istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.9/docs/ops/deployment/deployment-models/index.html

422 lines
108 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Deployment Models"><meta name=description content="Describes the options and considerations when configuring your Istio deployment."><meta name=keywords content="microservices,services,mesh,single-cluster,multiple-clusters,control-plane,tenancy,networks,identity,trust,single-mesh,multiple-meshes"><meta property="og:title" content="Deployment Models"><meta property="og:type" content="website"><meta property="og:description" content="Describes the options and considerations when configuring your Istio deployment."><meta property="og:url" content="/v1.9/docs/ops/deployment/deployment-models/"><meta property="og:image" content="/v1.9/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="112"><meta property="og:image:height" content="150"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.9 / Deployment Models</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.9/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.9/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.9/feed.xml><link rel="shortcut icon" href=/v1.9/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.9/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.9/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.9/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.9/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.9/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.9/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.9/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.9/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.9/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.9/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.9/css/all.css><script src=/v1.9/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.9";const docTitle="Deployment Models";const iconFile="\/v1.9/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.9/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.9/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2"/><polygon points="65 240 225 240 125 270"/><polygon points="65 230 125 220 125 110"/><polygon points="135 220 225 230 135 30"/></svg></span><span class=name>Istioldie 1.9</span></a><div id=hamburger><svg class="icon hamburger"><use xlink:href="/v1.9/img/icons.svg#hamburger"/></svg></div><div id=header-links><a class=current title="Learn how to deploy, use, and operate Istio." href=/v1.9/docs/>Docs</a>
<a title="Posts about using Istio." href=/v1.9/blog/2021/>Blog<i class=dot data-prefix=/blog></i></a>
<a title="Timely news about the Istio project." href=/v1.9/news/>News<i class=dot data-prefix=/news></i></a>
<a title="Frequently Asked Questions about Istio." href=/v1.9/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.9/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon gear"><use xlink:href="/v1.9/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/docs\/ops\/deployment\/deployment-models\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/docs\/ops\/deployment\/deployment-models\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://istio.io/archive>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon magnifier"><use xlink:href="/v1.9/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.9/search>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon cancel-x"><use xlink:href="/v1.9/img/icons.svg#cancel-x"/></svg></button></form></nav></header><div class=banner-container></div><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card17 title="Learn about the different parts of the Istio system and the abstractions it uses." aria-controls=card17-body><svg class="icon concepts"><use xlink:href="/v1.9/img/icons.svg#concepts"/></svg>Concepts</button><div class=body aria-labelledby=card17 role=region id=card17-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card17><li role=none><a role=treeitem title="Introduces Istio, the problems it solves, its high-level architecture, and its design goals." href=/v1.9/docs/concepts/what-is-istio/>What is Istio?</a></li><li role=none><a role=treeitem title="Describes the various Istio features focused on traffic routing and control." href=/v1.9/docs/concepts/traffic-management/>Traffic Management</a></li><li role=none><a role=treeitem title="Describes Istio's authorization and authentication functionality." href=/v1.9/docs/concepts/security/>Security</a></li><li role=none><a role=treeitem title="Describes the telemetry and monitoring features provided by Istio." href=/v1.9/docs/concepts/observability/>Observability</a></li><li role=none><a role=treeitem title="Describes Istio's WebAssembly Plugin system." href=/v1.9/docs/concepts/wasm/>Extensibility</a></li></ul></div></div><div class=card><button class="header dynamic" id=card44 title="Instructions for installing the Istio control plane on Kubernetes." aria-controls=card44-body><svg class="icon setup"><use xlink:href="/v1.9/img/icons.svg#setup"/></svg>Setup</button><div class=body aria-labelledby=card44 role=region id=card44-body><ul role=tree aria-expanded=true aria-labelledby=card44><li role=none><a role=treeitem title="Try Istios features quickly and easily." href=/v1.9/docs/setup/getting-started/>Getting Started</a></li><li role=treeitem aria-label="Platform Setup"><button aria-hidden=true></button><a title="How to prepare various Kubernetes platforms before installing Istio." href=/v1.9/docs/setup/platform-setup/>Platform Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to setup an Alibaba Cloud Kubernetes cluster for Istio." href=/v1.9/docs/setup/platform-setup/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup an Azure cluster for Istio." href=/v1.9/docs/setup/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="Instructions to setup Docker Desktop for Istio." href=/v1.9/docs/setup/platform-setup/docker/>Docker Desktop</a></li><li role=none><a role=treeitem title="Instructions to setup a Google Kubernetes Engine cluster for Istio." href=/v1.9/docs/setup/platform-setup/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to setup an IBM Cloud cluster for Istio." href=/v1.9/docs/setup/platform-setup/ibm/>IBM Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup kind for Istio." href=/v1.9/docs/setup/platform-setup/kind/>kind</a></li><li role=none><a role=treeitem title="Instructions to setup Kops for use with Istio." href=/v1.9/docs/setup/platform-setup/kops/>Kops</a></li><li role=none><a role=treeitem title="Instructions to setup a Gardener cluster for Istio." href=/v1.9/docs/setup/platform-setup/gardener/>Kubernetes Gardener</a></li><li role=none><a role=treeitem title="Instructions to setup a KubeSphere Container Platform for Istio." href=/v1.9/docs/setup/platform-setup/kubesphere/>KubeSphere Container Platform</a></li><li role=none><a role=treeitem title="Instructions to setup MicroK8s for use with Istio." href=/v1.9/docs/setup/platform-setup/microk8s/>MicroK8s</a></li><li role=none><a role=treeitem title="Instructions to setup minikube for Istio." href=/v1.9/docs/setup/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="Instructions to setup an OpenShift cluster for Istio." href=/v1.9/docs/setup/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="Instructions to setup an OKE cluster for Istio." href=/v1.9/docs/setup/platform-setup/oci/>Oracle Cloud Infrastructure</a></li></ul></li><li role=treeitem aria-label=Install><button aria-hidden=true></button><a title="Choose the guide that best suits your needs and platform." href=/v1.9/docs/setup/install/>Install</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Install and customize any Istio configuration profile for in-depth evaluation or production use." href=/v1.9/docs/setup/install/istioctl/>Install with Istioctl</a></li><li role=none><a role=treeitem title="Instructions to install Istio in a Kubernetes cluster using the Istio operator." href=/v1.9/docs/setup/install/operator/>Istio Operator Install</a></li><li role=none><a role=treeitem title="Install and configure Istio for in-depth evaluation." href=/v1.9/docs/setup/install/helm/>Install with Helm</a></li><li role=treeitem aria-label="Install Multicluster"><button aria-hidden=true></button><a title="Install an Istio mesh across multiple Kubernetes clusters." href=/v1.9/docs/setup/install/multicluster/>Install Multicluster</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Initial steps before installing Istio on multiple clusters." href=/v1.9/docs/setup/install/multicluster/before-you-begin/>Before you begin</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple primary clusters." href=/v1.9/docs/setup/install/multicluster/multi-primary/>Install Multi-Primary</a></li><li role=none><a role=treeitem title="Install an Istio mesh across primary and remote clusters." href=/v1.9/docs/setup/install/multicluster/primary-remote/>Install Primary-Remote</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple primary clusters on different networks." href=/v1.9/docs/setup/install/multicluster/multi-primary_multi-network/>Install Multi-Primary on different networks</a></li><li role=none><a role=treeitem title="Install an Istio mesh across primary and remote clusters on different networks." href=/v1.9/docs/setup/install/multicluster/primary-remote_multi-network/>Install Primary-Remote on different networks</a></li><li role=none><a role=treeitem title="Verify that Istio has been installed properly on multiple clusters." href=/v1.9/docs/setup/install/multicluster/verify/>Verify the installation</a></li></ul></li><li role=none><a role=treeitem title="Deploy Istio and connect a workload running within a virtual machine to it." href=/v1.9/docs/setup/install/virtual-machine/>Virtual Machine Installation</a></li></ul></li><li role=treeitem aria-label=Upgrade><button aria-hidden=true></button><a title="Upgrade, downgrade, and manage Istio accross multiple control plane revisions." href=/v1.9/docs/setup/upgrade/>Upgrade</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Upgrade Istio by first running a canary deployment of a new control plane." href=/v1.9/docs/setup/upgrade/canary/>Canary Upgrades</a></li><li role=none><a role=treeitem title="Upgrade or downgrade Istio in place." href=/v1.9/docs/setup/upgrade/in-place/>In-place Upgrades</a></li><li role=none><a role=treeitem title="Configuring and upgrading Istio with gateways (experimental)." href=/v1.9/docs/setup/upgrade/gateways/>Managing Gateways with Multiple Revisions [Experimental]</a></li></ul></li><li role=treeitem aria-label="More Guides"><button aria-hidden=true></button><a title="More information on additional setup tasks." href=/v1.9/docs/setup/additional-setup/>More Guides</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes the built-in Istio installation configuration profiles." href=/v1.9/docs/setup/additional-setup/config-profiles/>Installation Configuration Profiles</a></li><li role=none><a role=treeitem title="Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href=/v1.9/docs/setup/additional-setup/sidecar-injection/>Installing the Sidecar</a></li><li role=none><a role=treeitem title="Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege." href=/v1.9/docs/setup/additional-setup/cni/>Install Istio with the Istio CNI plugin</a></li><li role=none><a role=treeitem title="Install an external control plane and remote cluster." href=/v1.9/docs/setup/additional-setup/external-controlplane/>Install Istio with an External Control Plane</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card77 title="How to do single specific targeted activities with the Istio system." aria-controls=card77-body><svg class="icon tasks"><use xlink:href="/v1.9/img/icons.svg#tasks"/></svg>Tasks</button><div class=body aria-labelledby=card77 role=region id=card77-body><ul role=tree aria-expanded=true aria-labelledby=card77><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Tasks that demonstrate Istio's traffic routing features." href=/v1.9/docs/tasks/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="This task shows you how to configure dynamic request routing to multiple versions of a microservice." href=/v1.9/docs/tasks/traffic-management/request-routing/>Request Routing</a></li><li role=none><a role=treeitem title="This task shows you how to inject faults to test the resiliency of your application." href=/v1.9/docs/tasks/traffic-management/fault-injection/>Fault Injection</a></li><li role=none><a role=treeitem title="Shows you how to migrate traffic from an old to new version of a service." href=/v1.9/docs/tasks/traffic-management/traffic-shifting/>Traffic Shifting</a></li><li role=none><a role=treeitem title="Shows you how to