--- title: "Istio Service Mesh: Traffic Management, Security, and Observability" description: "Install Istio on Kubernetes, configure traffic routing with VirtualServices and DestinationRules, enforce mTLS, set authorization policies, and integrate observability tools." url: https://agent-zone.ai/knowledge/kubernetes/istio-service-mesh/ section: knowledge date: 2026-02-22 categories: ["kubernetes"] tags: ["istio","service-mesh","traffic-management","mtls","observability"] skills: ["istio-installation","traffic-routing","mtls-configuration","canary-deployment"] tools: ["istioctl","helm","kubectl"] levels: ["intermediate"] word_count: 662 formats: json: https://agent-zone.ai/knowledge/kubernetes/istio-service-mesh/index.json html: https://agent-zone.ai/knowledge/kubernetes/istio-service-mesh/?format=html api: https://api.agent-zone.ai/api/v1/knowledge/search?q=Istio+Service+Mesh%3A+Traffic+Management%2C+Security%2C+and+Observability --- # Istio Service Mesh Istio adds a proxy sidecar (Envoy) to every pod in the mesh. These proxies handle traffic routing, mutual TLS, retries, circuit breaking, and telemetry without changing application code. The control plane (istiod) pushes configuration to all sidecars. ## When You Actually Need a Service Mesh You need Istio when you have multiple services requiring mTLS, fine-grained traffic control (canary releases, fault injection), or consistent observability across service-to-service communication. If you have fewer than five services, standard Kubernetes Services and NetworkPolicies are sufficient. A service mesh adds operational complexity -- more moving parts, higher memory usage per sidecar, and a learning curve for proxy-level debugging. ## Installation ### istioctl (Recommended for Getting Started) ```bash istioctl install --set profile=demo -y ``` Profiles: `minimal` (just istiod), `default` (istiod + ingress gateway), `demo` (everything). Use `default` for production. ### Helm (Better for GitOps) ```bash helm repo add istio https://istio-release.storage.googleapis.com/charts helm upgrade --install istio-base istio/base \ --namespace istio-system --create-namespace helm upgrade --install istiod istio/istiod \ --namespace istio-system --wait helm upgrade --install istio-ingress istio/gateway \ --namespace istio-ingress --create-namespace ``` ### Istio Operator ```yaml apiVersion: install.istio.io/v1alpha1 kind: IstioOperator metadata: name: istio-control-plane namespace: istio-system spec: profile: default meshConfig: accessLogFile: /dev/stdout ``` ## Sidecar Injection Label the namespace for automatic injection. Existing pods must be restarted afterward. ```bash kubectl label namespace payments istio-injection=enabled kubectl rollout restart deployment -n payments ``` For selective injection, use manual mode: ```bash kubectl apply -f <(istioctl kube-inject -f deployment.yaml) ``` ## Traffic Management VirtualService defines routing rules. DestinationRule defines policies applied after routing (load balancing, connection pool, outlier detection). ```yaml apiVersion: networking.istio.io/v1 kind: DestinationRule metadata: name: payments-api namespace: payments spec: host: payments-api subsets: - name: v1 labels: version: v1 - name: v2 labels: version: v2 --- apiVersion: networking.istio.io/v1 kind: VirtualService metadata: name: payments-api namespace: payments spec: hosts: - payments-api http: - route: - destination: host: payments-api subset: v1 weight: 90 - destination: host: payments-api subset: v2 weight: 10 retries: attempts: 3 perTryTimeout: 2s retryOn: "5xx,reset,connect-failure" ``` Both subsets point to the same Kubernetes Service but select different pod labels. Your v2 Deployment must have `version: v2` in its pod labels. ### Canary Release Workflow 1. Deploy the new version alongside the old one with a different `version` label. 2. Create a DestinationRule with subsets for both versions. 3. Shift VirtualService weights gradually: 95/5, 80/20, 50/50, then 100 to the new version. 4. Monitor error rates at each step. Roll back by shifting weight to v1. ```bash kubectl patch virtualservice payments-api -n payments --type merge -p ' spec: http: - route: - destination: host: payments-api subset: v1 weight: 50 - destination: host: payments-api subset: v2 weight: 50' ``` ## Mutual TLS (mTLS) PeerAuthentication controls mTLS. With `STRICT`, only mTLS connections are accepted -- pods outside the mesh cannot reach pods inside. Use `PERMISSIVE` during migration. ```yaml apiVersion: security.istio.io/v1 kind: PeerAuthentication metadata: name: default namespace: payments spec: mtls: mode: STRICT ``` Apply in `istio-system` namespace to enforce mesh-wide. ## Authorization Policies L7 access control -- the service mesh equivalent of NetworkPolicies but with HTTP method and path awareness. ```yaml apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata: name: payments-api-policy namespace: payments spec: selector: matchLabels: app: payments-api action: ALLOW rules: - from: - source: principals: ["cluster.local/ns/frontend/sa/frontend-sa"] to: - operation: methods: ["GET", "POST"] paths: ["/api/payments/*"] - from: - source: principals: ["cluster.local/ns/monitoring/sa/prometheus"] to: - operation: methods: ["GET"] paths: ["/metrics"] ``` The `principals` field uses SPIFFE identities assigned based on service accounts. Everything not explicitly allowed is denied. ## Observability Istio sidecars emit metrics, traces, and access logs automatically. ```bash # Kiali - service mesh dashboard with traffic graph kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.24/samples/addons/kiali.yaml # Jaeger - distributed tracing kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.24/samples/addons/jaeger.yaml # Prometheus + Grafana with pre-built Istio dashboards kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.24/samples/addons/prometheus.yaml kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.24/samples/addons/grafana.yaml ``` For tracing to work across services, your application must propagate trace headers (`x-request-id`, `x-b3-traceid`, etc.). Istio only creates spans at the proxy level. ## Debugging Istio Issues ```bash # Verify proxy configuration across the mesh istioctl proxy-status # Check for configuration conflicts istioctl analyze -n payments # View Envoy access logs kubectl logs -c istio-proxy -n payments ``` The most common issue is sidecar not being injected -- verify the namespace label and that pods were restarted. The second most common is VirtualService host not matching the actual Kubernetes Service name.