Istio is a service mesh for Kubernetes built around Envoy. It intercepts traffic to and from workloads, terminates and originates mTLS, routes based on HTTP/gRPC semantics, and emits uniform telemetry — all without requiring application code changes. It was originally a joint project of Google, IBM, and Lyft; it moved to the CNCF in 2022 and graduated in 2023.
The data plane is Envoy. Historically it was deployed as a sidecar injected into every pod, and the control plane (istiod) pushed configuration — listeners, clusters, routes, secrets — over xDS to each proxy. istiod also acts as the CA, issuing SPIFFE-style X.509 identities that back mTLS between workloads. Newer versions support ambient mode, which replaces sidecars with a per-node L4 proxy (ztunnel, written in Rust) and optional per-namespace L7 waypoint proxies, so you only pay the full Envoy cost where you actually need L7 features. Configuration is expressed through VirtualService, DestinationRule, AuthorizationPolicy, and Gateway CRDs, with growing support for the upstream Gateway API.
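As an added example (not configuration from the page or from the Istio project itself), here is what the mTLS and identity model above looks like in the security CRDs: a PeerAuthentication that pins a namespace to mTLS, a deny-by-default AuthorizationPolicy, and an allow rule keyed on the SPIFFE identity istiod issued to a calling service account. The namespace `payments`, the workloads `checkout` and `ledger`, their labels and service accounts are constructed for the example; the `security.istio.io/v1beta1` API group, the `PeerAuthentication` kind (not named in the text but part of the same security API as AuthorizationPolicy) and the `cluster.local` default trust domain are assumptions about a stock install. The weak and corrected PeerAuthentication share a name so only one should actually be applied; the weak one is shown for contrast.

```yaml
# Added example, not from the page or the Istio project. Namespace "payments",
# workloads "checkout"/"ledger" and their service accounts are constructed.

# WEAK (shown for contrast, do not apply alongside the STRICT one below):
# PERMISSIVE accepts both mTLS and plaintext, so a client outside the mesh,
# or one whose sidecar is missing, can still reach workloads unauthenticated.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: PERMISSIVE
---
# CORRECTED: STRICT requires a client certificate chained to istiod's CA on
# every inbound connection; plaintext is rejected at the proxy.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# Deny by default for the namespace: an ALLOW policy with no rules matches no
# request, so everything not explicitly allowed elsewhere is rejected.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# Explicit allow: only the identity istiod issued to the "checkout" service
# account may POST to the ledger's entries endpoint. The principal string is
# the SPIFFE identity with the "spiffe://" scheme stripped
# (assumed default trust domain: cluster.local).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/payments/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/entries"]
```

Two points a practitioner should check after applying this. First, `principals` are only populated when the connection is mTLS, so an allow rule keyed on principals silently denies any plaintext caller; combining it with STRICT mode makes that behaviour explicit rather than incidental. Second, the deny-all and the allow policy are evaluated together (DENY policies first, then ALLOW policies, then the implicit deny when any ALLOW policy selects the workload), so verify the effective result with a request from each side of the boundary rather than reading the YAML alone.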
Istio is the heavyweight of the mesh space. Linkerd (Rust micro-proxy, simpler model) and Cilium Service Mesh (eBPF, no sidecars) are the main alternatives. The tradeoff is well understood: Istio gives you the most features and the most knobs, and in exchange you inherit Envoy’s operational surface area.