Emily Chen
Istio config with strict mTLS, a 90/10 canary split and an authz policy locking payments to checkout only
Configure Istio or Linkerd service meshes with traffic management, mutual TLS, observability, and security policies for microservices.
Service Mesh Configuration
You are a platform engineer specializing in service mesh architecture. Configure a complete service mesh for the following microservices.
**Service Mesh Platform:**
{{service_mesh}}
**Services to Mesh:**
{{services}}
**Traffic Patterns:**
{{traffic_patterns}}
**Security Requirements:**
{{security_requirements}}
**Kubernetes Cluster:**
{{k8s_cluster}}
Configure:
1. **Installation**: Complete Istio/Linkerd installation with production profile
2. **Sidecar Injection**: Automatic sidecar injection configuration and exceptions
3. **mTLS**: STRICT mutual TLS for all service-to-service communication
4. **Traffic Management**:
   - VirtualServices for routing rules
   - DestinationRules for load balancing (least_conn, weighted)
   - Traffic splitting for canary deployments
   - Retry policies and circuit breakers
   - Timeout configurations per service
5. **Security Policies**:
   - AuthorizationPolicy for service-level access control
   - PeerAuthentication for mTLS enforcement
   - RequestAuthentication for JWT validation
6. **Ingress Gateway**: External traffic entry with TLS termination
7. **Egress Control**: Restricted outbound traffic, egress gateway for external APIs
8. **Observability**: Kiali dashboard, distributed tracing integration, metrics
9. **Rate Limiting**: Local and global rate limiting configuration
10. **Fault Injection**: Chaos testing configuration per deployment
11. **Multi-Cluster**: If applicable, multi-cluster mesh expansion
12. **Performance Tuning**: Sidecar resource limits, access log sampling
Output complete Istio/Linkerd YAML manifests and configuration.
Results
Istio service mesh config for three services (`web`, `checkout`, `payments`) on EKS: namespace-wide STRICT mTLS, a 90/10 canary split on `checkout`, and an authorization policy that locks `payments` down to callers running as the `checkout` service account.
```yaml
# strict mTLS for the whole namespace — no plaintext between pods
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata: { name: default, namespace: payments }
spec:
  mtls: { mode: STRICT }
---
# canary: 90% to stable, 10% to the new checkout build
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata: { name: checkout, namespace: payments }
spec:
  hosts: [checkout]
  http:
    - route:
        - destination: { host: checkout, subset: stable }
          weight: 90
        - destination: { host: checkout, subset: canary }
          weight: 10
      retries: { attempts: 3, perTryTimeout: 2s, retryOn: "5xx,reset" }
      timeout: 5s
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata: { name: checkout, namespace: payments }
spec:
  host: checkout
  trafficPolicy:
    connectionPool: { tcp: { maxConnections: 100 } }
    outlierDetection: { consecutive5xxErrors: 5, interval: 30s, baseEjectionTime: 60s }
  subsets:
    - { name: stable, labels: { version: v1 } }
    - { name: canary, labels: { version: v2 } }
---
# only checkout may call payments — zero-trust east-west
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata: { name: payments-allow-checkout, namespace: payments }
spec:
  selector: { matchLabels: { app: payments } }
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/payments/sa/checkout"]
```
**What each piece buys you:** `PeerAuthentication` in `STRICT` mode enforces mutual TLS for every workload in the namespace, so a compromised pod cannot sniff or spoof east-west traffic. `outlierDetection` is the circuit breaker: it ejects an instance from the load-balancing pool after 5 consecutive 5xx responses, for at least `baseEjectionTime` (60s). The `AuthorizationPolicy` matches on the SPIFFE principal (`cluster.local/ns/payments/sa/checkout`) rather than on pod IPs, so it survives rescheduling; it also depends on the STRICT mTLS above, because the principal is taken from the client certificate and is absent on a plaintext connection. Once any ALLOW policy selects `payments`, every caller not matched by one of its rules is denied. **Observability:** enable Kiali and sample access logs at 1% to keep sidecar overhead low. Roll the canary forward by shifting the `VirtualService` weights.
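As an added example, not part of the prompt output above and not an Istio tool, the following Python lint takes the four manifests as parsed dicts (transcribed from the YAML above, so no YAML library is needed) and checks the properties the explanation relies on: principal-based authorization is only meaningful when the policy's namespace is under STRICT mTLS, every canary subset must exist in a DestinationRule and split weights must sum to 100, and the retry budget should fit inside the route timeout. The check names and finding messages are my own.

```python
"""Lint Istio manifests for the invariants the result above relies on.

Added example: the manifests are the page's four resources transcribed as
the dicts kubectl would parse them into; the checks and wording are mine.
"""
import re

# Constructed from the page's YAML: the same four resources, as parsed dicts.
MANIFESTS = [
    {"kind": "PeerAuthentication",
     "metadata": {"name": "default", "namespace": "payments"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"kind": "VirtualService",
     "metadata": {"name": "checkout", "namespace": "payments"},
     "spec": {"hosts": ["checkout"],
              "http": [{"route": [
                            {"destination": {"host": "checkout", "subset": "stable"}, "weight": 90},
                            {"destination": {"host": "checkout", "subset": "canary"}, "weight": 10}],
                        "retries": {"attempts": 3, "perTryTimeout": "2s", "retryOn": "5xx,reset"},
                        "timeout": "5s"}]}},
    {"kind": "DestinationRule",
     "metadata": {"name": "checkout", "namespace": "payments"},
     "spec": {"host": "checkout",
              "subsets": [{"name": "stable", "labels": {"version": "v1"}},
                          {"name": "canary", "labels": {"version": "v2"}}]}},
    {"kind": "AuthorizationPolicy",
     "metadata": {"name": "payments-allow-checkout", "namespace": "payments"},
     "spec": {"selector": {"matchLabels": {"app": "payments"}}, "action": "ALLOW",
              "rules": [{"from": [{"source": {
                  "principals": ["cluster.local/ns/payments/sa/checkout"]}}]}]}},
]

# Istio principal = SPIFFE ID without the scheme; '*' prefix/suffix globs are allowed.
PRINCIPAL_RE = re.compile(r"^(\*|cluster\.local/ns/[a-z0-9.*-]+/sa/[a-z0-9.*-]+)$")
DURATION_RE = re.compile(r"^(\d+(?:\.\d+)?)(ms|s|m|h)$")
UNIT_SECONDS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600}


def parse_duration(text):
    """Convert an Istio duration such as '2s' or '500ms' to seconds."""
    m = DURATION_RE.match(text)
    if not m:
        raise ValueError(f"bad duration {text!r}")
    return float(m.group(1)) * UNIT_SECONDS[m.group(2)]


def lint(docs):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    by_kind = {}
    for d in docs:
        by_kind.setdefault(d["kind"], []).append(d)

    # Namespaces whose namespace-wide (selector-less) PeerAuthentication is STRICT.
    strict_ns = {d["metadata"]["namespace"] for d in by_kind.get("PeerAuthentication", [])
                 if "selector" not in d["spec"] and d["spec"].get("mtls", {}).get("mode") == "STRICT"}

    # 1. Principal-based rules need a client certificate to read the identity from,
    #    so the policy's namespace must be STRICT; principals must also be well-formed.
    for ap in by_kind.get("AuthorizationPolicy", []):
        ns, name = ap["metadata"]["namespace"], ap["metadata"]["name"]
        principals = [p for rule in ap["spec"].get("rules", [])
                      for src in rule.get("from", [])
                      for p in src.get("source", {}).get("principals", [])]
        if principals and ns not in strict_ns:
            findings.append(f"{ns}/{name}: uses principals but namespace has no STRICT PeerAuthentication")
        for p in principals:
            if not PRINCIPAL_RE.match(p):
                findings.append(f"{ns}/{name}: malformed principal {p!r}")

    # 2. Each VirtualService subset must exist in a DestinationRule for the same host,
    #    and split weights should sum to 100 (Envoy normalises anything else, hiding the intent).
    subsets = {(dr["metadata"]["namespace"], dr["spec"]["host"]):
               {s["name"] for s in dr["spec"].get("subsets", [])}
               for dr in by_kind.get("DestinationRule", [])}
    for vs in by_kind.get("VirtualService", []):
        ns, name = vs["metadata"]["namespace"], vs["metadata"]["name"]
        for i, http in enumerate(vs["spec"].get("http", [])):
            routes = http.get("route", [])
            if len(routes) > 1 and sum(r.get("weight", 0) for r in routes) != 100:
                findings.append(f"{ns}/{name} http[{i}]: route weights do not sum to 100")
            for r in routes:
                dest = r["destination"]
                sub = dest.get("subset")
                if sub and sub not in subsets.get((ns, dest["host"]), set()):
                    findings.append(f"{ns}/{name} http[{i}]: subset {sub!r} has no DestinationRule")
            # 3. perTryTimeout applies to the initial call and to each retry, and all of them
            #    are bounded by the route timeout; a larger budget means late retries are cut off.
            retries, timeout = http.get("retries"), http.get("timeout")
            if retries and timeout and "perTryTimeout" in retries:
                budget = (retries.get("attempts", 0) + 1) * parse_duration(retries["perTryTimeout"])
                if budget > parse_duration(timeout):
                    findings.append(f"WARN {ns}/{name} http[{i}]: retry budget {budget:g}s exceeds timeout {timeout}")
    return findings


if __name__ == "__main__":
    for finding in lint(MANIFESTS):
        print(finding)
```

Run against the page's config, the lint reports a single warning: the initial call plus 3 retries at 2s each is an 8s budget inside a 5s route timeout, so the third retry is cut off by the route-level timeout. Removing the `PeerAuthentication` produces the authorization finding, which is the failure mode behind "identity-based, not IP-based": without mTLS there is no client certificate to take the principal from, and the ALLOW rule can never match.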
Model: Claude Sonnet 4
111 Likes · 25 Saves · Score: 79
6 Comments
Luca Brunner
This is the best debugging, testing example I've seen on here.
Ryan Mitchell
Saved straight to my snippets. This is cleaner than what I shipped last sprint.
Lena Fischer
Didn't expect the graceful-shutdown handling; that's the detail that matters in prod.
Daniel Cohen
This belongs in every onboarding doc.
Priya Nair
Swapped our hand-rolled version for this. Fewer lines, more tests.
Ahmed Hassan
Been looking for a solid debugging, testing prompt for ages; this is it.