Istio has been the dominant service mesh for Kubernetes since its 1.0 release in 2018. Two years of production experience has produced clear guidance on where it adds value and where it adds unnecessary complexity.
mTLS as the baseline value
Mutual TLS between every service pair in a Kubernetes cluster eliminates the trust-the-network assumption that flat cluster networking requires. With Istio, every pod-to-pod connection is encrypted and authenticated with short-lived certificates issued by Istio's built-in CA. An attacker who achieves network adjacency in the cluster cannot read inter-service traffic or impersonate services without the certificate. For regulated industries (finance, healthcare), mTLS is often a compliance requirement.
Traffic management for canary releases
Istio VirtualService and DestinationRule resources enable traffic splitting at the service mesh layer: route 5% of traffic to a new version of a service and the remaining 95% to the stable version, with automatic rollback if error rates exceed a threshold. This is the pattern that Argo CD Rollouts and Flagger implement on top of Istio. The canary release capability removes the binary old/new switch of a rolling deployment and replaces it with a risk-controlled traffic shift.
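The two capabilities above (mesh-wide mTLS and a weighted canary split) as one set of manifests. This is an added example, not configuration from the article; the `checkout` service, the `shop` namespace and the `version: v1`/`v2` pod labels are hypothetical. Note that without a PeerAuthentication resource Istio defaults to PERMISSIVE mode, which still accepts plaintext, so the adjacency guarantee described above only holds once STRICT is applied.

```yaml
# Mesh-wide PeerAuthentication. STRICT rejects plaintext from any client
# that is not part of the mesh; PERMISSIVE (Istio's default when no policy
# exists) would accept it, leaving the "network adjacency" argument unenforced.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # the root namespace, so this applies mesh-wide
spec:
  mtls:
    mode: STRICT
---
# DestinationRule: name the two subsets of the hypothetical checkout service by pod label.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: checkout
  namespace: shop           # hypothetical namespace
spec:
  host: checkout.shop.svc.cluster.local
  subsets:
  - name: stable
    labels:
      version: v1
  - name: canary
    labels:
      version: v2
---
# VirtualService: the 95/5 split. The weights are static here; tooling such as
# Flagger rewrites them over time and rolls back by setting the canary weight to 0.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: checkout
  namespace: shop
spec:
  hosts:
  - checkout.shop.svc.cluster.local
  http:
  - route:
    - destination:
        host: checkout.shop.svc.cluster.local
        subset: stable
      weight: 95
    - destination:
        host: checkout.shop.svc.cluster.local
        subset: canary
      weight: 5
```

Apply the PeerAuthentication first and confirm existing clients are sidecar-injected, because once STRICT is in place any non-mesh caller is refused.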
The observability layer
Istio's Envoy proxies generate distributed tracing spans (compatible with Zipkin, Jaeger), access logs, and L7 metrics (request rate, error rate, latency) for every service pair automatically. Without Istio, these metrics require manual instrumentation in each service. With Istio, they are generated by the data plane for all service-to-service traffic. The automatic observability reduces the instrumentation burden for teams that have not invested in application-level telemetry.
An honest assessment of the operational complexity
Istio's control plane (istiod in Istio 1.5+, previously split across Pilot, Mixer, Citadel) runs additional components that must be monitored, upgraded, and debugged when things go wrong. Istio version upgrades are non-trivial, and canary upgrades of the data plane proxies require understanding the compatibility matrix. For organisations with fewer than 50 services, the operational burden of Istio may exceed the benefit. Linkerd 2 provides the core value (mTLS, observability) with lower operational complexity.