As organizations grow their microservices footprint on Kubernetes, adding a service mesh becomes an effective way to manage complex networking, enhance security, monitor traffic patterns, and enable resilient deployments. In AWS Elastic Kubernetes Service (EKS), introducing Istio and Kiali provides significant operational value.
This guide explains how to configure Istio and Kiali in an EKS cluster and why they help run distributed services more safely and efficiently.
Why Istio + Kiali Matters for EKS
Before diving into installation, it’s important to understand the value proposition.
Istio: Service Mesh Capabilities
Istio acts as an infrastructure layer between microservices by deploying Envoy sidecars alongside application pods. These sidecars intercept and manage all service‑to‑service traffic.
Key benefits include:
Advanced Traffic Management
Control routing behavior with retries, timeouts, circuit breaking, traffic splitting, mirroring, canary releases, and blue/green deployments.Zero‑Trust Security
Automatic mutual TLS (mTLS) encrypts pod‑to‑pod traffic and enforces service identity. Authorization policies allow fine‑grained access control without changing application code.Uniform Observability
Istio emits consistent metrics, logs, and traces across all services, independent of language or framework.
Kiali: Service Mesh Visualization & Observability
Kiali is a management and observability console built specifically for Istio.
Key benefits include:
Service Mesh Topology Graphs
Visualize services, workloads, and traffic flows in real time.Health & Metrics Dashboards
Monitor request rates, latencies, error ratios, and workload health using Prometheus metrics.Configuration Validation
Detect misconfigurations in Istio resources such asVirtualService,DestinationRule, andGatewayobjects.Tracing Integration
Seamlessly integrates with Jaeger to inspect distributed traces directly from service graphs.
Together, Istio and Kiali turn the service mesh into an observable, debuggable, and governable platform rather than an opaque networking layer.
Prerequisites
This article assumes you have read my previous two articles:
- Provision EKS Cluster with Terraform, Terragrunt & GitHub Actions
- Configure EKS Cluster Security - Pod Security, Network Policies, Pod Identity
Installing Istio on EKS
Istio can be installed using either istioctl or Helm. The istioctl method is recommended for first‑time installs due to built‑in validation and profile support.
Install Istio Using istioctl
1. Download Istio and install istioctl
curl -L https://istio.io/downloadIstio | sh -
export PATH=$PWD/istio-*/bin:$PATH
2. Install Istio using the default profile
istioctl install --set profile=default -y
This deploys the Istio control plane into the istio-system Kubernetes namespace.
3. Enable automatic sidecar injection
Label your application namespaces so Envoy sidecars are automatically injected:
kubectl label namespace <application-namespace> istio-injection=enabled
Any newly deployed pods in this namespace will now be part of the service mesh.
For example, let's create a namespace called eks-demo:
kubectl create ns eks-demo
Next, let's create an nginx pod in this namespace:
kubectl -n eks-demo run nginx --image=nginx
Let's now get this newly created pod:
kubectl -n eks-demo get pod
As you can notice, only 1 container has been created in the pod, indicating that the sidecar container hasn't been injected by Istio.
Let's correct this by adding a label to our namespace for automatic sidecar injection:
kubectl label ns eks-demo istio-injection=enabled
Let's now create a new nginx pod:
kubectl -n eks-demo run nginx-istio --image=nginx
We can now get this pod and see that the sidecar container was properly injected into this new pod:
kubectl -n eks-demo get pod nginx-istio
Installing Kiali and Observability Add‑Ons
Istio integrates with several observability tools. At minimum, Kiali requires Prometheus to function.
Quick Add‑On Installation (Evaluation or Non‑Production)
You can deploy Istio’s sample observability stack using:
for ADDON in kiali jaeger prometheus grafana
do
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.28/samples/addons/$ADDON.yaml
done
This installs:
- Prometheus for metrics
- Grafana for dashboards
- Jaeger for distributed tracing
- Kiali for service mesh visualization
Production‑Grade Kiali Installation Using Helm
For better control and security, install Kiali via Helm:
helm repo add kiali https://kiali.org/helm-charts
helm repo update
helm upgrade --install kiali-server kiali/kiali-server \
--namespace istio-system \
--set auth.strategy=anonymous \
--set deployment.ingress.enabled=true
In production, you should integrate authentication (OIDC, OpenID, or token‑based auth) instead of anonymous access.
