How to use a service mesh with Kubernetes?

· Category: Kubernetes

Short answer

A service mesh is a dedicated infrastructure layer that manages service-to-service communication. It adds features like mutual TLS, traffic routing, and observability without changing application code.

How it works

A service mesh deploys a sidecar proxy alongside each Pod, such as Envoy (used by Istio and Consul Connect) or linkerd2-proxy (used by Linkerd). All traffic into and out of the Pod is intercepted by the proxy, which enforces policies, collects metrics, and encrypts traffic. The control plane configures the proxies.

Example

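Install Linkerd, then inject the sidecar proxy into a workload (on Linkerd 2.12 and later the CRDs are applied first):

linkerd install --crds | kubectl apply -f -
linkerd install | kubectl apply -f -
linkerd inject deployment.yaml | kubectl apply -f -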

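Check the mesh status and open the dashboard (since Linkerd 2.10 the dashboard is part of the viz extension):

linkerd check
linkerd viz install | kubectl apply -f -
linkerd viz dashboard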

Why it matters

Service meshes provide the building blocks for zero-trust security (mutually authenticated, encrypted service-to-service traffic), fine-grained traffic control, and deep observability. They are invaluable for large microservices deployments where these concerns would be burdensome to implement in each service.

Key differences

  • Istio: Feature-rich, heavier resource footprint.
  • Linkerd: Lightweight, simpler to operate.
  • Consul Connect: Integrates with HashiCorp Consul.

Common issues

  • Sidecar injection can fail if admission webhooks are blocked.
  • mTLS may break legacy protocols that do not support TLS.
  • The control plane is a critical dependency; ensure it is highly available.
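
A check for the first issue above, as an added example that is not part of the original page or of Linkerd's own tooling: when injection fails, the Pod still starts, only without a proxy, so its traffic is outside the mesh and its mTLS. The function names and the sample listing are constructed for illustration; the only assumption about Linkerd is its default proxy container name, linkerd-proxy.

```shell
#!/usr/bin/env bash
# Added example: find pods that are running without the Linkerd proxy.
# Assumption: the injected container keeps Linkerd's default name, linkerd-proxy.

# Print "namespace/pod<TAB>container names" per pod. Init containers are included
# because a proxy run as a native sidecar is listed there.
list_pod_containers() {
  kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{"\t"}{.spec.initContainers[*].name}{" "}{.spec.containers[*].name}{"\n"}{end}'
}

# Read that listing on stdin and print every pod with no linkerd-proxy container.
# Arguments are namespaces to skip (ones that are not meant to be meshed).
unmeshed_pods() {
  awk -F'\t' -v skip="$*" '
    BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) ignore[s[i]] = 1 }
    {
      split($1, id, "/")
      if (id[1] in ignore) next
      meshed = 0
      m = split($2, names, " ")
      # Exact name match, so a container merely containing the string does not count.
      for (i = 1; i <= m; i++) if (names[i] == "linkerd-proxy") meshed = 1
      if (!meshed) print $1
    }'
}

# Constructed sample listing (not from a real cluster), in the same format.
sample_listing() {
  printf 'shop/cart-7d9f\tlinkerd-init linkerd-proxy cart\n'
  printf 'shop/api-5c4b\tlinkerd-init linkerd-proxy api\n'
  printf 'shop/legacy-ftp-0\t ftpd\n'
  printf 'batch/report-job-x\t my-linkerd-proxy-shim report\n'
  printf 'kube-system/coredns-abc\t coredns\n'
}

# Offline demo on the sample. On a cluster:
#   list_pod_containers | unmeshed_pods kube-system linkerd
sample_listing | unmeshed_pods kube-system
```

Run on a schedule or in CI after deploys, a non-empty result for a namespace that is supposed to be meshed is the signal to look at the injector webhook and the namespace's injection annotation.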