Default Istio setup in Kyma
Istio in Kyma is installed with the help of the istioctl tool. The tool is driven by a configuration file containing an instance of the IstioOperator custom resource.
Istio components
This list shows the available Istio components and addons. Check which of those are enabled in Kyma:
- Istiod (Pilot)
- Ingress Gateway
- Grafana - installed as a separate component - monitoring
- Prometheus - installed as a separate component - monitoring
Kyma-specific configuration
These configuration changes are applied to customize Istio for use with Kyma:
- Both Istio control plane and data plane use distroless images. To learn more, read about Harden Docker Container Images.
- Automatic sidecar injection is disabled by default. See how to enable sidecar proxy injection.
- Resource requests and limits for Istio sidecars are modified to best suit the needs of the evaluation and production profiles.
- Mutual TLS (mTLS) is enabled cluster-wide in a STRICT mode.
- Ingress Gateway is expanded to handle ports 80, 443, and 31400 for local Kyma deployments.
- The use of HTTP 1.0 is enabled in the outbound HTTP listeners by the PILOT_HTTP10 flag set in Istiod component environment variables.
- IstioOperator configuration file is modified. Change Kyma settings to customize the configuration.
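To check that the cluster-wide STRICT mTLS setting listed above is not weakened by narrower policies, the following added example (not part of the Kyma documentation or code) audits a list of PeerAuthentication resources. It assumes the mesh-wide setting is expressed as a selector-less PeerAuthentication in the istio-system root namespace, as in upstream Istio; the sample input and the names in it are constructed.

```python
import json

ROOT_NS = "istio-system"          # assumption: upstream default Istio root namespace
WEAK = {"PERMISSIVE", "DISABLE"}  # modes that allow plaintext traffic

# Constructed sample shaped like `kubectl get peerauthentication -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "istio-system", "name": "default"},
  "spec": {"mtls": {"mode": "STRICT"}}},
 {"metadata": {"namespace": "legacy", "name": "default"},
  "spec": {"mtls": {"mode": "PERMISSIVE"}}},
 {"metadata": {"namespace": "shop", "name": "cart-metrics"},
  "spec": {"selector": {"matchLabels": {"app": "cart"}},
           "mtls": {"mode": "STRICT"},
           "portLevelMtls": {"9090": {"mode": "DISABLE"}}}}
]}
""")

def audit_mtls(doc, root_ns=ROOT_NS):
    """Return (mesh_strict, findings) for a PeerAuthentication list."""
    mesh_strict, findings = False, []
    for item in doc.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec") or {}
        ref = f'{meta.get("namespace")}/{meta.get("name")}'
        mode = (spec.get("mtls") or {}).get("mode", "UNSET")
        scoped = bool((spec.get("selector") or {}).get("matchLabels"))
        if meta.get("namespace") == root_ns and not scoped:
            # A selector-less policy in the root namespace applies mesh-wide.
            if mode == "STRICT":
                mesh_strict = True
            else:
                findings.append(f"{ref}: mesh-wide mode is {mode}, not STRICT")
        elif mode in WEAK:
            # Namespace- and workload-level policies take precedence over the mesh one.
            findings.append(f"{ref}: mode {mode} overrides mesh-wide STRICT")
        # Port-level settings can relax mTLS even when the policy mode is STRICT.
        for port, cfg in (spec.get("portLevelMtls") or {}).items():
            if (cfg or {}).get("mode") in WEAK:
                findings.append(f"{ref}: port {port} set to {cfg['mode']}")
    return mesh_strict, findings

if __name__ == "__main__":
    strict, issues = audit_mtls(SAMPLE)
    print("mesh-wide STRICT:", strict)
    for line in issues:
        print("finding:", line)
```

On a live cluster, pass the parsed output of `kubectl get peerauthentication -A -o json` to `audit_mtls` instead of the sample.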