---
id: wiki-2026-0508-istio
title: Istio
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Istio Service Mesh, Istio Ambient]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [service-mesh, kubernetes, observability, traffic-management]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: yaml
  framework: kubernetes
---

# Istio

## One-liner

> **"A zero-code service mesh on Kubernetes."** Released in 2017 by Google/IBM/Lyft; provides mTLS + traffic routing + observability without changing application code. The dominant mode in 2026 is **Ambient Mesh** (sidecar-less, ztunnel + waypoint proxy), which reduces the resource overhead and operational complexity of sidecar Istio.

## Core

### Architecture (Ambient, 2026 default)

- **ztunnel**: node-level L4 proxy (Rust). mTLS + identity (SPIFFE).
- **Waypoint proxy**: namespace/service-level L7 proxy (Envoy). Optional, only where L7 policy is needed.
- **istiod**: control plane: config distribution, certificate management.
- **CNI plugin**: redirects pod traffic to ztunnel.

### Sidecar mode (legacy, still supported)

- Injects an Envoy sidecar into every pod.
- More mature, with fine-grained per-pod control.
- Resource overhead of ~50-100 MB per pod.

### Core capabilities

1. **mTLS**: automatic encryption between services + identity verification.
2. **Traffic management**: VirtualService, DestinationRule, canary, A/B, circuit breaker.
3. **Observability**: Prometheus metrics, distributed tracing (OTel), access logs.
4. **Authorization**: AuthorizationPolicy (L4/L7).
5. **Multi-cluster**: cross-cluster service discovery, federated mesh.

## 💻 Patterns

### 1. Install (Ambient mode, 2026)

```bash
# istioctl 1.24+ (2026 LTS)
istioctl install --set profile=ambient -y

# Enable the namespace for ambient (pods in it are captured by ztunnel)
kubectl label namespace prod istio.io/dataplane-mode=ambient
```

### 2. mTLS strict mode

```yaml
# Placed in the root namespace (istio-system), so this is mesh-wide.
# Roll out PERMISSIVE first where plain-text legacy clients still exist (see anti-patterns).
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
```

### 3. Canary deployment (VirtualService)

```yaml
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts: [reviews]
  http:
  # Header-pinned route: testers opt in to v2 explicitly
  - match:
    - headers:
        x-canary: { exact: "true" }
    route:
    - destination: { host: reviews, subset: v2 }
  # Catch-all route (no match): everything else is split 90/10
  - route:
    - destination: { host: reviews, subset: v1 }
      weight: 90
    - destination: { host: reviews, subset: v2 }
      weight: 10
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata: { name: reviews }
spec:
  host: reviews
  subsets:
  - name: v1
    labels: { version: v1 }
  - name: v2
    labels: { version: v2 }
```

### 4. AuthorizationPolicy (zero-trust)

```yaml
# Allow-list: only the productpage service account may GET /reviews/*; everything else is denied.
# In ambient mode the L7 fields (methods, paths) are enforced by a waypoint proxy; ztunnel alone enforces L4.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: reviews-allow
  namespace: prod
spec:
  selector:
    matchLabels: { app: reviews }
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/prod/sa/productpage"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/reviews/*"]
```

### 5. Circuit breaker

```yaml
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata: { name: reviews-cb }
spec:
  host: reviews
  trafficPolicy:
    connectionPool:
      tcp: { maxConnections: 100 }
      http:
        http1MaxPendingRequests: 50
        maxRequestsPerConnection: 10
    # Eject an endpoint for 60s after 5 consecutive 5xx responses within a 30s scan
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 60s
```

### 6. Waypoint proxy (L7 in Ambient)

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: reviews-waypoint
  namespace: prod
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
---
# Then attach via label
# kubectl label svc reviews istio.io/use-waypoint=reviews-waypoint
```

### 7. Telemetry (custom metrics)

```yaml
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata: { name: prom-tags }
spec:
  metrics:
  - providers: [{ name: prometheus }]
    overrides:
    - match: { metric: REQUEST_COUNT }
      tagOverrides:
        tenant: { value: 'request.headers["x-tenant"]' }
```

## Decision criteria

| Situation | Approach |
|---|---|
| New install, K8s native | Istio Ambient (sidecar-less). |
| Existing sidecar deployment | Stay on sidecar or migrate gradually. |
| Simple use case (<10 services, mTLS only) | Linkerd (lighter). |
| Multi-cluster federation | Istio multi-primary. |
| Edge/non-K8s | Consul Connect or Cilium Service Mesh. |
| eBPF-native preference | Cilium Service Mesh. |

**Default**: Istio Ambient for a new K8s service mesh. For a small mesh, Linkerd's simplicity wins.

## 🔗 Graph

- Parent: [[Service Mesh]] · [[Kubernetes]]
- Variants: [[Istio Ambient]] · [[Linkerd]]
- Applications: [[mTLS]] · [[Circuit Breaker]]
- Adjacent: [[SPIFFE]]

## 🤖 LLM usage

**When**: zero-trust microservice security, traffic shaping, multi-cluster federation, observability without code changes.

**When not**: monolith, <5 services (overhead > value), only simple ingress needed (Gateway API only).

## ❌ Anti-patterns

- **Sidecar everywhere by default**: in 2026 Ambient is the default; the sidecar's 50-100 MB/pod overhead is unnecessary.
- **Strict mTLS without migration**: applying STRICT without a PERMISSIVE stage causes an instant outage for plain-text legacy clients.
- **Missing VirtualService catch-all**: without a fallback route for the match rules, unmatched traffic is black-holed.
- **istiod single replica**: control plane SPOF; run a minimum of 2 replicas + a PDB.
- **No circuit breaker**: a cascading failure becomes a mesh-wide outage.

## 🧪 Verification / duplicates

- Verified (istio.io official docs, KubeCon 2025 Ambient GA announcement).
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: Ambient mesh as 2026 default + sidecar legacy positioning |
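The anti-patterns listed above (missing VirtualService catch-all, no circuit breaker, mesh-wide STRICT mTLS, single-replica istiod) can be checked mechanically before apply. The following audit is an added example, not part of this wiki page or of Istio's own tooling; it assumes the resources arrive as the `items` list of a `kubectl get vs,dr,peerauthentication,deploy -A -o json` call, replaced here by a constructed sample that mirrors the page's manifests.

```python
# Audit parsed Istio resources (dicts, as from `kubectl ... -o json`) for the anti-patterns above.

def audit(resources):
    """Return (namespace/name, finding) tuples, one per anti-pattern found."""
    findings = []
    for r in resources:
        kind, meta, spec = r.get("kind"), r.get("metadata", {}), r.get("spec", {})
        name = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        if kind == "VirtualService":
            # A catch-all is an http route with no `match`; if every route has one,
            # requests matching none of them get no route at all (traffic black hole).
            routes = spec.get("http", [])
            if routes and all("match" in rt for rt in routes):
                findings.append((name, "no catch-all route (traffic black hole)"))
        elif kind == "DestinationRule":
            if "outlierDetection" not in spec.get("trafficPolicy", {}):
                findings.append((name, "no outlierDetection (no circuit breaker)"))
        elif kind == "PeerAuthentication":
            # STRICT in the root namespace is mesh-wide: plain-text legacy clients break unless PERMISSIVE ran first.
            if meta.get("namespace") == "istio-system" and spec.get("mtls", {}).get("mode") == "STRICT":
                findings.append((name, "mesh-wide STRICT mTLS: confirm PERMISSIVE stage ran first"))
        elif kind == "Deployment" and meta.get("name") == "istiod":
            if spec.get("replicas", 1) < 2:
                findings.append((name, "istiod < 2 replicas (control-plane SPOF)"))
    return findings

# Constructed sample mirroring this page's manifests, not live cluster output.
SAMPLE = [
    {"kind": "VirtualService", "metadata": {"name": "reviews-bad", "namespace": "prod"},
     "spec": {"hosts": ["reviews"], "http": [
         {"match": [{"headers": {"x-canary": {"exact": "true"}}}],
          "route": [{"destination": {"host": "reviews", "subset": "v2"}}]}]}},
    {"kind": "VirtualService", "metadata": {"name": "reviews", "namespace": "prod"},
     "spec": {"hosts": ["reviews"], "http": [
         {"match": [{"headers": {"x-canary": {"exact": "true"}}}],
          "route": [{"destination": {"host": "reviews", "subset": "v2"}}]},
         {"route": [{"destination": {"host": "reviews", "subset": "v1"}, "weight": 90},
                    {"destination": {"host": "reviews", "subset": "v2"}, "weight": 10}]}]}},
    {"kind": "DestinationRule", "metadata": {"name": "reviews", "namespace": "prod"},
     "spec": {"host": "reviews", "subsets": [{"name": "v1"}, {"name": "v2"}]}},
    {"kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"kind": "Deployment", "metadata": {"name": "istiod", "namespace": "istio-system"},
     "spec": {"replicas": 1}},
]

if __name__ == "__main__":
    for res, finding in audit(SAMPLE):
        print(f"{res}: {finding}")
```

The page's own canary VirtualService (`prod/reviews`) passes because its second route has no `match`; `reviews-bad` is the same manifest with the fallback route removed.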