Local Rate Limiting: Processed locally by Envoy
- Global Rate Limiting: Uses an external Rate Limit service
apiVersion: networking.istio.io/v1
kind: EnvoyFilter
metadata:
name: filter-local-ratelimit
spec:
configPatches:
- applyTo: HTTP_FILTER
patch:
operation: INSERT_BEFORE
value:
name: envoy.filters.http.local_ratelimit
typed_config:
stat_prefix: http_local_rate_limiter
token_bucket:
max_tokens: 100
tokens_per_fill: 100
fill_interval: 1sRelated Documentation: Rate Limiting
S-U
SDS (Secret Discovery Service)
One of the xDS APIs that dynamically provides TLS certificates and keys.
Information Provided:
- X.509 certificates
- Private Key
- CA Root Certificate
Advantages:
- No file system required
- Automatic certificate renewal
- Zero-downtime renewal
Service Entry
An Istio CRD that registers services external to the Service Mesh into the mesh.
Use Cases:
- External API access control
- Apply Istio features to external services (Retry, Timeout, etc.)
- Egress Gateway integration
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
name: external-api
spec:
hosts:
- api.external.com
ports:
- number: 443
name: https
protocol: HTTPS
location: MESH_EXTERNAL
resolution: DNSRelated Documentation: ServiceEntry
Service Mesh
An infrastructure layer that manages communication between microservices.
Core Features:
- Traffic management (routing, load balancing)
- Security (mTLS, authentication/authorization)
- Observability (metrics, logs, tracing)
- Resilience (Retry, Circuit Breaker)
Major Implementations:
- Istio
- Linkerd
- Consul Connect
- AWS App Mesh
SigV4 (AWS Signature Version 4)
A signature protocol for authenticating AWS API requests.
How It Works:
Signature Components:
Canonical Request: Standardized format of the request
- HTTP method
- URI path
- Query string
- Headers
- Payload hash
String to Sign: String to be signed
- Algorithm:
AWS4-HMAC-SHA256 - Timestamp
- Credential Scope
- Canonical Request hash
- Algorithm:
Signing Key: Signing key calculation
HMAC(HMAC(HMAC(HMAC("AWS4" + SecretKey, Date), Region), Service), "aws4_request")Signature: Final signature
HMAC(SigningKey, StringToSign)
Integration with Istio:
1. SigV4 Authentication via EnvoyFilter
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: aws-sigv4-filter
namespace: istio-system
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
listener:
filterChain:
filter:
name: envoy.filters.network.http_connection_manager
patch:
operation: INSERT_BEFORE
value:
name: envoy.filters.http.aws_request_signing
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.aws_request_signing.v3.AwsRequestSigning
service_name: s3
region: us-west-2
use_unsigned_payload: false
match_excluded_headers:
- prefix: x-envoy2. Integration with External Authorization
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: aws-auth
namespace: default
spec:
jwtRules:
- issuer: "https://sts.amazonaws.com"
audiences:
- "sts.amazonaws.com"
jwksUri: "https://sts.amazonaws.com/.well-known/jwks"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: require-aws-auth
namespace: default
spec:
action: CUSTOM
provider:
name: aws-sigv4-authorizer
rules:
- to:
- operation:
paths: ["/api/*"]Use Case Scenarios:
Scenario 1: S3 Access
# Register S3 with ServiceEntry
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: s3-external
spec:
hosts:
- "*.s3.amazonaws.com"
ports:
- number: 443
name: https
protocol: HTTPS
location: MESH_EXTERNAL
resolution: DNS
---
# Configure TLS with DestinationRule
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: s3-external
spec:
host: "*.s3.amazonaws.com"
trafficPolicy:
tls:
mode: SIMPLEApplication Code:
import requests
# Envoy automatically adds SigV4 signature
response = requests.get("https://my-bucket.s3.us-west-2.amazonaws.com/object.txt")
print(response.text)Scenario 2: API Gateway Integration
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: aws-api-gateway
