2nd/10_Wiki/Topics/Architecture/Istio.md
Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization
Large-scale cleanup of 10_Wiki/Topics:
- Removed 227 error-capture / unfinished stub documents
- Merged 43 cross-folder duplicate clusters (63 files → redirect)
- Link-name normalization: broken-link fixes, direct redirects, concept mapping (~2,400 items)
- Created 6 new category MOCs
- Removed 10,058 unresolved related-keyword links from Graph sections

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 23:52:15 +09:00

id: wiki-2026-0508-istio
title: Istio
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: Istio Service Mesh, Istio Ambient
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: service-mesh, kubernetes, observability, traffic-management
raw_sources:
last_reinforced: 2026-05-10
github_commit: pending
tech_stack: language: yaml, framework: kubernetes

Istio

One-liner

"Zero-code service mesh on Kubernetes." Launched in 2017 by Google, IBM and Lyft; provides mTLS, traffic routing and observability without any change to application code. The dominant mode in 2026 is Ambient Mesh (sidecar-less, ztunnel + waypoint proxy), which cuts the resource overhead and operational complexity of sidecar Istio.

Core

Architecture (Ambient, 2026 default)

  • ztunnel: node-level L4 proxy (Rust), one per node. Terminates mTLS and carries workload identity (SPIFFE).
  • Waypoint proxy: namespace- or service-level L7 proxy (Envoy). Optional; deployed only where L7 policy is needed.
  • istiod: control plane. Config distribution and certificate management.
  • CNI node agent: sets up redirection of pod traffic into the node's ztunnel.

Sidecar mode (legacy, still supported)

  • Injects an Envoy sidecar into every pod.
  • More mature, with fine-grained per-pod control.
  • Resource overhead of roughly 50-100 MB per pod.

Core capabilities

  1. mTLS: automatic encryption and identity verification between services.
  2. Traffic management: VirtualService, DestinationRule, canary, A/B, circuit breaker.
  3. Observability: Prometheus metrics, distributed tracing (OTel), access logs.
  4. Authorization: AuthorizationPolicy (L4/L7).
  5. Multi-cluster: cross-cluster service discovery, federated mesh.

💻 Patterns

1. Install (Ambient mode, 2026)

# istioctl 1.24 or newer (Ambient mode is GA from 1.24)
istioctl install --set profile=ambient -y

# Waypoints are Gateway API objects: if `kubectl get crd gateways.gateway.networking.k8s.io`
# finds nothing, install the Gateway API CRDs before creating one.

# Enroll a namespace in ambient; running pods are captured without a restart
kubectl label namespace prod istio.io/dataplane-mode=ambient

2. mTLS strict mode

# Mesh-wide: a PeerAuthentication in the root namespace (istio-system) applies to every
# workload that has no namespace- or workload-scoped policy of its own. Roll out with
# mode: PERMISSIVE first and switch to STRICT only once no plaintext traffic remains.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
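A gated PERMISSIVE to STRICT rollout, as an added example that is not Istio's code: it reads a Prometheus `/api/v1/query` response for plaintext requests per destination workload, lets only namespaces with none go STRICT, and emits the PeerAuthentication for each. The sample response is constructed. The query assumes the standard sidecar-mode label `connection_security_policy="none"` on `istio_requests_total`; in ambient mode confirm the ztunnel TCP metrics carry the same label before relying on it. A namespace with no series at all looks ready, so check that it is actually being scraped before trusting that.

```python
"""Gate the PERMISSIVE -> STRICT switch on observed plaintext traffic.

Added example, not Istio's code. Assumes a Prometheus scraping the mesh and the
standard Istio label connection_security_policy="none" for plaintext requests.
"""
import json
from collections import Counter

# Query run against Prometheus before flipping to STRICT: plaintext requests
# over the last 24h, summed per destination workload (sidecar-mode metric).
PLAINTEXT_QUERY = (
    'sum by (destination_workload_namespace, destination_workload) '
    '(increase(istio_requests_total{reporter="destination",'
    'connection_security_policy="none"}[24h]))'
)

# Constructed /api/v1/query response standing in for a live Prometheus.
# The zero-valued "reviews" series is included on purpose: it must not block the switch.
SAMPLE_RESPONSE = json.dumps({
    "status": "success",
    "data": {"resultType": "vector", "result": [
        {"metric": {"destination_workload_namespace": "prod",
                    "destination_workload": "reviews"},
         "value": [1716000000, "0"]},
        {"metric": {"destination_workload_namespace": "prod",
                    "destination_workload": "ratings"},
         "value": [1716000000, "1532.7"]},
        {"metric": {"destination_workload_namespace": "legacy",
                    "destination_workload": "billing"},
         "value": [1716000000, "12"]},
    ]},
})


def plaintext_by_workload(response_json: str) -> dict:
    """Return {"namespace/workload": plaintext request count} for every non-zero series."""
    body = json.loads(response_json)
    if body.get("status") != "success":
        raise RuntimeError(f"prometheus query failed: {body}")
    counts = Counter()
    for series in body["data"]["result"]:
        labels = series["metric"]
        count = float(series["value"][1])
        if count > 0:
            key = f'{labels["destination_workload_namespace"]}/{labels["destination_workload"]}'
            counts[key] += count
    return dict(counts)


def strict_ready_namespaces(plaintext: dict, candidate_namespaces) -> list:
    """Namespaces where no workload still receives plaintext; only these may go STRICT."""
    blocked = {key.split("/", 1)[0] for key in plaintext}
    return sorted(ns for ns in candidate_namespaces if ns not in blocked)


def peer_authentication(namespace: str, mode: str, mesh_wide: bool = False) -> dict:
    """Build a PeerAuthentication; the mesh-wide one lives in the root namespace istio-system."""
    if mode not in ("PERMISSIVE", "STRICT"):
        raise ValueError(mode)
    return {
        "apiVersion": "security.istio.io/v1",
        "kind": "PeerAuthentication",
        "metadata": {"name": "default",
                     "namespace": "istio-system" if mesh_wide else namespace},
        "spec": {"mtls": {"mode": mode}},
    }


def rollout_plan(response_json: str, namespaces) -> dict:
    """Per-namespace decision: STRICT where nothing is plaintext, stay PERMISSIVE elsewhere."""
    plaintext = plaintext_by_workload(response_json)
    ready = set(strict_ready_namespaces(plaintext, namespaces))
    return {ns: peer_authentication(ns, "STRICT" if ns in ready else "PERMISSIVE")
            for ns in namespaces}


if __name__ == "__main__":
    for ns, manifest in rollout_plan(SAMPLE_RESPONSE, ["prod", "legacy", "staging"]).items():
        print(ns, manifest["spec"]["mtls"]["mode"])
```

With the sample data only `staging` is cleared for STRICT; `prod` stays PERMISSIVE because `ratings` still receives plaintext, even though `reviews` is clean. Feed the real query result in and apply the emitted manifests namespace by namespace rather than the mesh-wide one.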

3. Canary deployment (VirtualService)

# Routes are evaluated in order; the final route has no match and is the fallback.
# In ambient mode, header matching and weighted routing are L7 features that need a waypoint.
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts: [reviews]
  http:
    - match:
        - headers:
            x-canary: { exact: "true" }
      route:
        - destination: { host: reviews, subset: v2 }
    - route:
        - destination: { host: reviews, subset: v1 }
          weight: 90
        - destination: { host: reviews, subset: v2 }
          weight: 10
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata: { name: reviews }
spec:
  host: reviews
  subsets:
    - name: v1
      labels: { version: v1 }
    - name: v2
      labels: { version: v2 }

4. AuthorizationPolicy (zero-trust)

# action defaults to ALLOW. Once any ALLOW policy selects a workload, requests that match no
# ALLOW rule are denied, so this policy admits only GET /reviews/* from productpage's identity.
# `principals` is derived from the mTLS peer certificate; plaintext callers never match it.
# In ambient mode the L7 fields (methods, paths) are enforced by a waypoint; ztunnel alone
# enforces only the L4 fields (principals, namespaces, ports).
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: reviews-allow
  namespace: prod
spec:
  selector:
    matchLabels: { app: reviews }
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/prod/sa/productpage"]
      to:
        - operation:
            methods: ["GET"]
            paths: ["/reviews/*"]
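How the policy above is evaluated, as an added example (not Istio's code): a small re-implementation of the documented order, DENY policies first, then ALLOW, with default-allow only when no ALLOW policy selects the workload, and support for the fields this page uses (principals, namespaces, methods, paths) plus their not* variants. It assumes all policies sit in the workload's namespace and leaves out CUSTOM actions and `when` conditions. The companion DENY policy and the probe requests are constructed.

```python
"""Offline evaluator for Istio AuthorizationPolicy decisions (added example, not Istio code).

Order implemented: DENY policies first; then, if no ALLOW policy selects the
workload, allow; otherwise allow only if some ALLOW rule matches.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    workload_labels: dict        # labels of the destination workload
    principal: Optional[str]     # SPIFFE identity from the mTLS peer cert; None if plaintext
    namespace: Optional[str]     # source namespace; None if unknown (plaintext)
    method: str
    path: str


def _glob(pattern: str, value: Optional[str]) -> bool:
    """Istio string match: exact, "prefix*", "*suffix" or "*". An unknown value matches nothing."""
    if value is None:
        return False
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern


def _field(values, not_values, actual) -> bool:
    """Positive list: actual must match one entry; negative list: actual must match none."""
    if values and not any(_glob(v, actual) for v in values):
        return False
    if not_values and any(_glob(v, actual) for v in not_values):
        return False
    return True


def _source_matches(src: dict, req: Request) -> bool:
    return (_field(src.get("principals"), src.get("notPrincipals"), req.principal)
            and _field(src.get("namespaces"), src.get("notNamespaces"), req.namespace))


def _operation_matches(op: dict, req: Request) -> bool:
    return (_field(op.get("methods"), op.get("notMethods"), req.method)
            and _field(op.get("paths"), op.get("notPaths"), req.path))


def _rule_matches(rule: dict, req: Request) -> bool:
    froms, tos = rule.get("from", []), rule.get("to", [])
    from_ok = not froms or any(_source_matches(f["source"], req) for f in froms)
    to_ok = not tos or any(_operation_matches(t["operation"], req) for t in tos)
    return from_ok and to_ok


def _selects(policy: dict, req: Request) -> bool:
    """Empty selector selects the whole namespace (assumed to be the workload's)."""
    sel = policy["spec"].get("selector", {}).get("matchLabels", {})
    return all(req.workload_labels.get(k) == v for k, v in sel.items())


def decide(policies: list, req: Request) -> str:
    applicable = [p for p in policies if _selects(p, req)]
    denies = [p for p in applicable if p["spec"].get("action") == "DENY"]
    allows = [p for p in applicable if p["spec"].get("action", "ALLOW") == "ALLOW"]
    if any(_rule_matches(r, req) for p in denies for r in p["spec"].get("rules", [])):
        return "DENY"
    if not allows:
        return "ALLOW"      # no ALLOW policy selects this workload: default open
    if any(_rule_matches(r, req) for p in allows for r in p["spec"].get("rules", [])):
        return "ALLOW"
    return "DENY"           # an ALLOW policy exists but nothing matched


# The reviews-allow policy from this page.
REVIEWS_ALLOW = {
    "apiVersion": "security.istio.io/v1", "kind": "AuthorizationPolicy",
    "metadata": {"name": "reviews-allow", "namespace": "prod"},
    "spec": {"selector": {"matchLabels": {"app": "reviews"}},
             "rules": [{"from": [{"source": {"principals": ["cluster.local/ns/prod/sa/productpage"]}}],
                        "to": [{"operation": {"methods": ["GET"], "paths": ["/reviews/*"]}}]}]},
}
# Constructed companion DENY: reject anything not provably from the prod namespace
# (a plaintext caller has no namespace, so it is caught here too).
DENY_FOREIGN_NS = {
    "apiVersion": "security.istio.io/v1", "kind": "AuthorizationPolicy",
    "metadata": {"name": "reviews-deny-foreign", "namespace": "prod"},
    "spec": {"selector": {"matchLabels": {"app": "reviews"}}, "action": "DENY",
             "rules": [{"from": [{"source": {"notNamespaces": ["prod"]}}]}]},
}
POLICIES = [REVIEWS_ALLOW, DENY_FOREIGN_NS]


def probe(principal, namespace, method, path, labels=None) -> str:
    """Decision for one constructed request against the reviews policies."""
    return decide(POLICIES, Request(labels or {"app": "reviews"}, principal, namespace, method, path))
```

The probes worth running: the productpage identity doing `GET /reviews/1` is allowed; the same identity doing `POST`, or requesting `/reviews` without the trailing segment, is denied; a plaintext caller and a caller from another namespace are denied; and a workload selected by no policy (for example `app: ratings`) accepts everything, which is why zero-trust here means an ALLOW policy for every workload, not just the sensitive ones.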

5. Circuit breaker

# connectionPool caps in-flight work per upstream; outlierDetection ejects an endpoint after
# 5 consecutive 5xx responses for baseEjectionTime multiplied by its ejection count.
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata: { name: reviews-cb }
spec:
  host: reviews
  trafficPolicy:
    connectionPool:
      tcp: { maxConnections: 100 }
      http:
        http1MaxPendingRequests: 50
        maxRequestsPerConnection: 10
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 60s

6. Waypoint proxy (L7 in Ambient)

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: reviews-waypoint
  namespace: prod
spec:
  gatewayClassName: istio-waypoint
  listeners:
    - name: mesh
      port: 15008
      protocol: HBONE
---
# Then attach the service to it via label (label the namespace instead to cover every service in it)
# kubectl label svc reviews -n prod istio.io/use-waypoint=reviews-waypoint
# Equivalent CLI for the Gateway above: istioctl waypoint apply -n prod --name reviews-waypoint

7. Telemetry (custom metrics)

# Every distinct tag value is a new Prometheus time series. x-tenant is a client-supplied
# header, so an attacker can inflate cardinality at will; only promote bounded, validated
# values (e.g. one set at the ingress gateway after authentication) to metric labels.
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata: { name: prom-tags }
spec:
  metrics:
    - providers: [{ name: prometheus }]
      overrides:
        - match: { metric: REQUEST_COUNT }
          tagOverrides:
            tenant: { value: 'request.headers["x-tenant"]' }

Decision criteria

Situation | Approach
--- | ---
New install, K8s native | Istio Ambient (sidecar-less).
Existing sidecar deployment | Stay on sidecar or migrate gradually.
Simple use case (<10 services, mTLS only) | Linkerd (lighter).
Multi-cluster federation | Istio multi-primary.
Edge / non-K8s | Consul Connect or Cilium Service Mesh.
eBPF-native preference | Cilium Service Mesh.

Default: Istio Ambient when newly adopting a service mesh on K8s; for a small mesh, Linkerd's simplicity wins.

🔗 Graph

🤖 LLM usage

When: zero-trust microservice security, traffic shaping, multi-cluster federation, observability without code changes. When not: a monolith, fewer than 5 services (overhead exceeds value), or only simple ingress is needed (use the Gateway API alone).

Anti-patterns

  • Sidecar everywhere by default: Ambient is the 2026 default; the sidecar's 50-100 MB/pod overhead is unnecessary for most workloads.
  • STRICT mTLS without migration: applying STRICT without a PERMISSIVE phase cuts off plaintext legacy clients instantly.
  • Missing VirtualService catch-all: if every http route carries a match and none matches, the request gets no route (404) instead of reaching the default version.
  • istiod single replica: control-plane SPOF. Proxies keep serving their last pushed config, but new pods, config pushes and certificate rotation stall; run at least 2 replicas plus a PodDisruptionBudget.
  • No circuit breaker: one slow dependency turns into a cascading, mesh-wide outage.
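A lint for the anti-patterns listed above plus two failure modes from the Patterns section (a VirtualService routing to a subset that no DestinationRule defines, and a host with no outlierDetection anywhere), as an added example rather than an Istio tool; `istioctl analyze` is the first thing to run, this covers the operational checks it does not. Input is the List that `kubectl get virtualservices,destinationrules,peerauthentications,deployments -A -o json` prints. The sample is constructed from this page's own reviews manifests plus deliberately broken objects.

```python
"""Lint Istio objects for the configuration anti-patterns above (added example, not Istio code).

Reads the List emitted by `kubectl get <kinds> -A -o json`; SAMPLE is constructed.
"""
import json

SAMPLE = json.dumps({"kind": "List", "items": [
    # This page's canary VirtualService and its two DestinationRules (well formed).
    {"kind": "VirtualService", "metadata": {"name": "reviews", "namespace": "prod"},
     "spec": {"hosts": ["reviews"], "http": [
         {"match": [{"headers": {"x-canary": {"exact": "true"}}}],
          "route": [{"destination": {"host": "reviews", "subset": "v2"}}]},
         {"route": [{"destination": {"host": "reviews", "subset": "v1"}, "weight": 90},
                    {"destination": {"host": "reviews", "subset": "v2"}, "weight": 10}]}]}},
    {"kind": "DestinationRule", "metadata": {"name": "reviews", "namespace": "prod"},
     "spec": {"host": "reviews", "subsets": [{"name": "v1", "labels": {"version": "v1"}},
                                             {"name": "v2", "labels": {"version": "v2"}}]}},
    {"kind": "DestinationRule", "metadata": {"name": "reviews-cb", "namespace": "prod"},
     "spec": {"host": "reviews", "trafficPolicy": {"outlierDetection": {"consecutive5xxErrors": 5}}}},
    # Constructed broken objects: matched-only routes, undefined subset, no circuit breaker,
    # PERMISSIVE left on mesh-wide, single istiod replica.
    {"kind": "VirtualService", "metadata": {"name": "ratings", "namespace": "prod"},
     "spec": {"hosts": ["ratings"], "http": [
         {"match": [{"uri": {"prefix": "/ratings"}}],
          "route": [{"destination": {"host": "ratings", "subset": "v3"}}]}]}},
    {"kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"kind": "Deployment", "metadata": {"name": "istiod", "namespace": "istio-system"},
     "spec": {"replicas": 1}},
]})


def lint(items) -> list:
    """Return (object, finding) pairs; an empty list means no check fired."""
    findings, vs_objs, subsets_by_host, cb_hosts, hosts = [], [], {}, set(), set()
    for obj in items:
        kind, spec, meta = obj["kind"], obj.get("spec", {}), obj["metadata"]
        name = f'{meta.get("namespace", "")}/{meta["name"]}'
        if kind == "DestinationRule":
            host = spec["host"]
            hosts.add(host)
            subsets_by_host.setdefault(host, set()).update(s["name"] for s in spec.get("subsets", []))
            if "outlierDetection" in spec.get("trafficPolicy", {}):
                cb_hosts.add(host)
        elif kind == "VirtualService":
            vs_objs.append((name, spec))
        elif kind == "PeerAuthentication" and meta.get("namespace") == "istio-system":
            mode = spec.get("mtls", {}).get("mode", "UNSET")
            if mode != "STRICT":
                findings.append((name, f"mesh-wide mTLS mode is {mode}, not STRICT"))
        elif kind == "Deployment" and meta["name"] == "istiod" and spec.get("replicas", 1) < 2:
            findings.append((name, "istiod runs a single replica: control-plane SPOF"))
    for name, spec in vs_objs:
        routes = spec.get("http", [])
        # Routes are tried in order; with no match-less final route, unmatched requests get 404.
        if routes and all("match" in r for r in routes):
            findings.append((name, "no fallback http route: requests matching no rule get 404"))
        for r in routes:
            for d in r.get("route", []):
                host, subset = d["destination"]["host"], d["destination"].get("subset")
                hosts.add(host)
                if subset and subset not in subsets_by_host.get(host, set()):
                    findings.append((name, f"routes to subset {subset!r} of {host}, which no DestinationRule defines"))
    for host in sorted(hosts - cb_hosts):
        findings.append((host, "no DestinationRule with outlierDetection: no circuit breaker"))
    return findings


def lint_json(text: str) -> list:
    return lint(json.loads(text)["items"])


if __name__ == "__main__":
    for obj, msg in lint_json(SAMPLE):
        print(f"{obj}: {msg}")
```

On the sample, the reviews objects pass (the circuit-breaker check is per host, so `reviews-cb` covers the subset-only `reviews` rule), while `ratings`, the PERMISSIVE mesh-wide policy and the single-replica istiod each produce a finding. Pipe the real `kubectl get ... -o json` output into `lint_json` in CI before a promotion.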

🧪 Verification / duplicates

  • Verified against the istio.io official docs and the Ambient mode GA announcement (Istio 1.24, November 2024).
  • Confidence A.

🕓 Changelog

Date | Change
--- | ---
2026-05-08 | Phase 1
2026-05-10 | Manual cleanup: Ambient mesh as the 2026 default, sidecar positioned as legacy