Istio offers a service mesh implementation with focus on several important features - traffic, observability, security and policy.
ManagedIstio feature gate
When enabled in gardenlet, the ManagedIstio feature gate can be used to deploy a Gardener-tailored Istio installation in Seed clusters. Its main usage is to enable features such as Shoot API server SNI. This feature should not be enabled on a Seed cluster where Istio is already deployed.
- Third-party JWT is used; therefore each Seed cluster where this feature is enabled must have Service Account Token Volume Projection enabled.
- Kubernetes 1.16+ is required.
Differences with Istio’s default profile
The default profile, which is recommended for production deployment, is not suitable for the Gardener use case as it offers more functionality than desired. The current installation goes through heavy refactorings due to the IstioOperator, and the mixture of Helm values and Kubernetes API specification makes configuring and fine-tuning it very hard. A more simplistic deployment is used by Gardener. The differences are the following:
- Telemetry is not deployed.
- istio-ingress-gateway is deployed in a separate
- istio-egress-gateway is not deployed.
- None of the Istio addons are deployed.
- Mixer (deprecated) is not deployed.
- Mixer CRDs are not deployed.
- ServiceEntry resources are NOT advertised in the service mesh. This means that if a Service needs to be accessed directly from the Istio Ingress Gateway, it should have .spec.exportTo: ["*"] set.
- Istio injector is not enabled.
- mTLS is enabled by default.
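A ServiceEntry carrying the exportTo setting described above, as an added example that is not part of the Gardener documentation; the service name example-svc and namespace example-ns are constructed placeholders.

```yaml
# Added example (not from the Gardener docs): a ServiceEntry that makes a
# constructed in-cluster Service reachable from the Istio Ingress Gateway.
# example-svc and example-ns are placeholder names.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: example-svc
  namespace: example-ns
spec:
  hosts:
  - example-svc.example-ns.svc.cluster.local
  # The backend lives inside the cluster, so it is mesh-internal.
  location: MESH_INTERNAL
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  # Resolve the host through cluster DNS.
  resolution: DNS
  # In the Gardener-tailored installation a ServiceEntry is not advertised
  # unless exportTo is set. "*" exports it to every namespace, including the
  # one that holds the Istio Ingress Gateway; without it the gateway cannot
  # route to this host.
  exportTo:
  - "*"
```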