Recipe
Istio Service Mesh
Deploy a zero-trust service mesh with mTLS, traffic splitting, and observability across your Kubernetes clusters.
Prerequisites
- Kubernetes 1.26+ cluster with admin access
- istioctl CLI installed and in PATH
- Helm 3.12+ for optional addon management
Step 1 — Install Istio
istioctl install --set profile=default -y
The default profile installs istiod (the control plane, which since Istio 1.5 consolidates the older Pilot, Citadel and Galley components into one deployment) and the istio-ingressgateway. Next, label the namespace so the sidecar injector adds an Envoy proxy to every pod created there; pods that are already running are not injected until they are recreated (for example with kubectl rollout restart).
kubectl label namespace default istio-injection=enabled
Step 2 — Enforce mTLS
Apply a PeerAuthentication policy named default in the root namespace (istio-system) to require mutual TLS mesh-wide. STRICT rejects every plaintext connection, so any client still outside the mesh (a pod without a sidecar, a legacy VM, an out-of-cluster probe) loses access the moment it is applied; on a live cluster roll out with mode PERMISSIVE first, confirm in the telemetry that no plaintext traffic remains, then switch to STRICT.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
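The staged rollout described above, as an added example that is not part of the original recipe: the mesh-wide STRICT default, a namespace-scoped PERMISSIVE exception for workloads still reached by non-mesh clients, and a workload-scoped exception that keeps STRICT for application traffic but accepts plaintext on one port. The namespace name legacy, the app label myapp and port 8080 are assumptions for illustration.

```yaml
# Mesh-wide default: only mTLS connections are accepted anywhere in the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Namespace-scoped exception (assumed namespace "legacy") for workloads that
# are still called by clients without a sidecar. PERMISSIVE accepts both mTLS
# and plaintext; delete this object once every caller is in the mesh and the
# namespace falls back to the mesh-wide STRICT policy.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: legacy
spec:
  mtls:
    mode: PERMISSIVE
---
# Workload-scoped exception (assumed label app=myapp, assumed port 8080):
# application traffic stays STRICT, but a port that an out-of-mesh scraper or
# probe reaches directly still accepts plaintext. portLevelMtls is only
# honoured when a selector is present, so this cannot be expressed at
# namespace scope.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: myapp-metrics
  namespace: default
spec:
  selector:
    matchLabels:
      app: myapp
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: PERMISSIVE
```

Precedence is workload-specific policy over namespace policy over the mesh-wide default, so the narrower objects above carve exceptions out of the STRICT baseline rather than replacing it. Treat PERMISSIVE as a migration state with an owner and a removal date, not as a destination: while it is in force an attacker inside the cluster can still talk plaintext to those workloads.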
Step 3 — Traffic Splitting
Route 90% of traffic to the stable version and 10% to a canary release using a VirtualService. The subsets v1 and v2 are not defined by the VirtualService itself: a DestinationRule for the same host must map each subset name to pod labels (typically version: v1 and version: v2), otherwise the proxy has no endpoints for those destinations and requests fail with 503. The weights must sum to 100, and the short host name myapp resolves to the Service of that name in the namespace the VirtualService is applied to.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp
spec:
  hosts:
  - myapp
  http:
  - route:
    - destination:
        host: myapp
        subset: v1
      weight: 90
    - destination:
        host: myapp
        subset: v2
      weight: 10
Step 4 — Observability
Deploy Kiali, Jaeger, and Prometheus addons for dashboards and distributed tracing.
kubectl apply -f samples/addons (run from the unpacked Istio release directory, which contains the samples/ tree; the manifests install into istio-system)
Open Kiali with istioctl dashboard kiali, which port-forwards the dashboard to localhost; the traffic graph it draws needs Prometheus to be scraping the mesh, which the addon manifests set up.
Pro tip: for stateful workloads that need sticky sessions while they migrate onto the mesh, set consistentHash load balancing in the workload's DestinationRule. It needs a hash key (an HTTP header, a cookie, a query parameter, or the client's source IP) and pins each key to one endpoint of the subset the route selected.
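Step 3's VirtualService only works alongside a DestinationRule that defines the v1 and v2 subsets, and the consistentHash setting from the Pro tip lives in that same DestinationRule, so here is one added example covering both (it is not part of the original recipe). It assumes the Service myapp lives in the default namespace, that its pods carry version: v1 and version: v2 labels, and that a cookie named myapp-session is an acceptable hash key.

```yaml
# Defines the subsets the VirtualService routes to and the sticky-session
# policy. Assumed: Service "myapp" in namespace "default", pods labelled
# version=v1 / version=v2, cookie name "myapp-session".
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: myapp
  namespace: default
spec:
  host: myapp.default.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      consistentHash:
        httpCookie:
          name: myapp-session   # assumed cookie; the proxy issues it when absent
          ttl: 3600s            # lifetime of the generated cookie
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
# The canary split from Step 3, using the fully qualified host so the rule
# applies unambiguously regardless of the caller's namespace.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp
  namespace: default
spec:
  hosts:
  - myapp.default.svc.cluster.local
  http:
  - route:
    - destination:
        host: myapp.default.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: myapp.default.svc.cluster.local
        subset: v2
      weight: 10
```

One caveat that matters for the migration use case: the weighted split is evaluated per request before load balancing, and consistent hashing only stabilises the choice of endpoint within whichever subset the route picked. It therefore keeps a session on the same v1 pod (or the same v2 pod), but it does not keep a session on the same version. If a client must stay on one version for the life of its session, route on a cookie or header match in the VirtualService rather than relying on the weights.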