Environment:Kserve Kserve Istio Service Mesh

Overview

Istio 1.27.1 service mesh providing ingress routing, mTLS, and traffic management for KServe Serverless deployment mode.

Description

When KServe is deployed in Serverless mode, Istio provides the ingress gateway for routing external traffic to InferenceServices via VirtualService resources. KServe's IngressReconciler creates and manages Istio VirtualServices to route traffic based on hostname patterns. Istio is installed via Helm with proxy auto-injection disabled by default.

Usage

Use this environment when deploying KServe in Serverless mode with Knative Serving. Istio is not required for RawDeployment mode, which uses Kubernetes Ingress or Gateway API directly.

System Requirements

Dependencies

Helm Charts

• `istio/base` from `https://istio-release.storage.googleapis.com/charts`
• `istio/istiod` from same repository
• `istio/gateway` from same repository

Credentials

No additional credentials required.

Quick Install

# Install Istio via Helm (from quick_install.sh)
helm install istio-base istio/base -n istio-system --set defaultRevision=default --wait
helm install istiod istio/istiod -n istio-system \
    --set-string pilot.podAnnotations."cluster-autoscaler\.kubernetes\.io/safe-to-evict"=true --wait
helm install istio-ingressgateway istio/gateway -n istio-system --wait

Code Evidence

Istio version pinned in `kserve-deps.env:31`:

ISTIO_VERSION=1.27.1

VirtualService creation in `pkg/controller/v1beta1/inferenceservice/reconcilers/ingress/ingress_reconciler.go`:

// IngressReconciler creates Istio VirtualService resources for traffic routing

Common Errors

Compatibility Notes

• OpenShift: Use OpenShift Service Mesh operator instead of upstream Istio
• RawDeployment: Istio is not needed; use Kubernetes Ingress or Gateway API
• Knative integration: Istio provides the local and ingress gateways for Knative Serving

Related Pages

• Implementation:Kserve_Kserve_IngressReconciler
• Implementation:Kserve_Kserve_InferenceServiceReconciler