Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

peterj/istio-traffic-management

Name: istio-traffic-management
Author: peterj

skills/istio-traffic-management/SKILL.md

npx skillsauth add peterj/skills istio-traffic-management

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Istio Traffic Management Configuration

Quick start

Keep traffic cluster-local (multicluster)

Use MeshConfig.serviceSettings to prevent cross-cluster load balancing:

# Per service
serviceSettings:
- settings:
    clusterLocal: true
  hosts:
  - "mysvc.myns.svc.cluster.local"

# Per namespace
serviceSettings:
- settings:
    clusterLocal: true
  hosts:
  - "*.myns.svc.cluster.local"

# Global (all services)
serviceSettings:
- settings:
    clusterLocal: true
  hosts:
  - "*"

Combine global cluster-local with exceptions:

serviceSettings:
- settings:
    clusterLocal: true
  hosts:
  - "*"
- settings:
    clusterLocal: false
  hosts:
  - "*.myns.svc.cluster.local"

Set protocol explicitly on a Service

kind: Service
metadata:
  name: myservice
spec:
  ports:
  - port: 3306
    name: database
    appProtocol: https
  - port: 80
    name: http-web

Configure trusted proxies for correct client IP

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      gatewayTopology:
        numTrustedProxies: 2

Key concepts

Multicluster traffic

Cluster-local traffic: Use MeshConfig.serviceSettings with clusterLocal: true to keep traffic within a cluster.
Partitioning by cluster: Use DestinationRule.subsets with label topology.istio.io/cluster to create per-cluster subsets, then route with VirtualService.
Subset-based routing mixes service-level and topology-level policy — use only when granular cluster-based control is needed.

Protocol selection

Automatic: Istio auto-detects HTTP and HTTP/2. Undetected traffic is treated as TCP. Server-first protocols (e.g., MySQL) are incompatible with auto-detection.
Explicit: Set via port name (name: <protocol>[-<suffix>]) or appProtocol field. appProtocol takes precedence.
Supported protocols: http, http2, https, tcp, tls, grpc, grpc-web, mongo, mysql, redis (last three are experimental).
Gateway behavior: Gateways default to forwarding as HTTP/1.1 unless explicit protocol is set. Use useClientProtocol in DestinationRule to match incoming protocol.

TLS configuration

PeerAuthentication: Controls what mTLS traffic a sidecar accepts (PERMISSIVE, STRICT, DISABLE).
DestinationRule: Controls what TLS traffic a sidecar/gateway sends (DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL).
Auto mTLS: Sidecars automatically use mTLS for mesh-internal traffic and plaintext for non-mesh workloads, unless a DestinationRule explicitly overrides.
Gateway inbound: Configured via Gateway resource — set protocol (HTTP, HTTPS, TLS, TCP) and TLS mode (PASSTHROUGH, MUTUAL, etc.).
Gateway outbound: Configured via DestinationRule TLS settings or auto mTLS. Watch for double encryption when Gateway uses PASSTHROUGH and DestinationRule originates TLS.

Gateway network topology

numTrustedProxies: Number of trusted proxies in front of the Istio gateway. Controls X-Envoy-External-Address extraction from X-Forwarded-For.
forwardClientCertDetails: Controls XFCC header handling. Values: SANITIZE, FORWARD_ONLY, APPEND_FORWARD, SANITIZE_SET (default for gateways), ALWAYS_FORWARD_ONLY.
PROXY protocol: For TCP-only traffic. Enabled via gatewayTopology.proxyProtocol: {}. Not for L7 traffic or behind L7 load balancers.

Additional resources

For multicluster traffic patterns and partitioning, see references/multicluster.md
For gateway topology, TLS, and protocol details, see references/gateway-and-tls.md

peterj/istio-traffic-management

skills/istio-traffic-management/SKILL.md

Configures Istio traffic management including multicluster traffic control, gateway network topology (XFF/XFCC headers, PROXY protocol), protocol selection, and TLS configuration. Use when working with Istio service mesh traffic routing, multicluster setups, gateway configuration, protocol detection, mTLS settings, or when troubleshooting TLS/proxy header issues.

tools

Updated Apr 25, 2026

$ install --global

skillsauth

npx skillsauth add peterj/skills istio-traffic-management

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 25, 2026, 8:05 PM146.8s4 files scanned

SKILL.md

name:: istio-traffic-management
description:: Configures Istio traffic management including multicluster traffic control, gateway network topology (XFF/XFCC headers, PROXY protocol), protocol selection, and TLS configuration. Use when working with Istio service mesh traffic routing, multicluster setups, gateway configuration, protocol detection, mTLS settings, or when troubleshooting TLS/proxy header issues.

