Istio offers a service mesh implementation with a focus on several important features: traffic, observability, security and policy.

Gardener ManagedIstio feature gate

When enabled in gardenlet, the ManagedIstio feature gate can be used to deploy a Gardener-tailored Istio installation in Seed clusters. Its main usage is to enable features such as Shoot API server SNI. This feature should not be enabled on a Seed cluster where Istio is already deployed.

However, this feature gate is deprecated, turned on by default and will be removed in a future version of Gardener. This means that Gardener will unconditionally deploy Istio with its desired configuration to seed clusters. Consequently, existing/bring-your-own Istio deployments will no longer be supported.


Differences with Istio’s default profile

The default profile, which is recommended for production deployments, is not suitable for the Gardener use case, as it offers more functionality than desired. The current installation is undergoing heavy refactoring due to the IstioOperator, and the mixture of Helm values and Kubernetes API specification makes configuring and fine-tuning it very hard. Gardener uses a simpler deployment. The differences are the following:

  • Telemetry is not deployed.
  • istiod is deployed.
  • istio-ingress-gateway is deployed in a separate istio-ingress namespace.
  • istio-egress-gateway is not deployed.
  • None of the Istio addons are deployed.
  • Mixer (deprecated) is not deployed.
  • Mixer CRDs are not deployed.
  • Kubernetes Service, Istio’s VirtualService and ServiceEntry are NOT advertised in the service mesh. This means that if a Service needs to be accessed directly from the Istio Ingress Gateway, it should have the networking.istio.io/exportTo: "*" annotation. VirtualService and ServiceEntry must have .spec.exportTo: ["*"] set on them, respectively.
  • Istio injector is not enabled.
  • mTLS is enabled by default.
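
The export settings from the list above, shown on each of the three resource kinds. This is an added example, not taken from the Gardener documentation or code; all names, namespaces, hosts, ports and the referenced Gateway are hypothetical.

```yaml
# Constructed manifests: every name, namespace, host and port is hypothetical.
apiVersion: v1
kind: Service
metadata:
  name: example-backend
  namespace: example-ns
  annotations:
    # Advertises this Service in the mesh so the Istio Ingress Gateway can reach it.
    networking.istio.io/exportTo: "*"
spec:
  selector:
    app: example-backend
  ports:
  - name: tls
    port: 443
    targetPort: 8443
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: example-backend
  namespace: example-ns
spec:
  exportTo: ["*"]            # required, see the list above
  hosts: ["backend.example.com"]
  gateways: ["istio-ingress/example-gateway"]  # hypothetical Gateway
  tls:
  - match:
    - port: 443
      sniHosts: ["backend.example.com"]
    route:
    - destination:
        host: example-backend.example-ns.svc.cluster.local
        port:
          number: 443
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: example-external
  namespace: example-ns
spec:
  exportTo: ["*"]            # required, see the list above
  hosts: ["external.example.com"]
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - name: tls
    number: 443
    protocol: TLS
```

When reviewing manifests for a Seed, a Service missing the annotation, or a VirtualService or ServiceEntry missing `exportTo`, is the first thing to check if a route through the gateway does not resolve.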