migrate TCP traffic from an old to new version of a TCP service." href=/v1.9/docs/tasks/traffic-management/tcp-traffic-shifting/>TCP Traffic Shifting</a></li><li role=none><a role=treeitem title="This task shows you how to setup request timeouts in Envoy using Istio." href=/v1.9/docs/tasks/traffic-management/request-timeouts/>Request Timeouts</a></li><li role=none><a role=treeitem title="This task shows you how to configure circuit breaking for connections, requests, and outlier detection." href=/v1.9/docs/tasks/traffic-management/circuit-breaking/>Circuit Breaking</a></li><li role=none><a role=treeitem title="This task demonstrates the traffic mirroring/shadowing capabilities of Istio." href=/v1.9/docs/tasks/traffic-management/mirroring/>Mirroring</a></li><li role=treeitem aria-label="Locality Load Balancing"><button aria-hidden=true></button><a title="This series of tasks demonstrate how to configure locality load balancing in Istio." href=/v1.9/docs/tasks/traffic-management/locality-load-balancing/>Locality Load Balancing</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Initial steps before configuring locality load balancing." href=/v1.9/docs/tasks/traffic-management/locality-load-balancing/before-you-begin/>Before you begin</a></li><li role=none><a role=treeitem title="This task demonstrates how to configure your mesh for locality failover." href=/v1.9/docs/tasks/traffic-management/locality-load-balancing/failover/>Locality failover</a></li><li role=none><a role=treeitem title="This guide demonstrates how to configure locality distribution." href=/v1.9/docs/tasks/traffic-management/locality-load-balancing/distribute/>Locality weighted distribution</a></li><li role=none><a role=treeitem title="Cleanup steps for locality load balancing." href=/v1.9/docs/tasks/traffic-management/locality-load-balancing/cleanup/>Cleanup</a></li></ul></li><li role=treeitem aria-label=Ingress><button aria-hidden=true></button><a title="Controlling ingress traffic for an Istio service mesh." href=/v1.9/docs/tasks/traffic-management/ingress/>Ingress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure an Istio gateway to expose a service outside of the service mesh." href=/v1.9/docs/tasks/traffic-management/ingress/ingress-control/>Ingress Gateways</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS." href=/v1.9/docs/tasks/traffic-management/ingress/secure-ingress/>Secure Gateways</a></li><li role=none><a role=treeitem title="Describes how to configure SNI passthrough for an ingress gateway." href=/v1.9/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/>Ingress Gateway without TLS Termination</a></li><li role=none><a role=treeitem title="Describes how to configure a Kubernetes Ingress object to expose a service outside of the service mesh." href=/v1.9/docs/tasks/traffic-management/ingress/kubernetes-ingress/>Kubernetes Ingress</a></li><li role=none><a role=treeitem title="Describes how to configure the Kubernetes Gateway API with Istio." href=/v1.9/docs/tasks/traffic-management/ingress/gateway-api/>Kubernetes Gateway API</a></li></ul></li><li role=treeitem aria-label=Egress><button aria-hidden=true></button><a title="Controlling egress traffic for an Istio service mesh." href=/v1.9/docs/tasks/traffic-management/egress/>Egress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure Istio to route traffic from services in the mesh to external services." href=/v1.9/docs/tasks/traffic-management/egress/egress-control/>Accessing External Services</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to perform TLS origination for traffic to external services." href=/v1.9/docs/tasks/traffic-management/egress/egress-tls-origination/>Egress TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway." href=/v1.9/docs/tasks/traffic-management/egress/egress-gateway/>Egress Gateways</a></li><li role=none><a role=treeitem title="Describes how to configure an Egress Gateway to perform TLS origination to external services using Secret Discovery Service." href=/v1.9/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/>Egress Gateways with TLS Origination (SDS)</a></li><li role=none><a role=treeitem title="Describes how to configure an Egress Gateway to perform TLS origination to external services using file mount certificates." href=/v1.9/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress Gateways with TLS Origination (File Mount)</a></li><li role=none><a role=treeitem title="Describes how to enable egress traffic for a set of hosts in a common domain, instead of configuring each and every host separately." href=/v1.9/docs/tasks/traffic-management/egress/wildcard-egress-hosts/>Egress using Wildcard Hosts</a></li><li role=none><a role=treeitem title="Shows how to configure Istio for Kubernetes External Services." href=/v1.9/docs/tasks/traffic-management/egress/egress-kubernetes-services/>Kubernetes Services for Egress Traffic</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to let applications use an external HTTPS proxy." href=/v1.9/docs/tasks/traffic-management/egress/http-proxy/>Using an External HTTPS Proxy</a></li></ul></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Demonstrates how to secure the mesh." href=/v1.9/docs/tasks/security/>Security</a><ul role=group aria-expanded=false><li role=treeitem aria-label="Certificate Management"><button aria-hidden=true></button><a title="Management of the certificates in Istio." href=/v1.9/docs/tasks/security/cert-management/>Certificate Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows how system administrators can configure Istio's CA with a root certificate, signing certificate and key." href=/v1.9/docs/tasks/security/cert-management/plugin-ca-cert/>Plug in CA Certificates</a></li><li role=none><a role=treeitem title="Shows how to provision and manage DNS certificates in Istio." href=/v1.9/docs/tasks/security/cert-management/dns-cert/>Istio DNS Certificate Management</a></li><li role=none><a role=treeitem title="Shows how to use a Custom Certificate Authority (that integrates with the Kubernetes CSR API) to provision Istio workload certificates (experimental)." href=/v1.9/docs/tasks/security/cert-management/custom-ca-k8s/>Custom CA Integration using Kubernetes CSR [Experimental]</a></li></ul></li><li role=treeitem aria-label=Authentication><button aria-hidden=true></button><a title="Controlling mutual TLS and end-user authentication for mesh services." href=/v1.9/docs/tasks/security/authentication/>Authentication</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication." href=/v1.9/docs/tasks/security/authentication/authn-policy/>Authentication Policy</a></li><li role=none><a role=treeitem title="Shows you how to incrementally migrate your Istio services to mutual TLS." href=/v1.9/docs/tasks/security/authentication/mtls-migration/>Mutual TLS Migration</a></li></ul></li><li role=treeitem aria-label=Authorization><button aria-hidden=true></button><a title="Shows how to control access to Istio services." href=/v1.9/docs/tasks/security/authorization/>Authorization</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows how to set up access control for HTTP traffic." href=/v1.9/docs/tasks/security/authorization/authz-http/>HTTP Traffic</a></li><li role=none><a role=treeitem title="Shows how to set up access control for TCP traffic." href=/v1.9/docs/tasks/security/authorization/authz-tcp/>TCP Traffic</a></li><li role=none><a role=treeitem title="Shows how to set up access control for JWT token." href=/v1.9/docs/tasks/security/authorization/authz-jwt/>JWT Token</a></li><li role=none><a role=treeitem title="Shows how to integrate and delegate access control to an external authorization system." href=/v1.9/docs/tasks/security/authorization/authz-custom/>External Authorization</a></li><li role=none><a role=treeitem title="Shows how to set up access control to deny traffic explicitly." href=/v1.9/docs/tasks/security/authorization/authz-deny/>Explicit Deny</a></li><li role=none><a role=treeitem title="Shows how to set up access control on an ingress gateway." href=/v1.9/docs/tasks/security/authorization/authz-ingress/>Ingress Gateway</a></li><li role=none><a role=treeitem title="Shows how to migrate from one trust domain to another without changing authorization policy." href=/v1.9/docs/tasks/security/authorization/authz-td-migration/>Trust Domain Migration</a></li></ul></li></ul></li><li role=treeitem aria-label="Policy Enforcement"><button aria-hidden=true></button><a title="Demonstrates policy enforcement features." href=/v1.9/docs/tasks/policy-enforcement/>Policy Enforcement</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to dynamically limit the traffic to a service." href=/v1.9/docs/tasks/policy-enforcement/rate-limit/>Enabling Rate Limits using Envoy</a></li></ul></li><li role=treeitem aria-label=Observability><button aria-hidden=true></button><a title="Demonstrates how to collect telemetry information from the mesh." href=/v1.9/docs/tasks/observability/>Observability</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Metrics><button aria-hidden=true></button><a title="Demonstrates the collection and querying of metrics within Istio." href=/v1.9/docs/tasks/observability/metrics/>Metrics</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect metrics for TCP services." href=/v1.9/docs/tasks/observability/metrics/tcp-metrics/>Collecting Metrics for TCP Services</a></li><li role=none><a role=treeitem title="This task shows you how to customize the Istio metrics." href=/v1.9/docs/tasks/observability/metrics/customize-metrics/>Customizing Istio Metrics</a></li><li role=none><a role=treeitem title="This task shows you how to improve telemetry by grouping requests and responses by their type." href=/v1.9/docs/tasks/observability/metrics/classify-metrics/>Classifying Metrics Based on Request or Response (Experimental)</a></li><li role=none><a role=treeitem title="This task shows you how to query for Istio Metrics using Prometheus." href=/v1.9/docs/tasks/observability/metrics/querying-metrics/>Querying Metrics from Prometheus</a></li><li role=none><a role=treeitem title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href=/v1.9/docs/tasks/observability/metrics/using-istio-dashboard/>Visualizing Metrics with Grafana</a></li></ul></li><li role=treeitem aria-label=Logs><button aria-hidden=true></button><a title="Demonstrates the collection of logs within Istio." href=/v1.9/docs/tasks/observability/logs/>Logs</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Envoy proxies to print access logs to their standard output." href=/v1.9/docs/tasks/observability/logs/access-log/>Getting Envoy's Access Logs</a></li></ul></li><li role=treeitem aria-label="Distributed Tracing"><button aria-hidden=true></button><a title="This task shows you how to configure Istio-enabled applications to collect trace spans." href=/v1.9/docs/tasks/observability/distributed-tracing/>Distributed Tracing</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Overview of distributed tracing in Istio." href=/v1.9/docs/tasks/observability/distributed-tracing/overview/>Overview</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Jaeger." href=/v1.9/docs/tasks/observability/distributed-tracing/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Zipkin." href=/v1.9/docs/tasks/observability/distributed-tracing/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="How to configure the proxies to send tracing requests to Lightstep." href=/v1.9/docs/tasks/observability/distributed-tracing/lightstep/>Lightstep</a></li><li role=none><a role=treeitem title="How to configure tracing options (beta/experimental)." href=/v1.9/docs/tasks/observability/distributed-tracing/configurability/>Configurability [Beta/Experimental]</a></li></ul></li><li role=none><a role=treeitem title="This task shows you how to visualize your services within an Istio mesh." href=/v1.9/docs/tasks/observability/kiali/>Visualizing Your Mesh</a></li><li role=none><a role=treeitem title="This task shows you how to configure external access to the set of Istio telemetry addons." href=/v1.9/docs/tasks/observability/gateways/>Remotely Accessing Telemetry Addons</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card100 title="A variety of fully working example uses for Istio that you can experiment with." aria-controls=card100-body><svg class="icon examples"><use xlink:href="/v1.9/img/icons.svg#examples"/></svg>Examples</button><div class=body aria-labelledby=card100 role=region id=card100-body><ul role=tree aria-expanded=true aria-labelledby=card100><li role=none><a role=treeitem title="Deploys a sample application composed of four separate microservices used to demonstrate various Istio features." href=/v1.9/docs/examples/bookinfo/>Bookinfo