Default Istio setup in Kyma

Istio in Kyma is installed with the help of the istioctl tool. The tool is driven by a configuration file containing an instance of the IstioOperator custom resource.

Istio components

This list shows the available Istio components and addons. Check which of those are enabled in Kyma:

  • Istiod (Pilot)
  • Ingress Gateway
  • Grafana - installed as separate component - monitoring
  • Prometheus - installed as separate component - monitoring

Kyma-specific configuration

These configuration changes are applied to customize Istio for use with Kyma:

  • Both Istio control plane and data plane use distroless images. To learn more, read about Harden Docker Container Images.
  • Automatic sidecar injection is disabled by default. See how to enable sidecar proxy injection.
  • Resource requests and limits for Istio sidecars are modified to best suit the needs of the evaluation and production profiles.
  • Mutual TLS (mTLS) is enabled cluster-wide in a STRICT mode.
  • Ingress Gateway is expanded to handle ports 80, 443, and 31400 for local Kyma deployments.
  • The use of HTTP 1.0 is enabled in the outbound HTTP listeners by PILOT_HTTP10 flag set in Istiod component environment variables.
  • IstioOperator configuration file is modified. Change Kyma settings to customize the configuration.