December 10, 2020 By Ram Vennam 3 min read

Check out these best practices to consider when running in production with the Istio add-on. 

Istio on IBM Cloud Kubernetes Service provides a seamless installation of Istio, automatic updates and lifecycle management of Istio control plane components, and integration with platform logging and monitoring tools. Today, IBM Cloud is announcing the release of version 1.8 of the Istio add-on. 


  • Scope your EnvoyFilters: Istio’s CRDs (VirtualService, DestinationRule, PeerAuthentication, etc.) provide many options for easily configuring your traffic. For further customization, many users rely on EnvoyFilter to directly configure the Envoy proxies. EnvoyFilter capabilities are very powerful and should be applied with care. Scope down your EnvoyFilter by using the appropriate workloadSelector and match properties to reduce unnecessary overhead.
  • Use namespaces and Sidecar: The Istio control plane is responsible for generating the routing configuration and distributing it to all the proxies in the mesh. Without any scoping, the generation and distribution can quickly become bottlenecked. To alleviate this problem, leverage Kubernetes namespaces to distribute your workload and avoid deploying too many services into a single namespace. Then, use Istio’s Sidecar resource to scope down the amount of configuration received by the proxies by defining what namespaces your workload needs access to. 
  • Disable logging: You can customize a set of Istio configuration options by editing the managed-istio-custom configmap resource. These settings include extra control over monitoring, logging, and networking in your control plane and service mesh. The istio-global-logging-level option is used to set the scope of logs and the level of log messages for control plane components. Set this to none
  • Disable tracing and telemetry: The istio-meshConfig-enableTracing option in the managed-istio-custom configmap controls the generation of trace spans and request IDs. If you’re not leveraging the tracing capabilities of Istio, you can disable this option. Furthermore, to remove any performance overhead associated with telemetry metrics and disable all monitoring, set istio-monitoring-telemetry to false.


  • Multizone cluster: Your users are less likely to experience downtime when you distribute your apps across multiple worker nodes and zones. Create a multizone cluster to distribute your workloads across multiple worker nodes and zones, and protect against zone failures with hosts, networks, or apps. If resources in one zone go down, your cluster workloads continue to run in the other zones.
  • Enable additional gateways: The Istio add-on comes with a single deployment and service of the Istio ingress gateway. An auto-scaling policy is configured to scale the replicas up and down automatically. If you are using a multizone cluster for maximum availability, it’s recommended that you create additional ingress gateway deployments and services in secondary and tertiary zones. Use the istio-ingressgateway-public-1|2|3-enabled and istio-ingressgateway-zone-1|2|3 options in the managed-istio-custom configmap to achieve this.


  • STRICT mTLS: Istio will automatically use mTLS when it determines it’s possible and fallback to plain text when it cannot. This is useful when some of your services are part of the mesh and others are not. If all your services are Istio-enabled, you can enforce mutual TLS for the entire mesh or namespace by creating a PeerAuthenticationPolicy.
  • Edge nodes: Edge worker nodes can improve the security of your IBM Cloud Kubernetes Service cluster by allowing fewer worker nodes to be accessed externally and by isolating the networking workload. When these worker nodes are marked for networking only, other workloads cannot consume the CPU or memory of the worker node and interfere with networking. Add the dedicated=edge label and taint to your edge worker nodes. The ingress gateway pods are pre-configured with the necessary tolerations to allow them to run on the edge nodes. 
  • Security updates: IBM Cloud keeps your Istio control plane and the default gateway components up-to-date by automatically rolling out patch updates to the most recent version of Istio that is supported by IBM Cloud Kubernetes Service. Whenever the managed Istio add-on is updated, make sure that you update the Istio sidecars for your app to match the Istio version of the add-on.

Traffic management

  • Outbound traffic policy: By default, outbound traffic to external URLs goes thru the sidecar proxy, but is not restricted. To prevent your workloads from making outbound calls to unknown hosts, set the istio-global-outboundTrafficPolicy-mode option in the managed-istio-custom configmap to REGISTRY_ONLY. This configures the sidecars to only allow access to defined services

More information

Check out our documentation for more information about the Istio add-on for the IBM Cloud Kubernetes Service

If you have any questions or have any feedback to share, please engage our team via Slack by registering here and join the discussion in the #general or #managed_istio_knative channels on our public IBM Cloud Kubernetes Service Slack.

Was this article helpful?

More from Cloud

The history of the central processing unit (CPU)

10 min read - The central processing unit (CPU) is the computer’s brain. It handles the assignment and processing of tasks, in addition to functions that make a computer run. There’s no way to overstate the importance of the CPU to computing. Virtually all computer systems contain, at the least, some type of basic CPU. Regardless of whether they’re used in personal computers (PCs), laptops, tablets, smartphones or even in supercomputers whose output is so strong it must be measured in floating-point operations per…

A clear path to value: Overcome challenges on your FinOps journey 

3 min read - In recent years, cloud adoption services have accelerated, with companies increasingly moving from traditional on-premises hosting to public cloud solutions. However, the rise of hybrid and multi-cloud patterns has led to challenges in optimizing value and controlling cloud expenditure, resulting in a shift from capital to operational expenses.   According to a Gartner report, cloud operational expenses are expected to surpass traditional IT spending, reflecting the ongoing transformation in expenditure patterns by 2025. FinOps is an evolving cloud financial management discipline…

IBM Power8 end of service: What are my options?

3 min read - IBM Power8® generation of IBM Power Systems was introduced ten years ago and it is now time to retire that generation. The end-of-service (EoS) support for the entire IBM Power8 server line is scheduled for this year, commencing in March 2024 and concluding in October 2024. EoS dates vary by model: 31 March 2024: maintenance expires for Power Systems S812LC, S822, S822L, 822LC, 824 and 824L. 31 May 2024: maintenance expires for Power Systems S812L, S814 and 822LC. 31 October…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters