I am quite confused about where k8s regular service and istio's sidecar reside.
I recently learned about Istio and its "sidecar/envoy/proxy" inside the pod. And I am confident in saying that Istio's sidecar resides inside the pod. But where does the k8s regular service reside, and who is contacted first from the app, the Service or the Proxy/Sidecar?
The diagram in my mind is something like:
K8s services are iptable rules. You can get them by ssh-ing into a node and running:
sudo iptables-save | grep YOUR_SERVICE_NAME
Istio sidecar container is an Envoy proxy. I don't know what you want to do with it, but you can do:

Envoy proxy container:
kubectl exec -it YOUR_POD_NAME -c istio-proxy sh
kubectl logs YOUR_POD_NAME -c istio-proxy

etc, etc.
Services are internal abstract REST objects like: loadbalancer, clusterip, nodeport, etc. Their definition is stored in Kubernetes API server (etcd).
Services usually are implemented by Kube-proxy and are also assigned to endpoints by matching selectors and labels.
Each node is running an instance of kube-proxy that is managed by etcd. Services are most of the time stored as sets of rules in iptables.
Istio services that are used in the service mesh are located in the Istio control plane and can be used as gateways, egress, ingress, virtualservices, etc. objects.
The Istio control plane also consists of:
Citadel: for key and certificate management
Pilot: to distribute authentication policies and secure naming information to the proxies
Mixer: to manage authorization and auditing
As you mentioned, sidecar proxies (Envoy proxy) are injected into pods next to the application container.
Here is a graph from the Istio documentation.
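Both answers make the same point from different angles: a Kubernetes Service is a set of nat-table rules that kube-proxy writes on the node, while the Istio sidecar is a container in the pod whose init step installs its own nat rules inside the pod's network namespace. The following added example (mine, not from either answer or from the Istio/Kubernetes projects) makes the ordering concrete by parsing two iptables-save dumps and tracing a TCP connect from the app container. Both dumps are constructed samples: the pod-side one follows Istio's documented outbound redirect (ISTIO_OUTPUT, ISTIO_REDIRECT, REDIRECT to port 15001, with the proxy's uid 1337 exempted), the node-side one follows kube-proxy's KUBE-SERVICES / KUBE-SVC / KUBE-SEP layout with placeholder chain hashes, a made-up ClusterIP 10.96.10.20 and two made-up endpoints. It only models what the kernel does to the packet; what Envoy decides once it owns the connection is outside its scope.

```python
"""Trace whether an app container's outbound packet meets the in-pod Istio
redirect first or the node's kube-proxy Service rules. Added example; the
iptables-save text below is constructed, not captured from a real cluster."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample: nat table inside a pod after Istio's init container ran.
POD_NAT_RULES = """\
*nat
:OUTPUT ACCEPT [0:0]
:ISTIO_OUTPUT - [0:0]
:ISTIO_REDIRECT - [0:0]
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT
"""

# Constructed sample: node nat table written by kube-proxy (iptables mode) for
# Service default/web (ClusterIP 10.96.10.20:80) with two placeholder endpoints.
NODE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-PLACEHOLDER - [0:0]
:KUBE-SEP-PLACEHOLDER-A - [0:0]
:KUBE-SEP-PLACEHOLDER-B - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -d 10.96.10.20/32 -p tcp -m comment --comment "default/web:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-PLACEHOLDER
-A KUBE-SVC-PLACEHOLDER -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-PLACEHOLDER-A
-A KUBE-SVC-PLACEHOLDER -j KUBE-SEP-PLACEHOLDER-B
-A KUBE-SEP-PLACEHOLDER-A -p tcp -m tcp -j DNAT --to-destination 10.244.1.5:8080
-A KUBE-SEP-PLACEHOLDER-B -p tcp -m tcp -j DNAT --to-destination 10.244.2.7:8080
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "RETURN", "DNAT", "REDIRECT", "MASQUERADE"}


def parse_iptables_save(text):
    """Return {chain: [rule, ...]} built from the '-A' lines of a dump.
    A rule is a dict of option -> value, e.g. {'-d': '10.96.10.20/32', '-j': ...}."""
    chains = defaultdict(list)
    for line in text.splitlines():
        tokens = shlex.split(line)  # handles the quoted --comment values
        if len(tokens) < 2 or tokens[0] != "-A":
            continue  # skip *table, :chain-policy and COMMIT lines
        opts, i = {}, 2
        while i < len(tokens):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                opts[tokens[i]] = True  # bare flag, keeps the loop moving
                i += 1
        chains[tokens[1]].append(opts)
    return dict(chains)


def rule_matches(rule, pkt):
    """Match the options this example understands: destination CIDR, protocol,
    destination port and socket-owner uid. '-m statistic' is treated as a match,
    so the first candidate endpoint always wins in first_verdict()."""
    if "-d" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["-d"], strict=False):
        return False
    if "-p" in rule and rule["-p"] != pkt.get("proto"):
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt.get("dport"):
        return False
    if "--uid-owner" in rule and int(rule["--uid-owner"]) != pkt.get("uid"):
        return False
    return True


def _walk(chains, chain, pkt, depth=0):
    if depth > 32:
        raise RecursionError("chain loop at " + chain)
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        target = rule.get("-j")
        if target == "DNAT":
            return ("DNAT", rule["--to-destination"])
        if target == "REDIRECT":
            return ("REDIRECT", rule["--to-ports"])
        if target in TERMINAL:
            return (target, None)
        if target in chains:  # user-defined chain; RETURN resumes this one
            verdict = _walk(chains, target, pkt, depth + 1)
            if verdict[0] != "RETURN":
                return verdict
    return ("RETURN", None)


def first_verdict(chains, entry_chain, pkt):
    """Deterministic verdict for a packet entering a built-in chain; falling off
    the end is the built-in ACCEPT policy, i.e. the packet continues unchanged."""
    verdict = _walk(chains, entry_chain, pkt)
    return ("ACCEPT", None) if verdict[0] == "RETURN" else verdict


def all_dnat_targets(chains, entry_chain, pkt):
    """Every DNAT destination reachable through matching rules: the whole
    endpoint set behind a Service, ignoring the random per-packet choice."""
    found = set()

    def visit(chain, depth):
        if depth > 32:
            return
        for rule in chains.get(chain, []):
            if not rule_matches(rule, pkt):
                continue
            target = rule.get("-j")
            if target == "DNAT":
                found.add(rule["--to-destination"])
            elif target in chains:
                visit(target, depth + 1)

    visit(entry_chain, 0)
    return sorted(found)


def trace_app_connect(pod_chains, node_chains, dst_ip, dst_port, uid):
    """Hops seen by a TCP connect issued by a process with `uid` in the pod."""
    pkt = {"dst": dst_ip, "dport": dst_port, "proto": "tcp", "uid": uid}
    hops = [("pod nat OUTPUT",) + first_verdict(pod_chains, "OUTPUT", pkt)]
    if hops[-1][1] == "REDIRECT":
        return hops  # the sidecar owns the connection; the node rules never saw it
    hops.append(("node nat PREROUTING",) + first_verdict(node_chains, "PREROUTING", pkt))
    return hops


if __name__ == "__main__":
    pod, node = parse_iptables_save(POD_NAT_RULES), parse_iptables_save(NODE_NAT_RULES)
    print("app (uid 1000):  ", trace_app_connect(pod, node, "10.96.10.20", 80, 1000))
    print("proxy (uid 1337):", trace_app_connect(pod, node, "10.96.10.20", 80, 1337))
    print("service endpoints:", all_dnat_targets(node, "PREROUTING",
          {"dst": "10.96.10.20", "dport": 80, "proto": "tcp", "uid": 1337}))
```

Run it and the two traces answer the question in the original post: a connect from the application's uid is REDIRECTed to port 15001 inside the pod before it ever reaches the node, so the sidecar is contacted first; only traffic from the proxy's own uid leaves the pod unmodified and is then DNATed by the KUBE-SERVICES rules to one of the Service endpoints. The 127.0.0.1 exemption shows the one case where an in-pod connect bypasses the sidecar entirely, which matters when you audit what the mesh can and cannot see. On a real node the same parser can be pointed at the output of the iptables-save command from the first answer, but expect rule forms (negations with "!", ipset matches, IPVS mode) that this small matcher does not understand.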