Source from repo
Kubernetes Specialist

Deploy and manage Kubernetes workloads: manifests, RBAC, Helm charts, service mesh, GitOps, and troubleshooting.
jeffallanGitHub jeffallanSource repo Original GitHub link Publisher page
Files
Skill
n/a
Size
129.5 KB
Entrypoint
SKILL.md
Format
git-repo
Open file
references/service-mesh.md

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
markdown460 linesFree
references/service-mesh.md
1# Service Mesh
2 
3---
4 
5## Istio Installation
6 
7```bash
8# Install Istio CLI
9curl -L https://istio.io/downloadIstio | sh -
10export PATH=$PWD/istio-*/bin:$PATH
11 
12# Install Istio with default profile
13istioctl install --set profile=default -y
14 
15# Enable sidecar injection for namespace
16kubectl label namespace production istio-injection=enabled
17 
18# Verify installation
19istioctl verify-install
20kubectl get pods -n istio-system
21```
22 
23## Istio Profiles
24 
25```bash
26# Minimal - only control plane
27istioctl install --set profile=minimal
28 
29# Default - control plane + ingress gateway
30istioctl install --set profile=default
31 
32# Demo - includes egress gateway, extra features
33istioctl install --set profile=demo
34 
35# Production - tuned for production
36istioctl install --set profile=default \
37  --set values.global.proxy.resources.requests.cpu=100m \
38  --set values.global.proxy.resources.requests.memory=128Mi \
39  --set values.global.proxy.resources.limits.cpu=500m \
40  --set values.global.proxy.resources.limits.memory=256Mi
41```
42 
43## VirtualService
44 
45```yaml
46apiVersion: networking.istio.io/v1beta1
47kind: VirtualService
48metadata:
49  name: myapp
50  namespace: production
51spec:
52  hosts:
53    - myapp
54    - myapp.example.com
55  gateways:
56    - mesh                    # Internal mesh traffic
57    - myapp-gateway           # External gateway
58  http:
59    # Route based on headers
60    - match:
61        - headers:
62            x-version:
63              exact: "v2"
64      route:
65        - destination:
66            host: myapp
67            subset: v2
68 
69    # Canary release (90/10 split)
70    - match:
71        - uri:
72            prefix: /api
73      route:
74        - destination:
75            host: myapp
76            subset: v1
77          weight: 90
78        - destination:
79            host: myapp
80            subset: v2
81          weight: 10
82 
83    # Default route
84    - route:
85        - destination:
86            host: myapp
87            subset: v1
88      timeout: 30s
89      retries:
90        attempts: 3
91        perTryTimeout: 10s
92        retryOn: connect-failure,refused-stream,503
93```
94 
95## DestinationRule
96 
97```yaml
98apiVersion: networking.istio.io/v1beta1
99kind: DestinationRule
100metadata:
101  name: myapp
102  namespace: production
103spec:
104  host: myapp
105  trafficPolicy:
106    connectionPool:
107      tcp:
108        maxConnections: 100
109        connectTimeout: 5s
110      http:
111        h2UpgradePolicy: UPGRADE
112        http1MaxPendingRequests: 100
113        http2MaxRequests: 1000
114        maxRequestsPerConnection: 100
115    loadBalancer:
116      simple: LEAST_REQUEST
117    outlierDetection:
118      consecutive5xxErrors: 5
119      interval: 10s
120      baseEjectionTime: 30s
121      maxEjectionPercent: 50
122  subsets:
123    - name: v1
124      labels:
125        version: v1
126      trafficPolicy:
127        loadBalancer:
128          simple: ROUND_ROBIN
129    - name: v2
130      labels:
131        version: v2
132```
133 
134## Gateway
135 
136```yaml
137apiVersion: networking.istio.io/v1beta1
138kind: Gateway
139metadata:
140  name: myapp-gateway
141  namespace: production
142spec:
143  selector:
144    istio: ingressgateway
145  servers:
146    - port:
