101
0/273
Loading content...
We've explored Kubernetes' native networking primitives—Services, Ingress, Network Policies, and DNS. These tools provide a solid foundation for container networking, but as organizations scale to hundreds of microservices, new challenges emerge:
Kubernetes doesn't answer these questions natively. Enter the service mesh—an infrastructure layer that handles service-to-service communication with features that go far beyond what Kubernetes provides out of the box.
By the end of this page, you will understand service mesh architecture, how meshes integrate with Kubernetes networking, key features (mTLS, traffic management, observability), and how to evaluate whether your organization needs a service mesh.
A service mesh is an infrastructure layer that mediates all service-to-service communication within a cluster. It transparently intercepts network traffic through sidecar proxies, adding capabilities without requiring application code changes.
Without Service Mesh:
┌────────────┐ ┌────────────┐
│ Service A │ ──HTTP────▶ │ Service B │
└────────────┘ └────────────┘
With Service Mesh:
┌─────────────────────────┐ ┌─────────────────────────┐
│ Pod │ │ Pod │
│ ┌───────────┐ │ │ ┌───────────┐ │
│ │ Service A │──▶┐ │ │ ┌──▶│ Service B │ │
│ └───────────┘ │ │ │ │ └───────────┘ │
│ ▼ │ │ │ │
│ ┌─────────┐ │ │ ┌─────────┐ │
│ │ Sidecar │───┼──┼──▶│ Sidecar │ │
│ │ Proxy │ │ │ │ Proxy │ │
│ └─────────┘ │ │ └─────────┘ │
└─────────────────────────┘ └─────────────────────────┘
│ │
└──────┬─────────────┘
▼
┌──────────────┐
│ Control Plane │
└──────────────┘
Data Plane: The sidecar proxies (typically Envoy) that handle actual traffic. They intercept all ingress and egress from application containers.
Control Plane: The management component that configures and coordinates the proxies. It distributes configuration, certificates, and policies.
| Mesh | Proxy | Strengths | Considerations |
|---|---|---|---|
| Istio | Envoy | Feature-rich, wide adoption, strong traffic management | Resource overhead, complexity |
| Linkerd | linkerd2-proxy (Rust) | Lightweight, simple, low latency | Fewer features than Istio |
| Consul Connect | Envoy/Built-in | Multi-platform, HashiCorp ecosystem integration | Requires Consul service discovery |
| AWS App Mesh | Envoy | Native AWS integration | AWS-only |
| Cilium Service Mesh | eBPF/Envoy | No sidecars (eBPF), high performance | Requires newer kernels, maturing |
| Kuma | Envoy | Multi-zone (Kubernetes + VMs), simple UX | Smaller community |
Envoy Proxy (created by Lyft) is the de facto data plane for most service meshes. Its programmability through xDS APIs makes it ideal for dynamic mesh environments. Understanding Envoy concepts translates across Istio, App Mesh, Consul, and others.
Service meshes transparently intercept traffic using iptables rules or eBPF programs. Understanding this mechanism is crucial for debugging and understanding mesh behavior.
12345678910111213141516171819202122232425
# When a Pod with a sidecar makes an outbound request: 1. Application container sends request to Service B (ClusterIP:Port)2. iptables rules REDIRECT traffic to the sidecar proxy (localhost:15001)3. Sidecar proxy receives the request4. Proxy applies policies (mTLS, retries, timeout)5. Proxy establishes connection to destination Pod's sidecar6. Destination sidecar receives traffic, applies policies7. Destination sidecar forwards to application container # Actual iptables rules (Istio example):iptables -t nat -L -n Chain ISTIO_OUTPUT# Redirect all outbound TCP to Envoy-A ISTIO_OUTPUT -j REDIRECT --to-ports 15001 Chain ISTIO_REDIRECT# Redirect all inbound TCP to Envoy-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15006 # Visual flow:App → localhost:15001 (outbound proxy) → Remote Pod:15006 (inbound proxy) → App ↑ ↑ iptables REDIRECT iptables REDIRECTSidecars are typically injected automatically via Kubernetes admission webhooks. When a Pod is created, the mesh's mutating admission webhook modifies the Pod spec to add the sidecar container and init container (for iptables setup).
