Envoy Sidecar Memory Explosion

critical

Resource ContentionUpdated Jan 7, 2026

Envoy sidecar proxies consuming 2GB+ memory per pod, causing OOMKills and degraded service performance. This occurs when Istio pushes massive configurations to sidecars in large clusters or with poorly scoped routing rules.

Sources

Key Metrics to Monitor in AWS Fargate - Site24x7www.site24x7.com

Service Mesh Promised Observability. It Gave Us 40% CPU Overhead.blog.stackademic.com

Technologies:

IstioThe root cause of this issue originates in Istio

Envoy ProxySymptoms of this issue are visible in Envoy Proxy metrics and logs

How to detect:

Monitor istio_go_memstats_heap_allocated_size and istio_mesh_agent_go_memstats_heap_objects for sidecar containers. If memory usage exceeds 1GB per sidecar or grows continuously without stabilizing, configuration scope is too broad. Check for high values in istio_pilot_xds_eds_instances indicating too many endpoints being tracked.

Recommended action:

Implement Sidecar resources to limit configuration scope per namespace. Configure egress hosts to only include services the application actually communicates with. Review VirtualService and DestinationRule configurations to remove unused routes. Scale down sidecar memory requests if possible after scoping, or increase limits temporarily while fixing configuration.