Application</a></li><li role=none><a role=treeitem title="Run the Bookinfo application with a MySQL service running on a virtual machine within your mesh." href=/v1.9/docs/examples/virtual-machines/>Bookinfo with a Virtual Machine</a></li><li role=treeitem aria-label="Learn Microservices using Kubernetes and Istio"><button aria-hidden=true></button><a title="This modular tutorial provides new users with hands-on experience using Istio for common microservices scenarios, one step at a time." href=/v1.9/docs/examples/microservices-istio/>Learn Microservices using Kubernetes and Istio</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem href=/v1.9/docs/examples/microservices-istio/prereq/>Prerequisites</a></li><li role=none><a role=treeitem href=/v1.9/docs/examples/microservices-istio/setup-kubernetes-cluster/>Setup a Kubernetes Cluster</a></li><li role=none><a role=treeitem href=/v1.9/docs/examples/microservices-istio/setup-local-computer/>Setup a Local Computer</a></li><li role=none><a role=treeitem href=/v1.9/docs/examples/microservices-istio/single/>Run a Microservice Locally</a></li><li role=none><a role=treeitem href=/v1.9/docs/examples/microservices-istio/package-service/>Run ratings in Docker</a></li><li role=none><a role=treeitem href=/v1.9/docs/examples/microservices-istio/bookinfo-kubernetes/>Run Bookinfo with Kubernetes</a></li><li role=none><a role=treeitem href=/v1.9/docs/examples/microservices-istio/production-testing/>Test in production</a></li><li role=none><a role=treeitem href=/v1.9/docs/examples/microservices-istio/add-new-microservice-version/>Add a new version of reviews</a></li><li role=none><a role=treeitem href=/v1.9/docs/examples/microservices-istio/add-istio/>Enable Istio on productpage</a></li><li role=none><a role=treeitem href=/v1.9/docs/examples/microservices-istio/enable-istio-all-microservices/>Enable Istio on all the microservices</a></li><li role=none><a role=treeitem href=/v1.9/docs/examples/microservices-istio/istio-ingress-gateway/>Configure Istio Ingress Gateway</a></li><li role=none><a role=treeitem href=/v1.9/docs/examples/microservices-istio/logs-istio/>Monitoring with Istio</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card123 title="Concepts, tools, and techniques to deploy and manage an Istio mesh." aria-controls=card123-body><svg class="icon guide"><use xlink:href="/v1.9/img/icons.svg#guide"/></svg>Operations</button><div class="body default" aria-labelledby=card123 role=region id=card123-body><ul role=tree aria-expanded=true aria-labelledby=card123><li role=treeitem aria-label=Deployment><button class=show aria-hidden=true></button><a title="Requirements, concepts, and considerations for setting up an Istio deployment." href=/v1.9/docs/ops/deployment/>Deployment</a><ul role=group aria-expanded=true class=leaf-section><li role=none><a role=treeitem title="Describes Istio's high-level architecture and design goals." href=/v1.9/docs/ops/deployment/architecture/>Architecture</a></li><li role=none><span role=treeitem class=current title="Describes the options and considerations when configuring your Istio deployment.">Deployment Models</span></li><li role=none><a role=treeitem title="Describes Istio's high-level architecture for virtual machines." href=/v1.9/docs/ops/deployment/vm-architecture/>Virtual Machine Architecture</a></li><li role=none><a role=treeitem title="Istio performance and scalability summary." href=/v1.9/docs/ops/deployment/performance-and-scalability/>Performance and Scalability</a></li><li role=none><a role=treeitem title="Requirements of applications deployed in an Istio-enabled cluster." href=/v1.9/docs/ops/deployment/requirements/>Application Requirements</a></li></ul></li><li role=treeitem aria-label=Configuration><button aria-hidden=true></button><a title="Advanced concepts and features for configuring a running Istio mesh." href=/v1.9/docs/ops/configuration/>Configuration</a><ul role=group aria-expanded=false><li role=treeitem aria-label="Mesh Configuration"><button aria-hidden=true></button><a title="Helps you manage the global mesh configuration." href=/v1.9/docs/ops/configuration/mesh/>Mesh Configuration</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise." href=/v1.9/docs/ops/configuration/mesh/webhook/>Dynamic Admission Webhooks Overview</a></li><li role=none><a role=treeitem title="Describes how to wait until a resource reaches a given status of readiness." href=/v1.9/docs/ops/configuration/mesh/config-resource-ready/>Wait on Resource Status for Applied Configuration</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.9/docs/ops/configuration/mesh/injection-concepts/>Automatic Sidecar Injection</a></li><li role=none><a role=treeitem title="Shows how to do health checking for Istio services." href=/v1.9/docs/ops/configuration/mesh/app-health-check/>Health Checking of Istio Services</a></li></ul></li><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Helps you manage the networking aspects of a running mesh." href=/v1.9/docs/ops/configuration/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Information on how to specify protocols." href=/v1.9/docs/ops/configuration/traffic-management/protocol-selection/>Protocol Selection</a></li><li role=none><a role=treeitem title="How to configure TLS settings to secure network traffic." href=/v1.9/docs/ops/configuration/traffic-management/tls-configuration/>TLS Configuration</a></li><li role=none><a role=treeitem title="How to configure gateway network topology (experimental)." href=/v1.9/docs/ops/configuration/traffic-management/network-topologies/>Configuring Gateway Network Topology [Experimental]</a></li><li role=none><a role=treeitem title="How to configure DNS proxying." href=/v1.9/docs/ops/configuration/traffic-management/dns-proxy/>DNS Proxying</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Helps you manage the security aspects of a running mesh." href=/v1.9/docs/ops/configuration/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows common examples of using Istio security policy." href=/v1.9/docs/ops/configuration/security/security-policy-examples/>Security policy examples</a></li><li role=none><a role=treeitem title="Use hardened container images to reduce Istio's attack surface." href=/v1.9/docs/ops/configuration/security/harden-docker-images/>Harden Docker Container Images</a></li></ul></li><li role=treeitem aria-label=Observability><button aria-hidden=true></button><a title="Helps you manage telemetry collection and visualization in a running mesh." href=/v1.9/docs/ops/configuration/telemetry/>Observability</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Fine-grained control of Envoy statistics." href=/v1.9/docs/ops/configuration/telemetry/envoy-stats/>Envoy Statistics</a></li><li role=none><a role=treeitem title="Configure Prometheus to monitor multicluster Istio." href=/v1.9/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/>Monitoring Multicluster Istio with Prometheus</a></li></ul></li><li role=treeitem aria-label=Extensibility><button aria-hidden=true></button><a title="Helps you manage extensions to the service mesh." href=/v1.9/docs/ops/configuration/extensibility/>Extensibility</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to make remote WebAssembly modules available in the mesh (experimental)." href=/v1.9/docs/ops/configuration/extensibility/wasm-module-distribution/>Distributing WebAssembly Modules [Experimental]</a></li></ul></li></ul></li><li role=treeitem aria-label="Best Practices"><button aria-hidden=true></button><a title="Best practices for setting up and managing an Istio service mesh." href=/v1.9/docs/ops/best-practices/>Best Practices</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="General best practices when setting up an Istio service mesh." href=/v1.9/docs/ops/best-practices/deployment/>Deployment Best Practices</a></li><li role=none><a role=treeitem title="Configuration best practices to avoid networking or traffic management issues." href=/v1.9/docs/ops/best-practices/traffic-management/>Traffic Management Best Practices</a></li><li role=none><a role=treeitem title="Best practices for securing applications using Istio." href=/v1.9/docs/ops/best-practices/security/>Security Best Practices</a></li><li role=none><a role=treeitem title="Best practices for observing applications using Istio." href=/v1.9/docs/ops/best-practices/observability/>Observability Best Practices</a></li></ul></li><li role=treeitem aria-label="Common Problems"><button aria-hidden=true></button><a title="Describes how to identify and resolve common problems in Istio." href=/v1.9/docs/ops/common-problems/>Common Problems</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Techniques to address common Istio traffic management and network problems." href=/v1.9/docs/ops/common-problems/network-issues/>Traffic Management Problems</a></li><li role=none><a role=treeitem title="Techniques to address common Istio authentication, authorization, and general security-related problems." href=/v1.9/docs/ops/common-problems/security-issues/>Security Problems</a></li><li role=none><a role=treeitem title="Dealing with telemetry collection issues." href=/v1.9/docs/ops/common-problems/observability-issues/>Observability Problems</a></li><li role=none><a role=treeitem title="Resolve common problems with Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.9/docs/ops/common-problems/injection/>Sidecar Injection Problems</a></li><li role=none><a role=treeitem title="Describes how to resolve configuration validation problems." href=/v1.9/docs/ops/common-problems/validation/>Configuration Validation Problems</a></li></ul></li><li role=treeitem aria-label="Diagnostic Tools"><button aria-hidden=true></button><a title="Tools and techniques to help troubleshoot an Istio mesh." href=/v1.9/docs/ops/diagnostic-tools/>Diagnostic Tools</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Istio includes a supplemental tool that provides debugging and diagnosis for Istio service mesh deployments." href=/v1.9/docs/ops/diagnostic-tools/istioctl/>Using the Istioctl Command-line Tool</a></li><li role=none><a role=treeitem title="Describes tools and techniques to diagnose issues with Virtual Machines." href=/v1.9/docs/ops/diagnostic-tools/virtual-machines/>Debugging Virtual Machines</a></li><li role=none><a role=treeitem title="Describes tools and techniques to diagnose Envoy configuration issues related to traffic management." href=/v1.9/docs/ops/diagnostic-tools/proxy-cmd/>Debugging Envoy and Istiod</a></li><li role=none><a role=treeitem title="Shows you how to use istioctl describe to verify the configurations of a pod in your mesh." href=/v1.9/docs/ops/diagnostic-tools/istioctl-describe/>Understand your Mesh with Istioctl Describe</a></li><li role=none><a role=treeitem title="Shows you how to use istioctl analyze to identify potential issues with your configuration." href=/v1.9/docs/ops/diagnostic-tools/istioctl-analyze/>Diagnose your Configuration with Istioctl Analyze</a></li><li role=none><a role=treeitem title="Describes how to use ControlZ to get insight into a running istiod component." href=/v1.9/docs/ops/diagnostic-tools/controlz/>Istiod Introspection</a></li><li role=none><a role=treeitem title="Describes how to use component-level logging to get insights into a running component's behavior." href=/v1.9/docs/ops/diagnostic-tools/component-logging/>Component Logging</a></li></ul></li><li role=treeitem aria-label=Integrations><button aria-hidden=true></button><a title="Other software that Istio can integrate with to provide additional functionality." href=/v1.9/docs/ops/integrations/>Integrations</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Information on how to integrate with cert-manager." href=/v1.9/docs/ops/integrations/certmanager/>cert-manager</a></li><li role=none><a role=treeitem title="Information on how to integrate with Grafana to set up Istio dashboards." href=/v1.9/docs/ops/integrations/grafana/>Grafana</a></li><li role=none><a role=treeitem title="How to integrate with Jaeger." href=/v1.9/docs/ops/integrations/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="Information on how to integrate with Kiali." href=/v1.9/docs/ops/integrations/kiali/>Kiali</a></li><li role=none><a role=treeitem title="How to integrate with Prometheus." href=/v1.9/docs/ops/integrations/prometheus/>Prometheus</a></li><li role=none><a role=treeitem title="How to integrate with Zipkin." href=/v1.9/docs/ops/integrations/zipkin/>Zipkin</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card176 title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters." aria-controls=card176-body><svg class="icon reference"><use