spec:
hosts:
- api.example.com
http:
- match:
- uri:
prefix: "/api"
route:
- destination:
host: my-api.execute-api.us-west-2.amazonaws.com
port:
number: 443Scenario 3: DynamoDB Access
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: dynamodb-sigv4
spec:
configPatches:
- applyTo: HTTP_FILTER
patch:
operation: INSERT_BEFORE
value:
name: envoy.filters.http.aws_request_signing
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.aws_request_signing.v3.AwsRequestSigning
service_name: dynamodb
region: us-west-2
host_rewrite: dynamodb.us-west-2.amazonaws.comMethods for Providing AWS Credentials:
- ServiceAccount + IRSA (Recommended):
apiVersion: v1
kind: ServiceAccount
metadata:
name: app-sa
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/app-roleEC2 Instance Profile:
- Automatically uses IAM role assigned to the node
Environment Variables:
env:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: aws-credentials
key: access-key-id
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: aws-credentials
key: secret-access-keySecurity Considerations:
Credential Rotation:
- Automatic rotation using IRSA
- Default TTL: 1 hour
Principle of Least Privilege:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}- Audit Logging:
- Record all API calls with CloudTrail
- Integration with Istio Access Log
Debugging:
# Check SigV4 signature in Envoy logs
kubectl logs <pod-name> -c istio-proxy | grep aws_request_signing
# Check Authorization header
kubectl exec -it <pod-name> -c istio-proxy -- \
curl -v localhost:15000/config_dump | jq '.configs[] | select(.["@type"] == "type.googleapis.com/envoy.admin.v3.ClustersConfigDump")'
# Test AWS API call
kubectl exec -it <pod-name> -- \
curl -v https://my-bucket.s3.amazonaws.com/test.txtPerformance Impact:
| Operation | Latency |
|---|---|
| SigV4 signature calculation | ~1-2ms |
| Credential load (cache) | ~0.1ms |
| Credential load (IRSA) | ~50ms (first request) |
| Total overhead | ~1-3ms |
Alternative Comparison:
| Method | Advantages | Disadvantages |
|---|---|---|
| SigV4 (Envoy) | No application code changes required | Envoy configuration needed |
| AWS SDK | Flexible control | SDK required in all apps |
| API Gateway | Managed solution | Additional cost |
Related Terms: AuthorizationPolicy, ServiceEntry, EnvoyFilter
References:
Sidecar
A helper container pattern deployed alongside an application container.
Istio's Sidecar:
- Container name:
istio-proxy - Image:
istio/proxyv2 - Runs Envoy Proxy
- Intercepts all traffic (iptables or eBPF)
Injection Methods:
- Automatic: Namespace label
- Manual:
istioctl kube-inject
metadata:
labels:
istio-injection: enabled # Automatic injectionRelated Documentation: Sidecar Injection
Sidecar Resource
An Istio CRD that limits the service information Envoy receives.
Purpose:
- Reduce memory usage
- Shorten configuration push time
- Network isolation
apiVersion: networking.istio.io/v1
kind: Sidecar
metadata:
name: default
namespace: default
spec:
egress:
- hosts:
- "./*" # Same namespace only
- "istio-system/*"Effect:
- Before: 1000 services -> 500 MB memory
- After: 10 services -> 80 MB memory
Related Documentation: Architecture - Sidecar Resource
SPIFFE (Secure Production Identity Framework for Everyone)
A standard for proving workload identity in cloud-native environments.
SPIFFE ID Format:
spiffe://trust-domain/pathIstio Example:
spiffe://cluster.local/ns/default/sa/reviews
| | | | | |
| | | | | +- ServiceAccount name
| | | | +----- "sa" (ServiceAccount)
| | | +------------ Namespace name
| | +------------------ "ns" (Namespace)
| +------------------------------ Trust Domain
+---------------------------------------- ProtocolComponents:
- SPIFFE ID: Workload identifier
- SVID (SPIFFE Verifiable Identity Document): X.509 certificate
Subset
A logical grouping of services defined in DestinationRule.
