patterntypescriptModerate
Istio service mesh basics: mutual TLS and traffic management without code changes
Viewed 0 times
Istio 1.20+
istioservice meshenvoymutual tlsmtlsvirtual servicedestination rulecanarytraffic management
Error Messages
Problem
Encrypting inter-service traffic, enforcing retry policies, and doing canary deployments requires coordinating changes across every service team. There is no consistent enforcement layer.
Solution
Deploy Istio. The control plane (istiod) pushes configuration to Envoy sidecars. Define VirtualService for traffic routing and PeerAuthentication for mTLS — no application code changes required.
# Canary: send 10% of traffic to v2
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: payment-vs
spec:
hosts: [payment-svc]
http:
- route:
- destination: {host: payment-svc, subset: v1}
weight: 90
- destination: {host: payment-svc, subset: v2}
weight: 10Why
The data plane (Envoy) handles retries, timeouts, mTLS, and observability transparently. Teams focus on business logic, the platform team owns the mesh policy.
Gotchas
- Istio adds latency per hop (typically 1-3 ms) — measure before and after installation
- The learning curve for CRDs (VirtualService, DestinationRule, ServiceEntry) is steep — start with a small subset of features
- Sidecar injection must be enabled per namespace with label
istio-injection: enabled - DestinationRule subsets must match pod labels exactly — a typo results in 503s with no obvious error
Context
Platform or SRE teams managing multiple microservices on Kubernetes needing consistent policy enforcement
Revisions (0)
No revisions yet.