Istio Service Mesh on Kubernetes: A Production Guide
A service mesh adds a dedicated infrastructure layer for service-to-service communication. Istio, the most widely adopted mesh, injects sidecar proxies (Envoy) alongside your pods to handle mTLS encryption, traffic routing, retries, circuit breaking, and observability without changing application code. Here is how to deploy and configure Istio effectively.
Installing Istio and Understanding the Architecture
Install Istio using `istioctl install --set profile=default`. This deploys istiod (the control plane) and configures automatic sidecar injection for namespaces labeled with `istio-injection=enabled`. When a pod is created in a labeled namespace, a Mutating Admission Webhook injects an Envoy sidecar container. All traffic in and out of the pod flows through this sidecar, giving Istio full control over the network. The `default` profile includes the ingress gateway; the `minimal` profile skips it if you use your own ingress controller.
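The same installation expressed declaratively, so it can live in version control next to your other manifests. This is an added example, not part of the original guide: the IstioOperator resource below is equivalent to `istioctl install --set profile=default`, and the Namespace manifest carries the injection label the text describes. The namespace name `payments` and the operator name are assumptions for illustration.

```yaml
# control-plane.yaml: apply with `istioctl install -f control-plane.yaml -y`
# (-y skips the interactive confirmation). Equivalent to --set profile=default.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: prod-control-plane        # assumed name
  namespace: istio-system
spec:
  profile: default                # istiod + istio-ingressgateway; use "minimal" to skip the gateway
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
---
# namespace.yaml: apply with `kubectl apply -f namespace.yaml`.
# The label is what the mutating admission webhook keys on; pods created
# in this namespace get the istio-proxy (Envoy) sidecar added at admission time.
apiVersion: v1
kind: Namespace
metadata:
  name: payments                  # assumed application namespace
  labels:
    istio-injection: enabled
```

After install, `kubectl get pods -n istio-system` should show istiod and istio-ingressgateway running, and any pod created in `payments` shows `2/2` ready containers (the application plus `istio-proxy`). Injection only happens when a pod is admitted, so workloads that already existed before the label was added are not in the mesh until they are recreated; until then their traffic bypasses the sidecar entirely.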
Mutual TLS and Zero-Trust Networking
Istio enables mutual TLS (mTLS) between sidecars by default and can enforce it in strict mode. Every workload gets a cryptographic identity (a SPIFFE ID derived from its Kubernetes service account) and a certificate issued by istiod's built-in certificate authority. Traffic between services is encrypted and mutually authenticated without application changes. This implements zero-trust networking: even if an attacker gains access to the cluster network, they cannot impersonate a service or intercept traffic. Use PeerAuthentication resources to enforce strict mTLS cluster-wide and AuthorizationPolicy to control which services can communicate.
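A concrete set of policies for the zero-trust posture described above, added here as an example rather than taken from the guide. It assumes two namespaces, `web` (holding a `frontend` service account) and `payments` (holding a workload labelled `app: payments-api`); those names are illustrative. The first resource turns the mesh default from PERMISSIVE (sidecars accept both mTLS and plaintext, which is Istio's out-of-the-box setting) to STRICT, the second denies everything in the namespace, and the third re-opens exactly one path keyed on the caller's SPIFFE identity.

```yaml
# 1. Mesh-wide STRICT mTLS. A PeerAuthentication named "default" in the root
#    namespace (istio-system) becomes the default for every namespace.
#    Weak setting to avoid in production: mode: PERMISSIVE, which still
#    accepts unauthenticated plaintext from anything that reaches the pod.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 2. Default deny for the namespace. An AuthorizationPolicy with no selector
#    matches every workload in the namespace; ALLOW with zero rules matches
#    no request, so everything is rejected unless another policy allows it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# 3. Explicit allow. The principal is the SPIFFE identity istiod issues for
#    the frontend service account; it can only be presented over mTLS, so
#    this rule is meaningless without STRICT mode above.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend-to-payments
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments-api            # assumed workload label
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              - "cluster.local/ns/web/sa/frontend"   # spiffe://cluster.local/ns/web/sa/frontend
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/api/*"]
```

Apply the STRICT policy first and watch for 503s from clients that are not yet in the mesh (for example pods created before their namespace was labelled); those are the plaintext callers the policy is meant to exclude. Keep the deny-all and the allow policies in the same change so the namespace never sits in an allow-everything state between the two.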
Traffic Management: Canary, Mirroring, and Fault Injection
Istio VirtualService and DestinationRule resources provide fine-grained traffic control. Route 5% of traffic to a canary deployment to validate a new version before full rollout. Mirror production traffic to a shadow deployment for testing without affecting users. Inject faults (delays, HTTP errors) to test resilience: `fault.delay.fixedDelay: 5s` simulates a slow upstream. Retries, timeouts, and circuit breakers are configured declaratively, moving reliability logic out of application code and into the mesh.
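The traffic-management features above, combined in one DestinationRule and one VirtualService. This is an added example, not configuration from the guide; the service `orders` in namespace `shop`, its shadow deployment `orders-shadow`, the `version` labels and the `x-chaos-test` header are assumptions. It goes slightly beyond the text's individual snippets by gating the fault injection behind a request header, so that only deliberately tagged test traffic gets the 5-second delay rather than every production request.

```yaml
# Subsets for the canary split plus connection limits and outlier detection
# (Istio's circuit breaker): a backend that returns 5 consecutive 5xx
# responses is ejected from the load-balancing pool for 60s.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: orders
  namespace: shop
spec:
  host: orders.shop.svc.cluster.local
  trafficPolicy:
    connectionPool:
      http:
        http1MaxPendingRequests: 100
        maxRequestsPerConnection: 10
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 60s
      maxEjectionPercent: 50       # never eject more than half the pool
  subsets:
    - name: stable
      labels:
        version: v1                # assumed pod label on the current release
    - name: canary
      labels:
        version: v2                # assumed pod label on the candidate release
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: orders
  namespace: shop
spec:
  hosts:
    - orders.shop.svc.cluster.local
  http:
    # Route 1: fault injection, matched only when a test header is present.
    - match:
        - headers:
            x-chaos-test:
              exact: "true"
      fault:
        delay:
          percentage:
            value: 100
          fixedDelay: 5s           # simulates a slow upstream
      route:
        - destination:
            host: orders.shop.svc.cluster.local
            subset: stable
    # Route 2: everything else. 95/5 canary split, 10% of requests mirrored
    # to the shadow service, with a timeout and bounded retries.
    - route:
        - destination:
            host: orders.shop.svc.cluster.local
            subset: stable
          weight: 95
        - destination:
            host: orders.shop.svc.cluster.local
            subset: canary
          weight: 5
      mirror:
        host: orders-shadow.shop.svc.cluster.local   # assumed shadow deployment
      mirrorPercentage:
        value: 10.0
      timeout: 3s
      retries:
        attempts: 3
        perTryTimeout: 1s
        retryOn: "5xx,reset,connect-failure"
```

Order matters in the `http` list: Istio evaluates routes top to bottom and uses the first match, so the header-gated fault route has to precede the catch-all. Mirrored requests are fire-and-forget (the response from the shadow is discarded) and Istio rewrites their Host header to end in `-shadow`, which lets the shadow service and its logs distinguish mirrored traffic from real traffic. Retries only make sense for idempotent operations; `retryOn` above deliberately excludes retrying on plain timeouts for a service that may have side effects.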
Observability: Distributed Tracing, Metrics, and Kiali
Istio sidecars automatically emit metrics (request rate, latency, error rate) in Prometheus format, generate distributed traces compatible with Jaeger and Zipkin, and produce access logs. Deploy Kiali, the Istio dashboard, to visualize the service topology, traffic flow, and health status in real time. Kiali shows which services talk to each other, the success rate of each edge, and highlights misconfigurations. Combined with Grafana dashboards fed by Istio's Prometheus metrics, you get full observability without instrumenting your application.
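How the three telemetry signals named above are wired up with Istio's Telemetry API, as an added example rather than configuration from the guide. It assumes Jaeger is deployed in `istio-system` with its Zipkin-compatible collector reachable as `zipkin.istio-system.svc.cluster.local:9411` (the address Istio's sample Jaeger addon uses); that address and the provider name `jaeger` are assumptions. The `meshConfig` stanza belongs in the IstioOperator you install with, and the Telemetry resource is applied with `kubectl`.

```yaml
# Register a tracing backend as an extension provider. Built-in providers
# ("prometheus", "envoy") need no registration; external tracing backends do.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: prod-control-plane         # assumed name; merge into your existing operator spec
  namespace: istio-system
spec:
  profile: default
  meshConfig:
    extensionProviders:
      - name: jaeger               # assumed provider name, referenced below
        zipkin:
          service: zipkin.istio-system.svc.cluster.local   # assumed Jaeger/Zipkin endpoint
          port: 9411
---
# Mesh-wide telemetry defaults. A Telemetry resource in the root namespace
# applies to every workload; a namespace-scoped one with a selector overrides it.
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  metrics:
    - providers:
        - name: prometheus         # request rate, latency, error rate per edge (what Kiali reads)
  tracing:
    - providers:
        - name: jaeger
      randomSamplingPercentage: 10.0   # default is 1%; raise for low-traffic staging clusters
  accessLogging:
    - providers:
        - name: envoy              # sidecar access logs to the proxy's stdout
```

Sampling is decided at the first hop and propagated via the trace headers, so a 10% rate here means one request in ten is traced end to end, not one span in ten. Access logs are the signal most often disabled by default for volume reasons; from a security-operations standpoint they are also the one that records the authenticated peer identity on every request, which is what lets you audit who actually called a service once the AuthorizationPolicy rules are in place.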