
Istio
Enterprise distribution of Istio enforcing mutual TLS, Layer 7 authorization, and zero-trust segmentation across multi-cluster Kubernetes and virtual-machine workloads.
Istio Overview
Istio, in Solo.io's enterprise distribution, secures and routes traffic between Kubernetes and virtual-machine workloads from a single control plane. Its distinguishing mechanism is an ambient, sidecarless data plane built on a per-node ztunnel proxy, which enforces mutual TLS (mTLS) and Layer 7 policy without injecting a sidecar container into every pod, cutting the memory and operational cost of running the mesh at scale.
The platform authenticates every service-to-service connection using X.509 workload identities issued through SPIFFE and SPIRE, so traffic is encrypted and authorized by service identity rather than IP address and port. Authorization policies evaluate HTTP paths, gRPC methods, and workload claims through Common Expression Language (CEL) rules, while waypoint proxies apply Layer 7 egress controls that constrain outbound traffic. A federated multi-cluster service registry links meshes across clouds and on-premises data centers, and east-west gateways carry encrypted cross-cluster traffic that feeds flow telemetry. ECS, Lambda, and virtual-machine extensions bring non-Kubernetes workloads into the same mesh.
Solo.io maintains SOC 2 Type I and Type II attestations, and the platform ships FIPS-validated cryptographic builds of its supported Istio distribution, with daily CVE scanning and N-4 long-term support releases for regulated and mission-critical deployments, delivered through the Solo Enterprise for Istio support tier. Solo.io holds seats on the Istio Steering and Technical Oversight Committees and contributes to Cloud Native Computing Foundation (CNCF) projects including Istio, Envoy, and SPIFFE. Its users include T-Mobile, BMW, ADP, and Carfax.
Key Capabilities
Enforces mutual TLS on every service-to-service connection using X.509 workload identities (SPIFFE), so traffic between pods is encrypted and authenticated by service identity rather than IP and port.
Enforces policy on HTTP paths, gRPC, Kafka, and service identity rather than IP and port, so rules survive pod churn and constrain what each service may do.
Enforces DNS-based and IP-based egress policies for pod outbound traffic, preventing C2 communication, data exfiltration, and unauthorized external API calls.
Captures and logs all pod-to-pod network flows including service mesh traffic, providing full observability for anomaly detection and policy validation.
Info last updated on June 27, 2026