rohitg00/k8s-service-mesh

Kubernetes Service Mesh (Istio)

Traffic management, security, and observability using kubectl-mcp-server's Istio/Kiali tools.

When to Apply

Use this skill when:

• User mentions: "Istio", "service mesh", "mTLS", "VirtualService", "traffic shifting"
• Operations: traffic management, canary deployments, security policies
• Keywords: "sidecar", "proxy", "traffic split", "mutual TLS"

Priority Rules

| Priority | Rule | Impact | Tools | |----------|------|--------|-------| | 1 | Detect Istio installation first | CRITICAL | istio_detect_tool | | 2 | Run analyze before changes | HIGH | istio_analyze_tool | | 3 | Check proxy status for sync | HIGH | istio_proxy_status_tool | | 4 | Verify sidecar injection | MEDIUM | istio_sidecar_status_tool |

Quick Reference

| Task | Tool | Example | |------|------|---------| | Detect Istio | istio_detect_tool | istio_detect_tool() | | Analyze config | istio_analyze_tool | istio_analyze_tool(namespace) | | Proxy status | istio_proxy_status_tool | istio_proxy_status_tool() | | List VirtualServices | istio_virtualservices_list_tool | istio_virtualservices_list_tool(namespace) |

Quick Status Check

Detect Istio Installation

istio_detect_tool()

Check Proxy Status

istio_proxy_status_tool()
istio_sidecar_status_tool(namespace)

Analyze Configuration

istio_analyze_tool(namespace)

Traffic Management

VirtualServices

List and inspect:

istio_virtualservices_list_tool(namespace)
istio_virtualservice_get_tool(name, namespace)

See TRAFFIC-SHIFTING.md for canary and blue-green patterns.

DestinationRules

istio_destinationrules_list_tool(namespace)

Gateways

istio_gateways_list_tool(namespace)

Traffic Shifting Patterns

Canary Release (Weight-Based)

VirtualService for 90/10 split:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
  - my-service
  http:
  - route:
    - destination:
        host: my-service
        subset: stable
      weight: 90
    - destination:
        host: my-service
        subset: canary
      weight: 10

Apply and verify:

kubectl_apply(vs_yaml, namespace)
istio_virtualservice_get_tool("my-service", namespace)

Header-Based Routing

Route beta users:

http:
- match:
  - headers:
      x-user-type:
        exact: beta
  route:
  - destination:
      host: my-service
      subset: canary
- route:
  - destination:
      host: my-service
      subset: stable

Security (mTLS)

See MTLS.md for detailed mTLS configuration.

PeerAuthentication (mTLS Mode)

istio_peerauthentications_list_tool(namespace)

AuthorizationPolicy

istio_authorizationpolicies_list_tool(namespace)

Observability

Proxy Metrics

istio_proxy_status_tool()

Hubble (Cilium Integration)

If using Cilium with Istio:

hubble_flows_query_tool(namespace)
cilium_endpoints_list_tool(namespace)

Troubleshooting

Sidecar Not Injected

istio_sidecar_status_tool(namespace)

Traffic Not Routing

istio_analyze_tool(namespace)
istio_virtualservice_get_tool(name, namespace)
istio_destinationrules_list_tool(namespace)
istio_proxy_status_tool()

mTLS Failures

istio_peerauthentications_list_tool(namespace)

Common Issues

| Symptom | Check | Resolution | |---------|-------|------------| | 503 errors | istio_analyze_tool() | Fix VirtualService/DestinationRule | | No sidecar | istio_sidecar_status_tool() | Label namespace | | Config not applied | istio_proxy_status_tool() | Wait for sync or restart pod |

Multi-Cluster Service Mesh

Istio multi-cluster setup:

istio_proxy_status_tool(context="primary")
istio_virtualservices_list_tool(namespace, context="primary")

istio_proxy_status_tool(context="remote")

Prerequisites

• Istio: Required for all Istio tools

  istioctl install --set profile=demo
  

Related Skills

• k8s-deploy - Deployment with traffic shifting
• k8s-security - Authorization policies