xlink:href="/v1.9/img/icons.svg#reference"/></svg>Reference</button><div class=body aria-labelledby=card176 role=region id=card176-body><ul role=tree aria-expanded=true aria-labelledby=card176><li role=treeitem aria-label=Configuration><button aria-hidden=true></button><a title="Detailed information on configuration options." href=/v1.9/docs/reference/config/>Configuration</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Configuration affecting the service mesh as a whole." href=/v1.9/docs/reference/config/istio.mesh.v1alpha1/>Global Mesh Options</a></li><li role=none><a role=treeitem title="Configuration affecting Istio control plane installation version and shape." href=/v1.9/docs/reference/config/istio.operator.v1alpha1/>IstioOperator Options</a></li><li role=none><a role=treeitem title="Describes the structure of messages generated by Istio analyzers." href=/v1.9/docs/reference/config/istio.analysis.v1alpha1/>Analysis Messages</a></li><li role=none><a role=treeitem title="Describes the role of the `status` field in configuration workflow." href=/v1.9/docs/reference/config/config-status/>Configuration Status Field</a></li><li role=treeitem aria-label="Proxy Extensions"><button aria-hidden=true></button><a title="Describes how to configure Istio proxy extensions." href=/v1.9/docs/reference/config/proxy_extensions/>Proxy Extensions</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration for Attribute Generation plugin." href=/v1.9/docs/reference/config/proxy_extensions/attributegen/>AttributeGen Config</a></li><li role=none><a role=treeitem title="Configuration for Stackdriver filter." href=/v1.9/docs/reference/config/proxy_extensions/stackdriver/>Stackdriver Config</a></li><li role=none><a role=treeitem title="Configuration for Stats Filter." href=/v1.9/docs/reference/config/proxy_extensions/stats/>Stats Config</a></li><li role=none><a role=treeitem title="Configuration for AccessLogPolicy Filter." href=/v1.9/docs/reference/config/proxy_extensions/accesslogpolicy/>AccessLogPolicy Config</a></li><li role=none><a role=treeitem title="Configuration for Metadata Exchange Filter." href=/v1.9/docs/reference/config/proxy_extensions/metadata_exchange/>Metadata Exchange Config</a></li><li role=none><a role=treeitem title="How to enable telemetry generation with the Wasm runtime (experimental)." href=/v1.9/docs/reference/config/proxy_extensions/wasm_telemetry/>Wasm-based Telemetry [Experimental]</a></li></ul></li><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Describes how to configure HTTP/TCP routing features." href=/v1.9/docs/reference/config/networking/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration affecting load balancing, outlier detection, etc." href=/v1.9/docs/reference/config/networking/destination-rule/>Destination Rule</a></li><li role=none><a role=treeitem title="Customizing Envoy configuration generated by Istio." href=/v1.9/docs/reference/config/networking/envoy-filter/>Envoy Filter</a></li><li role=none><a role=treeitem title="Configuration affecting edge load balancer." href=/v1.9/docs/reference/config/networking/gateway/>Gateway</a></li><li role=none><a role=treeitem title="Configuration affecting label/content routing, sni routing, etc." href=/v1.9/docs/reference/config/networking/virtual-service/>Virtual Service</a></li><li role=none><a role=treeitem title="Configuration affecting service registry." href=/v1.9/docs/reference/config/networking/service-entry/>Service Entry</a></li><li role=none><a role=treeitem title="Configuration affecting network reachability of a sidecar." href=/v1.9/docs/reference/config/networking/sidecar/>Sidecar</a></li><li role=none><a role=treeitem title="Describes a collection of workload instances." href=/v1.9/docs/reference/config/networking/workload-group/>Workload Group</a></li><li role=none><a role=treeitem title="Configuration affecting VMs onboarded into the mesh." href=/v1.9/docs/reference/config/networking/workload-entry/>Workload Entry</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Describes how to configure Istio's security features." href=/v1.9/docs/reference/config/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration to validate JWT." href=/v1.9/docs/reference/config/security/jwt/>JWTRule</a></li><li role=none><a role=treeitem title="Peer authentication configuration for workloads." href=/v1.9/docs/reference/config/security/peer_authentication/>PeerAuthentication</a></li><li role=none><a role=treeitem title="Request authentication configuration for workloads." href=/v1.9/docs/reference/config/security/request_authentication/>RequestAuthentication</a></li><li role=none><a role=treeitem title="Configuration for access control on workloads." href=/v1.9/docs/reference/config/security/authorization-policy/>Authorization Policy</a></li><li role=none><a role=treeitem title="Describes the supported conditions in authorization policies." href=/v1.9/docs/reference/config/security/conditions/>Authorization Policy Conditions</a></li></ul></li><li role=treeitem aria-label="Common Types"><button aria-hidden=true></button><a title="Describes common types in Istio API." href=/v1.9/docs/reference/config/type/>Common Types</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Definition of a workload selector." href=/v1.9/docs/reference/config/type/workload-selector/>Workload Selector</a></li></ul></li><li role=none><a role=treeitem title="Istio standard metrics exported by Istio telemetry." href=/v1.9/docs/reference/config/metrics/>Istio Standard Metrics</a></li><li role=none><a role=treeitem title="Resource annotations used by Istio." href=/v1.9/docs/reference/config/annotations/>Resource Annotations</a></li><li role=none><a role=treeitem title="Resource labels used by Istio." href=/v1.9/docs/reference/config/labels/>Resource Labels</a></li><li role=treeitem aria-label="Configuration Analysis Messages"><button aria-hidden=true></button><a title="Documents the individual error and warning messages produced during configuration analysis." href=/v1.9/docs/reference/config/analysis/>Configuration Analysis Messages</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0113/>MTLSPolicyConflict</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/message-format/>Analyzer Message Format</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0109/>ConflictingMeshGatewayVirtualServiceHosts</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0110/>ConflictingSidecarWorkloadSelectors</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0116/>DeploymentAssociatedToMultipleServices</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0117/>DeploymentRequiresServiceAssociated</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0002/>Deprecated</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0135/>DeprecatedAnnotation</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0104/>GatewayPortNotOnWorkload</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0001/>InternalError</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0125/>InvalidAnnotation</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0122/>InvalidRegexp</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0105/>IstioProxyImageMismatch</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0119/>JwtFailureDueToInvalidServicePortPrefix</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0107/>MisplacedAnnotation</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0111/>MultipleSidecarsWithoutWorkloadSelectors</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0123/>NamespaceMultipleInjectionLabels</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0102/>NamespaceNotInjected</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0127/>NoMatchingWorkloadsFound</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0128/>NoServerCertificateVerificationDestinationLevel</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0129/>NoServerCertificateVerificationPortLevel</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0136/>AlphaAnnotation</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0103/>PodMissingProxy</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0131/>VirtualServiceIneffectiveMatch</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0101/>ReferencedResourceNotFound</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0106/>SchemaValidationError</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0134/>ServiceEntryAddressesRequired</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0108/>UnknownAnnotation</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0130/>VirtualServiceUnreachableRule</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0118/>PortNameIsNotUnderNamingConvention</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0132/>VirtualServiceHostNotFoundInGateway</a></li><li role=none><a role=treeitem href=/v1.9/docs/reference/config/analysis/ist0112/>VirtualServiceDestinationPortSelectorRequired</a></li></ul></li></ul></li><li role=treeitem aria-label=Commands><button aria-hidden=true></button><a title="Describes usage and options of the Istio commands and utilities." href=/v1.9/docs/reference/commands/>Commands</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Istio control interface." href=/v1.9/docs/reference/commands/istioctl/>istioctl</a></li><li role=none><a role=treeitem title="Istio Pilot." href=/v1.9/docs/reference/commands/pilot-discovery/>pilot-discovery</a></li><li role=none><a role=treeitem title="The Istio operator." href=/v1.9/docs/reference/commands/operator/>operator</a></li><li role=none><a role=treeitem title="Istio Pilot agent." href=/v1.9/docs/reference/commands/pilot-agent/>pilot-agent</a></li></ul></li><li role=none><a role=treeitem title="A glossary of common Istio terms." href=/v1.9/docs/reference/glossary/>Glossary</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon pull"><use xlink:href="/v1.9/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.9/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.9/docs/ title="Learn how to deploy, use, and operate Istio.">Docs</a></li><li><a href=/v1.9/docs/ops/ title="Concepts, tools, and techniques to deploy and manage an Istio mesh.">Operations</a></li><li><a href=/v1.9/docs/ops/deployment/ title="Requirements, concepts, and considerations for setting up an Istio deployment.">Deployment</a></li><li>Deployment Models</li></ol></nav><article aria-labelledby=title><div class=title-area><div style=width:100%><h1 id=title>Deployment Models</h1><p class=byline><span title="3160 words"><svg class="icon clock"><use xlink:href="/v1.9/img/icons.svg#clock"/></svg><span>&nbsp;</span>15 minute read</span>
<span>&nbsp;</span>
<span></span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Cluster models"><a href=#cluster-models>Cluster models</a><ol><li role=none aria-label="Single cluster"><a href=#single-cluster>Single cluster</a><li role=none aria-label="Multiple clusters"><a href=#multiple-clusters>Multiple clusters</a><li role=none aria-label="DNS with multiple clusters"><a href=#dns-with-multiple-clusters>DNS with multiple clusters</a></ol></li><li role=none aria-label="Network models"><a href=#network-models>Network models</a><ol><li role=none aria-label="Single network"><a href=#single-network>Single network</a><li role=none aria-label="Multiple networks"><a href=#multiple-networks>Multiple networks</a></ol></li><li role=none aria-label="Control plane models"><a href=#control-plane-models>Control plane models</a><ol><li role=none aria-label="Endpoint discovery with multiple control planes"><a href=#endpoint-discovery-with-multiple-control-planes>Endpoint discovery with multiple control planes</a></ol></li><li role=none aria-label="Identity and trust models"><a href=#identity-and-trust-models>Identity and trust models</a><ol><li role=none aria-label="Trust within a mesh"><a href=#trust-within-a-mesh>Trust within a mesh</a><li role=none aria-label="Trust between meshes"><a href=#trust-between-meshes>Trust between meshes</a></ol></li><li role=none aria-label="Mesh models"><a href=#mesh-models>Mesh models</a><ol><li role=none aria-label="Single mesh"><a href=#single-mesh>Single mesh</a><li role=none aria-label="Multiple meshes"><a href=#multiple-meshes>Multiple meshes</a></ol></li><li role=none aria-label="Tenancy models"><a href=#tenancy-models>Tenancy models</a><ol><li role=none aria-label="Namespace tenancy"><a href=#namespace-tenancy>Namespace tenancy</a><li role=none aria-label="Cluster tenancy"><a href=#cluster-tenancy>Cluster tenancy</a><li role=none aria-label="Mesh Tenancy"><a href=#mesh-tenancy>Mesh Tenancy</a></ol></li><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>When configuring a production deployment of Istio, you need to answer a number of questions.
