Istio Architecture: istiod & Data Plane
Deep dive into istiod (control plane) and Envoy sidecars (data plane), xDS protocol, and the certificate lifecycle.
What you'll learn
- istiod = control plane (config + certificates)
- Envoy sidecars = data plane (traffic interception)
- xDS protocol: LDS, RDS, CDS, EDS push config to sidecars
istiod Architecture
istiod is the Istio control plane (merged from the former Pilot, Citadel and Galley components). It translates Istio CRDs into xDS (discovery service) configuration and pushes it to the Envoy sidecars. The Envoy sidecars intercept all pod traffic via iptables rules set up by the istio-init container. istiod also acts as the Certificate Authority (CA) for mTLS, issuing SPIFFE X.509 SVIDs (workload identity certificates) to the sidecars.
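One check a receiving sidecar or an operator can run on an issued SVID, added here as an example that is not part of the original lesson or of istiod's own code: pull the SPIFFE ID out of the certificate's URI SAN and confirm it is in the expected trust domain and has the `ns/<namespace>/sa/<service-account>` form. `WorkloadIdentity`, `ConstructedSVID` and the `cluster.local` / `default` / `productpage` values are assumptions built for the example; the self-signed certificate stands in for one istiod would issue.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// WorkloadIdentity returns the namespace and service account from an SVID's SPIFFE ID
// (spiffe://<trust-domain>/ns/<ns>/sa/<sa>). SPIFFE allows exactly one URI SAN, so none or several is an error.
func WorkloadIdentity(cert *x509.Certificate, trustDomain string) (ns, sa string, err error) {
	if len(cert.URIs) != 1 || cert.URIs[0].Scheme != "spiffe" {
		return "", "", fmt.Errorf("want exactly one spiffe URI SAN, got %v", cert.URIs)
	}
	u := cert.URIs[0]
	if u.Host != trustDomain {
		return "", "", fmt.Errorf("trust domain %q, want %q", u.Host, trustDomain)
	}
	p := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(p) != 4 || p[0] != "ns" || p[2] != "sa" || p[1] == "" || p[3] == "" {
		return "", "", fmt.Errorf("path %q is not /ns/<namespace>/sa/<service-account>", u.Path)
	}
	return p[1], p[3], nil
}

// ConstructedSVID self-signs a throwaway certificate carrying only the given URI SANs (constructed test data, not an istiod cert).
func ConstructedSVID(uris ...string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	for _, s := range uris {
		u, _ := url.Parse(s)
		tmpl.URIs = append(tmpl.URIs, u)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert
}

func main() {
	svid := ConstructedSVID("spiffe://cluster.local/ns/default/sa/productpage")
	fmt.Println(WorkloadIdentity(svid, "cluster.local")) // default productpage <nil>
}
```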