Service Mesh

Status

Master Plan - Comprehensive init.md complete, ready for SKILL.md implementation

Service meshes provide foundational infrastructure for cloud-native applications with zero-trust security, advanced traffic control, and observability. This skill covers Istio, Linkerd, and Cilium patterns for production deployments.

Scope

This skill teaches:

Architecture Decisions - Sidecar vs sidecar-less (ambient mode, eBPF)
Security Patterns - mTLS, authorization policies, zero-trust architecture
Traffic Management - Routing, retries, timeouts, circuit breaking
Progressive Delivery - Canary deployments, blue/green, A/B testing
Observability Integration - Prometheus, Jaeger, Grafana
Multi-Cluster Scenarios - Cross-cluster communication, mesh federation
Gateway Configuration - Ingress/egress patterns

Key Components

Service Mesh Comparison (2025)

Istio

Architecture: Control plane (Istiod) + Data plane (Envoy sidecars or ambient ztunnel)
Maturity: Enterprise-grade, production-proven
Performance: 166% latency increase (sidecar mTLS), 8% with ambient mode
Ambient Mode: Now stable, L4 ztunnel + optional L7 waypoint proxies
Best For: Feature-rich requirements, enterprise compliance, multi-cloud
Context7: 7,796 code snippets, Trust Score: 91/100

Linkerd

Architecture: Control plane + Rust-based micro-proxies (linkerd2-proxy)
Maturity: Production-ready, simplicity-focused
Performance: 33% latency increase (lowest sidecar overhead)
Best For: Small-medium teams, simplicity, low resource consumption
Context7: 2,457 code snippets, Trust Score: High

Cilium

Architecture: eBPF-based, sidecar-less by design
Maturity: Growing adoption, eBPF-native networking
Performance: 99% latency increase (eBPF overhead vs sidecar)
Best For: Kernel-level performance, advanced networking, future-proof eBPF
Context7: 4,511 code snippets, Trust Score: 83.5/100

Architecture Trends (2025)

Sidecar-less is Growing:

Istio Ambient Mode: L4 security via ztunnel (per-node), L7 via waypoint (optional)
Cilium: Native sidecar-less using eBPF in kernel
Performance: Ambient mode reduces latency from 166% to 8% (Istio)
Resource Efficiency: No sidecar = lower CPU/memory per pod

When to Use:

Sidecar: Per-pod isolation, fine-grained L7 control, legacy compatibility
Sidecar-less: Lower overhead, simpler operations, kernel-level performance

Security Best Practices

Zero-Trust Architecture:

Never trust, always verify every request
Default-deny authorization policies
Identity-based access control (not IP-based)
Micro-segmentation at service level

mTLS Configuration:

Automatic mTLS: Service mesh handles cert lifecycle
Strict mode: Reject plaintext connections
Certificate rotation: Automate with cert-manager or mesh CA
SPIFFE/SPIRE: Industry standard for workload identity

Authorization Policies:

Least privilege: Grant minimum required permissions
Granular policies: Namespace, workload, route-level controls
Mesh-wide defaults: Start with deny-all, add allow rules
Audit logging: Track policy violations and access patterns

Traffic Management Patterns

Istio Patterns:

VirtualService: L7 routing rules (path, headers, weights)
DestinationRule: Traffic policies (connection pools, circuit breakers, TLS)
Gateway: Ingress/egress control
ServiceEntry: External service integration

Progressive Delivery:

Canary: Gradual traffic shift (10% → 50% → 100%)
Blue/Green: Instant switch between versions
A/B Testing: Header/cookie-based routing
Traffic Mirroring: Shadow traffic for testing

Decision Framework

Which Service Mesh?

Team size & experience?
  Small team / new to mesh → Linkerd (simplicity)
  Large team / enterprise → Istio (features)

Performance critical?
  YES → Sidecar-less needed?
          YES → Cilium (eBPF) OR Istio Ambient
          NO → Linkerd (lowest sidecar overhead)

Feature requirements?
  Basic (mTLS, routing) → Linkerd
  Advanced (WAF, complex routing) → Istio
  Network-level control → Cilium

Future-proofing?
  YES → eBPF-native → Cilium
        OR Istio Ambient (sidecar-less evolution)

Sidecar vs Sidecar-less?

Per-pod isolation required?
  YES → Sidecar (Istio traditional, Linkerd)

Low latency critical?
  YES → Sidecar-less (Istio Ambient, Cilium)

Resource constraints?
  YES → Sidecar-less (lower memory/CPU)

Complex L7 policies?
  YES → Sidecar OR Ambient waypoint (optional L7)

Tool Recommendations

Service Mesh Options

Mesh	Architecture	Latency Overhead	Best For
Istio Ambient	Sidecar-less (ztunnel)	8%	Low overhead, enterprise features
Linkerd	Rust sidecars	33%	Simplicity, lightweight
Cilium	eBPF (sidecar-less)	99%	Kernel-level, advanced networking
Istio Sidecar	Envoy sidecars	166%	Legacy, fine-grained L7

Observability Stack

Metrics: Prometheus + Grafana Tracing: Jaeger or Zipkin Logs: Fluentd or Loki Visualization: Kiali (Istio), Linkerd Viz, Hubble (Cilium)

Integration Points

With Other Skills:

operating-kubernetes - Cluster setup, network policies, ingress
security-hardening - mTLS, certificate management, zero-trust
implementing-observability - Distributed tracing, metrics, logging
load-balancing-patterns - Traffic routing, global load balancing
writing-infrastructure-code - Helm charts, Terraform for mesh deployment

Workflow Example:

K8s Cluster → Service Mesh → Applications
     │             │              │
     ▼             ▼              ▼
  Deploy       Configure      Automatic
  Istio/       mTLS +          mTLS,
  Linkerd/     policies        routing,
  Cilium                       observability

Learn More

Full Master Plan (init.md)
Related: operating-kubernetes, security-hardening, implementing-observability

Scope​

Key Components​

Service Mesh Comparison (2025)​

Architecture Trends (2025)​

Security Best Practices​

Traffic Management Patterns​

Decision Framework​

Tool Recommendations​

Service Mesh Options​

Observability Stack​

Integration Points​

Learn More​