12345678910111213141516171819202122232425262728
# Enable automatic sidecar injection for a namespace (Istio)kubectl label namespace production istio-injection=enabled # Alternatively, annotate individual PodsapiVersion: v1kind: Podmetadata: name: my-app annotations: sidecar.istio.io/inject: "true" # Enable injection sidecar.istio.io/proxyCPU: "100m" # Sidecar resource requests sidecar.istio.io/proxyMemory: "128Mi"spec: containers: - name: my-app image: myapp:latest # After injection, the Pod has additional containers:# - istio-init: Init container that sets up iptables# - istio-proxy: The Envoy sidecar # View injected Pod:kubectl get pod my-app -o yaml# containers:# - name: my-app # Your application# - name: istio-proxy # Injected sidecar# initContainers:# - name: istio-init # Sets up traffic interceptionEach sidecar consumes CPU and memory. In Istio, the default is ~100m CPU and ~128Mi memory per sidecar. For a cluster with 1,000 Pods, that's ~100 CPU cores and ~128GB of memory just for sidecars. Plan capacity accordingly.
Mutual TLS (mTLS) is one of the most compelling service mesh features. It encrypts all service-to-service traffic and provides cryptographic identity verification for both ends of every connection.
12345678910111213141516171819202122232425
# mTLS Handshake between Service A and Service B: 1. Service A's sidecar initiates connection to Service B2. Service A's sidecar presents its certificate: - Identity: spiffe://cluster.local/ns/production/sa/service-a - Signed by: Mesh CA (Istiod, Linkerd Identity)3. Service B's sidecar verifies: - Certificate is valid and not expired - Signed by trusted CA - Identity matches expected caller (AuthorizationPolicy)4. Service B's sidecar presents its certificate (mutual verification)5. Service A's sidecar verifies Service B's identity6. Encrypted channel established (TLS 1.3)7. Application traffic flows encrypted # Certificate Identity (SPIFFE format):spiffe://cluster.local/ns/<namespace>/sa/<service-account> # Example:spiffe://cluster.local/ns/production/sa/user-service # This cryptographically proves:# - The workload is in the 'production' namespace# - The workload runs as ServiceAccount 'user-service'# - The mesh CA has validated this identity123456789101112131415161718192021222324252627282930313233343536373839404142
# Enable strict mTLS for a namespace (Istio)apiVersion: security.istio.io/v1beta1kind: PeerAuthenticationmetadata: name: default namespace: productionspec: mtls: mode: STRICT # STRICT, PERMISSIVE, or DISABLE # STRICT: Reject non-mTLS connections # PERMISSIVE: Accept both mTLS and plaintext (for migration) # DISABLE: No mTLS ---# Enable strict mTLS mesh-wideapiVersion: security.istio.io/v1beta1kind: PeerAuthenticationmetadata: name: default namespace: istio-system # Mesh-wide defaultspec: mtls: mode: STRICT ---# Destination rule to enforce client-side mTLSapiVersion: networking.istio.io/v1beta1kind: DestinationRulemetadata: name: enable-mtls namespace: productionspec: host: "*.production.svc.cluster.local" trafficPolicy: tls: mode: ISTIO_MUTUAL # Use mesh certificates ---# Verify mTLS is working# Check if connection is encrypted:kubectl exec -n production deploy/service-a -c istio-proxy -- \ openssl s_client -connect service-b:80 -showcertsService meshes provide sophisticated traffic management capabilities that go far beyond what Kubernetes Services offer. This enables canary deployments, A/B testing, traffic mirroring, and resilience patterns.
