WTF is the Istio CNI?

A cardboard takeout box with an ethernet jack on the side. — Figure 1: Container with a network interface.

tl;dr - Istio is not a typical CNI plugin, the Istio CNI just sets up iptables redirection which forces all pod traffic through the sidecar proxy.

CNI and Plugins

The Container Network Interface is the standard by which a container runtime (like Docker or containerd) gives users control over how their containers get connected. A CNI plugin is any application which implements the CNI standard.

The workflow goes something like:

Something asks the runtime to launch a container.
Once the container starts, the runtime passes some information like the name of the network interface assigned to the container to the CNI plugin.
The CNI plugin executes and returns control to the container runtime.

Here's the important part: usually when the CNI plugin executes it is setting up network connectivity for the container, but not always.

The container runtime doesn't actually care if the plugin connected the container to the internet or anything else for that matter, it just cares that the plugin does not return an error. A CNI plugin could just echo "lol k8s sux" > /etc/motd for all the container runtime cares.

The Istio CNI

While the Istio CNI does implement the interface making it a valid CNI plugin it does not configure pod-to-pod networking the way other CNI plugins like Calico and Cilium do. All it does is add some iptables rules which force all the traffic going in or out of the main container in the pod to be redirected through the istio-proxy sidecar container which is where all the fancy service mesh stuff happens.

Istio assumes you already have a CNI plugin capable of configuring pod-to-pod networking and it just steps in after that plugin is finished to add the little bits that Istio needs in order to function.

But Why?

A meme with the words 'y tho' superimposed onto a painting of Pope Leon X painted by Fernando Botero.

The Istio CNI is totally optional, you can use all the cool features without it. If you do not deploy the Istio CNI what happens instead is that an init container gets added to every pod which has sidecar injection enabled and the init container sets up iptables redirection.

For some users however this is a problem because it means whoever or whaetver is putting pods into their cluster requires some highly privileged capabilities. The CNI solves that problem for those users. Instead of giving cluster users the ability to create highly privilged pods, the cluster admins deploy the Istio CNI and give it the necessary capabilities to set up iptables redirection. Now all their users have to do is create a pod with regular privileges and the Istio CNI handles the rest.