2nd/10_Wiki/Topics/Architecture/Istio.md
Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization
Large-scale cleanup of 10_Wiki/Topics:
- Removed 227 error-capture / unfinished stub documents
- Merged 43 cross-folder duplicate clusters (63 files → redirect)
- Link-name normalization: broken links fixed, redirects linked directly, concept mapping, ~2,400 items
- Created 6 new category MOCs
- Removed 10,058 unresolved related-keyword links from Graph sections

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 23:52:15 +09:00


---
id: wiki-2026-0508-istio
title: Istio
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Istio Service Mesh, Istio Ambient]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [service-mesh, kubernetes, observability, traffic-management]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: yaml
  framework: kubernetes
---
# Istio
## One line
> **"Zero-code service mesh on top of Kubernetes."** Released in 2017 by Google, IBM and Lyft; provides mTLS, traffic routing and observability without changing application code. The dominant mode in 2026 is **Ambient Mesh** (sidecar-less: ztunnel + waypoint proxy), which cuts the resource overhead and operational complexity of sidecar Istio.
## Core
### Architecture (Ambient, 2026 default)
- **ztunnel**: per-node L4 proxy (Rust). Terminates mTLS and carries workload identity (SPIFFE).
- **Waypoint proxy**: namespace- or service-level L7 proxy (Envoy). Optional; deployed only where L7 policy is needed.
- **istiod**: control plane: config distribution, certificate management.
- **CNI plugin**: redirects pod traffic into ztunnel.
### Sidecar mode (legacy, still supported)
- Injects an Envoy sidecar into every pod.
- More mature; fine-grained per-pod control.
- Resource overhead of roughly 50-100 MB per pod.
### Core capabilities
1. **mTLS**: automatic encryption plus identity verification between services.
2. **Traffic management**: VirtualService, DestinationRule, canary, A/B, circuit breaker.
3. **Observability**: Prometheus metrics, distributed tracing (OTel), access logs.
4. **Authorization**: AuthorizationPolicy (L4/L7).
5. **Multi-cluster**: cross-cluster service discovery, federated mesh.
## 💻 Patterns
### 1. Install (Ambient mode, 2026)
```bash
# istioctl 1.22+ (ambient mode GA since 1.22)
istioctl install --set profile=ambient -y
# Waypoints are Gateway API resources, so the Gateway API CRDs must be present
kubectl get crd gateways.gateway.networking.k8s.io
# Enable ambient for a namespace; running pods are captured without a restart
kubectl label namespace prod istio.io/dataplane-mode=ambient
```
### 2. mTLS strict mode
```yaml
# Mesh-wide policy: must live in the root namespace (istio-system by default)
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT   # reject plaintext; use PERMISSIVE first while migrating
```
Roll out PERMISSIVE first and watch `istio_requests_total{connection_security_policy="none"}` to find the remaining plaintext callers before flipping the mesh to STRICT.
### 3. Canary deployment (VirtualService)
```yaml
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts: [reviews]
  http:
  # Routes are evaluated in order; the first matching route wins
  - match:
    - headers:
        x-canary: { exact: "true" }
    route:
    - destination: { host: reviews, subset: v2 }
  # Catch-all (no match): weighted split for everyone else
  - route:
    - destination: { host: reviews, subset: v1 }
      weight: 90
    - destination: { host: reviews, subset: v2 }
      weight: 10
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata: { name: reviews }
spec:
  host: reviews
  subsets:
  - name: v1
    labels: { version: v1 }
  - name: v2
    labels: { version: v2 }
```
Header matching and subset routing are L7: in ambient they take effect only once the `reviews` service has a waypoint, because ztunnel alone sees L4.
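How Envoy walks the route list above, as an added example (not Istio or Envoy code, and not part of the original page): the first route whose match list accepts the request wins, a route without `match` is the catch-all, and a weighted split is applied inside the chosen route. The routes are Python dicts mirroring the VirtualService YAML; `REVIEWS_ROUTES`, `select_route`, `pick_destination` and `lint_routes` are names chosen here. Only exact/prefix/regex header and URI matches are modelled. The lint at the end checks for the missing catch-all that the anti-pattern list warns about.

```python
import re

# Constructed sample mirroring the VirtualService above (not Istio code)
REVIEWS_ROUTES = [
    {
        "match": [{"headers": {"x-canary": {"exact": "true"}}}],
        "route": [{"destination": {"host": "reviews", "subset": "v2"}}],
    },
    {
        "route": [
            {"destination": {"host": "reviews", "subset": "v1"}, "weight": 90},
            {"destination": {"host": "reviews", "subset": "v2"}, "weight": 10},
        ],
    },
]


def _string_match(cond: dict, value: str) -> bool:
    """StringMatch: exactly one of exact / prefix / regex is set."""
    if "exact" in cond:
        return value == cond["exact"]
    if "prefix" in cond:
        return value.startswith(cond["prefix"])
    if "regex" in cond:
        return re.fullmatch(cond["regex"], value) is not None
    return False


def _match_entry(entry: dict, request: dict) -> bool:
    """All conditions inside one match entry are ANDed; header names are case-insensitive."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    for name, cond in entry.get("headers", {}).items():
        value = headers.get(name.lower())
        if value is None or not _string_match(cond, value):
            return False
    if "uri" in entry and not _string_match(entry["uri"], request["path"]):
        return False
    return True


def select_route(http_routes: list, request: dict):
    """First route whose match list (ORed) accepts the request. A route
    without `match` is the catch-all. None means nothing matched: Envoy
    answers 404, which is the black hole the anti-pattern list warns about."""
    for route in http_routes:
        entries = route.get("match")
        if not entries or any(_match_entry(e, request) for e in entries):
            return route
    return None


def pick_destination(route: dict, roll: float) -> str:
    """Weighted split. roll is a point in [0, 1); a single destination
    without a weight receives all traffic. Returns host/subset."""
    dests = route["route"]
    if len(dests) == 1:
        d = dests[0]["destination"]
        return f"{d['host']}/{d.get('subset', '-')}"
    total = sum(d["weight"] for d in dests)
    point = roll * total
    acc = 0
    for d in dests:
        acc += d["weight"]
        if point < acc:
            dest = d["destination"]
            return f"{dest['host']}/{dest.get('subset', '-')}"
    raise ValueError("roll must be in [0, 1)")


def lint_routes(http_routes: list) -> list:
    """Findings: no catch-all (unmatched traffic gets 404) or a catch-all
    that is not last (every later route is shadowed)."""
    findings = []
    catch_alls = [i for i, r in enumerate(http_routes) if not r.get("match")]
    if not catch_alls:
        findings.append("no catch-all route: unmatched requests get 404 from Envoy")
    elif catch_alls[0] != len(http_routes) - 1:
        findings.append(f"route {catch_alls[0]} has no match but is not last: later routes are unreachable")
    return findings
```

Running `lint_routes` over a VirtualService dumped with `kubectl get vs -o json` before it is applied catches the two ordering mistakes that are invisible in a YAML review but fatal in traffic.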
### 4. AuthorizationPolicy (zero-trust)
```yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: reviews-allow
  namespace: prod
spec:
  selector:
    matchLabels: { app: reviews }
  # action defaults to ALLOW; once any ALLOW policy selects a workload,
  # every request that matches no ALLOW rule is denied
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/prod/sa/productpage"]   # SPIFFE identity from mTLS
    to:
    - operation:
        methods: ["GET"]
        paths: ["/reviews/*"]
```
`methods` and `paths` are L7 attributes. In ambient, ztunnel enforces only L4 (principals, namespaces, ports); an L7 rule it cannot evaluate fails closed, so attach L7 policies to the waypoint with `targetRefs` instead of a workload `selector`.
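The evaluation order this relies on, as an added example (not Istio code, and not part of the original page): DENY policies are checked first, then ALLOW; a workload with no ALLOW policy at all allows everything, and a workload with ALLOW policies denies whatever none of them matches. The policies are Python dicts mirroring the YAML above; `reviews-deny-admin` and `allow-nothing` are constructed here, and `evaluate`, `request` and the helper names are this example's own. CUSTOM action and `when` conditions are out of scope.

```python
# Constructed sample policies (not from Istio): the page's reviews-allow
# plus a DENY rule and the "allow-nothing" default-deny idiom
REVIEWS_ALLOW = {
    "name": "reviews-allow",
    "action": "ALLOW",
    "rules": [{
        "from": [{"source": {"principals": ["cluster.local/ns/prod/sa/productpage"]}}],
        "to": [{"operation": {"methods": ["GET"], "paths": ["/reviews/*"]}}],
    }],
}
REVIEWS_DENY_ADMIN = {
    "name": "reviews-deny-admin",
    "action": "DENY",
    "rules": [{"to": [{"operation": {"paths": ["/reviews/admin*"]}}]}],
}
ALLOW_NOTHING = {"name": "allow-nothing", "action": "ALLOW"}  # spec: {} in YAML


def request(principal: str, method: str, path: str) -> dict:
    """A request as the proxy sees it after mTLS: peer identity plus L7 attributes."""
    return {"principal": principal, "method": method, "path": path}


def _ns_of(principal: str) -> str:
    parts = principal.split("/")
    return parts[parts.index("ns") + 1] if "ns" in parts else ""


def _path_matches(pattern: str, path: str) -> bool:
    """Istio path matching: exact, prefix "/a*", suffix "*.js", or "*"."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return path == pattern


def _source_matches(source: dict, req: dict) -> bool:
    """Every field set on the source must hold; each list is an OR."""
    if "principals" in source and req["principal"] not in source["principals"]:
        return False
    if "notPrincipals" in source and req["principal"] in source["notPrincipals"]:
        return False
    if "namespaces" in source and _ns_of(req["principal"]) not in source["namespaces"]:
        return False
    return True


def _operation_matches(op: dict, req: dict) -> bool:
    if "methods" in op and req["method"] not in op["methods"]:
        return False
    if "paths" in op and not any(_path_matches(p, req["path"]) for p in op["paths"]):
        return False
    if "notPaths" in op and any(_path_matches(p, req["path"]) for p in op["notPaths"]):
        return False
    return True


def _rule_matches(rule: dict, req: dict) -> bool:
    """from and to: absent means any; present means at least one entry matches."""
    froms = rule.get("from")
    if froms and not any(_source_matches(f["source"], req) for f in froms):
        return False
    tos = rule.get("to")
    if tos and not any(_operation_matches(t["operation"], req) for t in tos):
        return False
    return True


def evaluate(policies: list, req: dict) -> tuple:
    """(decision, reason) for the policies selecting one workload. A policy
    with no rules matches nothing: for ALLOW that is the default-deny idiom,
    for DENY it is a no-op."""
    denies = [p for p in policies if p.get("action", "ALLOW") == "DENY"]
    allows = [p for p in policies if p.get("action", "ALLOW") == "ALLOW"]
    for p in denies:
        if any(_rule_matches(r, req) for r in p.get("rules", [])):
            return ("DENY", p["name"])
    if not allows:
        return ("ALLOW", "no ALLOW policy selects this workload")
    for p in allows:
        if any(_rule_matches(r, req) for r in p.get("rules", [])):
            return ("ALLOW", p["name"])
    return ("DENY", "ALLOW policies exist but none matched")
```

The last branch is the one that bites in practice: adding a single narrow ALLOW policy to a workload silently turns every other caller into a DENY, so deploy policies per namespace with an explicit `allow-nothing` first and then add ALLOW rules, rather than discovering the implicit deny in production.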
### 5. Circuit breaker
```yaml
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata: { name: reviews-cb }
spec:
  host: reviews
  trafficPolicy:
    connectionPool:
      tcp: { maxConnections: 100 }
      http:
        http1MaxPendingRequests: 50     # excess requests are rejected with 503
        maxRequestsPerConnection: 10
    outlierDetection:
      consecutive5xxErrors: 5           # eject an endpoint after 5 consecutive 5xx
      interval: 30s                     # how often endpoints are scanned
      baseEjectionTime: 60s             # grows with each repeated ejection
```
`maxEjectionPercent` defaults to 10, so outlier detection never removes more than 10 % of the endpoints unless you raise it; in ambient the DestinationRule traffic policy is applied by the waypoint.
### 6. Waypoint proxy (L7 in Ambient)
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: reviews-waypoint
  namespace: prod
spec:
  gatewayClassName: istio-waypoint   # Istio's waypoint GatewayClass
  listeners:
  - name: mesh
    port: 15008                      # HBONE port ztunnel tunnels into
    protocol: HBONE
---
# Then attach via label (service-level; labelling the namespace attaches all its services)
# kubectl label svc reviews istio.io/use-waypoint=reviews-waypoint
# Equivalent shortcut: istioctl waypoint apply -n prod --name reviews-waypoint
```
### 7. Telemetry (custom metrics)
```yaml
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata: { name: prom-tags }
spec:
  metrics:
  - providers: [{ name: prometheus }]
    overrides:
    - match: { metric: REQUEST_COUNT }
      tagOverrides:
        tenant: { value: 'request.headers["x-tenant"]' }   # CEL expression
```
A label taken from a request header creates one time series per distinct value. If callers control that header, a client can blow up Prometheus cardinality, so only promote headers that a gateway sets or normalises.
## Decision criteria
| Situation | Approach |
|---|---|
| New install, K8s native | Istio Ambient (sidecar-less). |
| Existing sidecar deployment | Stay on sidecar or migrate gradually. |
| Simple use case (<10 services, mTLS only) | Linkerd (lighter). |
| Multi-cluster federation | Istio multi-primary. |
| Edge / non-K8s | Consul Connect or Cilium Service Mesh. |
| eBPF-native preference | Cilium Service Mesh. |
**Default**: Istio Ambient for a new K8s service mesh. For a small mesh, Linkerd's simplicity wins.
## 🔗 Graph
- Parents: [[Service Mesh]] · [[Kubernetes]]
- Variants: [[Istio Ambient]] · [[Linkerd]]
- Applications: [[mTLS]] · [[Circuit Breaker]]
- Adjacent: [[SPIFFE]]
## 🤖 LLM usage
**When**: zero-trust microservice security, traffic shaping, multi-cluster federation, observability without code changes.
**When not**: monolith, <5 services (overhead > value), plain ingress only (Gateway API alone).
## ❌ Anti-patterns
- **Sidecar everywhere by default**: Ambient is the 2026 default; the 50-100 MB/pod sidecar overhead is unnecessary.
- **STRICT mTLS without migration**: applying STRICT without a PERMISSIVE phase causes an instant outage for plaintext legacy clients.
- **Missing VirtualService catch-all**: without a fallback route after the match rules, unmatched traffic gets a 404 (black hole).
- **Single istiod replica**: control-plane SPOF; run at least 2 replicas with a PDB. The data plane keeps serving from its last pushed config while istiod is down, but new pods get no config and workload certificates (24 h lifetime by default) stop rotating.
- **No circuit breaker**: a cascading failure becomes a mesh-wide outage.
## 🧪 Verification / duplicates
- Verified against the istio.io official docs (ambient mode GA since Istio 1.22).
- Trust level A.
## 🕓 Changelog
| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — Ambient mesh as 2026 default + sidecar legacy positioning |