
What's an alternative to istio? I want to have http metrics between our services inside kubernetes. I don't really want all the fancy shmancy mtls, dpi and stuff, they don't bring value to me.


Try Kuma (https://kuma.io/), also part of CNCF, which has been created with a much simpler model for supporting a fleet of Envoy across single and multiple clusters.


If you don't want any of the fancy stuff, then you can just use Envoy without Istio and configure it yourself.


That's an interesting thought. Even if I would throw it away for istio in the end, the experience of managing Envoy might be valuable.

How do I do that exactly? I need to install some iptables rules inside a pod to redirect pod traffic to envoy?


Envoy is the proxy that does the heavy lifting. Istio is just a glorified configuration system. Even if you choose to use Istio you're still using Envoy.

You're spot-on about using iptables rules. There is an example here with a yaml configuration and some iptables commands: https://github.com/envoyproxy/envoy/blob/main/configs/origin...

You might be able to re-use some of that. It should be pretty easy to get metrics for outbound/inbound http requests, but I don't remember the exact yaml incantation.
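
An added example, not part of the thread and not taken from the linked Envoy repository: a minimal static Envoy sidecar configuration that produces inbound HTTP metrics without Istio. The listener port (15006), the application address (127.0.0.1:8080), the admin port (9901) and all names are assumptions; the iptables redirect discussed above would point inbound pod traffic at the listener port.

```yaml
# Added example: static Envoy sidecar config for inbound HTTP metrics.
# Ports, names and the app address are assumptions, not from the thread.
admin:
  address:
    # Loopback only: the admin API can change or stop the proxy,
    # so it should not be reachable from other pods.
    socket_address: { address: 127.0.0.1, port_value: 9901 }
static_resources:
  listeners:
  - name: inbound_http
    address:
      # Target of the iptables redirect for inbound traffic (assumed port).
      socket_address: { address: 0.0.0.0, port_value: 15006 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          # Prefix for the emitted counters, e.g. http.inbound_http.downstream_rq_2xx
          stat_prefix: inbound_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_app
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: local_app }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  # The application container in the same pod (assumed to listen on 8080).
  - name: local_app
    type: STATIC
    connect_timeout: 1s
    load_assignment:
      cluster_name: local_app
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8080 }
```

With this in place, request counters and latency histograms for the `inbound_http` prefix appear under the admin endpoint's `/stats` (or `/stats/prometheus`) inside the pod.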


Thanks, I'll look into that. Might actually be the simplest solution in the end.


lol i’m not quite following how manually injecting envoy, “configuring envoy yourself/by hand” in a pod and “copying istio code for iptables re-direction” and then trying to maintain this yourself is easier than just using istio?

install istio, turn off mtls if you don’t want that (https://istio.io/latest/docs/reference/config/security/peer_...) and you have what you’re looking for. doesn’t get simpler than that.


https://linkerd.io/ is a much lighter-weight alternative but you do still get some of the fancy things like mtls without needing any manual configuration. Install it, label your namespaces, and let it do its thing!


I don't think that I need mtls and extra CPU load for useless (to me) encryption does not sound so good. Can I opt-out of this specific feature?

Also I'm worried about its pervasiveness. Is it possible to enable those side-cars only on selected pods?


So to answer my own question:

It's not possible to disable mtls with meshed services, no configuration option for this particular feature.

There's no pervasiveness with linkerd, one needs to add the `linkerd.io/inject: enabled` annotation to the target service and restart the deployment.


At least in Istio yes, you can annotate pods or namespaces to be part of your service mesh.



