Istio offers a service mesh implementation with focus on several important features - traffic, observability, security and policy.
When enabled in gardenlet, the `ManagedIstio` feature gate can be used to deploy a Gardener-tailored Istio installation in Seed clusters. Its main usage is to enable features such as Shoot API server SNI. This feature should not be enabled on a Seed cluster where Istio is already deployed.
However, this feature gate is deprecated, turned on by default and will be removed in a future version of Gardener. This means that Gardener will unconditionally deploy Istio with its desired configuration to seed clusters. Consequently, existing/bring-your-own Istio deployments will no longer be supported.
- Third-party JWT is used; therefore, each Seed cluster where this feature is enabled must have Service Account Token Volume Projection enabled.
- Kubernetes 1.16+
The default profile, which is recommended for production deployments, is not suitable for the Gardener use case as it offers more functionality than desired. The current installation goes through heavy refactorings due to the `IstioOperator`, and the mixture of Helm values and Kubernetes API specification makes configuring and fine-tuning it very hard. A more simplistic deployment is used by Gardener. The differences are the following:
- Telemetry is not deployed.
- `istiod` is deployed.
- `istio-ingress-gateway` is deployed in a separate `istio-ingress` namespace.
- `istio-egress-gateway` is not deployed.
- None of the Istio addons are deployed.
- Mixer (deprecated) is not deployed.
- Mixer CDRs are not deployed.
- Kubernetes `Service`, Istio's `VirtualService` and `ServiceEntry` are NOT advertised in the service mesh. This means that if a `Service` needs to be accessed directly from the Istio Ingress Gateway, it should have the `networking.istio.io/exportTo: "*"` annotation. `VirtualService` and `ServiceEntry` must have `.spec.exportTo: ["*"]` set on them respectively.
- Istio injector is not enabled.
- mTLS is enabled by default.
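The export rule above (a `Service` needs the `networking.istio.io/exportTo: "*"` annotation; a `VirtualService` or `ServiceEntry` needs `.spec.exportTo` to include `"*"`) can be checked before manifests reach a Seed. The following audit is an added example, not code from the Gardener project; the resource names and namespaces in it are constructed placeholders.

```python
# Added example (not from the Gardener docs): audit Kubernetes/Istio manifests
# for the export settings Gardener's Istio installation requires, because
# objects are otherwise not advertised in the mesh and the ingress gateway
# cannot route to them. Names and namespaces below are constructed.

EXPORT_ANNOTATION = "networking.istio.io/exportTo"
SPEC_EXPORT_KINDS = {"VirtualService", "ServiceEntry"}


def is_exported(manifest):
    """Return True if the object would be visible to the Istio Ingress Gateway."""
    kind = manifest.get("kind")
    if kind == "Service":
        # A Service is exported via a metadata annotation, not a spec field.
        annotations = manifest.get("metadata", {}).get("annotations") or {}
        return annotations.get(EXPORT_ANNOTATION) == "*"
    if kind in SPEC_EXPORT_KINDS:
        # VirtualService / ServiceEntry use .spec.exportTo; "." means own namespace only.
        export_to = manifest.get("spec", {}).get("exportTo") or []
        return "*" in export_to
    # Other kinds are not covered by the rule; treat them as unaffected.
    return True


def find_unexported(manifests):
    """List 'Kind/namespace/name' for every object the rule would hide from the gateway."""
    problems = []
    for m in manifests:
        if not is_exported(m):
            md = m.get("metadata", {})
            problems.append(f"{m.get('kind')}/{md.get('namespace', 'default')}/{md.get('name')}")
    return problems


# Constructed sample manifests (placeholder names, not Gardener's real objects).
SAMPLE_MANIFESTS = [
    {"kind": "Service", "metadata": {"name": "kube-apiserver", "namespace": "shoot-ns",
                                      "annotations": {EXPORT_ANNOTATION: "*"}}},  # exported
    {"kind": "Service", "metadata": {"name": "internal-svc", "namespace": "shoot-ns"}},  # no annotation
    {"kind": "VirtualService", "metadata": {"name": "apiserver-vs", "namespace": "shoot-ns"},
     "spec": {"exportTo": ["*"], "hosts": ["api.example.invalid"]}},  # exported
    {"kind": "ServiceEntry", "metadata": {"name": "ext-entry", "namespace": "shoot-ns"},
     "spec": {"exportTo": ["."], "hosts": ["ext.example.invalid"]}},  # namespace-local only
]

if __name__ == "__main__":
    for p in find_unexported(SAMPLE_MANIFESTS):
        print("not reachable from the Istio Ingress Gateway:", p)
```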