Istio Cheatsheet

Top commands.

Overview

Istio adds a uniform layer of traffic management, security, and observability to Kubernetes workloads via Envoy sidecars. Five primitives carry most operational use: the sidecar proxy itself, VirtualService and DestinationRule for routing, mTLS for service-to-service authentication, the built-in telemetry surface, and istioctl for inspection and validation.

• Sidecar proxy. Envoy attached to every pod. Uniform behaviour across the mesh: retries, timeouts, mTLS, telemetry.
• VirtualService and DestinationRule. Routing rules and traffic policies. Path, host, header, and weight-based routing without app changes.
• Automatic mTLS. Service-to-service mutual TLS by default. Zero-trust networking inside the cluster comes free.
• Telemetry plus istioctl. Prometheus metrics, distributed traces, access logs uniform across services; istioctl for validation and inspection.

The approach

Five commands carry most operational weight. Memorising them moves the team from staring at sidecars to debugging mesh configuration confidently.

• istioctl analyze. Validate mesh configuration before applying. Catches conflicts and missing references.
• istioctl proxy-status. Show sidecar sync status. Stale-config issues surface quickly.
• istioctl proxy-config. Inspect what an Envoy sidecar is actually doing. The debugging command of last resort.
• VirtualService for routing plus PeerAuthentication for mTLS. Path, host, and header routing for canaries; per-namespace mTLS policy for zero-trust enforcement.

Why this compounds

Each service that joins the mesh inherits the same observability, security, and traffic-management primitives. The team’s networking expertise deepens uniformly; new services drop into the existing patterns instead of recreating them.

• Uniform observability. Metrics, traces, and logs identical shape across services. Investigation reaches the same dashboards every time.
• Security by default. mTLS everywhere shrinks the attack surface for east-west traffic.
• Traffic management without code changes. VirtualService changes apply without redeploys. Canary and rollback patterns live in YAML.
• Year-one investment, year-two habit. First year is heavy lift. By year two, mesh patterns are settled and onboarding new services is routine.