DestinationRule<\/code> and VirtualService<\/code> and more..<\/li>\n<\/ol>\nLet’s get started!<\/p>\n
What is Istio?<\/h2>\n
Istio<\/a> is a popular Service Mesh<\/a>, an infrastructure layer that manages communication between microservices in a Kubernetes cluster. It is used in production by companies like Airbnb, Intuit, eBay, Salesforce, etc.<\/p>\nEveryone starting with Istio will have the following question.<\/p>\n
Why do we need Istio when Kubernetes offers many microservices functionalities?<\/em><\/p>\nWell, when you have dozens or hundreds of microservices talking to each other, you face challenges that Kubernetes cant handle. <\/strong><\/p>\nHere are some of those features Kubernetes doesnt offer natively.<\/p>\n
\n- Load balancing between service versions.<\/li>\n
- Implementing Circuit breaking and retry patterns.<\/li>\n
- Enabling automatic Mutual TLS<\/a> (mTLS) between all services.<\/li>\n
- Automatic metrics collection for all service-to-service calls<\/li>\n
- Distributed tracing to follow requests across services and more..<\/li>\n<\/ol>\n
Without ISTIO, you will have to build these features into every microservice yourself. But Istio provides them at the infrastructure level using sidecar proxies<\/strong> (Envoy) that intercept all network traffic without changing your application code.<\/p>\n\n\ud83d\udccc<\/div>\nExplaining all Istio concepts is beyond the scope of this guide. Here, we will focus on setting up Istio on kubernetes, getting it up and running, and validating the setup using sample applications. You can read the Istio architecture<\/a> blog to dive deep in to Istio internals.<\/div>\n<\/div>\nNow that you have a high level idea of Istio service mesh, lets get started with the setup.<\/p>\n
Setup Prerequisites<\/h2>\n
To set up Istio, you need the following.<\/p>\n
\n- A kubernetes cluster <\/a><\/li>\n
- Kubectl<\/a> [Local workstation]<\/li>\n
- Helm<\/a> [Local workstation]<\/li>\n<\/ol>\n
Lets get started with the setup.<\/p>\n
Kubernetes Node Requirements<\/h2>\n
To have a basic Istio setup up and running, you need to have the following minimum CPU and memory resources on your worker node.<\/p>\n
\n- 4 vCPU<\/li>\n
- 16 GB RAM<\/li>\n<\/ul>\n
It will be enough for Istio control plane + sidecars + a few sample apps to get started.<\/p>\n
\n\u26a0\ufe0f<\/div>\nIf you enable telemetry \/ logging \/ tracing<\/strong><\/b> (Prometheus, Grafana, Jaeger\/Kiali), memory\/CPU overhead will increase.<\/div>\n<\/div>\nIstio Sidecar Vs Ambient Mode<\/h2>\n
Before you start setting up Istio, you should know the following two Istio deployment modes.<\/p>\n
1. Sidecar Mode<\/h3>\n
In this mode, Istio Deploys an Envoy proxy as a sidecar container alongside each application pod. All the traffic flows through this sidecar proxy (data plane component) and provides all the L4-L7 features<\/strong> directly within the pod for all inbound and outbound connections.<\/p>\n![\"Istio](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/11\/image-90.png\")
<\/figure>\nIt also means, each pod requires additional CPU and memory (typically 100-500MB RAM) for the sidecar container.<\/p>\n
2. Ambient Mode<\/h3>\n
In this mode, no sidecars are injected into application pods.<\/p>\n
Istio deploys a node-level proxy called ztunnel<\/a> as a DaemonSet<\/a> for L4 functionality (mTLS, authN\/authZ at transport layer). This means, all pods on a node share the same ztunnel instance instead of their own sidecar proxies.<\/p>\nIf you want L7 features (HTTP, gRPC, etc) you can run an optional namespace-scoped waypoint proxies.<\/p>\n![\"Istio](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/11\/image-91.png\")
<\/figure>\nTo put is simple, ambient mode is more \u201cevolved\u201d in concept but it is still newer. Meaning there are more trade-offs and some gaps<\/p>\n
\n\u26a0\ufe0f<\/div>\nIn this guide we are focussing on the Istio Sidecar Mode<\/strong><\/b> mode because ambient mode still has a few limitations and relative immaturity compared to the sidecar model.<\/p>\nIf you want to learn more about Ambient Mode, please refer to the Set Up Istio in Ambient Mode<\/strong><\/b><\/a> blog.<\/div>\n<\/div>\nInstall Istio Using Helm<\/h2>\n
Helm is the common method followed in organizations to istall and mangage Istio. We will be using Helm to install Istio on the Kubernetes cluster<\/a>. <\/p>\nFollow the steps given below for the installation.<\/p>\n
Step 1: Add Helm Chart Repo<\/h3>\n
First, we need to add and update the official Istio Helm repo on our local machine.<\/p>\n
helm repo add istio https:\/\/istio-release.storage.googleapis.com\/charts\nhelm repo update<\/code><\/pre>\nNow, we have added the Istio repo. So we can list the available charts of this repo.<\/p>\n