Will the mesh be confined to a single <span class=term data-title=Cluster data-body="<p>A cluster is set of compute nodes that run containerized applications.
Typically, the compute nodes comprising a cluster can reach each other directly.
Clusters limit external access through rules or policies.</p>">cluster</span> or distributed across
multiple clusters? Will all the services be located in a single fully connected network, or will
gateways be required to connect services across multiple networks? Is there a single
<span class=term data-title="Control Plane" data-body="<p>A control plane is a set of system services that configure the mesh or a subset of
the mesh to manage the communication between the workload instances within.</p>">control plane</span>, potentially shared across clusters,
or are there multiple control planes deployed to ensure high availability (HA)?
Are all clusters going to be connected into a single <span class=term data-title=Multicluster data-body='<p>Multicluster is a deployment model that consists of a
<a href="/docs/reference/glossary/#service-mesh">mesh</a> with multiple
<a href="/docs/reference/glossary/#cluster">clusters</a>.</p>'>multicluster</span>
service mesh or will they be federated into a <span class=term data-title=Multi-Mesh data-body='<p>Multi-mesh is a deployment model that consists of two or more <a href="/docs/reference/glossary/#service-mesh">service meshes</a>.
Each mesh has independent administration for naming and identities but you can
expose services between meshes through <a href="/docs/reference/glossary/#mesh-federation">mesh federation</a>.
The resulting deployment is a multi-mesh deployment.</p>'>multi-mesh</span> deployment?</p><p>All of these questions, among others, represent independent dimensions of configuration for an Istio deployment.</p><ol><li>single or multiple cluster</li><li>single or multiple network</li><li>single or multiple control plane</li><li>single or multiple mesh</li></ol><p>In a production environment involving multiple clusters, you can use a mix
of deployment models. For example, having more than one control plane is recommended for HA,
but you could achieve this for a 3 cluster deployment by deploying 2 clusters with
a single shared control plane and then adding the third cluster with a second
control plane in a different network. All three clusters could then be configured
to share both control planes so that all the clusters have 2 sources of control
to ensure HA.</p><p>Choosing the right deployment model depends on the isolation, performance,
and HA requirements for your use case. This guide describes the various options and
considerations when configuring your Istio deployment.</p><h2 id=cluster-models>Cluster models</h2><p>The workload instances of your application run in one or more
<span class=term data-title=Cluster data-body="<p>A cluster is set of compute nodes that run containerized applications.
Typically, the compute nodes comprising a cluster can reach each other directly.
Clusters limit external access through rules or policies.</p>">clusters</span>. For isolation, performance, and
high availability, you can confine clusters to availability zones and regions.</p><p>Production systems, depending on their requirements, can run across multiple
clusters spanning a number of zones or regions, leveraging cloud load balancers
to handle things like locality and zonal or regional fail over.</p><p>In most cases, clusters represent boundaries for configuration and endpoint
discovery. For example, each Kubernetes cluster has an API Server which manages
the configuration for the cluster as well as serving
<span class=term data-title="Service Endpoint" data-body='<p>The network-reachable manifestation of a <a href="/docs/reference/glossary/#service">service</a>.
<a href="/docs/reference/glossary/#workload-instance">Workload instances</a> expose service endpoints but not all
services have service endpoints.</p>'>service endpoint</span> information as pods are brought up
or down. Since Kubernetes configures this behavior on a per-cluster basis, this
approach helps limit the potential problems caused by incorrect configurations.</p><p>In Istio, you can configure a single service mesh to span any number of
clusters.</p><h3 id=single-cluster>Single cluster</h3><p>In the simplest case, you can confine an Istio mesh to a single
<span class=term data-title=Cluster data-body="<p>A cluster is set of compute nodes that run containerized applications.
Typically, the compute nodes comprising a cluster can reach each other directly.
Clusters limit external access through rules or policies.</p>">cluster</span>. A cluster usually operates over a
<a href=#single-network>single network</a>, but it varies between infrastructure
providers. A single cluster and single network model includes a control plane,
which results in the simplest Istio deployment.</p><figure style=width:50%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:91.74921915843377%><a data-skipendnotes=true href=/v1.9/docs/ops/deployment/deployment-models/single-cluster.svg title="Single cluster"><img class=element-to-stretch src=/v1.9/docs/ops/deployment/deployment-models/single-cluster.svg alt="A service mesh with a single cluster"></a></div><figcaption>A service mesh with a single cluster</figcaption></figure><p>Single cluster deployments offer simplicity, but lack other features, for
example, fault isolation and fail over. If you need higher availability, you
should use multiple clusters.</p><h3 id=multiple-clusters>Multiple clusters</h3><p>You can configure a single mesh to include
multiple <span class=term data-title=Cluster data-body="<p>A cluster is set of compute nodes that run containerized applications.
Typically, the compute nodes comprising a cluster can reach each other directly.
Clusters limit external access through rules or policies.</p>">clusters</span>. Using a
<span class=term data-title=Multicluster data-body='<p>Multicluster is a deployment model that consists of a
<a href="/docs/reference/glossary/#service-mesh">mesh</a> with multiple
<a href="/docs/reference/glossary/#cluster">clusters</a>.</p>'>multicluster</span> deployment within a single mesh affords
the following capabilities beyond that of a single cluster deployment:</p><ul><li>Fault isolation and fail over: <code>cluster-1</code> goes down, fail over to <code>cluster-2</code>.</li><li>Location-aware routing and fail over: Send requests to the nearest service.</li><li>Various <a href=#control-plane-models>control plane models</a>: Support different
levels of availability.</li><li>Team or project isolation: Each team runs its own set of clusters.</li></ul><figure style=width:75%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:65.0971323771268%><a data-skipendnotes=true href=/v1.9/docs/ops/deployment/deployment-models/multi-cluster.svg title=Multicluster><img class=element-to-stretch src=/v1.9/docs/ops/deployment/deployment-models/multi-cluster.svg alt="A service mesh with multiple clusters"></a></div><figcaption>A service mesh with multiple clusters</figcaption></figure><p>Multicluster deployments give you a greater degree of isolation and
availability but increase complexity. If your systems have high availability
requirements, you likely need clusters across multiple zones and regions. You
can canary configuration changes or new binary releases in a single cluster,
where the configuration changes only affect a small amount of user traffic.
Additionally, if a cluster has a problem, you can temporarily route traffic to
nearby clusters until you address the issue.</p><p>You can configure inter-cluster communication based on the
<a href=#network-models>network</a> and the options supported by your cloud provider. For
example, if two clusters reside on the same underlying network, you can enable
cross-cluster communication by simply configuring firewall rules.</p><h3 id=dns-with-multiple-clusters>DNS with multiple clusters</h3><p>When a client application makes a request to some host, it must first perform a
DNS lookup for the hostname to obtain an IP address before it can proceed with
the request.
In Kubernetes, the DNS server residing within the cluster typically handles
this DNS lookup, based on the configured <code>Service</code> definitions.</p><p>Istio uses the virtual IP returned by the DNS lookup to load balance
across the list of active endpoints for the requested service, taking into account any
Istio configured routing rules.
Istio uses either Kubernetes <code>Service</code>/<code>Endpoint</code> or Istio <code>ServiceEntry</code> to
configure its internal mapping of hostname to workload IP addresses.</p><p>This two-tiered naming system becomes more complicated when you have multiple
clusters. Istio is inherently multicluster-aware, but Kubernetes is not
(today). Because of this, the client cluster must have a DNS entry for the
service in order for the DNS lookup to succeed, and a request to be
successfully sent. This is true even if there are no instances of that
service&rsquo;s pods running in the client cluster.</p><p>To ensure that DNS lookup succeeds, you must deploy a Kubernetes <code>Service</code> to
each cluster that consumes that service. This ensures that regardless of
where the request originates, it will pass DNS lookup and be handed to Istio
for proper routing.
This can also be achieved with Istio <code>ServiceEntry</code>, rather than Kubernetes
<code>Service</code>. However, a <code>ServiceEntry</code> does not configure the Kubernetes DNS server.
This means that DNS will need to be configured either manually or
with automated tooling such as the
<a href=https://github.com/istio-ecosystem/istio-coredns-plugin>Istio CoreDNS Plugin</a>.</p><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.9/img/icons.svg#callout-tip"/></svg></div><div class=content><p>There are a few efforts in progress that will help simplify the DNS story:</p><ul><li><p><a href=/v1.9/blog/2020/dns-proxy/>DNS sidecar proxy</a>
support is available for preview in Istio 1.8. This provides DNS interception
for all workloads with a sidecar, allowing Istio to perform DNS lookup
on behalf of the application.</p></li><li><p><a href=https://github.com/istio-ecosystem/admiral>Admiral</a> is an Istio community
project that provides a number of multicluster capabilities. If you need to support multi-network
topologies, managing this configuration across multiple clusters at scale is challenging.
Admiral takes an opinionated view on this configuration and provides automatic provisioning and
synchronization across clusters.</p></li><li><p><a href=https://github.com/kubernetes/enhancements/tree/master/keps/sig-multicluster/1645-multi-cluster-services-api>Kubernetes Multi-Cluster Services</a>
is a Kubernetes Enhancement Proposal (KEP) that defines an API for exporting
services to multiple clusters. This effectively pushes the responsibility of
service visibility and DNS resolution for the entire <code>clusterset</code> onto
Kubernetes. There is also work in progress to build layers of <code>MCS</code> support
into Istio, which would allow Istio to work with any cloud vendor <code>MCS</code>
controller or even act as the <code>MCS</code> controller for the entire mesh.</p></li></ul></div></aside></div><h2 id=network-models>Network models</h2><p>Istio uses a simplified definition of <span class=term data-title=Network data-body='<p>Istio uses a simplified definition of network based on general connectivity.
<a href="/docs/reference/glossary/#workload-instance">Workload instances</a> are on the same
network if they are able to communicate directly, without a gateway.</p>'>network</span> to
refer to <span class=term data-title="Workload Instance" data-body='<p>A single instantiation of a <a href="/docs/reference/glossary/#workload">workload&amp;rsquo;s</a> binary.
