How istio works in k8s?

Considering a traffic request towards one specific service in k8s:

  • Resolve DNS destination host via Core-DNS (the DNS server is specified in /etc/resolv.conf on each container)
  • The DNS would be resolved to service IP
  • The TCP request towards the service IP would be handled by IPVS

When we turn to use istio, I have the below questions:

  1. Does istio bypass the IPVS?
  2. Since the application is unaware of the sidecar, then how the sidecar (envoy) associate the outgoing traffic with the destination service? For example, the app sends a TCP packet with dest hostname “foobar”, the “foobar” would be resolved first before hijacked by sidecar, how the sidecar figure out which dest send to? Use inverse DNS resolve? Or, the host is a header of HTTP? But how about HTTP2 and gRPC? authority header?