---
id: wiki-2026-0508-service-mesh
title: Service Mesh
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Service Mesh, Istio, Linkerd, sidecar mesh]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [microservices, kubernetes, networking, observability]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: yaml
  framework: kubernetes
---

# Service Mesh

## In one line

> **"Externalize all service-to-service communication into the platform layer."** mTLS, retries, traffic splitting and observability without changing application code. In 2026, Istio Ambient Mode (sidecar-less) and Linkerd (Rust) are the standard, and the eBPF-based Cilium Service Mesh is spreading fast.

## Core

### Core features

- **mTLS**: encryption between services + identity.
- **Traffic mgmt**: canary, A/B, retry, timeout, circuit-break.
- **Observability**: metrics, traces and access logs, automatically.
- **Policy**: authz, rate limit.

### Architecture

- **Data plane**: the proxy (Envoy/linkerd2-proxy/eBPF) that intercepts traffic.
- **Control plane**: config distribution (istiod, linkerd-controller).

### Applications

1. Multi-microservice K8s cluster.
2. Zero-trust networking.
3. Progressive delivery (Argo Rollouts + mesh).
4. Multi-cluster federation.
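
How the mTLS identity and authz policy features listed above depend on each other, as an added example (not code from Istio or from this page): a simplified Python model of ALLOW-policy evaluation, using the same rule as the `orders-allow-checkout` AuthorizationPolicy on this page. Assumptions: only ALLOW actions, exact-match fields, a flattened policy dict, and the hypothetical names `ORDERS_POLICY`, `Request` and `is_allowed`.

```python
"""Simplified model of Istio ALLOW-policy evaluation (illustrative, not Istio code)."""
from collections import namedtuple

# Same rule as the page's orders-allow-checkout policy, flattened into a dict.
ORDERS_POLICY = {
    "selector": {"app": "orders"},
    "rules": [{
        "from": [{"principals": ["cluster.local/ns/prod/sa/checkout"]}],
        "to": [{"methods": ["POST"], "paths": ["/place"]}],
    }],
}

# principal is the peer identity from the mTLS client cert; None = plaintext.
Request = namedtuple("Request", "principal method path")


def _selects(policy, labels):
    """True if every selector label of the policy is present on the workload."""
    return all(labels.get(k) == v for k, v in policy.get("selector", {}).items())


def _rule_matches(rule, req):
    """A rule matches when one source AND one operation match (empty = any)."""
    src_ok = not rule.get("from") or any(
        req.principal in s["principals"] for s in rule["from"])
    op_ok = not rule.get("to") or any(
        req.method in o["methods"] and req.path in o["paths"] for o in rule["to"])
    return src_ok and op_ok


def is_allowed(policies, workload_labels, req):
    """No ALLOW policy on the workload: allow. Otherwise some rule must match."""
    applicable = [p for p in policies if _selects(p, workload_labels)]
    if not applicable:
        return True
    return any(_rule_matches(r, req) for p in applicable for r in p["rules"])


if __name__ == "__main__":
    orders = {"app": "orders"}
    checkout = "cluster.local/ns/prod/sa/checkout"
    for req in (Request(checkout, "POST", "/place"),   # constructed samples
                Request(checkout, "GET", "/place"),
                Request(None, "POST", "/place")):
        print(req, "->", "ALLOW" if is_allowed([ORDERS_POLICY], orders, req) else "DENY")
```

A plaintext caller carries no principal, so the principal rule can never match it, and a workload with no ALLOW policy accepts every request; this is why the policy is deployed together with STRICT mTLS.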

## 💻 Patterns

### Istio Ambient (2026, no sidecar)

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: ambient
  meshConfig:
    accessLogFile: /dev/stdout
```

```bash
istioctl install --set profile=ambient
kubectl label namespace prod istio.io/dataplane-mode=ambient
```

### Traffic split (canary)

```yaml
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata: { name: orders }
spec:
  hosts: [orders]
  http:
    - route:
        # subsets v1/v2 must be defined in a DestinationRule for host orders
        - { destination: { host: orders, subset: v1 }, weight: 90 }
        - { destination: { host: orders, subset: v2 }, weight: 10 }
```

### Retry + timeout

```yaml
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata: { name: payments }
spec:
  hosts: [payments]
  http:
    - timeout: 2s
      retries:
        attempts: 3
        perTryTimeout: 500ms
        retryOn: 5xx,reset,connect-failure
      # an http entry needs a route destination to pass validation
      route:
        - destination: { host: payments }
```

### mTLS strict

```yaml
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata: { name: default, namespace: prod }
spec:
  mtls: { mode: STRICT }
```

### AuthorizationPolicy

```yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
# no metadata.namespace here: the policy lands in the namespace it is applied to
metadata: { name: orders-allow-checkout }
spec:
  selector: { matchLabels: { app: orders } }
  rules:
    - from: [{ source: { principals: ["cluster.local/ns/prod/sa/checkout"] } }]
      to: [{ operation: { methods: [POST], paths: ["/place"] } }]
```

### Linkerd (simple + Rust proxy)

```bash
linkerd install --crds | kubectl apply -f -
linkerd install | kubectl apply -f -
kubectl annotate ns prod linkerd.io/inject=enabled
```

### Cilium Service Mesh (eBPF)

```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata: { name: cilium }
spec:
  valuesContent: |
    serviceMesh:
      enabled: true
    kubeProxyReplacement: true
    ingressController:
      enabled: true
```

### Observability: Tempo/Grafana integration

```yaml
# Istio automatically sends traces to Jaeger/Tempo
meshConfig:
  defaultProviders:
    tracing: [tempo]
  extensionProviders:
    - name: tempo
      zipkin: { service: tempo.observability.svc, port: 9411 }
```

## Decision criteria

| Situation | Approach |
|---|---|
| < 10 services | A mesh is overkill. A library (resilience4j) is enough. |
| 10+ services + K8s | Value of a mesh ↑. |
| Latency-critical | Linkerd (Rust, lightweight). |
| Feature-rich | Istio Ambient. |
| eBPF + CNI integration | Cilium Mesh. |
| Multi-cluster | Istio multi-primary. |

**Default**: K8s standard + Istio Ambient. If being lightweight is the priority, Linkerd.

## 🔗 Graph

- Parent: [[Microservices]] · [[Kubernetes]]
- Applications: [[Istio]] · [[Linkerd]] · [[Cilium]] · [[Envoy]]
- Adjacent: [[mTLS]] · [[Zero Trust]] · [[Circuit Breaker]] · [[Observability]]

## 🤖 LLM usage

**When**: the number of services is exploding, zero-trust is mandated, progressive delivery.

**When not**: monolith, < 5 services, no platform team.

## ❌ Anti-patterns

- **Adopting a mesh but leaving library retries in place**: double retry → storm.
- **Large resources for every sidecar**: ambient mode is not being used.
- **mTLS not applied**: the essence of the mesh goes unused.
- **Assuming the mesh solves every problem**: application bugs are a separate matter.

## 🧪 Verification / duplicates

- Verified (Istio docs 1.24+, Linkerd docs 2.16+, Cilium docs 1.16+).
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — Istio Ambient + Linkerd + Cilium 2026 patterns |