
Istio Introduction

Istio is an open-source service mesh that helps you manage, secure, and observe communication between microservices—especially in environments like Kubernetes.

At a high level, Istio works by adding a lightweight proxy (usually Envoy) alongside each service. These proxies handle all network traffic between services, so you don’t have to build things like security, retries, or logging into your application code.

What Istio gives you

- Traffic management: Control how requests flow between services (e.g., load balancing, retries, canary releases, A/B testing).
- Security: Automatically encrypt service-to-service traffic (mTLS), manage identities, and enforce access policies.
- Observability: Get metrics, logs, and distributed tracing without modifying your apps.

Why it’s useful

In a microservices system, services constantly talk to each other. Istio centralizes and standardizes how that communication works—so you can manage it consistently without changing your code.

Istioctl

istioctl is the command-line tool for working with Istio. It’s mainly used to install, configure, and troubleshoot an Istio service mesh from your terminal.

Installing istioctl

istioctl is already preinstalled in the development environment.

If you want to install it on a bastion host for debugging, you can run:

```bash
curl -L https://istio.io/downloadIstio | sh -
cd istio-*
export PATH=$PWD/bin:$PATH
cd -
```

Using istioctl to Debug a Pod/Deployment

Many issues can arise that are difficult to debug. istioctl provides access to error and debug logs from Istio that are not normally visible.

The general structure for enabling debug logging on a pod or deployment is:

```bash
istioctl proxy-config log <pod/deployment-name> -n <namespace> --level <DEBUG_OPTIONS>
```

Debugging the Istio Waypoint Using istioctl

As an example, to view logs for the Istio waypoint:

```bash
kubectl logs deploy/waypoint -n oneconnect -f
```

To enable full debug logging:

```bash
istioctl proxy-config log deploy/waypoint -n oneconnect --level debug
```

For more fine-grained logging (to avoid excessive output):

```bash
istioctl proxy-config log deploy/waypoint -n oneconnect --level wasm:debug,http:debug,rbac:debug
```

Full List of Debug Options

alternate_protocols_cache: warning
aws: warning
cache_filter: warning
client: warning
config: warning
connection: warning
conn_handler: warning
decompression: warning
dns: warning
dubbo: warning
envoy_bug: warning
ext_authz: warning
ext_proc: warning
file: warning
filter: warning
forward_proxy: warning
grpc: warning
hc: warning
health_checker: warning
http: warning
http2: warning
init: warning
io: warning
jwt: warning
kafka: warning
lua: warning
main: warning
misc: warning
mongo: warning
pool: warning
quic: warning
quic_stream: warning
rbac: warning
redis: warning
router: warning
runtime: warning
secret: warning
tap: warning
testing: warning
thrift: warning
tracing: warning
upstream: warning
udp: warning
wasm: warning
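
The fine-grained logging command and the logger list above can be combined into a debug session that validates the logger names and puts every logger back to `warning` when the log tail ends. This is an added example, not part of the original page: `in_list`, `build_level_spec` and `debug_session` are hypothetical helper names, while `--level` and `--reset` are istioctl's own flags.

```bash
#!/bin/sh
# Added example (not from the original page). Logger names are the ones listed
# on this page; level names are the ones istioctl accepts for --level.
KNOWN_LOGGERS="alternate_protocols_cache aws cache_filter client config \
connection conn_handler decompression dns dubbo envoy_bug ext_authz ext_proc \
file filter forward_proxy grpc hc health_checker http http2 init io jwt kafka \
lua main misc mongo pool quic quic_stream rbac redis router runtime secret tap \
testing thrift tracing upstream udp wasm"
KNOWN_LEVELS="trace debug info warning error critical off"

# in_list WORD LIST: succeeds only if WORD equals one whole word of LIST.
in_list() { for w in $2; do [ "$w" = "$1" ] && return 0; done; return 1; }

# build_level_spec LEVEL LOGGER...
# Prints "logger:level,logger:level"; returns 1 on an unknown level or logger,
# so a typo is caught before anything is sent to the proxy.
build_level_spec() {
    [ "$#" -ge 2 ] || { echo "usage: build_level_spec LEVEL LOGGER..." >&2; return 1; }
    level=$1; shift
    in_list "$level" "$KNOWN_LEVELS" || { echo "unknown level: $level" >&2; return 1; }
    spec=""
    for logger in "$@"; do
        in_list "$logger" "$KNOWN_LOGGERS" || { echo "unknown logger: $logger" >&2; return 1; }
        spec="${spec:+$spec,}$logger:$level"
    done
    printf '%s\n' "$spec"
}

# debug_session TARGET NAMESPACE LEVEL LOGGER...
# Runs in a subshell so the EXIT trap fires when the log tail ends or is
# interrupted, resetting every logger to the default level (warning).
debug_session() (
    target=$1; ns=$2; shift 2
    spec=$(build_level_spec "$@") || exit 1
    trap 'istioctl proxy-config log "$target" -n "$ns" --reset >/dev/null' EXIT
    trap 'exit 130' INT TERM
    istioctl proxy-config log "$target" -n "$ns" --level "$spec" >/dev/null
    kubectl logs "$target" -n "$ns" -f
)

# Usage with the values from this page:
#   debug_session deploy/waypoint oneconnect debug wasm http rbac
```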