Skill v1.0.1 (current) · majiayu000/claude-skill-registry-data/service-mesh-implementation · automated scan 100/100
Published May 15, 2026 at 07:15 AM · Content hash sha256:d3f11bdd37132a3d... · Git SHA 01042ae58061 · Bump type: patch
Files: SKILL.md (422 lines, 9.1 KB)
version: "1.0.1"
name: service-mesh-implementation
description: Implement service mesh (Istio, Linkerd) for service-to-service communication, traffic management, security, and observability.
Service Mesh Implementation
Overview
Deploy and configure a service mesh to manage microservice communication, enable advanced traffic management, implement security policies, and provide comprehensive observability across distributed systems.
When to Use
- Microservice communication management
- Cross-cutting security policies
- Traffic splitting and canary deployments
- Service-to-service authentication
- Request routing and retries
- Distributed tracing integration
- Circuit breaker patterns
- Mutual TLS between services
Implementation Examples
1. Istio Core Setup
```yaml
# istio-setup.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: istio-system
  # Do not label istio-system for sidecar injection: the control plane must not get sidecars.
---
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-config
  namespace: istio-system
spec:
  # Istio ships no "production" profile; "default" is the production-oriented one.
  profile: default
  revision: "1-13"
  components:
    pilot:
      k8s:
        resources:
          requests:
            cpu: 500m
            memory: 2048Mi
          limits:
            cpu: 2000m
            memory: 4096Mi
        replicaCount: 3
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 2000m
            memory: 1024Mi
        service:
          type: LoadBalancer
          ports:
          - port: 80
            targetPort: 8080
            name: http2
          - port: 443
            targetPort: 8443
            name: https
    egressGateways:
    - name: istio-egressgateway
      enabled: true
  meshConfig:
    enableAutoMTLS: true
    outboundTrafficPolicy:
      # ALLOW_ANY lets sidecars reach any external host; REGISTRY_ONLY restricts egress
      # to services known to the mesh (and ServiceEntries), which is the stricter choice.
      mode: ALLOW_ANY
    accessLogFile: /dev/stdout
    accessLogFormat: |
      [%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%"
      %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT%
      "%DURATION%" "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%"
---
# Enable sidecar injection for the application namespace.
# With a revisioned control plane (spec.revision above) the injector webhook selects
# namespaces by istio.io/rev, not by istio-injection=enabled.
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    istio.io/rev: "1-13"
```
2. Virtual Service and Destination Rule
```yaml
# virtual-service-config.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: api-service
  namespace: production
spec:
  hosts:
  - api-service
  - api-service.production.svc.cluster.local
  http:
  # API v2 for testing. Routes are evaluated in order, so this header match must come
  # before the /api/v1 prefix match or Chrome requests to /api/v1 would never reach it.
  - match:
    - headers:
        user-agent:
          regex: ".*Chrome.*"
    route:
    - destination:
        host: api-service
        subset: v2
    timeout: 30s
  # Canary: 10% to v2, 90% to v1
  - match:
    - uri:
        prefix: /api/v1
    route:
    - destination:
        host: api-service
        subset: v1
      weight: 90
    - destination:
        host: api-service
        subset: v2
      weight: 10
    timeout: 30s
    retries:
      attempts: 3
      perTryTimeout: 10s
  # Default route
  - route:
    - destination:
        host: api-service
        subset: v1
      weight: 100
    timeout: 30s
    retries:
      attempts: 3
      perTryTimeout: 10s
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: api-service
  namespace: production
spec:
  host: api-service
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 100
        maxRequestsPerConnection: 2
        h2UpgradePolicy: UPGRADE
    # Circuit breaking: eject a host after 5 consecutive 5xx responses, re-evaluated every 30s.
    # (Istio's OutlierDetection has no minRequestVolume field; ejection is driven by the counters below.)
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
  subsets:
  - name: v1
    labels:
      version: v1
    trafficPolicy:
      connectionPool:
        http:
          http1MaxPendingRequests: 50
  - name: v2
    labels:
      version: v2
    trafficPolicy:
      connectionPool:
        http:
          http1MaxPendingRequests: 100
```
3. Security Policies
```yaml
# security-config.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # mesh-wide default
spec:
  mtls:
    mode: STRICT   # Enforce mTLS for all workloads
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-service-authz
  namespace: production
spec:
  selector:
    matchLabels:
      app: api-service
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/production/sa/web-service"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/v1/*"]
  # Allow health checks (no "from": any source may call this path)
  - to:
    - operation:
        methods: ["GET"]
        paths: ["/health"]
---
# Validates JWTs presented to api-service. Note that a RequestAuthentication rejects only
# invalid tokens; requests with no token still pass unless an AuthorizationPolicy rule
# requires source.requestPrincipals.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: api-service-authn
  namespace: production
spec:
  selector:
    matchLabels:
      app: api-service
  jwtRules:
  - issuer: https://auth.mycompany.com
    jwksUri: https://auth.mycompany.com/.well-known/jwks.json
    audiences: ["api-service"]   # must be a list
```
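The policies above hide one gap that is easy to miss: RequestAuthentication rejects bad tokens but not absent ones. The lint below is an added example, not part of the skill's own files; it walks the manifests as Python dicts (constructed here to mirror security-config.yaml) and flags that gap, a non-STRICT PeerAuthentication, and ALLOW rules with no source. The function names `audit` and `with_jwt_required` are assumptions of this example.

```python
import copy
from typing import Any, Dict, List

def _selects(policy: Dict[str, Any], ns: str, labels: Dict[str, str]) -> bool:
    # Applies if in the workload's namespace and every matchLabel matches (no selector = whole namespace).
    sel = policy["spec"].get("selector", {}).get("matchLabels", {})
    return policy["metadata"]["namespace"] == ns and all(labels.get(k) == v for k, v in sel.items())

def audit(manifests: List[Dict[str, Any]], ns: str, labels: Dict[str, str]) -> List[str]:
    """Lint the Istio security manifests that apply to one workload; returns findings as strings."""
    kind = lambda k: [m for m in manifests if m["kind"] == k]
    findings: List[str] = []
    # 1. mTLS: any mode other than STRICT still accepts plaintext from non-mesh clients.
    for pa in kind("PeerAuthentication"):
        mode = pa["spec"].get("mtls", {}).get("mode")
        if mode != "STRICT":
            findings.append(f"PeerAuthentication {pa['metadata']['name']}: mtls.mode is {mode}, not STRICT")
    authz = [p for p in kind("AuthorizationPolicy") if _selects(p, ns, labels)]
    # 2. JWT: RequestAuthentication only rejects *invalid* tokens. A request carrying no token
    #    still passes unless some AuthorizationPolicy rule demands source.requestPrincipals.
    requires_jwt = any("requestPrincipals" in f.get("source", {}) for p in authz
                       for r in p["spec"].get("rules", []) for f in r.get("from", []))
    for ra in kind("RequestAuthentication"):
        if _selects(ra, ns, labels) and not requires_jwt:
            findings.append(f"RequestAuthentication {ra['metadata']['name']}: no AuthorizationPolicy rule sets "
                            "requestPrincipals, so requests without a token are still allowed")
    # 3. An ALLOW rule with no 'from' admits any caller (intended for /health, a finding elsewhere).
    for p in [a for a in authz if a["spec"].get("action", "ALLOW") == "ALLOW"]:
        for r in p["spec"].get("rules", []):
            if "from" not in r:
                paths = [t.get("operation", {}).get("paths") for t in r.get("to", [])]
                findings.append(f"AuthorizationPolicy {p['metadata']['name']}: rule with no 'from' allows any source to {paths}")
    return findings

# Constructed to mirror security-config.yaml above; not the registry's own data.
PAGE_MANIFESTS: List[Dict[str, Any]] = [
    {"kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": "istio-system"}, "spec": {"mtls": {"mode": "STRICT"}}},
    {"kind": "AuthorizationPolicy", "metadata": {"name": "api-service-authz", "namespace": "production"},
     "spec": {"selector": {"matchLabels": {"app": "api-service"}}, "action": "ALLOW", "rules": [
         {"from": [{"source": {"principals": ["cluster.local/ns/production/sa/web-service"]}}],
          "to": [{"operation": {"methods": ["GET", "POST"], "paths": ["/api/v1/*"]}}]},
         {"to": [{"operation": {"methods": ["GET"], "paths": ["/health"]}}]}]}},
    {"kind": "RequestAuthentication", "metadata": {"name": "api-service-authn", "namespace": "production"},
     "spec": {"selector": {"matchLabels": {"app": "api-service"}},
              "jwtRules": [{"issuer": "https://auth.mycompany.com", "audiences": ["api-service"]}]}},
]
def with_jwt_required(manifests: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    # Hardened copy: the /api/v1 rule additionally requires a JWT issued by auth.mycompany.com.
    fixed = copy.deepcopy(manifests)
    fixed[1]["spec"]["rules"][0]["from"][0]["source"]["requestPrincipals"] = ["https://auth.mycompany.com/*"]
    return fixed
```

Run `audit(PAGE_MANIFESTS, "production", {"app": "api-service"})` to see the two findings for the page's config; after `with_jwt_required` only the intentional open /health rule remains.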
4. Observability Configuration
```yaml
# observability-config.yaml
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: custom-logging
  namespace: production
spec:
  metrics:
  - providers:
    - name: prometheus
    # The Telemetry API has no "dimensions" field; extra labels are added through
    # tagOverrides, each populated from a request attribute.
    overrides:
    - tagOverrides:
        request_path:
          value: request.path
        response_code:
          value: response.code
        destination_service:
          value: destination.service.name
---
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: custom-tracing
  namespace: production
spec:
  tracing:
  - providers:
    - name: jaeger
    randomSamplingPercentage: 100.0   # lower this for high-traffic systems (see Best Practices)
    useRequestIdForTraceSampling: true
---
# Grafana Dashboard ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-dashboard
  namespace: monitoring
data:
  istio-mesh.json: |
    {
      "dashboard": {
        "title": "Istio Mesh",
        "panels": [
          {"title": "Request Rate",
           "targets": [{"expr": "rate(istio_requests_total[5m])"}]},
          {"title": "Error Rate",
           "targets": [{"expr": "rate(istio_requests_total{response_code=~\"5..\"}[5m])"}]},
          {"title": "Latency P95",
           "targets": [{"expr": "histogram_quantile(0.95, rate(istio_request_duration_milliseconds_bucket[5m]))"}]}
        ]
      }
    }
```
5. Service Mesh Deployment Script
```bash
#!/bin/bash
# deploy-istio.sh - Install and configure Istio
set -euo pipefail

VERSION="1.13.0"
NAMESPACE="istio-system"

echo "Installing Istio $VERSION..."

# Download Istio. The version is pinned via ISTIO_VERSION, but the download script is
# piped straight into sh; review it or mirror the release archive before using this in CI.
if [ ! -d "istio-$VERSION" ]; then
  echo "Downloading Istio..."
  curl -L https://istio.io/downloadIstio | ISTIO_VERSION="$VERSION" sh -
fi

cd "istio-$VERSION"

# Add istioctl to PATH
export PATH="$PWD/bin:$PATH"

# Verify cluster
echo "Verifying cluster compatibility..."
istioctl analyze

# Install Istio ("production" is not a shipped profile; "default" is the production-oriented one)
echo "Installing Istio on cluster..."
istioctl install --set profile=default -y

# Verify installation
echo "Verifying installation..."
kubectl get ns "$NAMESPACE"
kubectl get pods -n "$NAMESPACE"

# Label namespaces for sidecar injection
echo "Configuring sidecar injection..."
kubectl label namespace production istio-injection=enabled --overwrite

# Restart workloads so the injector adds sidecars, then wait for them to become available
echo "Waiting for sidecars to be injected..."
kubectl rollout restart deployment -n production
kubectl wait --for=condition=Available deployment --all -n production --timeout=300s

# Validate injection: every pod in production should now list an istio-proxy container
kubectl get pods -n production -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'

echo "Istio installation complete!"

# Show status
istioctl version
```
Service Mesh Patterns
Traffic Management
- Canary Deployments: Gradually shift traffic
- A/B Testing: Route based on headers
- Circuit Breaking: Fail fast with outlier detection
- Rate Limiting: Control request flow
Security
- mTLS: Mutual authentication
- Authorization Policies: Fine-grained access control
- JWT Validation: Token verification
- Encryption: Automatic in-transit encryption
Best Practices
✅ DO
- Enable mTLS for all workloads
- Implement proper authorization policies
- Use virtual services for traffic management
- Enable distributed tracing
- Monitor resource usage (CPU, memory)
- Use appropriate sampling rates for tracing
- Implement circuit breakers
- Use namespace isolation
❌ DON'T
- Disable mTLS in production
- Allow permissive traffic policies
- Ignore observability setup
- Deploy without resource requests/limits
- Skip sidecar injection validation
- Use 100% sampling in high-traffic systems
- Mix service versions without proper routing
- Neglect authorization policies