Mustafa Cavusoglu
Kubernetes

Istio service mesh: traffic management, observability, security and sidecar architecture

Tags: istio, service-mesh, envoy, sidecar, virtualservice, destinationrule, gateway, mtls, traffic-management

Istio Service Mesh

Service mesh for microservices: traffic management, security, and observability.

What is Istio?

Istio adds a sidecar proxy (Envoy) to each pod, providing:

  • Traffic Management: Routing, load balancing, retries, circuit breaking
  • Security: mTLS, authorization policies
  • Observability: Metrics, tracing, logging (without code changes)

Architecture

  • Control Plane (istiod): a single binary that, since Istio 1.5, consolidates Pilot (routing config), Citadel (certs & mTLS) and Galley (config validation)
  • Data Plane: Envoy sidecar proxy injected into each Pod
  • Traffic Flow: Client → Envoy (Pod A) → Envoy (Pod B) → App Container

istiod pushes routing rules and certificates to all Envoy sidecars via xDS API. Envoy intercepts all inbound/outbound traffic transparently.

Installation

# Install istioctl (downloadIstio is a shell script; download and review it first if you do not want to pipe curl straight into sh)
curl -L https://istio.io/downloadIstio | sh -
export PATH=$PWD/istio-*/bin:$PATH

# Install Istio (demo profile: meant for evaluation, not for production clusters)
istioctl install --set profile=demo -y

# Enable sidecar injection for namespace
kubectl label namespace default istio-injection=enabled

# Verify
istioctl verify-install
kubectl get pods -n istio-system

Sidecar Injection

# Automatic (namespace label)
kubectl label namespace my-ns istio-injection=enabled

# Manual injection
istioctl kube-inject -f deployment.yaml | kubectl apply -f -

# Check sidecar: an injected pod lists istio-proxy next to the app container.
# Injection happens at pod creation, so pods that existed before the label was set must be recreated.
kubectl get pods -o jsonpath='{.items[*].spec.containers[*].name}'

Gateway

Entry point for external traffic into the mesh. The Gateway only opens ports on the ingress gateway pods selected by `selector`; a VirtualService bound to it supplies the actual routes. The Secret named by credentialName must exist in the namespace where the ingress gateway runs (istio-system in the demo profile).

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: app-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "api.example.com"
        - "app.example.com"
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: tls-secret
      hosts:
        - "api.example.com"

VirtualService

Defines traffic routing rules. The entries in the http list are evaluated in order and the first rule whose match succeeds wins, so more specific matches must come before the catch-all default route.

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: backend-routing
spec:
  hosts:
    - "api.example.com"
  gateways:
    - app-gateway
  http:
    # Canary: route 90/10
    - match:
        - uri:
            prefix: /api/v2
      route:
        - destination:
            host: backend
            subset: v2
          weight: 10
        - destination:
            host: backend
            subset: v1
          weight: 90

    # Header-based routing (test traffic)
    - match:
        - headers:
            x-env:
              exact: canary
      route:
        - destination:
            host: backend
            subset: v2

    # Default route
    - route:
        - destination:
            host: backend
            subset: v1
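The ordering rule matters in the VirtualService above: a request for /api/v2 that also carries x-env: canary is handled by the weighted 90/10 rule, not by the header rule, because the weighted rule comes first. The simulator below is an added example (not code from this page or from Istio) that evaluates a constructed copy of the backend-routing rules the way Istio does: first matching rule wins, conditions inside one match entry are ANDed, entries in the match list are ORed, and a weighted route picks a destination in proportion to its weight. The `rng` parameter is an assumption that lets the weighted choice be made deterministic.

```python
"""Simulate VirtualService HTTP route selection (added example, not Istio's code)."""
import random
import re

# Constructed copy of the backend-routing VirtualService's http rules
BACKEND_ROUTING = [
    {"match": [{"uri": {"prefix": "/api/v2"}}],                 # canary: 90/10
     "route": [{"destination": {"host": "backend", "subset": "v2"}, "weight": 10},
               {"destination": {"host": "backend", "subset": "v1"}, "weight": 90}]},
    {"match": [{"headers": {"x-env": {"exact": "canary"}}}],     # header-based test traffic
     "route": [{"destination": {"host": "backend", "subset": "v2"}}]},
    {"route": [{"destination": {"host": "backend", "subset": "v1"}}]},   # default route
]


def _string_match(cond, value):
    """Istio StringMatch: exactly one of exact / prefix / regex."""
    if value is None:
        return False
    if "exact" in cond:
        return value == cond["exact"]
    if "prefix" in cond:
        return value.startswith(cond["prefix"])
    if "regex" in cond:
        return re.fullmatch(cond["regex"], value) is not None
    raise ValueError(f"unsupported StringMatch: {cond}")


def _match_entry(entry, path, headers):
    """All conditions inside one match entry must hold (AND)."""
    if "uri" in entry and not _string_match(entry["uri"], path):
        return False
    for name, cond in entry.get("headers", {}).items():
        if not _string_match(cond, headers.get(name.lower())):
            return False
    return True


def select_route(rules, path, headers):
    """Return the route list of the first rule that matches; the entries of a
    rule's match list are ORed. Returns None when no rule matches."""
    headers = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    for rule in rules:
        if "match" not in rule or any(_match_entry(m, path, headers) for m in rule["match"]):
            return rule["route"]
    return None


def pick_destination(route, rng=random.random):
    """Weighted choice among destinations. rng returns a float in [0, 1);
    a single destination without an explicit weight receives all traffic."""
    weights = [d.get("weight", 100 if len(route) == 1 else 0) for d in route]
    total = sum(weights)
    if total <= 0:
        raise ValueError("route has no positive weights")
    threshold = rng() * total
    running = 0
    for dest, weight in zip(route, weights):
        running += weight
        if threshold < running:
            return dest["destination"]["subset"]
    return route[-1]["destination"]["subset"]


def resolve(path, headers, rng=random.random, rules=BACKEND_ROUTING):
    """Subset that a request with this path and these headers is sent to."""
    route = select_route(rules, path, headers)
    return None if route is None else pick_destination(route, rng)


if __name__ == "__main__":
    # Rule order matters: a canary-tagged request to /api/v2 hits the weighted
    # rule first, so 90% of it still lands on v1 despite the x-env header.
    print(resolve("/api/v2/orders", {"x-env": "canary"}, rng=lambda: 0.5))   # v1
    print(resolve("/api/v1/orders", {"x-env": "canary"}))                    # v2
    print(resolve("/healthz", {}))                                           # v1
```

If the header rule is meant to take precedence for all paths, move it above the weighted rule; the simulator makes that effect visible before the change is applied to a cluster.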

DestinationRule

Defines subsets and traffic policies. Subsets select pods by label, and a VirtualService can only route to subsets that a DestinationRule for the same host defines.

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: backend
spec:
  host: backend
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        h2UpgradePolicy: DEFAULT
        http1MaxPendingRequests: 100
    loadBalancer:
      simple: ROUND_ROBIN
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 60s
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2

Retry & Timeout

The timeout bounds the whole request including retries, so attempts × perTryTimeout (3 × 3s) should fit inside it (10s); otherwise later attempts are cut off by the overall deadline.

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: backend
spec:
  hosts:
    - backend
  http:
    - route:
        - destination:
            host: backend
      timeout: 10s
      retries:
        attempts: 3
        perTryTimeout: 3s
        retryOn: 5xx,reset,connect-failure

Circuit Breaker

Outlier detection removes an endpoint from the load-balancing pool once it returns consecutive5xxErrors failures in a row, keeps it out for baseEjectionTime (longer on repeat ejections), and never ejects more than maxEjectionPercent of the pool; the connection pool settings cap concurrency toward the upstream.

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: backend
spec:
  host: backend
  trafficPolicy:
    outlierDetection:
      consecutive5xxErrors: 3
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
    connectionPool:
      tcp:
        maxConnections: 50
      http:
        http1MaxPendingRequests: 50
        http2MaxRequests: 100
        maxRequestsPerConnection: 10
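To see how the four outlierDetection fields interact, here is a simplified simulation, added as an example and not Envoy's or Istio's code. It models only the consecutive-5xx detector: an endpoint's ejection lasts baseEjectionTime multiplied by how many times it has been ejected, unejection is checked only at each interval sweep, and the maxEjectionPercent cap still allows the first ejection (assumptions mirroring Envoy's documented behaviour; Envoy's success-rate and failure-percentage detectors are left out). The endpoint addresses and traffic are constructed.

```python
"""Simplified outlier-detection simulation (added example, not Envoy's code)."""

# Mirrors the circuit-breaker DestinationRule above; durations in seconds
OUTLIER_CFG = {
    "consecutive5xxErrors": 3,
    "interval": 10,
    "baseEjectionTime": 30,
    "maxEjectionPercent": 50,
}


class OutlierDetector:
    """Per-endpoint health for one upstream cluster (one DestinationRule host)."""

    def __init__(self, endpoints, cfg=OUTLIER_CFG):
        self.cfg = cfg
        self.state = {ep: {"streak": 0, "ejected_until": None, "ejections": 0}
                      for ep in endpoints}

    def active_endpoints(self):
        """Endpoints the load balancer may still send traffic to."""
        return [ep for ep, s in self.state.items() if s["ejected_until"] is None]

    def _ejected_count(self):
        return sum(1 for s in self.state.values() if s["ejected_until"] is not None)

    def report(self, endpoint, status, now):
        """Record one response; returns True if this response caused an ejection."""
        s = self.state[endpoint]
        s["streak"] = s["streak"] + 1 if status >= 500 else 0
        if s["ejected_until"] is not None or s["streak"] < self.cfg["consecutive5xxErrors"]:
            return False
        s["streak"] = 0
        ejected = self._ejected_count()
        # Cap: stop ejecting once the ejected share reaches maxEjectionPercent,
        # but the first ejection is always allowed (Envoy's always-eject-one behaviour).
        if ejected > 0 and 100 * ejected / len(self.state) >= self.cfg["maxEjectionPercent"]:
            return False
        s["ejections"] += 1
        s["ejected_until"] = now + self.cfg["baseEjectionTime"] * s["ejections"]
        return True

    def sweep(self, now):
        """Runs every `interval` seconds; returns endpoints whose ejection expired."""
        restored = []
        for ep, s in self.state.items():
            if s["ejected_until"] is not None and now >= s["ejected_until"]:
                s["ejected_until"] = None
                restored.append(ep)
        return restored


def run_scenario():
    """Constructed traffic: three of four endpoints start failing at t=0."""
    det = OutlierDetector(["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"])
    log = {}
    for ep in ["10.0.0.1", "10.0.0.2", "10.0.0.3"]:
        ejected = False
        for _ in range(OUTLIER_CFG["consecutive5xxErrors"]):
            ejected = det.report(ep, 503, now=0)
        log[ep] = ejected            # third failing endpoint stays in: 50% cap reached
    log["active_at_t0"] = det.active_endpoints()
    interval = OUTLIER_CFG["interval"]
    log["restored_by_sweep"] = {t: det.sweep(t) for t in range(interval, 31, interval)}
    # 10.0.0.1 fails again at t=40: its second ejection lasts 2 x baseEjectionTime
    for _ in range(OUTLIER_CFG["consecutive5xxErrors"]):
        det.report("10.0.0.1", 500, now=40)
    log["second_ejection_until"] = det.state["10.0.0.1"]["ejected_until"]
    return log


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The scenario shows the trade-off in maxEjectionPercent: with 50% and four endpoints, the third failing endpoint keeps receiving traffic because ejecting it would leave too little capacity, which is the intended protection against ejecting the whole pool during a shared outage.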

mTLS (Mutual TLS)

A PeerAuthentication named default in the root namespace (istio-system) sets the mesh-wide mode: STRICT makes sidecars reject plaintext, PERMISSIVE accepts both plaintext and mTLS. Namespace-scoped policies override the mesh-wide one, and policies with a workload selector override both.

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT

Authorization Policy

principals are SPIFFE identities taken from the client's mTLS certificate, so a rule keyed on them can never match plaintext traffic. Once a workload has an ALLOW policy, any request that matches none of its rules is denied.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: backend-policy
spec:
  selector:
    matchLabels:
      app: backend
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/default/sa/frontend"]
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/api/*"]
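The interplay between the PeerAuthentication and AuthorizationPolicy sections above is easiest to see by evaluating both against sample requests. The code below is an added example, not code from this page or from Istio. It resolves the effective mTLS mode for a workload (workload selector over namespace over mesh-wide, PERMISSIVE when nothing applies) and then applies the backend-policy rules with ALLOW semantics. Assumptions: only ALLOW-action policies, no port-level mTLS overrides, and the extra PeerAuthentication objects for the legacy namespace and the debug workload are constructed for the scenario; the policy is applied to whichever workload its selector matches, regardless of namespace.

```python
"""Effective PeerAuthentication mode and AuthorizationPolicy evaluation (added example)."""

ROOT_NS = "istio-system"   # root namespace of a default Istio install

# Constructed PeerAuthentication objects; the first mirrors the STRICT policy above
PEER_AUTH_POLICIES = [
    {"metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"metadata": {"name": "default", "namespace": "legacy"},            # constructed
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"metadata": {"name": "debug-endpoint", "namespace": "default"},    # constructed
     "spec": {"selector": {"matchLabels": {"app": "debug"}}, "mtls": {"mode": "DISABLE"}}},
]

# Constructed copy of the backend-policy AuthorizationPolicy spec
BACKEND_POLICY = {
    "selector": {"matchLabels": {"app": "backend"}},
    "rules": [{"from": [{"source": {"principals": ["cluster.local/ns/default/sa/frontend"]}}],
               "to": [{"operation": {"methods": ["GET", "POST"], "paths": ["/api/*"]}}]}],
}


def _selector_matches(selector, labels):
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def effective_mtls_mode(policies, namespace, labels):
    """Most specific policy wins: workload selector > namespace-wide > mesh-wide.
    With no applicable policy Istio's default mode is PERMISSIVE."""
    mode, rank = "PERMISSIVE", -1
    for p in policies:
        ns, spec = p["metadata"]["namespace"], p["spec"]
        if "selector" in spec:
            if ns != namespace or not _selector_matches(spec["selector"], labels):
                continue
            candidate = 2
        elif ns == namespace:
            candidate = 1
        elif ns == ROOT_NS:
            candidate = 0
        else:
            continue
        if candidate > rank:
            mode, rank = spec["mtls"]["mode"], candidate
    return mode


def _path_matches(pattern, path):
    """Istio path patterns: exact, prefix ("/api/*"), suffix ("*.html") or presence ("*")."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return path == pattern


def _source_matches(source, principal):
    principals = source.get("principals")
    if principals is None:            # no principal constraint in this source block
        return True
    # A plaintext request carries no peer certificate: principal is None and never matches.
    return principal is not None and principal in principals


def _operation_matches(op, method, path):
    methods_ok = "methods" not in op or method in op["methods"]
    paths_ok = "paths" not in op or any(_path_matches(p, path) for p in op["paths"])
    return methods_ok and paths_ok


def authorize(policy, principal, method, path):
    """ALLOW semantics: inside a rule, from and to are ANDed and their entries ORed;
    a request is admitted if any rule matches, otherwise denied."""
    for rule in policy["rules"]:
        from_ok = not rule.get("from") or any(_source_matches(s["source"], principal) for s in rule["from"])
        to_ok = not rule.get("to") or any(_operation_matches(t["operation"], method, path) for t in rule["to"])
        if from_ok and to_ok:
            return True
    return False


def decide(namespace, labels, request):
    """request: dict with mtls (bool), principal (SPIFFE id or None), method, path."""
    mode = effective_mtls_mode(PEER_AUTH_POLICIES, namespace, labels)
    if mode == "STRICT" and not request["mtls"]:
        return "rejected-by-mtls"        # the sidecar refuses the plaintext connection
    if not _selector_matches(BACKEND_POLICY["selector"], labels):
        return "allowed"                 # no AuthorizationPolicy selects this workload
    principal = request["principal"] if request["mtls"] else None
    if authorize(BACKEND_POLICY, principal, request["method"], request["path"]):
        return "allowed"
    return "denied-by-authz"


if __name__ == "__main__":
    frontend = "cluster.local/ns/default/sa/frontend"
    print(decide("default", {"app": "backend"}, {"mtls": True, "principal": frontend, "method": "GET", "path": "/api/users"}))
    print(decide("default", {"app": "backend"}, {"mtls": False, "principal": None, "method": "GET", "path": "/api/users"}))
    print(decide("legacy", {"app": "backend"}, {"mtls": False, "principal": None, "method": "GET", "path": "/api/users"}))
```

The legacy-namespace case is the one to notice: PERMISSIVE lets the plaintext connection through the sidecar, but the request then arrives without a principal and is denied by the principal-based rule, so the same AuthorizationPolicy behaves correctly under both modes while the migration to STRICT is still in progress.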

Observability

# Kiali (service mesh dashboard)
istioctl dashboard kiali

# Jaeger (distributed tracing)
istioctl dashboard jaeger

# Grafana (metrics)
istioctl dashboard grafana

# Prometheus
istioctl dashboard prometheus

# Envoy proxy config
istioctl proxy-config routes <pod-name>
istioctl proxy-config clusters <pod-name>
istioctl proxy-config listeners <pod-name>

Debugging

# Analyze mesh config
istioctl analyze

# Check proxy status
istioctl proxy-status

# Debug specific pod
istioctl proxy-config all <pod-name> -o json

# Check mTLS status (authn tls-check exists only in older istioctl releases;
# newer releases show the effective PeerAuthentication with: istioctl x describe pod <pod-name>)
istioctl authn tls-check <pod-name>

# Envoy access logs
kubectl logs <pod-name> -c istio-proxy