helm search repo istio<\/code><\/pre>\nIn the output, we can see all the Istio related chart lists and their latest versions. We will not be using all the charts. <\/p>\n
$ helm search repo istio\n\nNAME CHART VERSION APP VERSION DESCRIPTION \nistio\/istiod 1.28.0 1.28.0 Helm chart for istio control plane \nistio\/istiod-remote 1.23.6 1.23.6 Helm chart for a remote cluster using an extern...\nistio\/ambient 1.28.0 1.28.0 Helm umbrella chart for ambient \nistio\/base 1.28.0 1.28.0 Helm chart for deploying Istio cluster resource...\nistio\/cni 1.28.0 1.28.0 Helm chart for istio-cni components \nistio\/gateway 1.28.0 1.28.0 Helm chart for deploying Istio gateways \nistio\/ztunnel 1.28.0 1.28.0 Helm chart for istio ztunnel components <\/code><\/pre>\nWe will be using only those are required for sidecar mode implementation.<\/p>\n
Step 2: Install Istio CRD’s<\/h3>\n
Istio adds many custom features to Kubernetes like traffic routing, mTLS, gateways, sidecar rules, policies, and more.<\/p>\n
These Istio features do not exist in Kubernetes by default. To support them, Istio defines them as Custom Resource Definitions (CRDs)<\/p>\n
We can install the CRD’s from the Istio chart list. We need to choose the istio\/base<\/code> chart to setup Istio in sidecar mode.<\/p>\nExecute the following command to install istio-base.<\/p>\n
helm install istio-base istio\/base -n istio-system --set defaultRevision=default --create-namespace<\/code><\/pre>\nYou should get a successful message as follows.<\/p>\n
NAME: istio-base\nLAST DEPLOYED: Sat Nov 15 14:58:26 2025\nNAMESPACE: istio-system\nSTATUS: deployed\nREVISION: 1\nTEST SUITE: None\nNOTES:\nIstio base successfully installed!<\/code><\/pre>\nOnce the CRD deployment is completed, the Kubernetes API server supports Istio resource types.<\/p>\n
We can list the Istio CRDs using the following command. <\/p>\n
kubectl get crds | grep istio<\/code><\/pre>\nYou will get the following output. It contains CRD’s realted to security, traffic management, telemetry, extensions and workloads.<\/p>\n
$ kubectl get crds | grep istio\n\nauthorizationpolicies.security.istio.io 2025-11-15T06:20:10Z\ndestinationrules.networking.istio.io 2025-11-15T06:20:10Z\nenvoyfilters.networking.istio.io 2025-11-15T06:20:10Z\ngateways.networking.istio.io 2025-11-15T06:20:10Z\npeerauthentications.security.istio.io 2025-11-15T06:20:10Z\nproxyconfigs.networking.istio.io 2025-11-15T06:20:10Z\nrequestauthentications.security.istio.io 2025-11-15T06:20:10Z\nserviceentries.networking.istio.io 2025-11-15T06:20:10Z\nsidecars.networking.istio.io 2025-11-15T06:20:10Z\ntelemetries.telemetry.istio.io 2025-11-15T06:20:10Z\nvirtualservices.networking.istio.io 2025-11-15T06:20:10Z\nwasmplugins.extensions.istio.io 2025-11-15T06:20:10Z\nworkloadentries.networking.istio.io 2025-11-15T06:20:10Z\nworkloadgroups.networking.istio.io 2025-11-15T06:20:10Z<\/code><\/pre>\nCustomizing Istio Chart & Values (Optional)<\/h3>\n
In enterprise environments<\/strong>, you cannot install Istio directly from the public Helm repo.<\/p>\nYou will have to host the helm chart in internal helm repos (e.g., Nexus, Artifactory, Harbor, S3 bucket, Git repo). Also you will customization to the default values to meet the project requirements.<\/p>\n
In that case, you can download the chart locally or store it on your own repo, use the following command.<\/p>\n
helm pull istio\/base --version 1.28.0 --untar<\/code><\/pre>\nOnce you pull the chart, the directory structure looks like this.<\/p>\n
base\n |-- Chart.yaml\n |-- README.md\n |-- files\n | |-- crd-all.gen.yaml\n | |-- profile-ambient.yaml\n | |-- ...\n | |-- ...\n | |-- ...\n | |-- profile-remote.yaml\n | `-- profile-stable.yaml\n |-- templates\n | |-- NOTES.txt\n | |-- crds.yaml\n | |-- defaultrevision-validatingadmissionpolicy.yaml\n | |-- defaultrevision-validatingwebhookconfiguration.yaml\n | |-- reader-serviceaccount.yaml\n | `-- zzz_profile.yaml\n `-- values.yaml<\/code><\/pre>\nHere, you can see the values.yaml<\/code> file, which has the modifiable parameters.<\/p>\nSo if you want to do a custom installation, you can modify this file or create a new values file with only the required parameters.<\/p>\n
Then run the following command to install the CRDs using the downloaded chart.<\/p>\n
helm install istio-base .\/base -n istio-system --create-namespace<\/code><\/pre>\n\n\ud83d\udca1<\/div>\nTo use the custom values file, during the Helm installation command, use the -f<\/code> field with the path of the custom file.<\/div>\n<\/div>\nStep 3: Install Istio Daemon (Istiod)<\/h3>\n
![\"\"](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/11\/image-89.png\")
![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/11\/image-88.png\")
<\/figure>\n