A workload instance can expose zero or more <a href="/docs/reference/glossary/#service-endpoint">service endpoints</a>,
and can consume zero or more <a href="/docs/reference/glossary/#service">services</a>.</p>
<p>Workload instances have a number of properties:</p>
<ul>
<li>Name and namespace</li>
<li>Unique ID</li>
<li>IP Address</li>
<li>Labels</li>
<li>Principal</li>
</ul>
<p>These properties are available in policy and telemetry configuration
using the many <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/attribute-vocabulary/"><code>source.*</code> and <code>destination.*</code> attributes</a>.</p>'>workload instance</span>s that have direct
reachability. For example, by default all workload instances in a single
cluster are on the same network.</p><p>Many production systems require multiple networks or subnets for isolation
and high availability. Istio supports spanning a service mesh over a variety of
network topologies. This approach allows you to select the network model that
fits your existing network topology.</p><h3 id=single-network>Single network</h3><p>In the simplest case, a service mesh operates over a single fully connected
network. In a single network model, all
<span class=term data-title="Workload Instance" data-body='<p>A single instantiation of a <a href="/docs/reference/glossary/#workload">workload&amp;rsquo;s</a> binary.
A workload instance can expose zero or more <a href="/docs/reference/glossary/#service-endpoint">service endpoints</a>,
and can consume zero or more <a href="/docs/reference/glossary/#service">services</a>.</p>
<p>Workload instances have a number of properties:</p>
<ul>
<li>Name and namespace</li>
<li>Unique ID</li>
<li>IP Address</li>
<li>Labels</li>
<li>Principal</li>
</ul>
<p>These properties are available in policy and telemetry configuration
using the many <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/attribute-vocabulary/"><code>source.*</code> and <code>destination.*</code> attributes</a>.</p>'>workload instances</span>
can reach each other directly without an Istio gateway.</p><p>A single network allows Istio to configure service consumers in a uniform
way across the mesh with the ability to directly address workload instances.</p><figure style=width:50%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:75.78194040013328%><a data-skipendnotes=true href=/v1.9/docs/ops/deployment/deployment-models/single-net.svg title="Single network"><img class=element-to-stretch src=/v1.9/docs/ops/deployment/deployment-models/single-net.svg alt="A service mesh with a single network"></a></div><figcaption>A service mesh with a single network</figcaption></figure><h3 id=multiple-networks>Multiple networks</h3><p>You can span a single service mesh across multiple networks; such a
configuration is known as <strong>multi-network</strong>.</p><p>Multiple networks afford the following capabilities beyond that of single networks:</p><ul><li>Overlapping IP or VIP ranges for <strong>service endpoints</strong></li><li>Crossing of administrative boundaries</li><li>Fault tolerance</li><li>Scaling of network addresses</li><li>Compliance with standards that require network segmentation</li></ul><p>In this model, the workload instances in different networks can only reach each
other through one or more <a href=/v1.9/docs/concepts/traffic-management/#gateways>Istio gateways</a>.
Istio uses <strong>partitioned service discovery</strong> to provide consumers a different
view of <span class=term data-title="Service Endpoint" data-body='<p>The network-reachable manifestation of a <a href="/docs/reference/glossary/#service">service</a>.
<a href="/docs/reference/glossary/#workload-instance">Workload instances</a> expose service endpoints but not all
services have service endpoints.</p>'>service endpoint</span>s. The view depends on the
network of the consumers.</p><figure style=width:50%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:75.57262768530374%><a data-skipendnotes=true href=/v1.9/docs/ops/deployment/deployment-models/multi-net.svg title="Multi-network deployment"><img class=element-to-stretch src=/v1.9/docs/ops/deployment/deployment-models/multi-net.svg alt="A service mesh with multiple networks"></a></div><figcaption>A service mesh with multiple networks</figcaption></figure><p>This solution requires exposing all services (or a subset) through the gateway.
Cloud vendors may provide options that will not require exposing services on
the public internet. Such an option, if it exists and meets your requirements,
will likely be the best choice.</p><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.9/img/icons.svg#callout-tip"/></svg></div><div class=content>In order to ensure secure communications in a multi-network scenario, Istio
only supports cross-network communication to workloads with an Istio proxy.
This is due to the fact that Istio exposes services at the Ingress Gateway with TLS
pass-through, which enables mTLS directly to the workload. A workload without
an Istio proxy, however, will likely not be able to participate in mutual
authentication with other workloads. For this reason, Istio filters
out-of-network endpoints for proxyless services.</div></aside></div><h2 id=control-plane-models>Control plane models</h2><p>An Istio mesh uses the <span class=term data-title="Control Plane" data-body="<p>A control plane is a set of system services that configure the mesh or a subset of
the mesh to manage the communication between the workload instances within.</p>">control plane</span> to configure all
communication between workload instances within the mesh. Workload instances
connect to a control plane instance to get their configuration.</p><p>In the simplest case, you can run your mesh with a control plane on a single
cluster.</p><figure style=width:50%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:91.74921915843377%><a data-skipendnotes=true href=/v1.9/docs/ops/deployment/deployment-models/single-cluster.svg title="Single control plane"><img class=element-to-stretch src=/v1.9/docs/ops/deployment/deployment-models/single-cluster.svg alt="A single cluster with a control plane"></a></div><figcaption>A single cluster with a control plane</figcaption></figure><p>A cluster like this one, with its own local control plane, is referred to as
a <span class=term data-title="Primary Cluster" data-body='<p>A primary cluster is a <a href="/docs/reference/glossary/#cluster">cluster</a> with a
<a href="/docs/reference/glossary/#control-plane">control plane</a>. A single
<a href="/docs/reference/glossary/#service-mesh">mesh</a> can have more than
one primary cluster for HA or to reduce latency. Primary clusters can act as the
control plane for <a href="/docs/reference/glossary/#remote-cluster">remote clusters</a>.</p>'>primary cluster</span>.</p><p>Multicluster deployments can also share control plane instances. In this case,
the control plane instances can reside in one or more primary clusters.
Clusters without their own control plane are referred to as
<span class=term data-title="Remote Cluster" data-body='<p>A remote cluster is a <a href="/docs/reference/glossary/#cluster">cluster</a> that
connects to a <a href="/docs/reference/glossary/#control-plane">control plane</a>
residing outside of the cluster. A remote cluster can connect to a control plane
running in a <a href="/docs/reference/glossary/#primary-cluster">primary cluster</a>
or to an <a href="/docs/reference/glossary/#external-control-plane">external control plane</a>.</p>'>remote clusters</span>.</p><figure style=width:75%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:52.89403650064289%><a data-skipendnotes=true href=/v1.9/docs/ops/deployment/deployment-models/shared-control.svg title="Shared control plane"><img class=element-to-stretch src=/v1.9/docs/ops/deployment/deployment-models/shared-control.svg alt="A service mesh with a primary and a remote cluster"></a></div><figcaption>A service mesh with a primary and a remote cluster</figcaption></figure><p>To support remote clusters in a multicluster mesh, the control plane in
a primary cluster must be accessible via a stable IP (e.g., a cluster IP).
For clusters spanning networks,
this can be achieved by exposing the control plane through an Istio gateway.
Cloud vendors may provide options, such as internal load balancers, for
providing this capability without exposing the control plane on the
public internet. Such an option, if it exists and meets your requirements,
will likely be the best choice.</p><p>In multicluster deployments with more than one primary cluster, each primary
cluster receives its configuration (i.e., <code>Service</code> and <code>ServiceEntry</code>,
<code>DestinationRule</code>, etc.) from the Kubernetes API Server residing in the same
cluster. Each primary cluster, therefore, has an independent source of
configuration.
This duplication of configuration across primary clusters does require
additional steps when rolling out changes. Large production
systems may automate this process with tooling, such as CI/CD systems, in
order to manage configuration rollout.</p><p>Instead of running control planes in primary clusters inside the mesh, a
service mesh composed entirely of remote clusters can be controlled by an
<span class=term data-title="External Control Plane" data-body='<p>An external control plane is a <a href="/docs/reference/glossary/#control-plane">control plane</a>
that externally manages mesh workloads running in their own <a href="/docs/reference/glossary/#cluster">clusters</a>
or other infrastructure. The control plane may, itself, be deployed in a cluster, although not
in one of the clusters that is part of the mesh it&amp;rsquo;s controlling.
Its purpose is to cleanly separate the control plane from the data plane of a mesh.</p>'>external control plane</span>. This provides isolated
management and complete separation of the control plane deployment from the
data plane services that comprise the mesh.</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:41.21621621621622%><a data-skipendnotes=true href=/v1.9/docs/ops/deployment/deployment-models/single-cluster-external-control-plane.svg title="External control plane"><img class=element-to-stretch src=/v1.9/docs/ops/deployment/deployment-models/single-cluster-external-control-plane.svg alt="A single cluster with an external control plane"></a></div><figcaption>A single cluster with an external control plane</figcaption></figure><p>A cloud vendor&rsquo;s <span class=term data-title="Managed Control Plane" data-body='<p>A managed control plane is an <a href="/docs/reference/glossary/#external-control-plane">external control plane</a>
that cloud providers manage for their customers.
Managed control planes reduce the complexity of user deployments
and typically guarantee some level of performance and availability.</p>'>managed control plane</span> is a
typical example of an external control plane.</p><p>For high availability, you should deploy multiple control planes across
clusters, zones, or regions.</p><figure style=width:75%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:92.28423056604902%><a data-skipendnotes=true href=/v1.9/docs/ops/deployment/deployment-models/multi-control.svg title="Multiple control planes"><img class=element-to-stretch src=/v1.9/docs/ops/deployment/deployment-models/multi-control.svg alt="A service mesh with control plane instances for each region"></a></div><figcaption>A service mesh with control plane instances for each region</figcaption></figure><p>This model affords the following benefits:</p><ul><li><p>Improved availability: If a control plane becomes unavailable, the scope of
the outage is limited to only workloads in clusters managed by that control plane.</p></li><li><p>Configuration isolation: You can make configuration changes in one cluster,
zone, or region without impacting others.</p></li><li><p>Controlled rollout: You have more fine-grained control over configuration
rollout (e.g., one cluster at a time). You can also canary configuration changes in a sub-section of the mesh
controlled by a given primary cluster.</p></li><li><p>Selective service visibility: You can restrict service visibility to part
of the mesh, helping to establish service-level isolation. For example, an
administrator may choose to deploy the <code>HelloWorld</code> service to Cluster A,
but not Cluster B. Any attempt to call <code>HelloWorld</code> from Cluster B will
fail the DNS lookup.</p></li></ul><p>The following list ranks control plane deployment examples by availability:</p><ul><li>One cluster per region (<strong>lowest availability</strong>)</li><li>Multiple clusters per region</li><li>One cluster per zone</li><li>Multiple clusters per zone</li><li>Each cluster (<strong>highest availability</strong>)</li></ul><h3 id=endpoint-discovery-with-multiple-control-planes>Endpoint discovery with multiple control planes</h3><p>An Istio control plane manages traffic within the mesh by providing each proxy
with the list of service endpoints. In order to make this work in a
multicluster scenario, each control plane must observe endpoints from the API
Server in every cluster.</p><p>To enable endpoint discovery for a cluster, an administrator generates a
<code>remote secret</code> and deploys it to each primary cluster in the mesh. The
<code>remote secret</code> contains credentials, granting access to the API server in the
cluster.
