Istio architecture

Control Plane

• The control plane is the Istio Daemon (istiod): Manage and inject envoy proxies

• As of istio v1.5, multiple components (Galley, citadel, pilot, mixer) were condensed into a single component istiod

• Galley: Reads the k8s format and transform into the istio format

• Pilot: Reads internal istio format and transform into envoy format (to be sent to proxies)
• Citadel:Manage TLS certificates! Enable TLS/SSL across the entire cluster

• Mixer: Implements policy checks (policy pod) and telemetry (telemetry pod)

• Istio ingress gateway and egress gateway are also part of the control plane

Data plane

• Data plane is composed by intelligent proxies (envoy)
• Data plane is managed by the control plane
• Isto proxy is a helper container

• Envoy, sidecar, proxy in Istio means the same!

• Istio creates a proxy container inside of each pod. The proxy would be a ClusterIP in convention k8s networking

• Proxies are collectively called the Data Plane in Istio
• Everything else is called Control Plane: telemetry, pilot, tracing, etc

Other components

• Grafana: Frontend interface for telemetry
• Jaeger: Tracing
• Kiali: Frontend interface for telemetry
• Prometheus: Scrape metrics to be presented in a good form