Skip to content

Personal Knowledge Base

Operations

Operations¶

Scope

Production deployment patterns, traffic management, mTLS configuration, Ambient mesh, and troubleshooting for Istio.

Deployment Patterns¶

Installation Profiles¶

Profile	Components	Use Case
`default`	istiod + ingress gateway	Standard production
`demo`	istiod + ingress + egress + tracing	Demos and testing
`minimal`	istiod only	Control plane, no gateways
`ambient`	ztunnel + waypoint	Sidecar-less mesh (Istio 1.24+)

# Production install with istioctl
istioctl install --set profile=default \
  --set meshConfig.accessLogFile=/dev/stdout \
  --set meshConfig.enableAutoMtls=true \
  --set values.pilot.resources.requests.memory=2Gi

# Enable sidecar injection for a namespace
kubectl label namespace default istio-injection=enabled

Ambient Mesh (Sidecar-less)¶

# Install ambient mode
istioctl install --set profile=ambient

# Add namespace to ambient mesh
kubectl label namespace default istio.io/dataplane-mode=ambient

# Deploy waypoint proxy for L7 (optional)
istioctl waypoint apply --namespace default

Traffic Management¶

Canary Deployment¶

apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v3
  - route:
    - destination:
        host: reviews
        subset: v2
      weight: 90
    - destination:
        host: reviews
        subset: v3
      weight: 10

Circuit Breaking¶

apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: backend
spec:
  host: backend
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        h2UpgradePolicy: DEFAULT
        http1MaxPendingRequests: 100
        http2MaxRequests: 1000
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 30s
      maxEjectionPercent: 50

Security¶

Peer Authentication (mTLS)¶

apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT  # STRICT | PERMISSIVE | DISABLE

Troubleshooting¶

Symptom	Diagnosis	Fix
Sidecar not injected	Check namespace labels	`kubectl label ns <ns> istio-injection=enabled`
503 errors	`istioctl analyze`	Check DestinationRule, VirtualService
mTLS handshake fail	`istioctl proxy-config cluster`	Check PeerAuthentication mode
High latency	`istioctl proxy-status`	Check Envoy proxy resource limits
Config rejected	`istioctl validate -f config.yaml`	Fix YAML syntax, check apiVersion

# Debug toolkit
istioctl analyze --namespace default
istioctl proxy-status
istioctl proxy-config routes <pod>
istioctl proxy-config listeners <pod>
kubectl logs -l app=istiod -n istio-system

Resource Requirements¶

Component	CPU Request	Memory Request	Notes
istiod	500m	2Gi	Scales with config complexity
Sidecar (Envoy)	100m	128Mi	Per pod overhead
Ingress Gateway	1000m	1Gi	Scales with traffic
ztunnel (Ambient)	50m	64Mi	Per node, replaces sidecar

Commands & Recipes¶

Installation (Ambient Mode)¶

# Install istioctl
curl -L https://istio.io/downloadIstio | sh -
export PATH=$PWD/istio-1.29.0/bin:$PATH

# Install Ambient profile
istioctl install --set profile=ambient -y

# Enable ambient for a namespace
kubectl label namespace default istio.io/dataplane-mode=ambient

# Verify
istioctl version
kubectl get pods -n istio-system

Traffic Management¶

# Canary deployment (90/10 split)
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: myapp-canary
spec:
  parentRefs:
    - name: mesh
      kind: Service
  rules:
    - backendRefs:
        - name: myapp-v1
          port: 8080
          weight: 90
        - name: myapp-v2
          port: 8080
          weight: 10

# Waypoint proxy (opt-in L7 for a namespace)
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint
  namespace: default
  labels:
    istio.io/waypoint-for: service
spec:
  gatewayClassName: istio-waypoint
  listeners:
    - name: mesh
      port: 15008
      protocol: HBONE

Security¶

# PeerAuthentication — require mTLS
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT

# AuthorizationPolicy — L7 rules
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend
spec:
  selector:
    matchLabels:
      app: backend
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/default/sa/frontend"]
      to:
        - operation:
            methods: ["GET"]
            paths: ["/api/*"]

Diagnostics¶

# Proxy status
istioctl proxy-status

# Analyze configuration issues
istioctl analyze -A

# Debug Envoy config for a pod
istioctl proxy-config routes deploy/myapp
istioctl proxy-config clusters deploy/myapp

# View ztunnel logs
kubectl logs -n istio-system -l app=ztunnel -f

Sources¶

istioctl Reference