alexsusanu@docs:Istio - Service Mesh Overview $
alexsusanu@docs
:~$ cat Istio - Service Mesh Overview.md

HomeNOTES → Istio - Service Mesh Overview

Istio - Service Mesh Overview

category: Kubernetes
tags: istio, service-mesh, kubernetes, microservices, security, observability

Main Topic 1

Istio is an open-source service mesh that helps manage service-to-service communication within a Kubernetes cluster (and beyond). It provides advanced traffic control, security, and observability without requiring changes to the application code.

Subtopic A: What is a Service Mesh?

  • Definition - A service mesh is a dedicated infrastructure layer that handles communication between microservices.
  • Purpose - Offloads operational complexities such as retries, monitoring, encryption, and policy enforcement from your application logic.

Subtopic B: Core Features of Istio

  • Traffic Management - Fine-grained control over traffic routing, including load balancing, A/B testing, and canary deployments.
  • Security - Automatic mTLS encryption, authentication, and authorization policies.
  • Observability - Built-in support for telemetry data collection, distributed tracing, and metrics.
  • Policy Enforcement - Centralized configuration to enforce security and resource policies.

Main Topic 2

Code Example (if applicable)

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
  - my-service
  http:
  - route:
    - destination:
        host: my-service
        subset: v1
      weight: 80
    - destination:
        host: my-service
        subset: v2
      weight: 20

This VirtualService routes 80% of traffic to version v1 and 20% to version v2.

Commands (if applicable)

# Enable automatic sidecar injection
kubectl label namespace default istio-injection=enabled

# Apply configuration
kubectl apply -f virtual-service.yaml

Key Concepts Summary

  • Sidecar Proxy - Envoy proxy is injected into each pod to intercept traffic.
  • Istiod - Control plane that manages configuration and certificates.
  • VirtualService & DestinationRule - Istio CRDs to control traffic routing.
  • Telemetry - Collected automatically via sidecars.
  • mTLS - Mutual TLS for encrypted communication.

Best Practices / Tips

  1. Start small - Apply Istio to a small subset of services first.
  2. Monitor resource usage - Sidecars can increase memory and CPU overhead.
  3. Use Kiali and Grafana - Visualize traffic and monitor telemetry data.
  4. Understand CRDs - Learn Istio-specific resources like Gateway, VirtualService, etc.
  5. Secure by default - Enable mTLS cluster-wide for secure communication.
Last updated: 2025-08-26 20:00 UTC