Accessing the Kiali Dashboard
To access Kiali locally:
kubectl port-forward svc/kiali 20001:20001 -n istio-system
Open your browser at:
http://localhost:20001
From the Kiali UI you can:
- View real‑time service mesh graphs
- Inspect traffic flows and error rates
- Validate Istio configuration
- Navigate directly to Jaeger traces
Operating Istio and Kiali in EKS
Enforcing mTLS
Once workloads are meshed, you can enable strict mTLS:
- Encrypt all east‑west traffic
- Enforce service identity verification
- Reduce reliance on network‑level trust
This can be done for a specific namespace or for the entire service mesh.
Enforce mTLS for a specific namespace
To enforce mTLS in our eks-demo namespace, for example, we can execute the following:
kubectl apply -n eks-demo -f - <<EOF
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
name: default
spec:
mtls:
mode: STRICT
EOF
This enforces mTLS for all traffic between pods in this namespace.
Enforce mTLS for the entire service mesh
To enforce mTLS in the entire service mesh, we create the PeerAuthentication object in the istio-system namespace:
kubectl apply -n istio-system -f - <<EOF
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
name: default
spec:
mtls:
mode: STRICT
EOF
Creating Traffic and Verifying mTLS using Kiali
To effectively verify that mTLS is enforced, you must generate live traffic between services and observe how Istio secures that traffic. Kiali provides a visual and intuitive way to do this.
Step 1 - Deploy a Sample Application (Traffic Generator)
kubectl -n eks-demo apply -f https://raw.githubusercontent.com/istio/istio/release-1.28/samples/bookinfo/platform/kube/bookinfo.yaml
kubectl -n eks-demo apply -f https://raw.githubusercontent.com/istio/istio/release-1.28/samples/bookinfo/networking/bookinfo-gateway.yaml
Step 2 - Generate Traffic
Generate continuous traffic so that metrics appear in Kiali.
Retrieve the Istio Ingress Gateway external IP address
kubectl -n istio-system get svc istio-ingressgateway
Generate traffic via Curl
while true; do
curl -s http://<INGRESS_IP>/productpage > /dev/null
sleep 1
done
This ensures steady traffic for visualization.
Step 3 - Open the Kiali Dashboard
First, enable access to the Kiali dashboard from a browser using this command (you can skip this step if you did it earlier):
kubectl -n istio-system port-forward svc/kiali 20001:20001
Then navigate to:
http://localhost:20001
Step 4 - Visualize Traffic in the Traffic Graph View
- Select Traffic Graph from the Kiali sidebar
- Choose the
eks-demoNamespace - In the Display dropdown, enable:
Traffic Animation,Security,Traffic Rate.
You should now see services connected by live traffic edges.
Step 5 - Verify mTLS Enforcement
The live traffic line connectors should display a lock icon, indicating that mTLS is enabled.
You can click on any of these lock icons on the arrows, and the right sidebar will display mTLS Enabled.
GitOps‑Driven Configuration
Store Istio configuration (Gateways, VirtualServices, AuthorizationPolicies) in Git and deploy via:
- Argo CD
- Flux
- CI/CD pipelines
This ensures reproducibility, auditability, and safe rollbacks.
In our next article, we'll see how to configure and use Argo CD to automate the deployment of applications.
Conclusion
Adding Istio and Kiali to your AWS EKS platform significantly improves how you manage microservices networking and security.
With this architecture, you gain:
- Encrypted, authenticated service‑to‑service communication
- Advanced traffic control for safer deployments
- Clear visibility into service behavior and dependencies
- Faster troubleshooting through visual observability
When combined with strong EKS provisioning, security controls, and GitOps automation, Istio and Kiali enable a robust, production‑ready Kubernetes platform that scales with confidence.
Top comments (0)