147        number: 80
148        name: http
149        protocol: HTTP
150      hosts:
151        - myapp.example.com
152      tls:
153        httpsRedirect: true
154    - port:
155        number: 443
156        name: https
157        protocol: HTTPS
158      hosts:
159        - myapp.example.com
160      tls:
161        mode: SIMPLE
162        credentialName: myapp-tls-secret
163```
164 
165## Traffic Mirroring (Shadow Traffic)
166 
167```yaml
168apiVersion: networking.istio.io/v1beta1
169kind: VirtualService
170metadata:
171  name: myapp-mirror
172  namespace: production
173spec:
174  hosts:
175    - myapp
176  http:
177    - route:
178        - destination:
179            host: myapp
180            subset: v1
181      mirror:
182        host: myapp
183        subset: v2
184      mirrorPercentage:
185        value: 100.0
186```
187 
188## mTLS Configuration
189 
190```yaml
191# Strict mTLS for namespace
192apiVersion: security.istio.io/v1beta1
193kind: PeerAuthentication
194metadata:
195  name: default
196  namespace: production
197spec:
198  mtls:
199    mode: STRICT
200---
201# Per-workload mTLS
202apiVersion: security.istio.io/v1beta1
203kind: PeerAuthentication
204metadata:
205  name: legacy-service
206  namespace: production
207spec:
208  selector:
209    matchLabels:
210      app: legacy-service
211  mtls:
212    mode: PERMISSIVE  # Allow both mTLS and plaintext
213---
214# Mesh-wide mTLS policy
215apiVersion: security.istio.io/v1beta1
216kind: PeerAuthentication
217metadata:
218  name: default
219  namespace: istio-system
220spec:
221  mtls:
222    mode: STRICT
223```
224 
225## Authorization Policy
226 
227```yaml
228apiVersion: security.istio.io/v1beta1
229kind: AuthorizationPolicy
230metadata:
231  name: myapp-authz
232  namespace: production
233spec:
234  selector:
235    matchLabels:
236      app: myapp
237  action: ALLOW
238  rules:
239    # Allow from specific service accounts
240    - from:
241        - source:
242            principals:
243              - "cluster.local/ns/production/sa/frontend"
244              - "cluster.local/ns/production/sa/api-gateway"
245      to:
246        - operation:
247            methods: ["GET", "POST"]
248            paths: ["/api/*"]
249 
250    # Allow health checks from anywhere
251    - to:
252        - operation:
253            methods: ["GET"]
254            paths: ["/health", "/ready"]
255 
256    # Deny all other traffic (implicit deny when rules exist)
257```
258 
259## Circuit Breaker
260 
261```yaml
262apiVersion: networking.istio.io/v1beta1
263kind: DestinationRule
264metadata:
265  name: myapp-circuit-breaker
266  namespace: production
267spec:
268  host: myapp
269  trafficPolicy:
270    connectionPool:
271      tcp:
272        maxConnections: 50
273      http:
274        http1MaxPendingRequests: 100
275        http2MaxRequests: 100
276        maxRequestsPerConnection: 10
277    outlierDetection:
278      consecutive5xxErrors: 3
279      interval: 10s
280      baseEjectionTime: 30s
281      maxEjectionPercent: 100
282      minHealthPercent: 0
283```
284 
285## Fault Injection (Testing)
286 
287```yaml
288apiVersion: networking.istio.io/v1beta1
289kind: VirtualService
290metadata:
291  name: myapp-fault
292  namespace: production
293spec:
294  hosts:
295    - myapp
296  http:
297    - match:
298        - headers:
299            x-test-fault:
300              exact: "inject"
301      fault:
302        delay:
303          percentage:
304            value: 50
305          fixedDelay: 5s
306        abort:
307          percentage:
308            value: 10
309          httpStatus: 503
310      route:
311        - destination:
312            host: myapp
313    - route:
314        - destination:
315            host: myapp
316```
317 
318## Linkerd Installation