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647
# Istio VirtualService for traffic splittingapiVersion: networking.istio.io/v1beta1kind: VirtualServicemetadata: name: reviews namespace: productionspec: hosts: - reviews # The service to configure http: - match: - headers: end-user: exact: "jason" # Route test user to v3 route: - destination: host: reviews subset: v3 - route: - destination: host: reviews subset: v1 weight: 90 # 90% to v1 - destination: host: reviews subset: v2 weight: 10 # 10% to v2 (canary) ---# DestinationRule defines subsets (versions)apiVersion: networking.istio.io/v1beta1kind: DestinationRulemetadata: name: reviews namespace: productionspec: host: reviews subsets: - name: v1 labels: version: v1 - name: v2 labels: version: v2 - name: v3 labels: version: v3123456789101112131415161718192021222324252627282930313233343536373839404142
# VirtualService with retries and timeoutsapiVersion: networking.istio.io/v1beta1kind: VirtualServicemetadata: name: ratings namespace: productionspec: hosts: - ratings http: - route: - destination: host: ratings retries: attempts: 3 # Retry up to 3 times perTryTimeout: 2s # Timeout per attempt retryOn: 5xx,reset,connect-failure,refused-stream timeout: 10s # Total request timeout ---# DestinationRule with circuit breakerapiVersion: networking.istio.io/v1beta1kind: DestinationRulemetadata: name: ratings namespace: productionspec: host: ratings trafficPolicy: connectionPool: tcp: maxConnections: 100 # Max connections to service http: h2UpgradePolicy: UPGRADE http1MaxPendingRequests: 100 http2MaxRequests: 1000 outlierDetection: # Circuit breaker consecutive5xxErrors: 5 # Trip after 5 errors interval: 30s # Analysis window baseEjectionTime: 30s # Initial ejection time maxEjectionPercent: 50 # Max % of hosts to eject minHealthPercent: 30 # Min healthy hosts before trippingMirror production traffic to test new versions without affecting users:
12345678910111213141516171819202122
apiVersion: networking.istio.io/v1beta1kind: VirtualServicemetadata: name: ratingsspec: hosts: - ratings http: - route: - destination: host: ratings subset: v1 weight: 100 # 100% to v1 (production) mirror: host: ratings subset: v2 # Mirror copy to v2 mirrorPercentage: value: 100.0 # Mirror 100% of traffic # Traffic flow:# Client → ratings-v1 (responds to client)# ↘ ratings-v2 (response discarded, but logs/metrics captured)Service meshes enable sophisticated progressive delivery strategies:
Tools like Flagger and Argo Rollouts integrate with meshes for automated progressive delivery.
While Kubernetes Network Policies operate at L3/L4 (IPs and ports), service mesh authorization works at L7, enabling identity-based access control with understanding of HTTP methods, paths, and headers.
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667
# Deny all traffic by default (zero trust)apiVersion: security.istio.io/v1beta1kind: AuthorizationPolicymetadata: name: deny-all namespace: productionspec: {} # Empty spec = deny all ---# Allow specific service-to-service communicationapiVersion: security.istio.io/v1beta1kind: AuthorizationPolicymetadata: name: allow-frontend-to-api namespace: productionspec: selector: matchLabels: app: api-gateway action: ALLOW rules: - from: - source: principals: - "cluster.local/ns/production/sa/frontend" # SPIFFE identity to: - operation: methods: ["GET", "POST"] paths: ["/api/v1/*"] ---# Allow based on JWT claims (end-user identity)apiVersion: security.istio.io/v1beta1kind: AuthorizationPolicymetadata: name: require-jwt namespace: productionspec: selector: matchLabels: app: orders action: ALLOW rules: - from: - source: requestPrincipals: ["https://auth.example.com/*"] # JWT issuer when: - key: request.auth.claims[groups] values: ["admin", "order-managers"] ---# Deny access from specific namespacesapiVersion: security.istio.io/v1beta1kind: AuthorizationPolicymetadata: name: deny-untrusted namespace: productionspec: selector: matchLabels: app: database action: DENY rules: - from: - source: namespaces: ["development", "testing"]| Aspect | Network Policy | Service Mesh AuthZ |
|---|---|---|
| Layer | L3/L4 (IP, Port) | L7 (HTTP, gRPC) |
| Identity | Labels, Namespaces | Cryptographic (mTLS/JWT) |
| Granularity | Pod-level | Request-level (method, path) |
| JWT Support | No | Yes |
| Logging | Limited | Rich audit logging |
| Enforcement | CNI/iptables | Sidecar proxy |
| Overhead | Minimal | Sidecar resources |
Service meshes provide consistent observability across all services without requiring application instrumentation. The sidecar proxies emit metrics, traces, and logs for every request.
