2nd/10_Wiki/Topics/Architecture/Service Mesh.md
Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization
10_Wiki/Topics large-scale cleanup:
- Removed 227 error-capture / unfinished stub documents
- Merged 43 cross-folder duplicate clusters (63 files → redirect)
- Link name normalization: broken-link fixes, direct redirect links, concept mapping, ~2,400 items
- Created 6 new category MOCs
- Removed 10,058 unresolved related-keyword links from Graph sections

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 23:52:15 +09:00

---
id: wiki-2026-0508-service-mesh
title: Service Mesh
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Service Mesh, Istio, Linkerd, sidecar mesh]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [microservices, kubernetes, networking, observability]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: yaml
  framework: kubernetes
---
# Service Mesh
## One line
> **"Externalize service-to-service communication into the platform layer."** mTLS, retries, traffic splitting and observability without changing application code. In 2026, Istio Ambient Mode (sidecar-less) and Linkerd (Rust) are the standard, and the eBPF-based Cilium Service Mesh is spreading rapidly.
## Core
### Key capabilities
- **mTLS**: encryption + identity between services.
- **Traffic mgmt**: canary, A/B, retry, timeout, circuit-break.
- **Observability**: metrics, traces and access logs, collected automatically.
- **Policy**: authz, rate limit.
### Architecture
- **Data plane**: the proxy (Envoy/linkerd2-proxy/eBPF) that intercepts traffic.
- **Control plane**: distributes config (istiod, linkerd-controller).
### Applications
1. K8s cluster with many microservices.
2. Zero-trust networking.
3. Progressive delivery (Argo Rollouts + mesh).
4. Multi-cluster federation.
## 💻 Patterns
### Istio Ambient (2026, no sidecar)
```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: ambient
  meshConfig:
    accessLogFile: /dev/stdout
```
```bash
istioctl install --set profile=ambient
kubectl label namespace prod istio.io/dataplane-mode=ambient
```
### Traffic split (canary)
```yaml
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata: { name: orders }
spec:
  hosts: [orders]
  http:
  - route:
    - { destination: { host: orders, subset: v1 }, weight: 90 }
    - { destination: { host: orders, subset: v2 }, weight: 10 }
```
### Retry + timeout
```yaml
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata: { name: payments }
spec:
  hosts: [payments]
  http:
  - timeout: 2s            # caps the whole request, retries included
    retries:
      attempts: 3
      perTryTimeout: 500ms # 4 tries x 500ms fits inside the 2s timeout
      retryOn: 5xx,reset,connect-failure
    route:                 # an http entry needs a destination to be valid
    - destination: { host: payments }
```
### mTLS strict
```yaml
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata: { name: default, namespace: prod }
spec:
  mtls: { mode: STRICT }
```
### AuthorizationPolicy
```yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata: { name: orders-allow-checkout, namespace: prod }  # same namespace as the selected workload
spec:
  selector: { matchLabels: { app: orders } }
  rules:
  - from: [{ source: { principals: ["cluster.local/ns/prod/sa/checkout"] } }]
    to: [{ operation: { methods: [POST], paths: ["/place"] } }]
```
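STRICT mTLS and a least-privilege AuthorizationPolicy only help if that is what is actually deployed. The linter below is an added example (not from this wiki page or from the Istio project) that checks both patterns above over the JSON shape `kubectl get peerauthentication,authorizationpolicy -A -o json` returns. The sample items are constructed to mirror the two manifests above plus two deliberately weak objects, and the root namespace `istio-system` is an assumption (Istio's default `rootNamespace`).

```python
"""Lint Istio PeerAuthentication / AuthorizationPolicy objects for policy gaps.

Added example, not from the wiki page or the Istio project. Input is the
`items` list of `kubectl get peerauthentication,authorizationpolicy -A -o json`.
"""
import json
from typing import Any, Dict, List

ROOT_NAMESPACE = "istio-system"  # assumption: Istio's default meshConfig.rootNamespace

# Constructed sample items: the two manifests from the page plus two weak objects.
SAMPLE_ITEMS: List[Dict[str, Any]] = [
    {"kind": "PeerAuthentication",
     "metadata": {"name": "default", "namespace": "prod"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"kind": "AuthorizationPolicy",
     "metadata": {"name": "orders-allow-checkout", "namespace": "prod"},
     "spec": {"selector": {"matchLabels": {"app": "orders"}},
              "rules": [{"from": [{"source": {"principals": ["cluster.local/ns/prod/sa/checkout"]}}],
                         "to": [{"operation": {"methods": ["POST"], "paths": ["/place"]}}]}]}},
    # Weak: PERMISSIVE keeps accepting plaintext, so peer identity is optional.
    {"kind": "PeerAuthentication",
     "metadata": {"name": "default", "namespace": "staging"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    # Weak: an ALLOW rule without `from` admits any caller, and `*` admits any method.
    {"kind": "AuthorizationPolicy",
     "metadata": {"name": "payments-open", "namespace": "prod"},
     "spec": {"selector": {"matchLabels": {"app": "payments"}},
              "rules": [{"to": [{"operation": {"methods": ["*"]}}]}]}},
]


def _ident(obj: Dict[str, Any]) -> str:
    meta = obj["metadata"]
    return f"{meta.get('namespace', 'default')}/{meta['name']}"


def lint_peer_authentication(obj: Dict[str, Any]) -> List[str]:
    """Flag any mTLS mode other than STRICT, including per-port downgrades."""
    spec = obj.get("spec", {})
    findings: List[str] = []
    mode = spec.get("mtls", {}).get("mode", "UNSET")
    if mode != "STRICT":
        findings.append(f"{_ident(obj)}: mTLS mode {mode}; plaintext is still accepted")
    for port, cfg in spec.get("portLevelMtls", {}).items():
        if cfg.get("mode") != "STRICT":
            findings.append(f"{_ident(obj)}: port {port} downgrades mTLS to {cfg.get('mode')}")
    return findings


def lint_authorization_policy(obj: Dict[str, Any]) -> List[str]:
    """Flag ALLOW rules not bound to a caller identity or to a specific operation."""
    spec = obj.get("spec", {})
    rules = spec.get("rules", [])
    findings: List[str] = []
    # DENY/AUDIT/CUSTOM policies restrict rather than grant; ALLOW with no rules is Istio's deny-all.
    if spec.get("action", "ALLOW") != "ALLOW" or not rules:
        return findings
    for i, rule in enumerate(rules):
        sources = rule.get("from", [])
        if not sources:
            findings.append(f"{_ident(obj)}: rule {i} has no `from`; any caller is allowed")
        for src in sources:
            principals = src.get("source", {}).get("principals", [])
            if not principals:
                findings.append(f"{_ident(obj)}: rule {i} source is not bound to a workload principal")
            elif any("*" in p for p in principals):
                findings.append(f"{_ident(obj)}: rule {i} uses a wildcard principal")
        targets = rule.get("to", [])
        if not targets:
            findings.append(f"{_ident(obj)}: rule {i} has no `to`; every operation is allowed")
        for tgt in targets:
            op = tgt.get("operation", {})
            if not op.get("methods") or "*" in op["methods"]:
                findings.append(f"{_ident(obj)}: rule {i} allows any HTTP method")
            if not op.get("paths"):
                findings.append(f"{_ident(obj)}: rule {i} allows any path")
    return findings


def lint_mesh_policies(items: List[Dict[str, Any]]) -> List[str]:
    """Lint every object and cross-check that identity-based rules sit behind STRICT mTLS."""
    findings: List[str] = []
    strict_namespaces = set()
    for obj in items:
        if obj.get("kind") == "PeerAuthentication":
            findings += lint_peer_authentication(obj)
            spec = obj.get("spec", {})
            # Namespace-wide (no selector) STRICT policy; one in the root namespace covers the mesh.
            if spec.get("mtls", {}).get("mode") == "STRICT" and not spec.get("selector"):
                strict_namespaces.add(obj["metadata"].get("namespace", "default"))
    mesh_wide = ROOT_NAMESPACE in strict_namespaces
    for obj in items:
        if obj.get("kind") != "AuthorizationPolicy":
            continue
        findings += lint_authorization_policy(obj)
        ns = obj["metadata"].get("namespace", "default")
        uses_principals = any(src.get("source", {}).get("principals")
                              for rule in obj.get("spec", {}).get("rules", [])
                              for src in rule.get("from", []))
        if uses_principals and not (mesh_wide or ns in strict_namespaces):
            findings.append(f"{_ident(obj)}: principal-based rules without a namespace-wide "
                            f"STRICT PeerAuthentication in {ns}")
    return findings


def lint_kubectl_json(text: str) -> List[str]:
    """Entry point for real `kubectl get ... -A -o json` output."""
    return lint_mesh_policies(json.loads(text)["items"])


if __name__ == "__main__":
    for line in lint_mesh_policies(SAMPLE_ITEMS):
        print(line)
```

Against the constructed sample the linter reports nothing for the two manifests from this page and four findings for the weak objects (PERMISSIVE mode, an open `from`, a wildcard method, an unrestricted path). Run `kubectl get peerauthentication,authorizationpolicy -A -o json | python lint.py` style by feeding the output to `lint_kubectl_json` to check a live cluster.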
### Linkerd (simple + Rust proxy)
```bash
linkerd install --crds | kubectl apply -f -
linkerd install | kubectl apply -f -
kubectl annotate ns prod linkerd.io/inject=enabled
```
### Cilium Service Mesh (eBPF)
```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata: { name: cilium }
spec:
  valuesContent: |
    serviceMesh:
      enabled: true
    kubeProxyReplacement: true
    ingressController:
      enabled: true
```
### Observability: Tempo/Grafana integration
```yaml
# Istio sends traces to Jaeger/Tempo automatically
meshConfig:
  defaultProviders:
    tracing: [tempo]
  extensionProviders:
  - name: tempo
    zipkin: { service: tempo.observability.svc, port: 9411 }
```
## Decision criteria
| Situation | Approach |
|---|---|
| < 10 services | Mesh is overkill; a library (resilience4j) is enough. |
| 10+ services on K8s | Mesh value rises. |
| Latency-critical | Linkerd (Rust, lightweight). |
| Feature-rich | Istio Ambient. |
| eBPF + CNI integration | Cilium Mesh. |
| Multi-cluster | Istio multi-primary. |
**Default**: K8s standard + Istio Ambient. Linkerd if lightweight comes first.
## 🔗 Graph
- Parents: [[Microservices]] · [[Kubernetes]]
- Applications: [[Istio]] · [[Linkerd]] · [[Cilium]] · [[Envoy]]
- Adjacent: [[mTLS]] · [[Zero Trust]] · [[Circuit Breaker]] · [[Observability]]
## 🤖 LLM usage
**When**: service count explodes, zero trust becomes mandatory, progressive delivery.
**When not**: monolith, < 5 services, no platform team.
## ❌ Anti-patterns
- **Adopting a mesh while keeping library retries**: double retry → retry storm.
- **Large resource requests per sidecar**: ambient mode not used.
- **mTLS not applied**: the core value of the mesh goes unused.
- **Assuming the mesh solves every problem**: application bugs are a separate matter.
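The Retry + timeout pattern and the double-retry anti-pattern above can both be checked numerically. The following Python is an added example (not from this wiki page or from Istio): it parses a constructed `payments` route dict carrying the same values as the VirtualService above, verifies that the retries fit inside the route timeout, and computes the worst-case request amplification when library retries are kept alongside mesh retries. The retry accounting (`attempts` retries after the initial try, `perTryTimeout` bounding each try, `timeout` capping the whole request) follows Istio's documented semantics; Envoy's back-off between tries is ignored, so the real worst case is slightly longer.

```python
"""Retry budget and retry-storm checks for an Istio VirtualService route.

Added example, not from the wiki page or the Istio project. PAYMENTS_ROUTE is a
constructed dict with the same values as the `payments` VirtualService above.
"""
import re
from typing import Any, Dict, List

PAYMENTS_ROUTE: Dict[str, Any] = {
    "timeout": "2s",
    "retries": {"attempts": 3, "perTryTimeout": "500ms", "retryOn": "5xx,reset,connect-failure"},
}

_DURATION = re.compile(r"^(\d+(?:\.\d+)?)(ms|s|m|h)$")
_FACTOR_MS = {"ms": 1, "s": 1_000, "m": 60_000, "h": 3_600_000}


def parse_duration_ms(text: str) -> int:
    """Parse an Istio duration string such as '2s', '500ms' or '1.5s' into milliseconds."""
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(float(m.group(1)) * _FACTOR_MS[m.group(2)])


def check_retry_budget(route: Dict[str, Any]) -> List[str]:
    """Return findings when the retry policy cannot complete inside the route timeout.

    Istio semantics: `attempts` is the number of retries after the initial try,
    `perTryTimeout` bounds each try, and the route `timeout` caps the whole request.
    Envoy's exponential back-off between tries is ignored (real worst case is longer).
    """
    findings: List[str] = []
    retries = route.get("retries")
    if not retries:
        return findings
    if "timeout" not in route:
        findings.append("no route timeout: a slow upstream holds the request for as long as the client waits")
        return findings
    timeout_ms = parse_duration_ms(route["timeout"])
    tries = int(retries.get("attempts", 0)) + 1
    if "perTryTimeout" not in retries:
        findings.append("perTryTimeout unset: one slow try can consume the whole timeout, leaving none for retries")
        return findings
    per_try_ms = parse_duration_ms(retries["perTryTimeout"])
    if per_try_ms >= timeout_ms:
        findings.append(f"perTryTimeout {per_try_ms}ms >= timeout {timeout_ms}ms: retries can never run")
    elif tries * per_try_ms > timeout_ms:
        findings.append(f"{tries} tries x {per_try_ms}ms = {tries * per_try_ms}ms exceeds timeout "
                        f"{timeout_ms}ms: later retries are cut off by the route timeout")
    return findings


def retry_amplification(hops: int, mesh_attempts: int, lib_attempts: int = 0) -> int:
    """Worst-case requests reaching the deepest service per client request when every hop fails.

    Each retrying layer multiplies the tries at a hop (initial try + attempts), and the
    product compounds along the call chain; this is the double-retry storm named above.
    """
    tries_per_hop = (mesh_attempts + 1) * (lib_attempts + 1)
    return tries_per_hop ** hops


if __name__ == "__main__":
    print(check_retry_budget(PAYMENTS_ROUTE) or "payments route: retries fit inside the timeout")
    print("mesh retries only, 3 hops:", retry_amplification(3, 3))
    print("mesh + library retries, 3 hops:", retry_amplification(3, 3, 3))
```

With the page's values the budget check passes (4 tries x 500ms = 2s, exactly the route timeout). The amplification numbers make the anti-pattern concrete: mesh retries alone over a three-hop chain can turn one failing client request into 64 backend requests, and leaving the library's three retries in place on top raises that to 4096, which is why the retry policy should live in one layer only.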
## 🧪 Verification / duplicates
- Verified (Istio docs 1.24+, Linkerd docs 2.16+, Cilium docs 1.16+).
- Trust level A.
## 🕓 Changelog
| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: Istio Ambient + Linkerd + Cilium 2026 patterns |