Istio Traffic Management Configuration

Quick start

Keep traffic cluster-local (multicluster)

Use MeshConfig.serviceSettings to prevent cross-cluster load balancing:

# Per service
serviceSettings:
- settings:
    clusterLocal: true
  hosts:
  - "mysvc.myns.svc.cluster.local"

# Per namespace
serviceSettings:
- settings:
    clusterLocal: true
  hosts:
  - "*.myns.svc.cluster.local"

# Global (all services)
serviceSettings:
- settings:
    clusterLocal: true
  hosts:
  - "*"

Combine global cluster-local with exceptions:

serviceSettings:
- settings:
    clusterLocal: true
  hosts:
  - "*"
- settings:
    clusterLocal: false
  hosts:
  - "*.myns.svc.cluster.local"

Set protocol explicitly on a Service

kind: Service
metadata:
  name: myservice
spec:
  ports:
  - port: 3306
    name: database
    appProtocol: https
  - port: 80
    name: http-web

Configure trusted proxies for correct client IP

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      gatewayTopology:
        numTrustedProxies: 2

Key concepts

Multicluster traffic

Cluster-local traffic: Use MeshConfig.serviceSettings with clusterLocal: true to keep traffic within a cluster.
Partitioning by cluster: Use DestinationRule.subsets with label topology.istio.io/cluster to create per-cluster subsets, then route with VirtualService.
Subset-based routing mixes service-level and topology-level policy — use only when granular cluster-based control is needed.

Protocol selection

Automatic: Istio auto-detects HTTP and HTTP/2. Undetected traffic is treated as TCP. Server-first protocols (e.g., MySQL) are incompatible with auto-detection.
Explicit: Set via port name (name: <protocol>[-<suffix>]) or appProtocol field. appProtocol takes precedence.
Supported protocols: http, http2, https, tcp, tls, grpc, grpc-web, mongo, mysql, redis (last three are experimental).
Gateway behavior: Gateways default to forwarding as HTTP/1.1 unless explicit protocol is set. Use useClientProtocol in DestinationRule to match incoming protocol.

TLS configuration

PeerAuthentication: Controls what mTLS traffic a sidecar accepts (PERMISSIVE, STRICT, DISABLE).
DestinationRule: Controls what TLS traffic a sidecar/gateway sends (DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL).
Auto mTLS: Sidecars automatically use mTLS for mesh-internal traffic and plaintext for non-mesh workloads, unless a DestinationRule explicitly overrides.
Gateway inbound: Configured via Gateway resource — set protocol (HTTP, HTTPS, TLS, TCP) and TLS mode (PASSTHROUGH, MUTUAL, etc.).
Gateway outbound: Configured via DestinationRule TLS settings or auto mTLS. Watch for double encryption when Gateway uses PASSTHROUGH and DestinationRule originates TLS.

Gateway network topology

numTrustedProxies: Number of trusted proxies in front of the Istio gateway. Controls X-Envoy-External-Address extraction from X-Forwarded-For.
forwardClientCertDetails: Controls XFCC header handling. Values: SANITIZE, FORWARD_ONLY, APPEND_FORWARD, SANITIZE_SET (default for gateways), ALWAYS_FORWARD_ONLY.
PROXY protocol: For TCP-only traffic. Enabled via gatewayTopology.proxyProtocol: {}. Not for L7 traffic or behind L7 load balancers.

Additional resources

For multicluster traffic patterns and partitioning, see references/multicluster.md
For gateway topology, TLS, and protocol details, see references/gateway-and-tls.md

Related Skills

peterj/spire

development

VerifiedTrustedCommunity

Guide for installing, configuring, and deploying SPIRE servers and agents. Use when working with SPIRE, SPIFFE, workload identity, trust domains, node attestation, workload attestation, service identity, or X.509/JWT SVIDs on Kubernetes or Linux.

SKILL.mdUpdated Apr 25, 2026

peterj/istio-troubleshooting

development

VerifiedTrustedCommunity

Diagnoses and resolves common Istio service mesh problems across traffic management, security, observability, and upgrades. Use when debugging Istio networking issues (503 errors, route rules not working, TLS mismatches, gateway 404s), security problems (authorization policies, mTLS, JWT authentication), observability gaps (missing traces, Grafana output issues), EnvoyFilter breakage, or when upgrading Istio and migrating from EnvoyFilter to first-class APIs.

SKILL.mdUpdated Apr 25, 2026

peterj/istio-troubleshooting

peterj/istio-ambient-mode

development

VerifiedTrustedCommunity

Guide for installing, deploying, debugging, and cleaning up Istio's ambient mode mesh. Use when working with Istio ambient mode, ztunnel proxies, ambient mesh traffic redirection, istio-cni, HBONE encryption, Bookinfo sample application deployment, or istioctl commands for ambient profile setup and teardown.

SKILL.mdUpdated Apr 25, 2026

peterj/istio-ambient-mode

peterj/argocd-pagerduty-notifications

development

VerifiedTrustedCommunity

Configures PagerDuty v1 and v2 notification services for Argo CD. Use when setting up PagerDuty incident creation or event triggering from Argo CD notifications, including secrets, ConfigMaps, templates, and annotations for PagerDuty integrations.

SKILL.mdUpdated Apr 25, 2026

peterj/argocd-pagerduty-notifications

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/peterj/skills.git

# Copy into Claude Code skills folder (global)
cp -r skills/skills/istio-traffic-management ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

peterj/skills

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT