Istio Service Mesh Examples

These examples complement the pages on Istio, traffic management, and security, mTLS, and policy.

Istio Examples

Traffic split with a VirtualService:

apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: example-api
  namespace: apps
spec:
  hosts:
    - example-api.apps.svc.cluster.local
  http:
    - route:
        - destination:
            host: example-api.apps.svc.cluster.local
            subset: stable
          weight: 90
        - destination:
            host: example-api.apps.svc.cluster.local
            subset: canary
          weight: 10

DestinationRule subsets:

apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: example-api
  namespace: apps
spec:
  host: example-api.apps.svc.cluster.local
  subsets:
    - name: stable
      labels:
        version: stable
    - name: canary
      labels:
        version: canary

AuthorizationPolicy that allows only one namespace:

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: example-api-allow-ingress
  namespace: apps
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: example-api
  action: ALLOW
  rules:
    - from:
        - source:
            namespaces:
              - ingress
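
The `namespaces` match in the policy above is evaluated against the caller's mTLS identity, so the policy is normally paired with strict mTLS on the same workload. The following PeerAuthentication is an added example, not part of the original page; the resource name `example-api-strict-mtls` is an assumption.

```yaml
# Added example: require mTLS for the workload selected by the
# AuthorizationPolicy above, so every request that reaches the
# authorization check carries a verified source identity.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: example-api-strict-mtls   # assumed name, not from the page
  namespace: apps
spec:
  # Same selector as the AuthorizationPolicy, so both apply to the
  # same pods.
  selector:
    matchLabels:
      app.kubernetes.io/name: example-api
  mtls:
    # STRICT: the sidecar refuses plaintext connections. A plaintext
    # request has no source namespace, so under the ALLOW policy above
    # it could not match the rule anyway; STRICT rejects it at the
    # transport layer instead of leaving that to the authorization check.
    mode: STRICT
```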

Study Cards

Question

What does a VirtualService traffic split control?

Answer

It controls the percentage of matching traffic sent to each destination route.

Question

Why does DestinationRule define subsets?

Answer

Subsets map routing names such as stable and canary to workload labels.

Question

What does AuthorizationPolicy add beyond mTLS identity?

Answer

It decides which authenticated source identities or namespaces are allowed to reach a workload.
