Istio is the most popular service mesh for Kubernetes. It adds traffic management, security (mTLS), and observability to your microservices without changing application code.
What You Get for Free
- mTLS everywhere — automatic encryption between all services
- Traffic management — canary deploys, A/B testing, circuit breakers
- Observability — distributed tracing, metrics, access logs
- Rate limiting — protect services from overload
- Authorization policies — fine-grained access control
- Fault injection — test resilience without code changes
Install
```bash
istioctl install --set profile=demo -y
kubectl label namespace default istio-injection=enabled
```
Every pod in labeled namespaces gets an Envoy sidecar automatically.
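Added example (not from the original post) for the mTLS and authorization-policy features listed above: Istio's default mTLS mode is PERMISSIVE, so sidecars still accept plaintext until a STRICT PeerAuthentication is applied, and no AuthorizationPolicy exists until you create one. Assumptions: the mesh root namespace is `istio-system`, and the `app: my-service` label and the `frontend` service account are hypothetical names.

```yaml
# Mesh-wide: require mTLS for all sidecar-to-sidecar traffic.
# Without this, the default mode is PERMISSIVE (plaintext is still accepted).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # assumed root namespace of the mesh
spec:
  mtls:
    mode: STRICT
---
# Workload-level: only the frontend identity may call my-service, and only with GET.
# Once an ALLOW policy selects a workload, requests that match no rule are denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-service-allow-frontend   # hypothetical policy name
  namespace: default
spec:
  selector:
    matchLabels:
      app: my-service               # hypothetical workload label
  action: ALLOW
  rules:
  - from:
    - source:
        # Identity taken from the caller's mTLS certificate (hypothetical service account)
        principals: ["cluster.local/ns/default/sa/frontend"]
    to:
    - operation:
        methods: ["GET"]
```

Apply STRICT only after every client of the workload has a sidecar, because plaintext callers are rejected once it takes effect.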
Traffic Splitting (Canary)
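```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts: [my-service]
  http:
  - route:
    # 90% of requests go to the stable version
    - destination:
        host: my-service
        subset: v1
      weight: 90
    # 10% of requests go to the canary
    - destination:
        host: my-service
        subset: v2
      weight: 10
# The v1 and v2 subsets must be defined in a DestinationRule for my-service.
```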
Istio vs Linkerd
| Feature | Istio | Linkerd |
|---|---|---|
| Complexity | Higher | Lower |
| Features | More complete | Lighter |
| Resources | Heavier | Lighter |
Tips
- Try ambient mesh (no sidecars) in Istio 1.22+
- Use Kiali for visualization
- Enable access logging only in staging