Istio Service Mesh

Istio is an open-source service mesh that provides a uniform way to connect, secure, control, and observe services running on Kubernetes and other platforms. The mesh extends Kubernetes by establishing a programmable, application-aware network layer that handles inter-service traffic management, telemetry collection, and security enforcement without requiring application code changes. In ambient mode, generally available since version 1.24, the mesh deploys a zero-trust tunnel for Layer 4 transport security using mutually encrypted connections, and optionally adds Envoy proxy sidecars for Layer 7 features including content-based routing, traffic splitting, and request-level authorization. Traffic management capabilities include weighted load balancing across service versions for canary deployments, circuit breaking to prevent cascading failures, retry policies with timeout enforcement, and fault injection for resilience testing. Security features enforce mutual TLS authentication between all services in the mesh, with automatic certificate rotation through a built-in certificate authority, and fine-grained authorization policies that control which services can communicate based on identity, namespace, and request attributes. Observability is provided through distributed tracing via integration with OpenTelemetry and Jaeger, structured access logging, and per-service golden metrics including request volume, error rate, and latency percentiles exported to Prometheus. The mesh connects to over ten thousand organizations including Salesforce, bol.com, IBM, and Cisco. A graduated CNCF project, it is maintained by contributors from Google, Red Hat, and the broader community.