Common Uses:
- By version:
v1,v2,v3 - By deployment stage:
stable,canary,test - By region:
us-west,us-east,eu-central
apiVersion: networking.istio.io/v1
kind: DestinationRule
spec:
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2Related Documentation: DestinationRule - Subset Concept
V-Z
Waypoint Proxy
An optional proxy that provides L7 functionality in Ambient Mode.
Role:
- Deployed per Service Account or Namespace
- Based on Envoy Proxy
- Dedicated to L7 traffic management functions
- Works alongside ztunnel
Provided Features:
- L7 routing (Path, Header-based)
- Retry and Timeout
- Circuit Breaker
- Fault Injection
- Header manipulation
Deployment Example:
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: reviews-waypoint
namespace: default
spec:
gatewayClassName: istio-waypoint
listeners:
- name: mesh
port: 15008
protocol: HBONEFeatures:
- ztunnel handles only L4, waypoint handles L7
- Selective use only for services that need it
- More resource efficient than Sidecar (shared approach)
- Deployed per Service Account or Namespace
Related Terms: Ambient Mode, ztunnel
VirtualService
An Istio CRD that defines how traffic is routed within the Service Mesh.
Main Functions:
- Routing based on URI, headers, query parameters
- Weight-based traffic distribution
- Retry and Timeout settings
- Fault Injection
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- match:
- uri:
prefix: "/v2"
route:
- destination:
host: reviews
subset: v2
- route:
- destination:
host: reviews
subset: v1Related Documentation: Gateway and VirtualService
WASM (WebAssembly)
A binary instruction format designed to run in web browsers. In Istio, it is used to extend the functionality of the Envoy proxy.
Usage in Istio:
- Add custom logic as Envoy Filter
- Dynamically extend functionality without redeployment
- Can be written in various languages (Rust, C++, Go, etc.)
- Runs safely in a sandbox environment
Major Use Cases:
- Custom Authentication/Authorization: Implement complex business logic
- Request/Response Transformation: Header manipulation, payload transformation
- Advanced Routing: Custom routing logic
- Metric Collection: Specialized telemetry
WASM Plugin Example:
apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
name: custom-auth
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
url: oci://ghcr.io/my-org/custom-auth:v1.0.0
phase: AUTHN
pluginConfig:
api_key_header: "X-API-Key"
validate_endpoint: "https://auth.example.com/validate"Deployment Methods:
1. Deployment via OCI Registry (Recommended)
apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
name: rate-limiter
spec:
url: oci://docker.io/istio/rate-limit:1.0.0
imagePullPolicy: Always
imagePullSecret: registry-credential2. Deployment via HTTP URL
apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
name: custom-filter
spec:
url: https://example.com/filters/custom-filter.wasm
sha256: "8a8c3b5e..."3. Local File Deployment
apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
name: local-filter
spec:
url: file:///etc/istio/filters/custom.wasmWASM Development Example (Rust):
use proxy_wasm::traits::*;
use proxy_wasm::types::*;
#[no_mangle]
pub fn _start() {
proxy_wasm::set_log_level(LogLevel::Trace);
proxy_wasm::set_http_context(|_, _| -> Box<dyn HttpContext> {
Box::new(CustomFilter)
});
}
struct CustomFilter;
impl HttpContext for CustomFilter {
fn on_http_request_headers(&mut self, _: usize) -> Action {
// API Key validation
match self.get_http_request_header("x-api-key") {
Some(key) if key == "secret-key" => {
Action::Continue
}
_ => {
self.send_http_response(
403,
vec![("content-type", "text/plain")],
Some(b"Forbidden: Invalid API Key"),
);
Action::Pause
}
}
}
}Build and Deployment:
# 1. Build WASM (Rust)
cargo build --target wasm32-unknown-unknown --release
# 2. Package as OCI image
docker build -t ghcr.io/my-org/custom-auth:v1.0.0 .
