Pods and Services

To be a part of an Istio service mesh, pods and services in a Kubernetes cluster must satisfy the following requirements:

  • Named service ports: Service ports must be named. The port name key/value pairs must have the following syntax: name: <protocol>[-<suffix>]. To take advantage of Istio’s routing features, replace <protocol> with one of the following values:

    • grpc
    • http
    • http2
    • https
    • mongo
    • mysql
    • redis
    • tcp
    • tls
    • udp

    For example, name: http2-foo or name: http are valid port names, but name: http2foo is not. If the port name does not begin with a recognized prefix, or if the port is unnamed, the protocol of outbound traffic (HTTP or TCP) is detected automatically. Inbound traffic on the port is treated as plain TCP unless the port explicitly sets Protocol: UDP to mark it as a UDP port.

  • Service association: A pod must belong to at least one Kubernetes service even if the pod does NOT expose any port. If a pod belongs to multiple Kubernetes services, the services cannot use the same port number for different protocols, for instance HTTP and TCP.

  • Deployments with app and version labels: We recommend adding an explicit app label and version label to deployments. Add the labels to the pod template in the specification of each Kubernetes Deployment. The app and version labels add contextual information to the metrics and telemetry Istio collects.

    • The app label: Each deployment specification should have a distinct app label with a meaningful value. The app label is used to add contextual information in distributed tracing.

    • The version label: This label indicates the version of the application corresponding to the particular deployment.

  • Application UIDs: Ensure your pods do not run applications as a user with the user ID (UID) value of 1337.

  • NET_ADMIN capability: If your cluster enforces pod security policies, pods must allow the NET_ADMIN capability. If you use the Istio CNI Plugin, this requirement no longer applies. To learn more about the NET_ADMIN capability, visit Required Pod Capabilities.
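The following pre-flight check applies the requirements above to Service and Deployment manifests; it is an added example, not code from the Istio documentation or project. Manifests are passed as plain dicts (what yaml.safe_load returns) so it runs without extra packages; the function names and the constructed sample manifests are assumptions.

```python
ISTIO_PROTOCOLS = {"grpc", "http", "http2", "https", "mongo", "mysql", "redis", "tcp", "tls", "udp"}
ISTIO_PROXY_UID = 1337  # reserved for the sidecar proxy; application containers must not use it

def port_protocol(port):
    """Recognized protocol prefix of a Service port name, else None (unnamed or unknown prefix)."""
    prefix = (port.get("name") or "").split("-", 1)[0]
    return prefix if prefix in ISTIO_PROTOCOLS else None

def check_service(svc):
    """Flag ports whose name will not tell Istio the protocol (routing features unavailable)."""
    findings = []
    for port in svc["spec"].get("ports", []):
        if port_protocol(port) is None:
            findings.append(f"{svc['metadata']['name']}: port {port['port']} "
                            f"name {port.get('name')!r} has no recognized protocol prefix")
    return findings

def check_port_conflicts(services):
    """Same target port, different protocols, across services selecting the same pods."""
    seen, findings = {}, []
    for svc in services:
        selector = tuple(sorted(svc["spec"].get("selector", {}).items()))
        for port in svc["spec"].get("ports", []):
            key, proto = (selector, port.get("targetPort", port["port"])), port_protocol(port)
            if None not in (seen.get(key), proto) and seen[key] != proto:
                findings.append(f"port {key[1]} used as {seen[key]} and {proto} for the same pods")
            seen.setdefault(key, proto)
    return findings

def check_deployment(dep):
    """Flag missing app/version labels and any container running as the proxy UID."""
    findings, tmpl = [], dep["spec"]["template"]
    for key in ("app", "version"):
        if key not in tmpl["metadata"].get("labels", {}):
            findings.append(f"{dep['metadata']['name']}: pod template missing {key!r} label")
    ctxs = [tmpl["spec"].get("securityContext", {})]
    ctxs += [c.get("securityContext", {}) for c in tmpl["spec"].get("containers", [])]
    if any(c.get("runAsUser") == ISTIO_PROXY_UID for c in ctxs):
        findings.append(f"{dep['metadata']['name']}: runs as UID {ISTIO_PROXY_UID}, reserved for the sidecar")
    return findings

# Constructed sample manifests (assumed values), as the dicts yaml.safe_load would return.
GOOD_SVC = {"metadata": {"name": "reviews"}, "spec": {"selector": {"app": "reviews"},
            "ports": [{"name": "http", "port": 9080}]}}
BAD_SVC = {"metadata": {"name": "reviews-legacy"}, "spec": {"selector": {"app": "reviews"},
           "ports": [{"name": "tcp-legacy", "port": 9080}, {"name": "http2foo", "port": 9081}]}}
BAD_DEP = {"metadata": {"name": "reviews-v1"}, "spec": {"template": {
    "metadata": {"labels": {"app": "reviews"}},
    "spec": {"containers": [{"name": "reviews", "image": "reviews:1",
                             "securityContext": {"runAsUser": 1337}}]}}}}
```

On the samples, check_service(BAD_SVC) reports the http2foo port, check_port_conflicts([GOOD_SVC, BAD_SVC]) reports port 9080 being served as both http and tcp for the same pods, and check_deployment(BAD_DEP) reports the missing version label and the container running as UID 1337.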

Ports used by Istio

The following ports and protocols are used by Istio. Ensure that there are no TCP headless services using a TCP port used by one of Istio’s services.

| Port  | Protocol | Used by                                                            | Description                              |
|-------|----------|--------------------------------------------------------------------|------------------------------------------|
| 8060  | HTTP     | Citadel                                                            | GRPC server                              |
| 8080  | HTTP     | Citadel agent                                                      | SDS service monitoring                   |
| 9090  | HTTP     | Prometheus                                                         | Prometheus                               |
| 9091  | HTTP     | Mixer                                                              | Policy/Telemetry                         |
| 9876  | HTTP     | Citadel, Citadel agent                                             | ControlZ user interface                  |
| 9901  | GRPC     | Galley                                                             | Mesh Configuration Protocol              |
| 15000 | TCP      | Envoy                                                              | Envoy admin port (commands/diagnostics)  |
| 15001 | TCP      | Envoy                                                              | Envoy Outbound                           |
| 15006 | TCP      | Envoy                                                              | Envoy Inbound                            |
| 15004 | HTTP     | Mixer, Pilot                                                       | Policy/Telemetry - mTLS                  |
| 15010 | HTTP     | Pilot                                                              | Pilot service - XDS pilot - discovery    |
| 15011 | TCP      | Pilot                                                              | Pilot service - mTLS - Proxy - discovery |
| 15014 | HTTP     | Citadel, Citadel agent, Galley, Mixer, Pilot, Sidecar Injector     | Control plane monitoring                 |
| 15020 | HTTP     | Ingress Gateway                                                    | Pilot health checks                      |
| 15029 | HTTP     | Kiali                                                              | Kiali User Interface                     |
| 15030 | HTTP     | Prometheus                                                         | Prometheus User Interface                |
| 15031 | HTTP     | Grafana                                                            | Grafana User Interface                   |
| 15032 | HTTP     | Tracing                                                            | Tracing User Interface                   |
| 15443 | TLS      | Ingress and Egress Gateways                                        | SNI                                      |
| 15090 | HTTP     | Mixer                                                              | Proxy                                    |
| 42422 | TCP      | Mixer                                                              | Telemetry - Prometheus                   |