Application Requirements
Istio provides a great deal of functionality to applications with little or no impact on the application code itself. Many Kubernetes applications can be deployed in an Istio-enabled cluster without any changes at all. However, there are some implications of Istio’s sidecar model that may need special consideration when deploying an Istio-enabled application. This document describes these application considerations and specific requirements of Istio enablement.
Pod requirements
To be part of a mesh, Kubernetes pods must satisfy the following requirements:
Service association: A pod must belong to at least one Kubernetes service even if the pod does NOT expose any port. If a pod belongs to multiple Kubernetes services, the services cannot use the same port number for different protocols, for instance HTTP and TCP.
Application UIDs: Ensure your pods do not run applications as a user with the user ID (UID) value of 1337.
NET_ADMIN
andNET_RAW
capabilities: If pod security policies are enforced in your cluster and unless you use the Istio CNI Plugin, your pods must have theNET_ADMIN
andNET_RAW
capabilities allowed. The initialization containers of the Envoy proxies require these capabilities.To check if the
NET_ADMIN
andNET_RAW
capabilities are allowed for your pods, you need to check if their service account can use a pod security policy that allows theNET_ADMIN
andNET_RAW
capabilities. If you haven’t specified a service account in your pods’ deployment, the pods run using thedefault
service account in their deployment’s namespace.To list the capabilities for a service account, replace
<your namespace>
and<your service account>
with your values in the following command:$ for psp in $(kubectl get psp -o jsonpath="{range .items[*]}{@.metadata.name}{'\n'}{end}"); do if [ $(kubectl auth can-i use psp/$psp --as=system:serviceaccount:<your namespace>:<your service account>) = yes ]; then kubectl get psp/$psp --no-headers -o=custom-columns=NAME:.metadata.name,CAPS:.spec.allowedCapabilities; fi; done
For example, to check for the
default
service account in thedefault
namespace, run the following command:$ for psp in $(kubectl get psp -o jsonpath="{range .items[*]}{@.metadata.name}{'\n'}{end}"); do if [ $(kubectl auth can-i use psp/$psp --as=system:serviceaccount:default:default) = yes ]; then kubectl get psp/$psp --no-headers -o=custom-columns=NAME:.metadata.name,CAPS:.spec.allowedCapabilities; fi; done
If you see
NET_ADMIN
andNET_RAW
or*
in the list of capabilities of one of the allowed policies for your service account, your pods have permission to run the Istio init containers. Otherwise, you will need to provide the permission.Pods with app and version labels: We recommend adding an explicit
app
label andversion
label to the specification of the pods deployed using a KubernetesDeployment
. Theapp
andversion
labels add contextual information to the metrics and telemetry that Istio collects.The
app
label: Each deployment should have a distinctapp
label with a meaningful value. Theapp
label is used to add contextual information in distributed tracing.The
version
label: This label indicates the version of the application corresponding to the particular deployment.
Named service ports: Service ports may optionally be named to explicitly specify a protocol. See Protocol Selection for more details.
Ports used by Istio
The following ports and protocols are used by the Istio sidecar proxy (Envoy).
Port | Protocol | Description | Pod-internal only |
---|---|---|---|
15000 | TCP | Envoy admin port (commands/diagnostics) | Yes |
15001 | TCP | Envoy outbound | No |
15006 | TCP | Envoy inbound | No |
15008 | TCP | Envoy tunnel port (inbound) | No |
15020 | HTTP | Merged Prometheus telemetry from Istio agent, Envoy, and application | No |
15021 | HTTP | Health checks | No |
15090 | HTTP | Envoy Prometheus telemetry | No |
The following ports and protocols are used by the Istio control plane (istiod).
Port | Protocol | Description | Local host only |
---|---|---|---|
15010 | GRPC | XDS and CA services (Plaintext) | No |
15012 | GRPC | XDS and CA services (TLS, recommended for production use) | No |
8080 | HTTP | Debug interface (deprecated) | No |
443 | HTTPS | Webhooks | No |
15014 | HTTP | Control plane monitoring | No |
To avoid port conflicts with sidecars, applications should not use any of the ports used by Envoy.
Server First Protocols
Some protocols are “Server First” protocols, which means the server will send the first bytes. This may have an impact on PERMISSIVE
mTLS and Automatic protocol selection.
Both of these features work by inspecting the initial bytes of a connection to determine the protocol, which is incompatible with server first protocols.
In order to support these cases, follow the Explicit protocol selection steps to declare the protocol of the application as TCP
.
The following ports are known to commonly carry server first protocols, and are automatically assumed to be TCP
:
Protocol | Port |
---|---|
SMTP | 25 |
DNS | 53 |
MySQL | 3306 |
MongoDB | 27017 |
Because TLS communication is not server first, TLS encrypted server first traffic will work with automatic protocol detection as long as you make sure that all traffic subjected to TLS sniffing is encrypted:
- Configure
mTLS
modeSTRICT
for the server. This will enforce TLS encryption for all requests. - Configure
mTLS
modeDISABLE
for the server. This will disable the TLS sniffing, allowing server first protocols to be used. - Configure all clients to send
TLS
traffic, generally through aDestinationRule
or by relying on auto mTLS. - Configure your application to send TLS traffic directly.
Application Bind Address
When Istio captures inbound traffic, it will redirect it to the localhost
address. As a result, applications should bind to wildcard (0.0.0.0
for IPv4 or ::
for IPv6). Applications listening on their pod IP will need to be modified.
Outbound traffic
In order to support Istio’s traffic routing capabilities, traffic leaving a pod may be routed differently than when a sidecar is not deployed.
For HTTP based traffic, traffic is routed based on the Host
header. This may lead to unexpected behavior if the destination IP and Host
header are not aligned. For example, a request like curl 1.2.3.4 -H "Host: httpbin.default"
will be routed to the httpbin
service, rather than 1.2.3.4
.
For Non-HTTP based traffic (including HTTPS), Istio does not have access to an Host
header, so routing decisions are based on the Service IP address.
One implication of this is that direct calls to pods (for example, curl <POD_IP>
), rather than Services, will not be matched. While the traffic may be passed through, it will not get the full Istio functionality including mTLS encryption, traffic routing, and telemetry.
See also
Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI.
Demystifying Istio’s Sidecar Injection Model
De-mystify how Istio manages to plugin its data-plane components into an existing deployment.
Install Istio with the Istio CNI plugin
Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege.
Expanding into New Frontiers - Smart DNS Proxying in Istio
Workload Local DNS resolution to simplify VM integration, multicluster, and more.
Using MOSN with Istio: an alternative data plane
An alternative sidecar proxy for Istio.
Provision a certificate and key for an application without sidecars
A mechanism to acquire and share an application certificate and key through mounted files.