Istio Service Mesh

Istio: enough to see what mesh does; not enough to operate one.

Step 1: Install Istio

The demo profile is the right starting point. It enables every feature for learning; production profiles strip back what you do not use.

• Install. istioctl install --set profile=demo deploys the control plane and ingress gateway.
• Wait. Pods come up across istio-system; expect 30 to 90 seconds depending on cluster size.
• Label namespace. kubectl label namespace default istio-injection=enabled turns on automatic sidecar injection.
• Verify. istioctl verify-install confirms the mesh is healthy before you deploy workloads.

Step 2: Deploy bookinfo

• kubectl apply -f bookinfo.yaml (sample app from Istio docs).
• Pods come up with sidecars (2 containers each).

Step 3: Observe traffic

The mesh's value lands when you watch traffic graphed live. Kiali is the canonical dashboard; Grafana and Jaeger plug in alongside.

• Kiali. istioctl dashboard kiali opens the live service graph; nodes are services, edges are calls.
• mTLS visibility. Lock icons on edges show mTLS is active between sidecars; missing locks signal misconfiguration.
• Latency overlay. Per-edge p50/p99 show which call paths dominate the request budget.
• Tracing. Sidecars emit spans; Jaeger or Tempo stitches them into end-to-end traces with no app code change.

Step 4: Apply policy

Mesh policy is declarative YAML applied through kubectl. Two policies cover most early use cases: mTLS strict and traffic shifting.

• mTLS strict. kubectl apply -f mtls-strict.yaml rejects plaintext traffic between meshed services.
• Traffic shifting. A VirtualService routing 10% to v2 and 90% to v1 is the canary primitive.
• AuthorizationPolicy. Allow-list which services can call which; default-deny is the production posture.
• Rollback. kubectl delete on the policy object reverts within seconds; policies are not stateful.

Antipatterns

• Istio in production without ops planning. Steep learning curve.
• Sidecars on stateful workloads. Restart issues.
• Default settings without tuning. Resource overhead.

What to do this week

Three moves. (1) Run the tutorial end-to-end on your own laptop / sandbox. (2) Apply the pattern to one production workload. (3) Document the variations you needed; share with the team.