Pods and Services
To be a part of an Istio service mesh, pods and services in a Kubernetes cluster must satisfy the following requirements:
- Named service ports: Service ports must be named. The port name key/value pairs must have the following syntax: `name: <protocol>[-<suffix>]`. To take advantage of Istio's routing features, replace `<protocol>` with one of the following values: `grpc`, `http`, `http2`, `https`, `mongo`, `mysql`, `redis`, `tcp`, `tls`, `udp`.

  For example, `name: http2-foo` or `name: http` are valid port names, but `name: http2foo` is not. If the port name does not begin with a recognized prefix or if the port is unnamed, outbound HTTP or TCP traffic will be automatically detected. Inbound traffic on the port is treated as plain TCP traffic unless the port explicitly uses `Protocol: UDP` to signify a UDP port.
- Service association: A pod must belong to at least one Kubernetes service even if the pod does NOT expose any port. If a pod belongs to multiple Kubernetes services, the services cannot use the same port number for different protocols, for instance HTTP and TCP.
- Deployments with app and version labels: We recommend adding an explicit `app` label and `version` label to deployments. Add the labels to the deployment specification of pods deployed using the Kubernetes `Deployment`. The `app` and `version` labels add contextual information to the metrics and telemetry Istio collects.
  - The `app` label: Each deployment specification should have a distinct `app` label with a meaningful value. The `app` label is used to add contextual information in distributed tracing.
  - The `version` label: This label indicates the version of the application corresponding to the particular deployment.
- Application UIDs: Ensure your pods do not run applications as a user with the user ID (UID) value of 1337.
- `NET_ADMIN` capability: If your cluster enforces pod security policies, pods must allow the `NET_ADMIN` capability. If you use the Istio CNI Plugin, this requirement no longer applies. To learn more about the `NET_ADMIN` capability, visit Required Pod Capabilities.
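The requirements above are easy to miss in review, so here is a small pre-deployment lint that checks them. This is an added example, not Istio's own tooling; it assumes the manifests have already been parsed from YAML into Python dicts, and the sample manifests below are constructed for illustration.

```python
"""Lint parsed Kubernetes Service/Deployment manifests against the Istio mesh requirements."""
import re

# Protocol prefixes Istio recognizes in service port names (name: <protocol>[-<suffix>]).
ISTIO_PROTOCOLS = {"grpc", "http", "http2", "https", "mongo", "mysql", "redis", "tcp", "tls", "udp"}
PORT_NAME_RE = re.compile(r"^([a-z0-9]+)(?:-[A-Za-z0-9-]+)?$")
# TCP ports listed under "Ports used by Istio"; headless services must not reuse them.
ISTIO_PORTS = {8060, 8080, 9090, 9091, 9876, 9901, 15000, 15001, 15004, 15006, 15010,
               15011, 15014, 15020, 15029, 15030, 15031, 15032, 15090, 15443, 42422}
FORBIDDEN_UID = 1337  # application containers must not run as this UID


def check_port_name(name):
    """True if the port name carries a recognized protocol prefix (e.g. http2-foo, http)."""
    if not name:  # unnamed port: traffic is only auto-detected, not routed by protocol
        return False
    m = PORT_NAME_RE.match(name)
    return bool(m) and m.group(1) in ISTIO_PROTOCOLS


def lint_service(svc):
    """Return a list of findings for one Service manifest (empty list means compliant)."""
    findings, spec = [], svc.get("spec", {})
    for p in spec.get("ports", []):
        if not check_port_name(p.get("name")):
            findings.append(f"port {p.get('port')}: name {p.get('name')!r} has no recognized protocol prefix")
        if (spec.get("clusterIP") == "None" and p.get("protocol", "TCP") == "TCP"
                and p.get("port") in ISTIO_PORTS):
            findings.append(f"headless service uses TCP port {p['port']}, which Istio uses")
    return findings


def lint_deployment(dep):
    """Return a list of findings for one Deployment manifest: labels and UID checks."""
    findings, tmpl = [], dep.get("spec", {}).get("template", {})
    labels = tmpl.get("metadata", {}).get("labels", {})
    findings += [f"pod template missing {lbl!r} label" for lbl in ("app", "version") if lbl not in labels]
    pod_spec = tmpl.get("spec", {})
    uids = [pod_spec.get("securityContext", {}).get("runAsUser")]
    uids += [c.get("securityContext", {}).get("runAsUser") for c in pod_spec.get("containers", [])]
    if FORBIDDEN_UID in uids:
        findings.append(f"a container runs as UID {FORBIDDEN_UID}, which Istio forbids for applications")
    return findings


# Constructed sample manifests (already parsed from YAML).
GOOD_SVC = {"spec": {"ports": [{"name": "http2-foo", "port": 80}, {"name": "http", "port": 8081}]}}
BAD_SVC = {"spec": {"clusterIP": "None", "ports": [{"name": "http2foo", "port": 15010}]}}
GOOD_DEP = {"spec": {"template": {"metadata": {"labels": {"app": "reviews", "version": "v1"}},
                                  "spec": {"containers": [{"name": "reviews", "securityContext": {"runAsUser": 1000}}]}}}}
BAD_DEP = {"spec": {"template": {"metadata": {"labels": {"app": "reviews"}},
                                 "spec": {"containers": [{"name": "reviews", "securityContext": {"runAsUser": 1337}}]}}}}
```

Run `lint_service` and `lint_deployment` over every manifest in a CI step and fail the build on any non-empty result.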
Ports used by Istio
The following ports and protocols are used by Istio. Ensure that there are no TCP headless services using a TCP port used by one of Istio’s services.
| Port | Protocol | Used by | Description |
|---|---|---|---|
| 8060 | HTTP | Citadel | GRPC server |
| 8080 | HTTP | Citadel agent | SDS service monitoring |
| 9090 | HTTP | Prometheus | Prometheus |
| 9091 | HTTP | Mixer | Policy/Telemetry |
| 9876 | HTTP | Citadel, Citadel agent | ControlZ user interface |
| 9901 | GRPC | Galley | Mesh Configuration Protocol |
| 15000 | TCP | Envoy | Envoy admin port (commands/diagnostics) |
| 15001 | TCP | Envoy | Envoy Outbound |
| 15006 | TCP | Envoy | Envoy Inbound |
| 15004 | HTTP | Mixer, Pilot | Policy/Telemetry - mTLS |
| 15010 | HTTP | Pilot | Pilot service - XDS pilot - discovery |
| 15011 | TCP | Pilot | Pilot service - mTLS - Proxy - discovery |
| 15014 | HTTP | Citadel, Citadel agent, Galley, Mixer, Pilot, Sidecar Injector | Control plane monitoring |
| 15020 | HTTP | Ingress Gateway | Pilot health checks |
| 15029 | HTTP | Kiali | Kiali User Interface |
| 15030 | HTTP | Prometheus | Prometheus User Interface |
| 15031 | HTTP | Grafana | Grafana User Interface |
| 15032 | HTTP | Tracing | Tracing User Interface |
| 15443 | TLS | Ingress and Egress Gateways | SNI |
| 15090 | HTTP | Mixer | Proxy |
| 42422 | TCP | Mixer | Telemetry - Prometheus |