319 
320```bash
321# Install Linkerd CLI
322curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
323export PATH=$HOME/.linkerd2/bin:$PATH
324 
325# Validate cluster
326linkerd check --pre
327 
328# Install CRDs
329linkerd install --crds | kubectl apply -f -
330 
331# Install control plane
332linkerd install | kubectl apply -f -
333 
334# Check installation
335linkerd check
336 
337# Enable injection for namespace
338kubectl annotate namespace production linkerd.io/inject=enabled
339 
340# Inject existing deployments
341kubectl get deploy -n production -o yaml | linkerd inject - | kubectl apply -f -
342```
343 
344## Linkerd Service Profile
345 
346```yaml
347apiVersion: linkerd.io/v1alpha2
348kind: ServiceProfile
349metadata:
350  name: myapp.production.svc.cluster.local
351  namespace: production
352spec:
353  routes:
354    - name: GET /api/users
355      condition:
356        method: GET
357        pathRegex: /api/users
358      responseClasses:
359        - condition:
360            status:
361              min: 500
362              max: 599
363          isFailure: true
364      timeout: 5s
365 
366    - name: POST /api/orders
367      condition:
368        method: POST
369        pathRegex: /api/orders
370      isRetryable: true
371      timeout: 10s
372 
373  retryBudget:
374    retryRatio: 0.2
375    minRetriesPerSecond: 10
376    ttl: 10s
377```
378 
379## Linkerd Traffic Split (Canary)
380 
381```yaml
382apiVersion: split.smi-spec.io/v1alpha1
383kind: TrafficSplit
384metadata:
385  name: myapp-canary
386  namespace: production
387spec:
388  service: myapp
389  backends:
390    - service: myapp-v1
391      weight: 900m    # 90%
392    - service: myapp-v2
393      weight: 100m    # 10%
394```
395 
396## Multi-Cluster Mesh (Istio)
397 
398```yaml
399# Primary cluster - create remote secret
400istioctl x create-remote-secret \
401  --context=cluster1 \
402  --name=cluster1 | kubectl apply -f - --context=cluster2
403 
404# Enable endpoint discovery
405apiVersion: install.istio.io/v1alpha1
406kind: IstioOperator
407spec:
408  values:
409    global:
410      meshID: mesh1
411      multiCluster:
412        clusterName: cluster1
413      network: network1
414```
415 
416## Kiali Dashboard
417 
418```bash
419# Install Kiali
420kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.20/samples/addons/kiali.yaml
421 
422# Access dashboard
423istioctl dashboard kiali
424```
425 
426## Jaeger Tracing
427 
428```bash
429# Install Jaeger
430kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.20/samples/addons/jaeger.yaml
431 
432# Access dashboard
433istioctl dashboard jaeger
434```
435 
436## Service Mesh Comparison
437 
438| Feature | Istio | Linkerd |
439|---------|-------|---------|
440| Sidecar | Envoy | linkerd2-proxy (Rust) |
441| Resource usage | Higher | Lower |
442| Features | More extensive | Focused/simpler |
443| mTLS | Built-in | Built-in |
444| Traffic management | Advanced | Basic (SMI) |
445| Multi-cluster | Native support | Requires setup |
446| Learning curve | Steeper | Gentler |
447 
448## Best Practices
449 
4501. **Start with permissive mTLS**, migrate to strict gradually
4512. **Use circuit breakers** to prevent cascade failures
4523. **Set reasonable timeouts** and retry budgets
4534. **Enable distributed tracing** for observability
4545. **Test with fault injection** before production
4556. **Monitor sidecar resource usage** and tune accordingly
4567. **Use traffic mirroring** to validate new versions safely
4578. **Implement authorization policies** for zero-trust
4589. **Keep service mesh version updated** for security patches
45910. **Document traffic routing decisions** in VirtualServices
460
Preparing the source view

Kubernetes Specialist

references/service-mesh.md
