Native sidecar mode for Istio-based service mesh add-on in Azure Kubernetes Service (AKS)

2025-10-22

Kubernetes sidecar containers feature aims to provide a more robust and user-friendly way to incorporate sidecar patterns into Kubernetes applications, improving efficiency, reliability, and simplicity.

Native sidecar is well-suited for Istio. It offers several benefits, including simplified sidecar management, improved reliability, and enhanced coordination. In native sidecar mode, the sidecar always starts before the main application. It also shuts down gracefully after the main app. This behavior removes the need for manual workarounds to handle container lifecycle or Pod termination issues.

Starting from Kubernetes version 1.29, sidecar containers feature is turned on for AKS. With this change, Istio native sidecar mode can be used with the Istio add-on for AKS.

Native sidecar mode became the default for Istio starting in version 1.27. The Istio-based service mesh on AKS aligns with this behavior with minimal interruption for existing customers.

Default behavior

Existing clusters with Istio add-on using the preview IstioNativeSidecarModePreview feature flag retain their current native sidecar status regardless of cluster version or Istio add-on revision.

Starting with AKS 1.33 and Istio add-on asm-1-28, AKS service mesh add-on uses native sidecar by default for the Envoy proxy. This setting applies based on your cluster version, the ASM add-on revision, and whether the add-on was newly installed or upgraded

AKS Version	ASM Version	Add-on Install Behavior	Upgrade Behavior
< 1.33	Any	Disabled	Disabled
1.33+	< `asm-1-27`	Disabled	Disabled
1.33+	`asm-1-27`	Enabled (transition release)	Disabled (upgrade does not auto-enable)
1.33+	`asm-1-28`+	Enabled	Enabled (by mesh or cluster upgrade to required versions)

New clusters

When creating a new AKS cluster with the az aks create command, choose version 1.33 or newer and Istio asm-1-27 or newer. The new cluster has native sidecar mode enabled automatically.

az aks create \
    --resource-group $RESOURCE_GROUP \
    --name $CLUSTER \
    --enable-asm \
    --kubernetes-version 1.33 \
    --revision asm-1-27 \
    --generate-ssh-keys    
    ...

For a new service mesh installation on an existing cluster >= version AKS 1.33, select asm-1-27 or newer during installation.

Existing clusters

This section describes how to check native sidecar feature status or enable it on an existing cluster.

Check feature status

When native sidecar mode is enabled, environment variable ENABLE_NATIVE_SIDECARS appears with value true in Istio's control plane pod template. Use the following command to check istiod deployment.

kubectl get deployment -l app=istiod -n aks-istio-system -o json | jq '.items[].spec.template.spec.containers[].env[] | select(.name=="ENABLE_NATIVE_SIDECARS")'

If native sidecar mode is successfully enabled, the istio-proxy container is shown as an init container. Use the following command to check sidecar injection:

kubectl get pods -o "custom-columns=NAME:.metadata.name,INIT:.spec.initContainers[*].name,CONTAINERS:.spec.containers[*].name"

The istio-proxy container should be shown as an init container.

NAME                     INIT                     CONTAINERS
sleep-7656cf8794-5b5j4   istio-init,istio-proxy   sleep

Check prerequisites

If native sidecar is not enabled, it is likely one of the version prerequisites was not met.

Check that the AKS cluster's Kubernetes control plane version is 1.33 or higher using az aks show.
```
az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER --query "kubernetesVersion" -o tsv
```
If the control plane version is too old, you can upgrade Kubernetes control plane.
Ensure node pools run version 1.33 or newer and the power state is running.
```
az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER --query "agentPoolProfiles[].{name:name,currentOrchestratorVersion:currentOrchestratorVersion,powerState:powerState.code}" -o table
```
Caution

Native sidecar mode by default requires both Kubernetes control plane and data plane on version 1.33 or higher. Ensure all your nodes are version 1.33 or newer before enabling the service mesh add-on. Otherwise, native sidecar will not be enabled by default.

If any node pool version is too old, upgrade the node image to version 1.33 or newer.
If service mesh add-on is enabled, check the installed revision:
```
az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER --query "serviceMeshProfile.istio.revisions" -o tsv
```
To upgrade into native sidecar support, upgrade your mesh revision to asm-1-28 or newer.

Next steps

Deploy external or internal ingresses for Istio service mesh add-on.