Istio#

Istio is an open source service mesh that layers transparently onto existing distributed applications. Istio’s powerful features provide a uniform and more efficient way to secure, connect, and monitor services. Istio is the path to load balancing, service-to-service authentication, and monitoring – with few or no service code changes.


Prerequisites#

Deploy k0rdent v1.7.0: QuickStart

Install template to k0rdent#

helm upgrade --install istio-base oci://ghcr.io/k0rdent/catalog/charts/kgst --set "chart=istio-base:1.27.1" -n kcm-system
helm upgrade --install istiod oci://ghcr.io/k0rdent/catalog/charts/kgst --set "chart=istiod:1.27.1" -n kcm-system
helm upgrade --install istio-gateway oci://ghcr.io/k0rdent/catalog/charts/kgst --set "chart=istio-gateway:1.27.1" -n kcm-system

Verify service template#

kubectl get servicetemplates -A
# NAMESPACE    NAME                            VALID
# kcm-system   istio-base-1-27-1               true
# kcm-system   istiod-1-27-1                   true
# kcm-system   istio-gateway-1-27-1            true

Deploy service template#

apiVersion: k0rdent.mirantis.com/v1beta1
kind: MultiClusterService
metadata:
  name: istio
spec:
  clusterSelector:
    matchLabels:
      group: demo
  serviceSpec:
    services:
    - template: istio-base-1-27-1
      name: istio-base
      namespace: istio-system
    - template: istiod-1-27-1
      name: istiod
      namespace: istio-system
    - template: istio-gateway-1-27-1
      name: istio-gateway
      namespace: istio-system

Aggregated CVE Summary#

This table provides an aggregated overview of known CVEs affecting this application.

Critical   High   Medium   Low   Unknown
0          12     26       23    0

The counts represent the number of unique CVE identifiers detected across the entire application stack, including all associated Helm charts, container images, and underlying OS or language-level packages. If the same CVE appears in multiple images or packages, it is counted only once in this summary.

The vulnerability data is generated using the Trivy security scanner, which analyzes container images and their dependencies against multiple vulnerability databases. The results reflect the state of the analyzed images at the time of scanning.
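
The deduplicated counting described above, as an added example (not the catalog's own tooling): it merges Trivy JSON reports, as produced by `trivy image --format json`, and counts each CVE ID once across all images. The image names and CVE IDs are constructed placeholders, and counting a CVE at the highest severity seen across images is an assumption the page does not state.

```python
import json
from collections import Counter

# Severity names as they appear in Trivy's JSON output, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

def aggregate(reports):
    """Return (counts, worst) for unique CVE IDs across all reports.

    Assumption: a CVE rated differently in two images is counted once,
    at the highest severity seen.
    """
    worst = {}  # CVE ID -> highest severity seen anywhere in the stack
    for report in reports:
        for result in report.get("Results") or []:
            # Trivy omits "Vulnerabilities" for targets with no findings.
            for vuln in result.get("Vulnerabilities") or []:
                cve = vuln["VulnerabilityID"]
                sev = (vuln.get("Severity") or "UNKNOWN").upper()
                if sev not in RANK:
                    sev = "UNKNOWN"
                if cve not in worst or RANK[sev] > RANK[worst[cve]]:
                    worst[cve] = sev
    counts = Counter(worst.values())
    return {s: counts.get(s, 0) for s in reversed(SEVERITY_ORDER)}, worst

# Constructed sample reports (placeholder image names and CVE IDs).
SAMPLE_REPORTS = [json.loads(doc) for doc in (
    """{"ArtifactName": "example/image-a:tag", "Results": [
        {"Target": "os-packages", "Vulnerabilities": [
          {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "HIGH"},
          {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "Severity": "LOW"}]},
        {"Target": "app/binary"}]}""",
    """{"ArtifactName": "example/image-b:tag", "Results": [
        {"Target": "os-packages", "Vulnerabilities": [
          {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "MEDIUM"},
          {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "Severity": "MEDIUM"}]},
        {"Target": "go-modules", "Vulnerabilities": null}]}""",
)]

if __name__ == "__main__":
    counts, _ = aggregate(SAMPLE_REPORTS)
    print(counts)
```

The sample holds four findings but three unique CVE IDs, which is why a per-image total will not match the aggregated table.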

Severity levels#

CVEs are grouped by severity according to standard vulnerability scoring:

  • Critical – Vulnerabilities that can be easily exploited and may lead to full system compromise, remote code execution, or severe data exposure.
  • High – Serious vulnerabilities that could significantly impact confidentiality, integrity, or availability, often requiring prompt remediation.
  • Medium – Vulnerabilities with moderate impact that typically require specific conditions or configurations to be exploitable.
  • Low – Issues with limited impact or difficult exploitation, often informational or defense-in-depth concerns.
  • Unknown – CVEs for which a severity score is not available or could not be determined at the time of analysis.

This summary is intended to provide a high-level security posture of the application.

Prerequisites#

Deploy k0rdent v1.7.0: QuickStart

Install template to k0rdent#

helm upgrade --install istio-base oci://ghcr.io/k0rdent/catalog/charts/kgst --set "chart=istio-base:1.27.1" -n kcm-system
helm upgrade --install istiod oci://ghcr.io/k0rdent/catalog/charts/kgst --set "chart=istiod:1.27.1" -n kcm-system
helm upgrade --install istio-gateway oci://ghcr.io/k0rdent/catalog/charts/kgst --set "chart=istio-gateway:1.27.1" -n kcm-system
helm upgrade --install cert-manager oci://ghcr.io/k0rdent/catalog/charts/kgst --set "chart=cert-manager:1.18.2" -n kcm-system
helm upgrade --install knative-operator oci://ghcr.io/k0rdent/catalog/charts/kgst --set "chart=knative-operator:1.17.4" -n kcm-system
helm upgrade --install kserve-crd oci://ghcr.io/k0rdent/catalog/charts/kgst --set "chart=kserve-crd:v0.15.0" -n kcm-system
helm upgrade --install kserve oci://ghcr.io/k0rdent/catalog/charts/kgst --set "chart=kserve:v0.15.0" -n kcm-system

Verify service template#

kubectl get servicetemplates -A
# NAMESPACE    NAME                            VALID
# kcm-system   istio-base-1-27-1               true
# kcm-system   istiod-1-27-1                   true
# kcm-system   istio-gateway-1-27-1            true
# kcm-system   cert-manager-1-18-2             true
# kcm-system   knative-operator-1-17-4         true
# kcm-system   kserve-crd-v0-15-0              true
# kcm-system   kserve-v0-15-0                  true

Deploy service template#

apiVersion: k0rdent.mirantis.com/v1beta1
kind: MultiClusterService
metadata:
  name: kserve
spec:
  clusterSelector:
    matchLabels:
      group: demo
  serviceSpec:
    services:
    - template: istio-base-1-27-1
      name: istio-base
      namespace: kserve
    - template: istiod-1-27-1
      name: istiod
      namespace: kserve
    - template: istio-gateway-1-27-1
      name: istio-gateway
      namespace: kserve
    - template: cert-manager-1-18-2
      name: cert-manager
      namespace: kserve
      values: |
        cert-manager:
          crds:
            enabled: true
    - template: knative-operator-1-17-4
      name: knative-operator
      namespace: kserve
    - template: kserve-crd-v0-15-0
      name: kserve-crd
      namespace: kserve
    - template: kserve-v0-15-0
      name: kserve
      namespace: kserve
      values: |
        kserve:
          controller:
            deploymentMode: RawDeployment # Serverless
          modelmesh:
            enabled: false