The control planes will then connect and discover the service endpoints for
the cluster, enabling cross-cluster load balancing for these services.</p><figure style=width:75%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:75%><a data-skipendnotes=true href=/v1.9/docs/ops/deployment/deployment-models/endpoint-discovery.svg title="Primary clusters with endpoint discovery"><img class=element-to-stretch src=/v1.9/docs/ops/deployment/deployment-models/endpoint-discovery.svg alt="Primary clusters with endpoint discovery"></a></div><figcaption>Primary clusters with endpoint discovery</figcaption></figure><p>By default, Istio will load balance requests evenly between endpoints in
each cluster. In large systems that span geographic regions, it may be
desirable to use <a href=/v1.9/docs/tasks/traffic-management/locality-load-balancing>locality load balancing</a>
to prefer that traffic stay in the same zone or region.</p><p>In some advanced scenarios, load balancing across clusters may not be desired.
For example, in a blue/green deployment, you may deploy different versions of
the system to different clusters. In this case, each cluster is effectively
operating as an independent mesh. This behavior can be achieved in a couple of
ways:</p><ul><li><p>Do not exchange remote secrets between the clusters. This offers the
strongest isolation between the clusters.</p></li><li><p>Use <code>VirtualService</code> and <code>DestinationRule</code> to disallow routing between two
versions of the services.</p></li></ul><p>In either case, cross-cluster load balancing is prevented. External traffic
can be routed to one cluster or the other using an external load balancer.</p><figure style=width:75%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:75%><a data-skipendnotes=true href=/v1.9/docs/ops/deployment/deployment-models/blue-green.svg title="Blue-green deployment without cross-cluster load balancing"><img class=element-to-stretch src=/v1.9/docs/ops/deployment/deployment-models/blue-green.svg alt="Blue-green deployment without cross-cluster load balancing"></a></div><figcaption>Blue-green deployment without cross-cluster load balancing</figcaption></figure><h2 id=identity-and-trust-models>Identity and trust models</h2><p>When a workload instance is created within a service mesh, Istio assigns the
workload an <span class=term data-title=Identity data-body="<p>Identity is a fundamental security infrastructure concept. The Istio identity
model is based on a first-class workload identity. At the beginning of
service-to-service communication, the two parties exchange credentials with
their identity information for mutual authentication purposes.</p>
<p>Clients check the servers identity against their secure naming information to
determine if the server is authorized to run the service.</p>
<p>Servers check the client&amp;rsquo;s identity to determine what information the client can
access. Servers base that determination on the configured authorization
policies.</p>
<p>Using identity, servers can audit the time information was accessed and what
information was accessed by a specific client. They can also charge clients
based on the services they use and reject any clients that failed to pay their
bill from accessing the services.</p>
<p>The Istio identity model is flexible and granular enough to represent a human
user, an individual service, or a group of services. On platforms without
first-class service identity, Istio can use other identities that can group
service instances, such as service names.</p>
<p>Istio supports the following service identities on different platforms:</p>
<ul>
<li><p>Kubernetes: Kubernetes service account</p></li>
<li><p>GKE/GCE: GCP service account</p></li>
<li><p>GCP: GCP service account</p></li>
<li><p>AWS: AWS IAM user/role account</p></li>
<li><p>On-premises (non-Kubernetes): user account, custom service account, service
name, Istio service account, or GCP service account. The custom service
account refers to the existing service account just like the identities that
the customers Identity Directory manages.</p></li>
</ul>">identity</span>.</p><p>The Certificate Authority (CA) creates and signs the certificates used to verify
the identities used within the mesh. You can verify the identity of the message sender
with the public key of the CA that created and signed the certificate
for that identity. A <strong>trust bundle</strong> is the set of all CA public keys used by
an Istio mesh. With a mesh&rsquo;s trust bundle, anyone can verify the sender of any
message coming from that mesh.</p><h3 id=trust-within-a-mesh>Trust within a mesh</h3><p>Within a single Istio mesh, Istio ensures each workload instance has an
appropriate certificate representing its own identity, and the trust bundle
necessary to recognize all identities within the mesh and any federated meshes.
The CA creates and signs the certificates for those identities. This model
allows workload instances in the mesh to authenticate each other when
communicating.</p><figure style=width:50%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:91.74921915843377%><a data-skipendnotes=true href=/v1.9/docs/ops/deployment/deployment-models/single-trust.svg title="Trust within a mesh"><img class=element-to-stretch src=/v1.9/docs/ops/deployment/deployment-models/single-trust.svg alt="A service mesh with a common certificate authority"></a></div><figcaption>A service mesh with a common certificate authority</figcaption></figure><h3 id=trust-between-meshes>Trust between meshes</h3><p>To enable communication between two meshes with different CAs, you must
exchange the trust bundles of the meshes. Istio does not provide any tooling
to exchange trust bundles across meshes. You can exchange the trust bundles
either manually or automatically using a protocol such as <a href=https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Federation.md>SPIFFE Trust Domain Federation</a>.
Once you import a trust bundle to a mesh, you can configure local policies for
those identities.</p><figure style=width:50%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:52.79593627076436%><a data-skipendnotes=true href=/v1.9/docs/ops/deployment/deployment-models/multi-trust.svg title="Trust between meshes"><img class=element-to-stretch src=/v1.9/docs/ops/deployment/deployment-models/multi-trust.svg alt="Multiple service meshes with different certificate authorities"></a></div><figcaption>Multiple service meshes with different certificate authorities</figcaption></figure><h2 id=mesh-models>Mesh models</h2><p>Istio supports having all of your services in a
<span class=term data-title="Service Mesh" data-body='<p>A <em>service mesh</em> or simply <em>mesh</em> is an infrastructure layer that enables
managed, observable and secure communication between
<a href="/docs/reference/glossary/#workload-instance">workload instances</a>.</p>
<p>Service names combined with a namespace are unique within a mesh.
In a <a href="/docs/reference/glossary/#multicluster">multicluster</a> mesh, for example,
the <code>bar</code> service in the <code>foo</code> namespace in <code>cluster-1</code> is considered the same
service as the <code>bar</code> service in the <code>foo</code> namespace in <code>cluster-2</code>.</p>
<p>Since <a href="/docs/reference/glossary/#identity">identities</a> are shared within the service
mesh, <a href="/docs/reference/glossary/#workload-instance">workload instances</a> can authenticate communication with any other <a href="/docs/reference/glossary/#workload-instance">workload
instance</a> within the same service mesh.</p>'>mesh</span>, or federating multiple meshes
together, which is also known as <span class=term data-title=Multi-Mesh data-body='<p>Multi-mesh is a deployment model that consists of two or more <a href="/docs/reference/glossary/#service-mesh">service meshes</a>.
Each mesh has independent administration for naming and identities but you can
expose services between meshes through <a href="/docs/reference/glossary/#mesh-federation">mesh federation</a>.
The resulting deployment is a multi-mesh deployment.</p>'>multi-mesh</span>.</p><h3 id=single-mesh>Single mesh</h3><p>The simplest Istio deployment is a single mesh. Within a mesh, service names are
unique. For example, only one service can have the name <code>mysvc</code> in the <code>foo</code>
namespace. Additionally, workload instances share a common identity since
service account names are unique within a namespace, just like service names.</p><p>A single mesh can span <a href=#cluster-models>one or more clusters</a> and
<a href=#network-models>one or more networks</a>. Within a mesh,
<a href=#namespace-tenancy>namespaces</a> are used for <a href=#tenancy-models>tenancy</a>.</p><h3 id=multiple-meshes>Multiple meshes</h3><p>Multiple mesh deployments result from <span class=term data-title="Mesh Federation" data-body='<p>Mesh federation is the act of exposing services between meshes and enabling
communication across mesh boundaries. Each mesh may expose a subset of its
services to enable one or more other meshes to consume the exposed services. You
can use mesh federation to enable communication between meshes in a
<a href="/docs/ops/deployment/deployment-models/#multiple-meshes">multi-mesh deployment</a>.</p>'>mesh federation</span>.</p><p>Multiple meshes afford the following capabilities beyond that of a single mesh:</p><ul><li>Organizational boundaries: lines of business</li><li>Service name or namespace reuse: multiple distinct uses of the <code>default</code>
namespace</li><li>Stronger isolation: isolating test workloads from production workloads</li></ul><p>You can enable inter-mesh communication with <span class=term data-title="Mesh Federation" data-body='<p>Mesh federation is the act of exposing services between meshes and enabling
communication across mesh boundaries. Each mesh may expose a subset of its
services to enable one or more other meshes to consume the exposed services. You
can use mesh federation to enable communication between meshes in a
<a href="/docs/ops/deployment/deployment-models/#multiple-meshes">multi-mesh deployment</a>.</p>'>mesh federation</span>. When federating, each mesh can expose a set of services and
identities, which all participating meshes can recognize.</p><figure style=width:50%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:68.06079261254328%><a data-skipendnotes=true href=/v1.9/docs/ops/deployment/deployment-models/multi-mesh.svg title=Multi-mesh><img class=element-to-stretch src=/v1.9/docs/ops/deployment/deployment-models/multi-mesh.svg alt="Multiple service meshes"></a></div><figcaption>Multiple service meshes</figcaption></figure><p>To avoid service naming collisions, you can give each mesh a globally unique
<strong>mesh ID</strong>, to ensure that the fully qualified domain
name (FQDN) for each service is distinct.</p><p>When federating two meshes that do not share the same
<span class=term data-title="Trust Domain" data-body='<p><a href="https://spiffe.io/spiffe/concepts/#trust-domain">Trust domain</a> corresponds to the trust root of a system and is part of a workload identity.</p>
<p>Istio uses a trust domain to create all <a href="/docs/reference/glossary/#identity">identities</a> within a mesh.
