
Istio — Operations

Scope

Production deployment patterns, traffic management, mTLS configuration, Ambient mesh, and troubleshooting for Istio.

Deployment Patterns

Installation Profiles

| Profile | Components | Use Case |
|---|---|---|
| default | istiod + ingress gateway | Standard production |
| demo | istiod + ingress and egress gateways, 100% trace sampling and access logging on | Demos and testing; not for production |
| minimal | istiod only | Control plane only; bring your own gateways |
| ambient | istiod + istio-cni + ztunnel (waypoints are deployed separately) | Sidecar-less mesh (GA since Istio 1.24) |

# Production install with istioctl
istioctl install --set profile=default \
  --set meshConfig.accessLogFile=/dev/stdout \
  --set meshConfig.enableAutoMtls=true \
  --set values.pilot.resources.requests.memory=2Gi

# Enable sidecar injection for a namespace (only pods created after the label
# get a sidecar; restart existing workloads)
kubectl label namespace default istio-injection=enabled

Ambient Mesh (Sidecar-less)

# Install ambient mode
istioctl install --set profile=ambient

# Add namespace to ambient mesh (a pod is either captured by ztunnel or runs
# a sidecar, never both)
kubectl label namespace default istio.io/dataplane-mode=ambient

# Deploy a waypoint proxy for L7 features (optional) and enrol the namespace so
# its traffic is routed through it (sets istio.io/use-waypoint=waypoint);
# without enrolment the waypoint runs but receives no traffic
istioctl waypoint apply --namespace default --enroll-namespace
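Added example (not from the original page): how authorization splits between ztunnel and the waypoint in ambient mode. ztunnel evaluates only L4 attributes (peer identity, namespace, port). Rules that use HTTP methods, paths or headers must be bound to the waypoint with targetRefs; ztunnel cannot evaluate them and Istio documents that case as fail-closed, so such a rule denies rather than allows. The app labels, service accounts and port are assumed; the Gateway name waypoint is the default that istioctl waypoint apply creates.

```yaml
# Added example, not from the Istio docs. Labels, service accounts and the
# port are assumed for illustration.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: reviews-l4            # enforced by ztunnel: identity and port only
  namespace: default
spec:
  selector:
    matchLabels:
      app: reviews
  action: ALLOW               # once an ALLOW policy matches, everything else is denied
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/productpage"]
    to:
    - operation:
        ports: ["9080"]       # assumed service port
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: reviews-l7            # enforced by the namespace waypoint, which sees HTTP
  namespace: default
spec:
  targetRefs:                 # bind to the waypoint, not to the workload
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: waypoint            # default name from istioctl waypoint apply
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/productpage"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/reviews/*"]
```

Keep the L4 policy even after the waypoint exists: it is the layer that still holds if the waypoint is removed or the namespace is un-enrolled.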

Traffic Management

Canary Deployment

apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews                 # no gateways: entry, so this applies to mesh-internal traffic only
  http:
  - match:                  # rules are evaluated in order; first match wins
    - headers:
        end-user:
          exact: jason      # pins one test user to the canary; any client can set this
                            # header, so it selects a version and is not an access control
    route:
    - destination:
        host: reviews
        subset: v3          # subsets must be defined in a DestinationRule for this host
  - route:                  # everyone else: weighted split, weights must sum to 100
    - destination:
        host: reviews
        subset: v2
      weight: 90
    - destination:
        host: reviews
        subset: v3
      weight: 10
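Added example (not from the original page): the DestinationRule the canary VirtualService above depends on. The subsets v2 and v3 are names, not labels; until a DestinationRule maps them to pod labels, Envoy has no cluster for the route and answers 503. The pod labels (version: v2, version: v3) and the load balancer choice are assumptions.

```yaml
# Added example, not from the Istio docs. Pod labels are assumed to be
# version: v2 / version: v3 on the respective Deployments.
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: reviews
  namespace: default        # short host name below resolves in this namespace
spec:
  host: reviews
  subsets:
  - name: v2
    labels:
      version: v2           # assumed pod label
  - name: v3
    labels:
      version: v3           # assumed pod label
  trafficPolicy:
    loadBalancer:
      simple: LEAST_REQUEST # applies to every subset unless a subset overrides it
```

Do not add trafficPolicy.tls.mode here when enableAutoMtls is on: an explicit tls mode overrides the automatic detection and is the usual cause of a canary that works for v2 but returns 503 for v3 during a mixed rollout.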

Circuit Breaking

apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: backend
spec:
  host: backend
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100          # per Envoy instance, across all endpoints of this host
      http:
        h2UpgradePolicy: DEFAULT     # use the mesh-wide h2 upgrade setting
        http1MaxPendingRequests: 100 # requests queued beyond this are rejected with 503
        http2MaxRequests: 1000       # concurrent requests across all endpoints
    outlierDetection:
      consecutive5xxErrors: 5        # eject an endpoint after 5 consecutive 5xx
      interval: 30s                  # how often the ejection analysis runs
      baseEjectionTime: 30s          # multiplied by the number of times already ejected
      maxEjectionPercent: 50         # never eject more than half the endpoints

Security

Peer Authentication (mTLS)

PeerAuthentication authenticates the peer; it does not authorize it. A mesh-wide STRICT policy rejects plaintext from anything outside the mesh, so roll out PERMISSIVE first, confirm no plaintext traffic remains, then switch to STRICT and add AuthorizationPolicy for the identities that may actually call each workload.

apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system     # root namespace and no selector: applies mesh-wide
spec:
  mtls:
    mode: STRICT  # STRICT: mTLS only | PERMISSIVE: mTLS and plaintext | DISABLE: plaintext only
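Added example (not from the original page): keeping the mesh-wide STRICT policy above while carving out one plaintext port on a single workload, and adding the AuthorizationPolicy that turns the mTLS identity into an actual access decision. The workload labels, the service account and port 8081 as a legacy health endpoint are assumptions. Note the second rule: once an ALLOW policy matches a workload, anything not covered by a rule is denied, so the plaintext checker (which has no principal) must be allowed explicitly or the exception you just opened is useless.

```yaml
# Added example, not from the Istio docs. app: backend, the frontend service
# account and port 8081 are assumed.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: backend
  namespace: default
spec:
  selector:                   # portLevelMtls is only valid with a workload selector
    matchLabels:
      app: backend
  mtls:
    mode: STRICT
  portLevelMtls:
    8081:                     # legacy health endpoint scraped from outside the mesh (assumed)
      mode: PERMISSIVE
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: backend-allow-frontend
  namespace: default
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW               # implicit deny for every request no rule matches
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/frontend"]   # SPIFFE identity from the mTLS cert
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/*"]
  - to:                       # no from: block, so plaintext callers without a principal match
    - operation:
        ports: ["8081"]
        paths: ["/healthz"]
```

Keep the exception as narrow as the example does (one port, one path); a PERMISSIVE port with no path restriction is a plaintext door into a workload that otherwise looks STRICT.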

Troubleshooting

| Symptom | Diagnosis | Fix |
|---|---|---|
| Sidecar not injected | kubectl get ns <ns> --show-labels; pods created before the label are not injected | kubectl label ns <ns> istio-injection=enabled, then restart the workloads |
| 503 errors | istioctl analyze -n <ns>; istioctl proxy-config cluster <pod> | Subset missing from the DestinationRule, host typo in the VirtualService, or mTLS mismatch between client and server |
| mTLS handshake fail | istioctl x describe pod <pod>; istioctl proxy-config secret <pod> | Check PeerAuthentication mode on both ends and that the workload cert is present and unexpired |
| High latency | istioctl proxy-status (config sync lag); kubectl top pod | Raise sidecar or istiod resource limits; check retries and timeouts in the VirtualService |
| Config rejected | istioctl validate -f config.yaml | Fix YAML syntax; check apiVersion and field names |

# Debug toolkit
istioctl analyze --namespace default          # static checks on the namespace's mesh config
istioctl proxy-status                         # every proxy should be SYNCED with istiod
istioctl proxy-config routes <pod>            # routes Envoy actually received
istioctl proxy-config listeners <pod>         # inbound and outbound listeners on the pod
kubectl logs -l app=istiod -n istio-system    # control plane rejections and push errors

Resource Requirements

| Component | CPU Request | Memory Request | Notes |
|---|---|---|---|
| istiod | 500m | 2Gi | Scales with config complexity |
| Sidecar (Envoy) | 100m | 128Mi | Per-pod overhead |
| Ingress Gateway | 1000m | 1Gi | Scales with traffic |
| ztunnel (Ambient) | 50m | 64Mi | One DaemonSet pod per node; replaces the per-pod sidecars |