Taking a Service Mesh Approach to Kubernetes Runtime Security

The original idea behind service mesh was to add a proxy alongside a running workload. Today, most service meshes in Kubernetes run a dedicated proxy for each workload instance, as an additional container in each pod, in an approach known as the sidecar pattern. This pattern ensures that the proxy does not become a bottleneck and does not introduce a failure domain larger than a single pod. It also allows each proxy to own the identity of its workload, so that the proxies can authenticate one another on the workloads' behalf.

With the sidecar, administrators can offload common network functions such as timeouts, retries and load balancing to the proxy, rather than requiring each separate container to implement those functions on its own.
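The sidecar layout described above, as an added example that is not from the original article or any particular mesh: a pod whose projected service-account token (the workload identity) is mounted only into the proxy container, never into the application container. The pod name, image names, `audience` value and mount path are assumptions chosen for illustration.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: payments            # assumed workload name
  labels:
    app: payments
spec:
  serviceAccountName: payments
  # Do not auto-mount the token into every container; only the proxy gets it below.
  automountServiceAccountToken: false
  volumes:
  - name: workload-identity
    projected:
      sources:
      - serviceAccountToken:
          path: token
          audience: mesh-ca          # assumed audience; set to the mesh's identity issuer
          expirationSeconds: 3600    # short-lived token, rotated by the kubelet
  containers:
  - name: app
    image: example.com/payments:1.0  # placeholder image
    ports:
    - containerPort: 8080
    # No identity volume here: the app only talks to the local proxy and holds no credential.
  - name: mesh-proxy
    image: example.com/mesh-proxy:1.0  # placeholder image
    volumeMounts:
    - name: workload-identity
      mountPath: /var/run/secrets/identity   # assumed path the proxy reads
      readOnly: true
    securityContext:
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

A compromised application container in this layout cannot read the workload identity from its own filesystem; the traffic redirection that sends the app's connections through the proxy is mesh-specific and is not shown here.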