The CNCF Technical Oversight Committee (TOC) has voted to accept Istio as a CNCF incubating project.
Istio is an open source service mesh that transparently provides a uniform and efficient way to secure, connect, and monitor services in cloud native applications. It provides zero-trust networking, policy enforcement, traffic management, load balancing, and monitoring, without requiring applications to be rewritten.
Development of Istio began in 2016. It was initially developed by Google and IBM, alongside the Lyft team who built the Envoy proxy. Significant contributions have since come from:
- Technology companies and cloud providers, including Red Hat, Cisco, VMware, Intel, Huawei, Tencent, Alibaba, and DaoCloud
- Companies founded to bring Istio solutions to market, including Tetrate, Aspen Mesh, and Solo.io
- Istio’s end users, including Auto Trader UK, Salesforce, SAP, and Yahoo!
Istio stands on the shoulders of several CNCF projects, such as Kubernetes, Envoy, gRPC, Prometheus, and SPIFFE. It can be installed with Helm, and integrations exist for projects including Knative, Flagger, Jaeger, Open Policy Agent, and OpenTelemetry.
Istio reached 1.0 in 2018. In 2019, Istio was the fourth fastest growing open source project in all of GitHub. Over 190 companies have committed to Istio, with more than 20 vendors offering a hosted Istio product or add-on for their Kubernetes platform, including Google, IBM, Red Hat, VMware, Huawei, Alibaba, Cisco, Oracle, and D2IQ.
“We are pleased to unify Google’s industry-defining stack of cloud native projects — Kubernetes, Istio, and Knative — in one home under the CNCF,” said Craig Box, Developer Relations Lead at Google Cloud and Istio Steering Committee member. “Our team has been working to bring the service mesh community together around the Kubernetes Gateway API, and we look forward to seeing, and driving, more such collaboration between CNCF projects. This is a significant milestone for Istio and its community, and we are thrilled to reach this next step in the evolution of the project.”
“Support for open source innovations is a critical component of IBM’s hybrid cloud strategy, and we see this in particular with Istio — to which we have contributed from the start. With the acceptance of Istio into the CNCF, the project is entering a new phase in its evolution and growth, and we applaud this milestone. The open governance and robust community of CNCF will help nurture the project, ensuring a bright future for the users of Istio and for the contributors and overall CNCF communities.” — Jason McGee, IBM Fellow and General Manager, IBM Cloud
“Istio is one of the key open source projects in the cloud native ecosystem. Huawei Cloud started contributing to Istio in 2018. Istio has showcased its potential in enterprise digitalization and application modernization through use cases in many industries, such as internet, finance, and automobile. I am glad to see the Istio project being accepted into CNCF. We will keep contributing to Istio and working with the CNCF to promote the community and use cases in more industries.” — Bruno Zhang, CTO of Huawei Cloud
The US Government has mandated zero trust architectures for federal infrastructure, and the Istio community supported this goal alongside governmental agencies, including co-authoring the National Institute of Standards and Technology SP 800-204A standard for securing microservices. Istio has seen governmental adoption, selected as the service mesh for the DoD Enterprise DevSecOps initiative, and famously deployed on an F/16 jet.
“Bringing Istio to CNCF further validates its neutrality and maturity as a foundational technology in modern software platforms,” said Nicolas Chaillan, former Chief Software Officer for the Air Force and Space Force and advisor to Tetrate. “Istio has been an integral part in driving security best practices in government and commercial organizations, this will accelerate Istio’s adoption and broaden its impact across the industry.”
According to the CNCF annual survey, Istio is the most widely adopted service mesh. A list of public reference customers can be found on the Istio website, including case studies from Airbnb, Atlassian, eBay, Salesforce.com, Splunk, T Mobile, and WP Engine. The two annual IstioCon events have each attracted over 4,000 attendees.
“Istio’s extensibility, broad feature support, and scalability make it a great choice for Airbnb. Airbnb is currently serving the vast majority of internal traffic with Istio and plans to use Istio as the service mesh solution going forward.” – Weibo He, Staff Software Engineer, Airbnb
“The use of Istio has been a force multiplier for WP Engine. By implementing Istio, we created a platform that provides increased security and observability, allowing our application teams to focus on their business logic.” – Glenn Jones, Principal Software Engineer, WP Engine
“Istio is at the core of Intuit’s Developer platform and powers communication between thousands of services across hundreds of Kubernetes clusters running as a multi-cluster service mesh. Istio’s extensible architecture allowed Intuit to build customizations and augment Service Mesh with its own tooling. In the process of automating one of Istio’s multi-cluster models, Intuit contributed an open source project called Admiral for service discovery in a multi-cluster Istio service mesh. We are excited to see the development of ambient mesh and actively working on exploring it internally.” – Jason Webb, Distinguished Engineer, Intuit
An Istio service mesh is logically split into a data plane and a control plane.
The data plane is composed of a set of intelligent Envoy proxies, most commonly deployed as sidecars. These proxies mediate and control all network communication between microservices. They also collect and report telemetry on all mesh traffic. Istio engineers have contributed many substantial features to Envoy, including extensibility via WebAssembly.
The control plane manages and configures the proxies to route traffic. Logically separated inside a single binary, components include the data plane programmer (Pilot), certificate authority (Citadel), configuration management engine (Galley), and sidecar admission controller.
- 85 maintainers from 15 companies
- >8,800 individual contributors
- >40,000 pull requests
- >20,000 issues
- >260 releases
- >33,000 GitHub Stars
- >8,500 Slack members
Almost six years into the project, Istio is not resting on its laurels. A new operating model named ambient mesh was recently announced, addressing common operational challenges by moving data plane functionality from sidecar containers into the network infrastructure. Ambient mesh has been released as an experimental feature and is currently under community development. Istio continues to support the sidecar deployment model and the two modes will seamlessly interoperate.
“Welcoming Istio into CNCF is an exciting move as the number of service mesh options expands in the cloud native ecosystem. Istio brings service mesh innovation to the forefront in the CNCF project family with its new ambient mesh architecture. We are seeing increasing end user adoption of service meshes and anticipate broad impact on the industry as projects like Istio continue to mature. We look forward to working with the Istio community to help it graduate to the next level.” – Chris Aniszczyk, CTO of CNCF
As a CNCF-hosted project, Istio is now part of a neutral foundation aligned with its technical interests, as well as the larger Linux Foundation, which provides governance, marketing support, and community outreach. For more information on maturity requirements for each level, please visit the CNCF Graduation Criteria.
To learn more about Istio:
- Check out the project site and GitHub repository
- Read the docs
- Explore the sample application
- Join the community, including on our Slack and discussion site
- Learn about ambient mesh on the Kubernetes Podcast from Google