Proxies automatically generate RED metrics (Rate, Errors, Duration) for all traffic:
12345678910111213141516171819202122232425262728293031323334
# Istio generates Prometheus metrics automatically: # Request rate by source/destination:istio_requests_total{ source_workload="frontend", destination_workload="api", response_code="200"} # Request latency histogram:istio_request_duration_milliseconds_bucket{ source_workload="frontend", destination_workload="api", le="100"} # TCP bytes:istio_tcp_sent_bytes_totalistio_tcp_received_bytes_total # Example Prometheus queries: # Request rate per service:sum(rate(istio_requests_total[5m])) by (destination_workload) # P99 latency:histogram_quantile(0.99, sum(rate(istio_request_duration_milliseconds_bucket[5m])) by (destination_workload, le)) # Error rate:sum(rate(istio_requests_total{response_code=~"5.*"}[5m])) / sum(rate(istio_requests_total[5m]))Service meshes integrate with tracing backends (Jaeger, Zipkin, Datadog) to provide request-level visibility:
1234567891011121314151617181920212223242526272829
# Istio telemetry configuration for tracingapiVersion: telemetry.istio.io/v1alpha1kind: Telemetrymetadata: name: mesh-default namespace: istio-systemspec: tracing: - randomSamplingPercentage: 100.0 # Sample 100% in dev; 1-5% in prod providers: - name: jaeger customTags: environment: literal: value: "production" ---# Applications must propagate trace headers:# x-request-id# x-b3-traceid# x-b3-spanid# x-b3-parentspanid# x-b3-sampled# x-b3-flags# x-ot-span-context # Or for W3C Trace Context:# traceparent# tracestateMesh observability tools visualize service dependencies and traffic flow:
The mesh provides the four golden signals of monitoring without any application changes:
• Latency: istio_request_duration_milliseconds • Traffic: istio_requests_total • Errors: istio_requests_total{response_code=~"5.*"} • Saturation: Connection pool exhaustion, queue depth
Build dashboards and alerts around these metrics for comprehensive SLO monitoring.
Service meshes work alongside Kubernetes networking, not as a replacement. Understanding how they integrate helps you design effective architectures.
| Component | Kubernetes Native | With Service Mesh |
|---|---|---|
| Service Discovery | ClusterIP + DNS | ClusterIP + DNS (mesh uses this) |
| Load Balancing | kube-proxy (L4) | Sidecar (L7, advanced algorithms) |
| External Traffic | Ingress Controller | Mesh Gateway (Istio Gateway) or Ingress |
| Network Security | Network Policies (L3/L4) | Network Policies + AuthZ Policies (L7) |
| TLS | Application or Ingress | Automatic mTLS everywhere |
| Traffic Management | None | VirtualServices, DestinationRules |
| Observability | Application-implemented | Automatic (proxy-generated) |
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657
# Istio Gateway replaces/complements Ingress for mesh trafficapiVersion: networking.istio.io/v1beta1kind: Gatewaymetadata: name: main-gateway namespace: istio-systemspec: selector: istio: ingressgateway # Use Istio's ingress gateway deployment servers: - port: number: 443 name: https protocol: HTTPS tls: mode: SIMPLE credentialName: main-tls-secret hosts: - "*.example.com" - port: number: 80 name: http protocol: HTTP hosts: - "*.example.com" tls: httpsRedirect: true # Redirect HTTP to HTTPS ---# VirtualService binds Gateway to internal servicesapiVersion: networking.istio.io/v1beta1kind: VirtualServicemetadata: name: api-routing namespace: productionspec: hosts: - "api.example.com" gateways: - istio-system/main-gateway # Reference the Gateway http: - match: - uri: prefix: /v1 route: - destination: host: api-v1 port: number: 80 - match: - uri: prefix: /v2 route: - destination: host: api-v2 port: number: 80Even with a service mesh, keep Kubernetes Network Policies as defense-in-depth. Network Policies operate at the CNI level (before traffic reaches sidecars) and provide coarse-grained segmentation. Mesh authorization adds fine-grained L7 controls on top.
Service meshes add significant value but also complexity and resource overhead. The decision to adopt one should be based on your specific requirements.
If you need only some mesh features, consider lighter-weight alternatives:
| Need | Mesh-Free Alternative |
|---|---|
| mTLS | SPIFFE/SPIRE with native app support |
| Observability | OpenTelemetry SDK in applications |
| Retries/Timeouts | Client libraries (resilience4j, Polly) |
| Canary Deployments | Argo Rollouts, Flagger with Ingress |
| Rate Limiting | API Gateway (Kong, Ambassador) |
| Circuit Breakers | Client libraries or sidecar-less options |
Don't adopt a service mesh preemptively. Start with Kubernetes native networking. As your architecture grows and requirements emerge, evaluate if mesh benefits outweigh the complexity. Many successful organizations run hundreds of services without a mesh, relying on client libraries and API gateways.
We've comprehensively covered service mesh integration with Kubernetes networking. Let's consolidate the key takeaways:
Module Complete:
You've now completed the Kubernetes Networking module. We covered:
With this knowledge, you can design, implement, and troubleshoot networking for production Kubernetes clusters at any scale.
Congratulations! You now have a comprehensive understanding of Kubernetes networking—from native primitives through service mesh integration. You can design secure, scalable, and observable networking architectures for containerized applications. Continue to the next module to explore Kubernetes storage!