Confused about where K8s Services reside and where Istio's Envoy proxy resides?

11/22/2019

I am quite confused about where a regular k8s Service and Istio's sidecar reside.

I recently learned about Istio and its "sidecar/envoy/proxy" inside the pod, and I am confident in saying that Istio's sidecar resides inside the pod. But where does the regular k8s Service reside, and who is contacted first from the app, the Service or the proxy/sidecar?

The diagram in my mind is something like:

-- Finley Ben
envoyproxy
istio
kubernetes

2 Answers

11/22/2019

K8s Services are iptables rules. You can get them by SSHing into a node and running:

sudo iptables-save | grep YOUR_SERVICE_NAME

The Istio sidecar container is an Envoy proxy. I don't know what you want to do with it, but you can do:

  • Accessing an Envoy proxy container:

kubectl exec -it YOUR_POD_NAME -c istio-proxy -- sh

  • Get the logs of it:

kubectl logs YOUR_POD_NAME -c istio-proxy

etc, etc.

-- suren
Source: StackOverflow

11/22/2019

Services are internal abstract REST objects of types like LoadBalancer, ClusterIP, NodePort, etc. Their definitions are stored in the Kubernetes API server (etcd).

Services are usually implemented by kube-proxy and are also assigned to endpoints by matching selectors and labels.

Each node runs an instance of kube-proxy that is managed by etcd. Services are most of the time stored as sets of rules in iptables.

Istio services that are used in the service mesh are located in the Istio control plane and can be used as Gateway, egress, ingress, VirtualService, etc. objects.

The Istio control plane also consists of:

  • Citadel: for key and certificate management

  • Pilot: to distribute authentication policies and secure naming information to the proxies

  • Mixer: to manage authorization and auditing

As you mentioned, sidecar proxies (Envoy proxies) are injected into pods next to the application container.

Here is a graph from the Istio documentation (Istio Security Architecture).

-- Piotr Malec
Source: StackOverflow
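Added example, not code from either answer above, tying them together: a small Python tracer that reads two `iptables-save` nat dumps and follows a connection from an app container through them. The rule dumps are constructed samples in the shape `iptables-save` prints (the Service `default/reviews`, its ClusterIP 10.96.12.34, the endpoint addresses and the `KUBE-*-EXAMPLE` chain suffixes are invented); Envoy's outbound port 15001 and its UID 1337 are Istio's defaults. The pod-side rules are the kind istio-init installs in the pod's network namespace, the node-side rules the kind kube-proxy installs for a Service, which is also why `iptables-save | grep YOUR_SERVICE_NAME` from the first answer finds them: kube-proxy tags each Service rule with a `--comment` naming it.

```python
# Added example, not code from either StackOverflow answer: follow an outbound
# connection from a container through the two iptables layers the answers
# mention, the pod's nat table (Istio's sidecar redirect) and the node's nat
# table (kube-proxy's Service rules). Both dumps are CONSTRUCTED samples in the
# shape `iptables-save` prints; addresses, the Service default/reviews and the
# KUBE-*-EXAMPLE chain suffixes are made up.
import ipaddress
import shlex

# Pod network namespace, as istio-init sets it up: TCP leaving any process other
# than Envoy (UID 1337) is REDIRECTed to Envoy's outbound listener on 15001.
POD_NAT = """\
*nat
:OUTPUT ACCEPT [0:0]
:ISTIO_OUTPUT - [0:0]
:ISTIO_REDIRECT - [0:0]
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT
"""

# Node network namespace, as kube-proxy sets it up for one ClusterIP Service with
# two endpoints; the --comment is what `iptables-save | grep SERVICE_NAME` hits.
NODE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-EXAMPLE - [0:0]
:KUBE-SEP-EXAMPLE1 - [0:0]
:KUBE-SEP-EXAMPLE2 - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -d 10.96.12.34/32 -p tcp -m comment --comment "default/reviews:http cluster IP" -m tcp --dport 9080 -j KUBE-SVC-EXAMPLE
-A KUBE-SVC-EXAMPLE -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-EXAMPLE1
-A KUBE-SVC-EXAMPLE -j KUBE-SEP-EXAMPLE2
-A KUBE-SEP-EXAMPLE1 -p tcp -m tcp -j DNAT --to-destination 10.244.1.5:9080
-A KUBE-SEP-EXAMPLE2 -p tcp -m tcp -j DNAT --to-destination 10.244.2.7:9080
COMMIT
"""


def parse_nat(text):
    """Parse an iptables-save nat table into {chain: [(matches, target, arg)]}.
    matches maps an option (-d, --dport, --uid-owner, ...) to its value; arg is
    the target's last argument ('' if none). Negated (!) criteria are not handled."""
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            tok = shlex.split(line)  # keeps the quoted --comment as one token
            j = tok.index("-j")
            matches, i = {}, 2
            while i < j:
                if tok[i] not in ("-m", "--comment", "--mode"):  # module/metadata
                    matches[tok[i]] = tok[i + 1]
                i += 2
            arg = tok[-1] if len(tok) > j + 2 else ""
            chains.setdefault(tok[1], []).append((matches, tok[j + 1], arg))
    return chains


def rule_matches(matches, pkt):
    """Evaluate the criteria this example understands against a packet dict
    (src, dst, dport, proto, uid); --probability and unknown options impose none."""
    checks = {
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v),
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v),
        "-p": lambda v: pkt["proto"] == v,
        "--dport": lambda v: pkt["dport"] == int(v),
        "--uid-owner": lambda v: pkt["uid"] == int(v),
    }
    return all(opt not in checks or checks[opt](val) for opt, val in matches.items())


def trace(chains, chain, pkt):
    """Walk one chain and return (verdicts, terminated). A rule guarded by
    -m statistic --probability is explored both as taken and as skipped, so for
    a kube-proxy Service the verdicts list every endpoint it may DNAT to."""
    verdicts = []
    for matches, target, arg in chains.get(chain, []):
        if not rule_matches(matches, pkt):
            continue
        if target == "RETURN":
            return verdicts, False
        if target in ("REDIRECT", "DNAT", "ACCEPT", "DROP", "MASQUERADE"):
            verdicts.append((target, arg))
            terminated = True
        else:  # user-defined chain
            sub, terminated = trace(chains, target, pkt)
            verdicts.extend(sub)
        if terminated and "--probability" not in matches:
            return verdicts, True
    return verdicts, False


def where_does_it_go(pkt, pod_nat=POD_NAT, node_nat=NODE_NAT):
    """A locally generated packet first traverses nat OUTPUT in the pod's own
    namespace; only if nothing there redirects it does it leave over the veth
    and reach the node's nat PREROUTING, where kube-proxy hooks KUBE-SERVICES."""
    in_pod, _ = trace(parse_nat(pod_nat), "OUTPUT", pkt)
    if in_pod:
        return {"pod": in_pod, "node": []}
    on_node, _ = trace(parse_nat(node_nat), "PREROUTING", pkt)
    return {"pod": [], "node": on_node}


if __name__ == "__main__":
    app = {"src": "10.244.1.9", "dst": "10.96.12.34", "dport": 9080, "proto": "tcp", "uid": 1000}
    print("app container  ->", where_does_it_go(app))
    print("istio-proxy    ->", where_does_it_go(dict(app, uid=1337)))
    print("no-sidecar pod ->", where_does_it_go(app, pod_nat=""))
```

Running it gives the answer to the question as the iptables rules encode it: inside a mesh pod the app's packet to the ClusterIP is redirected to Envoy on port 15001 before it ever leaves the pod, so the sidecar is contacted first; traffic from Envoy itself (UID 1337) is exempted by the `--uid-owner` RETURN rule and leaves the pod unchanged; and anything that reaches the node addressed to the ClusterIP is handed by KUBE-SERVICES to one of the two endpoints, exactly as for a pod with no sidecar at all. The parser only understands the options these rules use and explores a `--probability` rule both ways, which is how it recovers the full endpoint set rather than one random pick.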