
Master Service Mesh with Istio: Deploy, Manage Traffic, and Monitor on Kubernetes

This guide explains what a Service Mesh is, outlines its four key characteristics, introduces Istio as a leading implementation, and provides step‑by‑step instructions for installing Istio on Kubernetes, configuring gateways, deploying the Bookinfo demo, and using built‑in monitoring tools such as Kiali, Grafana, and Jaeger.

Ops Development Stories

Service Mesh

Service Mesh is an infrastructure layer that handles communication between services, providing reliable network requests for cloud‑native applications and implementing core microservice components such as service discovery, load balancing, monitoring, traffic management, and access control. In practice it is deployed as a set of lightweight sidecar proxies that are transparent to the application.

Service Mesh has four main characteristics:

Independent governance (Sidecar)

Application‑agnostic

Infrastructure layer for service communication

Decouples retries, timeouts, monitoring, tracing, and service discovery from the application

Separating business modules from service governance isolates the control plane from the data plane. Each application is paired with a sidecar that intercepts outbound requests, and the control plane pushes governance policies to the sidecar, so business logic and governance rules can be upgraded independently.

Key governance concepts:

Decoupling microservice governance from business logic via sidecar processes.

Unified governance for heterogeneous systems, easing multi‑language deployments.

Value: observability, traffic control, high security (mTLS, authentication, policy enforcement), and robustness (fault injection, resilience testing).

1. Istio Overview

Istio is the most popular Service Mesh implementation, offering rich features and high maturity. Linkerd was the first Service Mesh product. Official site: https://istio.io

Istio's core capabilities:

Connect (traffic management, load balancing, canary releases)

Secure (authentication, authorization)

Control (rate limiting, ACL)

Observe (monitoring, tracing)

Istio is typically used together with Kubernetes, where K8s manages service lifecycles and Istio provides the full suite of service‑mesh capabilities.

2. Istio Architecture and Components

Istio separates the control plane (Pilot, Citadel, Galley) from the data plane (Envoy sidecars). The control plane distributes policies and configuration to sidecars, which enforce them at runtime.

Performance Summary

A benchmark with 1,000 services and 2,000 sidecars achieved 70,000 QPS. Results:

When Envoy handled 1,000 QPS, it used 0.5 vCPU and 50 MB memory.

The telemetry service used 0.6 vCPU at 1,000 total QPS.

Pilot consumed 1 vCPU and 1.5 GB memory.

90 % of cases added only 6.3 ms latency per request.

3. Deploy Istio on Kubernetes

Install Istio 1.6.2 (demo profile) and verify components:

<code># wget https://github.com/istio/istio/releases/download/1.6.2/istio-1.6.2-linux-amd64.tar.gz
# tar -zxvf istio-1.6.2-linux-amd64.tar.gz -C /data/
# cd /data/istio-1.6.2/
# mv bin/istioctl /usr/bin
# istioctl profile list
Istio configuration profiles:
  default
  demo
  empty
  minimal
  preview
  remote
# istioctl install --set profile=demo
# kubectl get pods -n istio-system
</code>

Uninstall with:

<code>istioctl manifest generate --set profile=demo | kubectl delete -f -</code>

4. Application Demo (Bookinfo)

4.1 Sidecar Injection

<code># Manual injection
kubectl apply -f <(istioctl kube-inject -f xxx.yaml)
# Automatic injection
kubectl label namespace xxx istio-injection=enabled
</code>

4.2 Service Gateway

Istio’s ingressgateway acts as the entry point for external traffic, providing L4‑L6 load balancing and mTLS termination.

<code>apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway
  http:
  - route:
    - destination:
        host: httpbin
        port:
          number: 8000
</code>

4.3 Deploy Bookinfo Microservice

Bookinfo consists of four services: productpage, details, reviews, and ratings. The reviews service has three versions (v1, v2, v3) with different rating display styles.

<code># Enable automatic sidecar injection in the default namespace
kubectl label namespace default istio-injection=enabled
# Deploy Bookinfo
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
# Deploy the Bookinfo gateway
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
# Retrieve the ingress address
export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
echo http://$GATEWAY_URL/productpage
</code>

Access the URL to see the Bookinfo UI; Kiali will display the real‑time service mesh topology.

5. Visualization and Monitoring

Istio ships with three monitoring tools:

Grafana – metrics such as error rate, latency, request size.

Kiali – service topology, RPS, error rates, pod logs, and live configuration editing.

Jaeger – distributed tracing, request/response details, and latency analysis.

<code># Show available dashboards
istioctl dashboard -h
# Open specific dashboards, e.g.:
istioctl dashboard grafana
istioctl dashboard kiali
istioctl dashboard jaeger
</code>

To expose these dashboards externally, a custom Istio Gateway (monitor‑gateway) and corresponding VirtualServices are created for Grafana, Kiali, Jaeger, and Zipkin.

<code>apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: monitor-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
# Example VirtualService for Grafana
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: grafana
  namespace: istio-system
spec:
  hosts:
  - "grafana.istio.double.com"
  gateways:
  - monitor-gateway
  http:
  - route:
    - destination:
        host: grafana
        port:
          number: 3000
</code>

After applying the gateway configuration, the monitoring UIs become reachable via the defined hostnames.
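
The monitor-gateway above accepts plaintext HTTP on port 80 for any hostname, so the dashboards are served without transport encryption. As an added example (not from the original article), here is the same Gateway limited to the Grafana hostname, with TLS terminated at the ingress gateway and port 80 used only to redirect; the secret name monitor-tls-cert is an assumed placeholder.

```yaml
# Added example, not part of the original article.
# Assumption: a kubernetes.io/tls secret named monitor-tls-cert (placeholder
# name) exists in istio-system, the namespace of the ingress gateway, e.g.
#   kubectl create -n istio-system secret tls monitor-tls-cert --key=<key> --cert=<cert>
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: monitor-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  # Port 80 answers only with a 301 redirect to HTTPS; no dashboard
  # content is returned over cleartext.
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "grafana.istio.double.com"   # named host instead of "*"
    tls:
      httpsRedirect: true
  # Port 443 terminates TLS at the ingress gateway using the secret above.
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "grafana.istio.double.com"
    tls:
      mode: SIMPLE
      credentialName: monitor-tls-cert
```

The Grafana VirtualService shown earlier binds to this Gateway unchanged; hostnames for Kiali, Jaeger, and Zipkin would be added to both `hosts` lists in the same way.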

6. Traffic Shifting for Bookinfo

<code>apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "bookinfo.istio.double.com"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080
</code>

Binding the hostname to the gateway allows access to the Bookinfo application, and Kiali visualizes traffic routing and weight‑based control in real time.
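
The Gateway and VirtualService above only route external requests to productpage; weight‑based control is configured on the reviews service itself. As an added example (not from the original article), the following sends 90% of reviews traffic to v1 and 10% to v3. The subset names and weights are illustrative choices, while the `version` labels are the ones set by the Bookinfo sample manifest.

```yaml
# Added example, not part of the original article.
# The DestinationRule names the versions of reviews as subsets, selected by
# the "version" pod label that samples/bookinfo/platform/kube/bookinfo.yaml sets.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v3
    labels:
      version: v3
---
# The VirtualService splits in-mesh traffic to reviews between the subsets.
# The weights must add up to 100; raise the v3 weight step by step to
# complete the shift (illustrative values).
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v3
      weight: 10
```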

Monitoring dashboards show request rates, latency, and error metrics, demonstrating the observability advantages of Istio over other service‑mesh solutions.

Written by

Ops Development Stories

Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.
