Files

T

Antigravity Agent 504fd5fb42 [G1-Sync] Manual knowledge update

2026-05-10 22:08:15 +09:00

4.9 KiB

Raw Blame History

id, title, category, status, canonical_id, aliases, duplicate_of, source_trust_level, confidence_score, verification_status, tags, raw_sources, last_reinforced, github_commit, tech_stack

title

Service Mesh

매 한 줄

"매 service-to-service 통신을 매 platform layer로 매 외부화". mTLS, retry, traffic split, observability를 매 application code 변경 없이. 2026년에는 매 Istio Ambient Mode (sidecar-less)와 Linkerd (Rust)가 매 표준이며, 매 eBPF-based Cilium Service Mesh가 매 빠르게 확산.

매 핵심

매 핵심 기능

mTLS: 매 서비스 간 매 암호화 + 매 identity.
Traffic mgmt: canary, A/B, retry, timeout, circuit-break.
Observability: 매 metrics, traces, access log 매 자동.
Policy: 매 authz, 매 rate limit.

매 architecture

Data plane: 매 proxy (Envoy/linkerd2-proxy/eBPF) — 매 traffic 매 가로챔.
Control plane: 매 config 분배 (istiod, linkerd-controller).

매 응용

매 다중 microservice K8s cluster.
매 zero-trust networking.
매 progressive delivery (Argo Rollouts + mesh).
매 multi-cluster federation.

💻 패턴

매 Istio Ambient (2026, no sidecar)

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: ambient
  meshConfig:
    accessLogFile: /dev/stdout

istioctl install --set profile=ambient
kubectl label namespace prod istio.io/dataplane-mode=ambient

매 Traffic split (canary)

apiVersion: networking.istio.io/v1
kind: VirtualService
metadata: { name: orders }
spec:
  hosts: [orders]
  http:
    - route:
        - { destination: { host: orders, subset: v1 }, weight: 90 }
        - { destination: { host: orders, subset: v2 }, weight: 10 }

매 Retry + timeout

apiVersion: networking.istio.io/v1
kind: VirtualService
metadata: { name: payments }
spec:
  hosts: [payments]
  http:
    - timeout: 2s
      retries:
        attempts: 3
        perTryTimeout: 500ms
        retryOn: 5xx,reset,connect-failure

매 mTLS strict

apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata: { name: default, namespace: prod }
spec:
  mtls: { mode: STRICT }

매 AuthorizationPolicy

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata: { name: orders-allow-checkout }
spec:
  selector: { matchLabels: { app: orders } }
  rules:
    - from: [{ source: { principals: ["cluster.local/ns/prod/sa/checkout"] } }]
      to: [{ operation: { methods: [POST], paths: ["/place"] } }]

매 Linkerd (간단 + Rust proxy)

linkerd install --crds | kubectl apply -f -
linkerd install | kubectl apply -f -
kubectl annotate ns prod linkerd.io/inject=enabled

매 Cilium Service Mesh (eBPF)

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata: { name: cilium }
spec:
  valuesContent: |
    serviceMesh:
      enabled: true
    kubeProxyReplacement: true
    ingressController:
      enabled: true

매 Observability — Tempo/Grafana 연동

# 매 Istio가 매 자동으로 매 Jaeger/Tempo로 trace 송신
meshConfig:
  defaultProviders:
    tracing: [tempo]
  extensionProviders:
    - name: tempo
      zipkin: { service: tempo.observability.svc, port: 9411 }

매 결정 기준

상황	Approach
매 < 10 service	Mesh 매 over-kill. 매 lib (resilience4j) 충분.
매 10+ service + K8s	Mesh 가치 ↑.
매 latency 매 critical	Linkerd (Rust, 가벼움).
매 feature-rich	Istio Ambient.
매 eBPF + CNI 통합	Cilium Mesh.
매 multi-cluster	Istio multi-primary.

기본값: K8s 표준 + Istio Ambient. 매 가벼움 우선이면 Linkerd.

🔗 Graph

부모: Microservices · Kubernetes
변형: Sidecar Pattern · Ambient Mesh · eBPF Mesh
응용: Istio · Linkerd · Cilium · Envoy
Adjacent: mTLS · Zero Trust · Circuit Breaker · Observability

🤖 LLM 활용

언제: 매 service 수 매 폭증, 매 zero-trust 의무화, 매 progressive delivery. 언제 X: 매 monolith, 매 < 5 service, 매 platform 팀 부재.

❌ 안티패턴

매 mesh 매 도입하고 매 lib retry 그대로: 매 double retry → 매 storm.
매 sidecar 마다 매 큰 resource: 매 ambient mode 미사용.
매 mTLS 미적용: 매 mesh 본질 미활용.
매 mesh 가 매 모든 문제 해결한다고 가정: 매 application bug는 별개.

🧪 검증 / 중복

Verified (Istio docs 1.24+, Linkerd docs 2.16+, Cilium docs 1.16+).
신뢰도 A.

🕓 Changelog

날짜	변경
2026-05-08	Phase 1
2026-05-10	Manual cleanup — Istio Ambient + Linkerd + Cilium 2026 patterns

4.9 KiB Raw Blame History