For example in <code>spiffe://mytrustdomain.com/ns/default/sa/myname</code> the substring <code>mytrustdomain.com</code> specifies that the workload is from a trust domain called <code>mytrustdomain.com</code>.</p>
<p>You can have one or more trust domains in a multicluster mesh, as long as the clusters share the same root of trust.</p>'>trust domain</span>, you must federate
<span class=term data-title=Identity data-body="<p>Identity is a fundamental security infrastructure concept. The Istio identity
model is based on a first-class workload identity. At the beginning of
service-to-service communication, the two parties exchange credentials with
their identity information for mutual authentication purposes.</p>
<p>Clients check the servers identity against their secure naming information to
determine if the server is authorized to run the service.</p>
<p>Servers check the client&amp;rsquo;s identity to determine what information the client can
access. Servers base that determination on the configured authorization
policies.</p>
<p>Using identity, servers can audit the time information was accessed and what
information was accessed by a specific client. They can also charge clients
based on the services they use and reject any clients that failed to pay their
bill from accessing the services.</p>
<p>The Istio identity model is flexible and granular enough to represent a human
user, an individual service, or a group of services. On platforms without
first-class service identity, Istio can use other identities that can group
service instances, such as service names.</p>
<p>Istio supports the following service identities on different platforms:</p>
<ul>
<li><p>Kubernetes: Kubernetes service account</p></li>
<li><p>GKE/GCE: GCP service account</p></li>
<li><p>GCP: GCP service account</p></li>
<li><p>AWS: AWS IAM user/role account</p></li>
<li><p>On-premises (non-Kubernetes): user account, custom service account, service
name, Istio service account, or GCP service account. The custom service
account refers to the existing service account just like the identities that
the customers Identity Directory manages.</p></li>
</ul>">identity</span> and <strong>trust bundles</strong> between them. See the
section on <a href=#trust-between-meshes>Trust between meshes</a> for more details.</p><h2 id=tenancy-models>Tenancy models</h2><p>In Istio, a <strong>tenant</strong> is a group of users that share
common access and privileges for a set of deployed workloads.
Tenants can be used to provide a level of isolation between different teams.</p><p>You can configure tenancy models to satisfy the following organizational
requirements for isolation:</p><ul><li>Security</li><li>Policy</li><li>Capacity</li><li>Cost</li><li>Performance</li></ul><p>Istio supports three types of tenancy models:</p><ul><li><a href=#namespace-tenancy>Namespace tenancy</a></li><li><a href=#cluster-tenancy>Cluster tenancy</a></li><li><a href=#mesh-tenancy>Mesh tenancy</a></li></ul><h3 id=namespace-tenancy>Namespace tenancy</h3><p>A cluster can be shared across multiple teams, each using a different namespace.
You can grant a team permission to deploy its workloads only to a given namespace
or set of namespaces.</p><p>By default, services from multiple namespaces can communicate with each other,
but you can increase isolation by selectively choosing which services to expose to other
namespaces. You can configure authorization policies for exposed services to restrict
access to only the appropriate callers.</p><figure style=width:50%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:75.78194040013328%><a data-skipendnotes=true href=/v1.9/docs/ops/deployment/deployment-models/exp-ns.svg title="Namespaces with an exposed service"><img class=element-to-stretch src=/v1.9/docs/ops/deployment/deployment-models/exp-ns.svg alt="A service mesh with two namespaces and an exposed service"></a></div><figcaption>A service mesh with two namespaces and an exposed service</figcaption></figure><p>Namespace tenancy can extend beyond a single cluster.
When using <a href=#multiple-clusters>multiple clusters</a>, the namespaces in each
cluster sharing the same name are considered the same namespace by default.
For example, <code>Service B</code> in the <code>Team-1</code> namespace of cluster <code>West</code> and <code>Service B</code> in the
<code>Team-1</code> namespace of cluster <code>East</code> refer to the same service, and Istio merges their
endpoints for service discovery and load balancing.</p><figure style=width:50%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:75.78194040013328%><a data-skipendnotes=true href=/v1.9/docs/ops/deployment/deployment-models/cluster-ns.svg title="Multicluster namespaces"><img class=element-to-stretch src=/v1.9/docs/ops/deployment/deployment-models/cluster-ns.svg alt="A service mesh with two clusters with the same namespace"></a></div><figcaption>A service mesh with clusters with the same namespace</figcaption></figure><h3 id=cluster-tenancy>Cluster tenancy</h3><p>Istio supports using clusters as a unit of tenancy. In this case, you can give
each team a dedicated cluster or set of clusters to deploy their
workloads. Permissions for a cluster are usually limited to the members of the
team that owns it. You can set various roles for finer grained control, for
example:</p><ul><li>Cluster administrator</li><li>Developer</li></ul><p>To use cluster tenancy with Istio, you configure each team&rsquo;s cluster with its
own <span class=term data-title="Control Plane" data-body="<p>A control plane is a set of system services that configure the mesh or a subset of
the mesh to manage the communication between the workload instances within.</p>">control plane</span>, allowing each team to manage its own configuration.
Alternatively, you can use Istio to implement a group of clusters as a single tenant
using <span class=term data-title="Remote Cluster" data-body='<p>A remote cluster is a <a href="/docs/reference/glossary/#cluster">cluster</a> that
connects to a <a href="/docs/reference/glossary/#control-plane">control plane</a>
residing outside of the cluster. A remote cluster can connect to a control plane
running in a <a href="/docs/reference/glossary/#primary-cluster">primary cluster</a>
or to an <a href="/docs/reference/glossary/#external-control-plane">external control plane</a>.</p>'>remote clusters</span> or multiple
synchronized <span class=term data-title="Primary Cluster" data-body='<p>A primary cluster is a <a href="/docs/reference/glossary/#cluster">cluster</a> with a
<a href="/docs/reference/glossary/#control-plane">control plane</a>. A single
<a href="/docs/reference/glossary/#service-mesh">mesh</a> can have more than
one primary cluster for HA or to reduce latency. Primary clusters can act as the
control plane for <a href="/docs/reference/glossary/#remote-cluster">remote clusters</a>.</p>'>primary clusters</span>.
Refer to <a href=#control-plane-models>control plane models</a> for details.</p><h3 id=mesh-tenancy>Mesh Tenancy</h3><p>In a multi-mesh deployment with <span class=term data-title="Mesh Federation" data-body='<p>Mesh federation is the act of exposing services between meshes and enabling
communication across mesh boundaries. Each mesh may expose a subset of its
services to enable one or more other meshes to consume the exposed services. You
can use mesh federation to enable communication between meshes in a
<a href="/docs/ops/deployment/deployment-models/#multiple-meshes">multi-mesh deployment</a>.</p>'>mesh federation</span>, each mesh
can be used as the unit of isolation.</p><figure style=width:50%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:76.17309435102204%><a data-skipendnotes=true href=/v1.9/docs/ops/deployment/deployment-models/cluster-iso.svg title="Cluster isolation"><img class=element-to-stretch src=/v1.9/docs/ops/deployment/deployment-models/cluster-iso.svg alt="Two isolated service meshes with two clusters and two namespaces"></a></div><figcaption>Two isolated service meshes with two clusters and two namespaces</figcaption></figure><p>Since a different team or organization operates each mesh, service naming
is rarely distinct. For example, a <code>Service C</code> in the <code>foo</code> namespace of
cluster <code>Team-1</code> and the <code>Service C</code> service in the <code>foo</code> namespace of cluster
<code>Team-2</code> will not refer to the same service. The most common example is the
scenario in Kubernetes where many teams deploy their workloads to the <code>default</code>
namespace.</p><p>When each team has its own mesh, cross-mesh communication follows the
concepts described in the <a href=#multiple-meshes>multiple meshes</a> model.</p><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/blog/2018/soft-multitenancy/>Istio Soft Multi-Tenancy Support</a></p><p class=desc>Using Kubernetes namespaces and RBAC to create an Istio soft multi-tenancy environment.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="Describes Istio's high-level architecture and design goals." href=/v1.9/docs/ops/deployment/architecture/><svg class="icon left-arrow"><use xlink:href="/v1.9/img/icons.svg#left-arrow"/></svg>Architecture</a></div><div class=right><a title="Describes Istio's high-level architecture for virtual machines." href=/v1.9/docs/ops/deployment/vm-architecture/>Virtual Machine Architecture<svg class="icon right-arrow"><use xlink:href="/v1.9/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=feedback><div id=feedback-initial>Was this information useful?<br><button class="btn feedback" onclick="sendFeedback('en',1)">Yes</button>
<button class="btn feedback" onclick="sendFeedback('en',0)">No</button></div><div id=feedback-comment>Do you have any suggestions for improvement?<br><br><input id=feedback-textbox type=text placeholder="Help us improve..." data-lang=en></div><div id=feedback-thankyou>Thanks for your feedback!</div></div><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label="Cluster models"><a href=#cluster-models>Cluster models</a><ol><li role=none aria-label="Single cluster"><a href=#single-cluster>Single cluster</a><li role=none aria-label="Multiple clusters"><a href=#multiple-clusters>Multiple clusters</a><li role=none aria-label="DNS with multiple clusters"><a href=#dns-with-multiple-clusters>DNS with multiple clusters</a></ol></li><li role=none aria-label="Network models"><a href=#network-models>Network models</a><ol><li role=none aria-label="Single network"><a href=#single-network>Single network</a><li role=none aria-label="Multiple networks"><a href=#multiple-networks>Multiple networks</a></ol></li><li role=none aria-label="Control plane models"><a href=#control-plane-models>Control plane models</a><ol><li role=none aria-label="Endpoint discovery with multiple control planes"><a href=#endpoint-discovery-with-multiple-control-planes>Endpoint discovery with multiple control planes</a></ol></li><li role=none aria-label="Identity and trust models"><a href=#identity-and-trust-models>Identity and trust models</a><ol><li role=none aria-label="Trust within a mesh"><a href=#trust-within-a-mesh>Trust within a mesh</a><li role=none aria-label="Trust between meshes"><a href=#trust-between-meshes>Trust between meshes</a></ol></li><li role=none aria-label="Mesh models"><a href=#mesh-models>Mesh models</a><ol><li role=none aria-label="Single mesh"><a href=#single-mesh>Single mesh</a><li role=none aria-label="Multiple meshes"><a href=#multiple-meshes>Multiple meshes</a></ol></li><li role=none aria-label="Tenancy models"><a href=#tenancy-models>Tenancy models</a><ol><li role=none aria-label="Namespace tenancy"><a href=#namespace-tenancy>Namespace tenancy</a><li role=none aria-label="Cluster tenancy"><a href=#cluster-tenancy>Cluster tenancy</a><li role=none aria-label="Mesh Tenancy"><a href=#mesh-tenancy>Mesh Tenancy</a></ol></li><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.9.5 now" href=/v1.9/docs/setup/getting-started/#download aria-label="Download Istio"><span>download</span><svg class="icon download"><use xlink:href="/v1.9/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon discourse"><use xlink:href="/v1.9/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon stackoverflow"><use xlink:href="/v1.9/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://slack.istio.io aria-label=slack><span>slack</span><svg class="icon slack"><use xlink:href="/v1.9/img/icons.svg#slack"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon twitter"><use xlink:href="/v1.9/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.9.5<br>&copy; 2020 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on May 18, 2021</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon github"><use xlink:href="/v1.9/img/icons.svg#github"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon drive"><use xlink:href="/v1.9/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon working-groups"><use xlink:href="/v1.9/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><script src=https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js defer></script><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon top"><use xlink:href="/v1.9/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink