areas/devops/networking/skills/service-mesh/SKILL.md
Implement service mesh for mTLS, traffic management, and observability — Istio and Linkerd patterns for Kubernetes.
Expertise: Istio and Linkerd installation, mTLS enforcement, traffic shifting, circuit breakers, retry policies, observability.
When implementing service-to-service mTLS, traffic shifting for canary deploys, circuit breakers, or setting up mesh-level observability.
```bash
# Install Linkerd CLI
# (this pipes a remote script into sh: pin the release with LINKERD2_VERSION and
#  review the script before running it anywhere that matters)
curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
# Pre-flight check
linkerd check --pre
# Install Linkerd with an external CA (cert-manager manages the control plane certs).
# identity.externalCA=true tells Linkerd to read the trust anchor from the
# linkerd-identity-trust-roots ConfigMap and the issuer from the linkerd-identity-issuer
# Secret (type kubernetes.io/tls) in the linkerd namespace; both must exist before install.
linkerd install --crds | kubectl apply -f -
linkerd install \
  --set identity.externalCA=true \
  --set identity.issuer.scheme=kubernetes.io/tls \
  | kubectl apply -f -
# Install observability extension (Prometheus + Grafana)
linkerd viz install | kubectl apply -f -
# Verify
linkerd check
```
```yaml
# Namespace-level injection (all pods in namespace get sidecar)
metadata:
  annotations:
    linkerd.io/inject: enabled
```

```yaml
# Per-deployment injection
spec:
  template:
    metadata:
      annotations:
        linkerd.io/inject: enabled
```

```yaml
# Skip injection for a specific pod (e.g., database, cronjob);
# a pod-level annotation overrides the namespace-level one
metadata:
  annotations:
    linkerd.io/inject: disabled
```
```yaml
# Retry policy (retry on 5xx up to 3 times). Linkerd 2.16+ configures retries and
# timeouts with annotations on the HTTPRoute (or on the Service); HTTPRoute filters
# such as RequestRedirect, RequestMirror and URLRewrite do not retry anything.
apiVersion: policy.linkerd.io/v1beta3
kind: HTTPRoute
metadata:
  name: order-service-retries
  namespace: production
  annotations:
    retry.linkerd.io/http: 5xx        # retry on 5xx responses
    retry.linkerd.io/limit: "3"       # at most 3 retries per request
    timeout.linkerd.io/request: 5s    # per-request timeout
spec:
  parentRefs:
    - name: order-service
      kind: Service
      group: core
      port: 8080
  rules:
    - matches:
        - method: GET   # only retry idempotent routes; retrying POST /orders can create duplicate orders
      backendRefs:
        - name: order-service
          port: 8080
---
# Timeout and retry budget via ServiceProfile (the pre-2.16 mechanism, still supported)
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  name: order-service.production.svc.cluster.local
  namespace: production
spec:
  routes:
    - name: POST /orders
      condition:
        method: POST
        pathRegex: /orders
      timeout: 5s
      # isRetryable: true would opt this route into retries; leave it off for
      # non-idempotent routes such as order creation
  retryBudget:
    retryRatio: 0.2 # retries may add up to 20% on top of the original request volume
    minRetriesPerSecond: 10
    ttl: 10s
```
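Why a retry budget rather than a fixed retry count: during an outage every request fails, so "retry up to 3 times" quadruples the load on the service that is already down, while a budget caps retries as a fraction of real traffic. The following is an added example, not Linkerd's code: a simplified sliding-window model of the retryBudget fields above (the proxy's accounting differs in detail; treat the model as an assumption), run against a constructed outage with the page's values (retryRatio 0.2, minRetriesPerSecond 10, ttl 10s) and 100 failing requests per second for 10 seconds.

```python
"""Simplified sliding-window model of a Linkerd retryBudget (added example, not Linkerd's
implementation): shows how a budget bounds retry amplification during an outage."""
from collections import deque
from fractions import Fraction


class RetryBudget:
    def __init__(self, retry_ratio, min_retries_per_second, ttl_seconds):
        self.ratio = Fraction(retry_ratio)   # "0.2": extra retries allowed per original request
        self.min_per_second = min_retries_per_second
        self.ttl = ttl_seconds               # window over which requests and retries are counted
        self.requests = deque()              # timestamps of original requests in the window
        self.retries = deque()               # timestamps of retries sent in the window

    def _expire(self, now):
        for q in (self.requests, self.retries):
            while q and q[0] <= now - self.ttl:
                q.popleft()

    def record_request(self, now):
        self._expire(now)
        self.requests.append(now)

    def try_retry(self, now):
        """Consume one unit of budget if available; True means the retry may be sent.

        Budget = retryRatio * originals-in-window + minRetriesPerSecond * ttl; the second
        term is the floor that lets a quiet service still retry at all.
        """
        self._expire(now)
        allowed = self.ratio * len(self.requests) + self.min_per_second * self.ttl
        if len(self.retries) < allowed:
            self.retries.append(now)
            return True
        return False


def simulate_outage(budget, requests_per_second, seconds, max_retries_per_request=3):
    """Constructed outage: every request fails and each client would retry it up to
    max_retries_per_request times. Returns (originals, retries_under_budget, retries_fixed_count)."""
    originals = retries = 0
    for i in range(requests_per_second * seconds):
        now = Fraction(i, requests_per_second)   # exact arithmetic, no float drift in the comparison
        budget.record_request(now)
        originals += 1
        for _ in range(max_retries_per_request):
            if not budget.try_retry(now):
                break
            retries += 1
    return originals, retries, originals * max_retries_per_request


if __name__ == "__main__":
    originals, budgeted, fixed = simulate_outage(RetryBudget("0.2", 10, 10), 100, 10)
    print(f"originals={originals} retries(budget)={budgeted} retries(fixed x3)={fixed}")
```

With the page's values the 1000 failing requests produce 300 retries under the budget (0.2 × 1000 plus the 10 × 10 s floor) against 3000 with a fixed count of 3, so the load on the failing service is 1.3× instead of 4×. Once the window has drained, the minRetriesPerSecond floor still permits retries, which is what keeps a low-traffic route from being starved.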
```bash
# Install Istio with minimal profile (no telemetry addons)
istioctl install --set profile=minimal -y
# Verify
istioctl verify-install
kubectl get pods -n istio-system
# Enable sidecar injection for namespace
kubectl label namespace production istio-injection=enabled
```
```yaml
# Strict mTLS (reject plaintext between injected services)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT # STRICT | PERMISSIVE | DISABLE
---
# AuthorizationPolicy: only allow order-service → payment-service.
# Once an ALLOW policy selects a workload, any request not matched by an ALLOW rule is
# denied. Principals come from the peer certificate, so they are only trustworthy under
# STRICT mTLS; under PERMISSIVE a plaintext caller simply has no principal.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payment-service-authz
  namespace: production
spec:
  selector:
    matchLabels: { app: payment-service }
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/production/sa/order-service"]
      to:
        - operation:
            methods: ["POST"]
            paths: ["/charge"]
```
```yaml
# Istio: traffic shifting (canary)
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: order-service
  namespace: production
spec:
  hosts: [order-service]
  http:
    - route:
        - destination:
            host: order-service
            subset: stable
          weight: 90
        - destination:
            host: order-service
            subset: canary
          weight: 10
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: order-service
  namespace: production
spec:
  host: order-service
  subsets:
    - name: stable
      labels: { version: stable }
    - name: canary
      labels: { version: canary }
  trafficPolicy:
    connectionPool:
      tcp: { maxConnections: 100 }
    outlierDetection:
      consecutiveGatewayErrors: 5
      interval: 10s
      baseEjectionTime: 30s # circuit breaker: eject after 5 errors
```
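The three Istio manifests above (PeerAuthentication, AuthorizationPolicy, VirtualService/DestinationRule) are easy to get subtly wrong in a way kubectl accepts: a PERMISSIVE mode left in a namespace, an ALLOW rule with no `from` clause (which admits any caller), a VirtualService that shifts traffic to a subset no DestinationRule defines, or a canary target with no outlierDetection. The following is an added example, not part of the skill or of Istio: a small audit that runs over rendered manifests as plain dicts (the shape `yaml.safe_load` or `kubectl get -o json` produce) and reports those findings. The `SAMPLE` list is constructed for illustration; it mirrors the page's production manifests and adds a deliberately weak `staging` namespace.

```python
"""Audit rendered Istio manifests for mesh-security and canary mistakes (added example,
not part of the skill or of Istio). Manifests are plain dicts; SAMPLE below is constructed."""
import re

PRINCIPAL = re.compile(r"^[^/*]+/ns/[^/*]+/sa/[^/*]+$")  # exact cluster.local/ns/<ns>/sa/<sa>
ROOT_NAMESPACE = "istio-system"                          # mesh-wide policies live here

def _ns(m):
    return m.get("metadata", {}).get("namespace", "default")

def _name(m):
    return f"{_ns(m)}/{m['metadata']['name']}"

def _pa_mode(m):
    # an unset mode is UNSET, which Istio resolves to PERMISSIVE when nothing else applies
    return m.get("spec", {}).get("mtls", {}).get("mode", "PERMISSIVE")

def audit_peer_authentication(manifests):
    """Every namespace must be STRICT, itself or via a selector-less mesh-wide policy."""
    findings, modes = [], {}
    pas = [m for m in manifests if m.get("kind") == "PeerAuthentication"]
    for m in pas:
        modes.setdefault(_ns(m), []).append(_pa_mode(m))
    mesh_strict = any(_ns(m) == ROOT_NAMESPACE and "selector" not in m.get("spec", {})
                      and _pa_mode(m) == "STRICT" for m in pas)
    for ns in sorted({_ns(m) for m in manifests} - {ROOT_NAMESPACE}):
        if ns not in modes and not mesh_strict:
            findings.append(f"{ns}: no PeerAuthentication and no mesh-wide STRICT; plaintext accepted")
        elif any(mode != "STRICT" for mode in modes.get(ns, [])):
            findings.append(f"{ns}: PeerAuthentication mode {modes[ns]} is not STRICT")
    return findings

def audit_authorization_policies(manifests):
    """ALLOW rules must name exact caller principals; a rule without 'from' matches any caller."""
    findings = []
    for m in manifests:
        if m.get("kind") != "AuthorizationPolicy" or m.get("spec", {}).get("action", "ALLOW") != "ALLOW":
            continue
        for i, rule in enumerate(m["spec"].get("rules", [])):
            if not rule.get("from"):
                findings.append(f"{_name(m)}: rule {i} has no 'from' clause, so any caller is allowed")
            for src in rule.get("from", []):
                for p in src.get("source", {}).get("principals", []):
                    if not PRINCIPAL.match(p):
                        findings.append(f"{_name(m)}: rule {i} principal {p!r} is a wildcard or malformed")
    return findings

def audit_traffic_shifting(manifests):
    """Weights sum to 100, subsets exist in a DestinationRule, and targets have outlier detection."""
    findings, subsets, has_outlier = [], {}, {}
    for m in manifests:
        if m.get("kind") == "DestinationRule":
            key = (_ns(m), m["spec"]["host"])
            subsets[key] = {s["name"] for s in m["spec"].get("subsets", [])}
            has_outlier[key] = "outlierDetection" in m["spec"].get("trafficPolicy", {})
    for m in manifests:
        if m.get("kind") != "VirtualService":
            continue
        hosts = set()
        for i, http in enumerate(m["spec"].get("http", [])):
            routes = http.get("route", [])
            weights = [r.get("weight", 100 if len(routes) == 1 else 0) for r in routes]
            if sum(weights) != 100:
                findings.append(f"{_name(m)}: http[{i}] weights {weights} do not sum to 100")
            for r in routes:
                key = (_ns(m), r["destination"]["host"])
                hosts.add(key)
                subset = r["destination"].get("subset")
                if subset and subset not in subsets.get(key, set()):
                    findings.append(f"{_name(m)}: subset {subset!r} of {key[1]} has no DestinationRule")
        for key in sorted(hosts):
            if not has_outlier.get(key):
                findings.append(f"{_name(m)}: {key[1]} has no outlierDetection (no circuit breaker)")
    return findings

def audit(manifests):
    return (audit_peer_authentication(manifests) + audit_authorization_policies(manifests)
            + audit_traffic_shifting(manifests))

# Constructed sample: the page's production manifests plus a deliberately weak staging namespace.
SAMPLE = [
    {"kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": "production"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"kind": "AuthorizationPolicy", "metadata": {"name": "payment-service-authz", "namespace": "production"},
     "spec": {"selector": {"matchLabels": {"app": "payment-service"}}, "action": "ALLOW", "rules": [
         {"from": [{"source": {"principals": ["cluster.local/ns/production/sa/order-service"]}}]}]}},
    {"kind": "VirtualService", "metadata": {"name": "order-service", "namespace": "production"},
     "spec": {"hosts": ["order-service"], "http": [{"route": [
         {"destination": {"host": "order-service", "subset": "stable"}, "weight": 90},
         {"destination": {"host": "order-service", "subset": "canary"}, "weight": 10}]}]}},
    {"kind": "DestinationRule", "metadata": {"name": "order-service", "namespace": "production"},
     "spec": {"host": "order-service", "subsets": [{"name": "stable"}, {"name": "canary"}],
              "trafficPolicy": {"outlierDetection": {"consecutiveGatewayErrors": 5}}}},
    {"kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": "staging"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"kind": "AuthorizationPolicy", "metadata": {"name": "open", "namespace": "staging"},
     "spec": {"action": "ALLOW", "rules": [{"to": [{"operation": {"paths": ["/*"]}}]}]}},
    {"kind": "VirtualService", "metadata": {"name": "cart", "namespace": "staging"},
     "spec": {"hosts": ["cart"], "http": [{"route": [
         {"destination": {"host": "cart", "subset": "v1"}, "weight": 50},
         {"destination": {"host": "cart", "subset": "v2"}, "weight": 40}]}]}},
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the sample the production manifests come back clean and staging yields six findings: the PERMISSIVE policy, the open ALLOW rule, weights that sum to 90, two dangling subsets and the missing circuit breaker. A check like this belongs in CI before `kubectl apply`, alongside `istioctl analyze`, which catches schema and reference errors but not policy intent.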
```bash
# Linkerd: live traffic stats
linkerd viz stat deploy -n production
linkerd viz top deploy/order-service -n production
linkerd viz tap deploy/order-service -n production
# Linkerd: service topology
linkerd viz edges deployment -n production
# Istio: traffic analysis
istioctl analyze -n production
kubectl exec -it <pod> -c istio-proxy -n production -- pilot-agent request GET stats | grep upstream_cx
```