docker push ghcr.io/my-org/custom-auth:v1.0.0
# 3. Apply WasmPlugin
kubectl apply -f wasmplugin.yamlPerformance Characteristics:
| Metric | Value |
|---|---|
| Startup time | ~1-5ms |
| Memory overhead | ~100KB per filter |
| Execution overhead | ~0.1-1ms per request |
| Sandbox isolation | Guaranteed |
Ambient Mode Support:
apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
name: waypoint-filter
spec:
selector:
matchLabels:
gateway.networking.k8s.io/gateway-name: reviews-waypoint
url: oci://ghcr.io/filters/custom:latest
phase: AUTHNDebugging:
# Check WASM plugin status
kubectl get wasmplugin -A
# Check WASM-related logs in Envoy logs
kubectl logs <pod-name> -c istio-proxy | grep wasm
# Check WASM module load
istioctl proxy-config all <pod-name> -o json | jq '.configs[] | select(.name | contains("wasm"))'Security Considerations:
- Sandbox Isolation: WASM modules run in an isolated environment from the Envoy process
- Resource Limits: CPU and memory limits can be configured
- Signature Verification: Integrity check with SHA256 hash
- Least Privilege: Grant only necessary permissions
Advantages:
- High performance (native code level)
- Safe sandbox execution
- Updateable without redeployment
- Multi-language support
- Standard OCI image format
Limitations:
- Some system calls restricted
- Limited file I/O
- Network calls only through Envoy API
Related Terms: Envoy, Waypoint Proxy, Ambient Mode
References:
xDS (Discovery Service)
A set of APIs for dynamic configuration of Envoy Proxy.
Meaning of "xDS":
x: Variable representing various typesDS: Discovery Service
xDS API Types:
| API | Name | Role |
|---|---|---|
| LDS | Listener Discovery Service | Listening ports and filter chains |
| RDS | Route Discovery Service | HTTP routing rules |
| CDS | Cluster Discovery Service | Upstream service configuration |
| EDS | Endpoint Discovery Service | Actual pod IP list |
| SDS | Secret Discovery Service | TLS certificates and keys |
Communication Method:
- Protocol: gRPC
- Port: 15012 (Istiod)
- Bidirectional streaming
Order:
Envoy Start -> LDS -> CDS -> EDS -> RDS -> SDSRelated Documentation: Architecture - xDS API Communication
Zone
Represents a Kubernetes Availability Zone.
Label Format:
topology.kubernetes.io/zone: us-west-1aUsage in Istio:
- Locality-aware Load Balancing
- Zone Aware Routing
- Same Zone priority routing
Related Terms: Locality-aware Load Balancing
ztunnel (Zero Trust Tunnel)
A core component of Ambient Mode, a lightweight L4 proxy running at the node level.
Role:
- Deployed as DaemonSet on each node
- Handles L4 traffic for all pods
- Provides service mesh functionality without Sidecar
- Integrates with CNI plugin
Provided Features:
- mTLS: Automatic encryption/decryption
- L4 Telemetry: Metric collection
- Identity: Service Account-based authentication
- L4 Load Balancing: Basic load balancing
Technical Features:
- Written in Rust (high performance)
- eBPF-based traffic redirection
- No Init Container required
- Low resource usage (~50MB per node)
Deployment Example:
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: ztunnel
namespace: istio-system
spec:
selector:
matchLabels:
app: ztunnel
template:
spec:
hostNetwork: true
containers:
- name: istio-proxy
image: istio/ztunnel:1.28.0
securityContext:
privileged: true
resources:
requests:
cpu: 100m
memory: 50MiNamespace Activation:
# Enable Ambient Mode
kubectl label namespace default istio.io/dataplane-mode=ambientAdvantages:
- 86% memory reduction compared to Sidecar
- No pod restart required
- Application transparency
- Minimized initial latency
Limitations:
- Waypoint Proxy required for L7 features
- eBPF-compatible kernel required (Linux 4.20+)
Related Terms: Ambient Mode, Waypoint Proxy, eBPF
References
Official Documentation
Related Documentation
Last Updated: November 24, 2025