Details

The main principle of Kyma Service Mesh is to inject the Pods of every service with the Envoy sidecar proxy. Envoy intercepts all traffic between the services and regulates it by applying and enforcing the rules you create.

By default, Istio in Kyma has mutual TLS (mTLS) enabled. See how to enable sidecar proxy injection. You can manage mTLS traffic per service or per Namespace by creating DestinationRules and PeerAuthentications. If you disable sidecar injection for a service or a Namespace, its Pods can no longer terminate mTLS, so you must describe their traffic explicitly by creating the appropriate DestinationRules and PeerAuthentications.
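The following manifests are an added example and are not part of the Kyma documentation or of Kyma's own configuration. They show how the two resource types work together: a STRICT PeerAuthentication for a sidecar-injected Namespace, and, for a Namespace where sidecar injection is disabled, a DestinationRule that stops mesh clients from attempting an mTLS handshake that the sidecar-less Pods cannot complete, plus a workload-scoped PERMISSIVE PeerAuthentication for the reverse direction. The Namespace names `orders` and `legacy`, the Service `inventory`, and the label `app: orders-api` are assumptions for the example.

```yaml
# Added example, not part of the Kyma documentation or Kyma's own manifests.
# Assumed names: Namespaces "orders" (sidecar-injected) and "legacy"
# (no sidecars), the Service "inventory" in "legacy", and the workload
# label "app: orders-api" in "orders".
---
# 1. Namespace whose Pods receive the Envoy sidecar.
apiVersion: v1
kind: Namespace
metadata:
  name: orders
  labels:
    istio-injection: enabled
---
# 2. Enforce mTLS for every workload in "orders": the sidecar rejects
#    plaintext connections that do not come from the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: orders
spec:
  mtls:
    mode: STRICT
---
# 3. Namespace without sidecar injection. Its Pods cannot terminate mTLS,
#    so traffic to and from them has to be described explicitly.
apiVersion: v1
kind: Namespace
metadata:
  name: legacy
  labels:
    istio-injection: disabled
---
# 4. Sidecar-injected clients would otherwise originate mTLS towards
#    inventory.legacy and fail the handshake. Scope the downgrade to this
#    one host so the rest of the mesh keeps mTLS.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: inventory-plaintext
  namespace: legacy
spec:
  host: inventory.legacy.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE
---
# 5. If a sidecar-less Pod in "legacy" must call a workload in "orders",
#    relax only that workload to PERMISSIVE; everything else stays STRICT.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: orders-api-permissive
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders-api
  mtls:
    mode: PERMISSIVE
```

Apply the file with `kubectl apply -f` and review the result with `kubectl get peerauthentication,destinationrule -A`. Two points matter in review: a DestinationRule with `tls.mode: DISABLE` downgrades that hop to plaintext, so keep its `host` as narrow as possible, and a PERMISSIVE PeerAuthentication accepts plaintext from anywhere, so attach it to a workload selector rather than to the whole Namespace and remove it once the caller gets a sidecar.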

NOTE: The Istio Control Plane doesn't have mTLS enabled.

NOTE: For security and performance reasons, Kyma uses the distroless variant of the Istio images. These images are not Debian-based and contain no shell or package manager; they are slimmed down to reduce the attack surface and to shorten startup time.

You can install Service Mesh as part of the Kyma predefined profiles. For production purposes, use the production profile, which has increased resource quotas for all Istio components and HorizontalPodAutoscaler (HPA) enabled for all of them.