service-mesh-implementation
Implement service mesh (Istio, Linkerd) for service-to-service communication, traffic management, security, and observability.
Best use case
service-mesh-implementation is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Implement service mesh (Istio, Linkerd) for service-to-service communication, traffic management, security, and observability.
Teams using service-mesh-implementation should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/service-mesh-implementation/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How service-mesh-implementation Compares
| Feature / Agent | service-mesh-implementation | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implement service mesh (Istio, Linkerd) for service-to-service communication, traffic management, security, and observability.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Service Mesh Implementation
## Overview
Deploy and configure a service mesh to manage microservice communication, enable advanced traffic management, implement security policies, and provide comprehensive observability across distributed systems.
## When to Use
- Microservice communication management
- Cross-cutting security policies
- Traffic splitting and canary deployments
- Service-to-service authentication
- Request routing and retries
- Distributed tracing integration
- Circuit breaker patterns
- Mutual TLS between services
## Implementation Examples
### 1. **Istio Core Setup**
```yaml
# istio-setup.yaml
apiVersion: v1
kind: Namespace
metadata:
name: istio-system
labels:
istio-injection: enabled
---
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: istio-config
namespace: istio-system
spec:
profile: production
revision: "1-13"
components:
pilot:
k8s:
resources:
requests:
cpu: 500m
memory: 2048Mi
limits:
cpu: 2000m
memory: 4096Mi
replicaCount: 3
ingressGateways:
- name: istio-ingressgateway
enabled: true
k8s:
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
service:
type: LoadBalancer
ports:
- port: 80
targetPort: 8080
name: http2
- port: 443
targetPort: 8443
name: https
egressGateways:
- name: istio-egressgateway
enabled: true
meshConfig:
enableAutoMTLS: true
outboundTrafficPolicy:
mode: ALLOW_ANY
accessLogFile: /dev/stdout
accessLogFormat: |
[%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%"
%RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT%
"%DURATION%" "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%"
---
# Enable sidecar injection for namespace
apiVersion: v1
kind: Namespace
metadata:
name: production
labels:
istio-injection: enabled
```
### 2. **Virtual Service and Destination Rule**
```yaml
# virtual-service-config.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: api-service
namespace: production
spec:
hosts:
- api-service
- api-service.production.svc.cluster.local
http:
# Canary: 10% to v2, 90% to v1
- match:
- uri:
prefix: /api/v1
route:
- destination:
host: api-service
subset: v1
weight: 90
- destination:
host: api-service
subset: v2
weight: 10
timeout: 30s
retries:
attempts: 3
perTryTimeout: 10s
# API v2 for testing
- match:
- headers:
user-agent:
regex: ".*Chrome.*"
route:
- destination:
host: api-service
subset: v2
timeout: 30s
# Default route
- route:
- destination:
host: api-service
subset: v1
weight: 100
timeout: 30s
retries:
attempts: 3
perTryTimeout: 10s
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: api-service
namespace: production
spec:
host: api-service
trafficPolicy:
connectionPool:
tcp:
maxConnections: 100
http:
http1MaxPendingRequests: 100
maxRequestsPerConnection: 2
h2UpgradePolicy: UPGRADE
outlierDetection:
consecutive5xxErrors: 5
interval: 30s
baseEjectionTime: 30s
maxEjectionPercent: 50
minRequestVolume: 10
subsets:
- name: v1
labels:
version: v1
trafficPolicy:
connectionPool:
http:
http1MaxPendingRequests: 50
- name: v2
labels:
version: v2
trafficPolicy:
connectionPool:
http:
http1MaxPendingRequests: 100
```
### 3. **Security Policies**
```yaml
# security-config.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: istio-system
spec:
mtls:
mode: STRICT # Enforce mTLS for all workloads
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: api-service-authz
namespace: production
spec:
selector:
matchLabels:
app: api-service
action: ALLOW
rules:
- from:
- source:
principals: ["cluster.local/ns/production/sa/web-service"]
to:
- operation:
methods: ["GET", "POST"]
paths: ["/api/v1/*"]
# Allow health checks
- to:
- operation:
methods: ["GET"]
paths: ["/health"]
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: api-service-authn
namespace: production
spec:
selector:
matchLabels:
app: api-service
jwtRules:
- issuer: https://auth.mycompany.com
jwksUri: https://auth.mycompany.com/.well-known/jwks.json
audiences: api-service
```
### 4. **Observability Configuration**
```yaml
# observability-config.yaml
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
name: custom-logging
namespace: production
spec:
metrics:
- providers:
- name: prometheus
dimensions:
- request.path
- response.code
- destination.service.name
---
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
name: custom-tracing
namespace: production
spec:
tracing:
- providers:
- name: jaeger
randomSamplingPercentage: 100.0
useRequestIdForTraceSampling: true
---
# Grafana Dashboard ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-dashboard
namespace: monitoring
data:
istio-mesh.json: |
{
"dashboard": {
"title": "Istio Mesh",
"panels": [
{
"title": "Request Rate",
"targets": [
{
"expr": "rate(istio_requests_total[5m])"
}
]
},
{
"title": "Error Rate",
"targets": [
{
"expr": "rate(istio_requests_total{response_code=~\"5..\"}[5m])"
}
]
},
{
"title": "Latency P95",
"targets": [
{
"expr": "histogram_quantile(0.95, rate(istio_request_duration_milliseconds_bucket[5m]))"
}
]
}
]
}
}
```
### 5. **Service Mesh Deployment Script**
```bash
#!/bin/bash
# deploy-istio.sh - Install and configure Istio
set -euo pipefail
VERSION="1.13.0"
NAMESPACE="istio-system"
echo "Installing Istio $VERSION..."
# Download Istio
if [ ! -d "istio-$VERSION" ]; then
echo "Downloading Istio..."
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=$VERSION sh -
fi
cd "istio-$VERSION"
# Add istioctl to PATH
export PATH=$PWD/bin:$PATH
# Verify cluster
echo "Verifying cluster compatibility..."
istioctl analyze
# Install Istio
echo "Installing Istio on cluster..."
istioctl install --set profile=production -y
# Verify installation
echo "Verifying installation..."
kubectl get ns $NAMESPACE
kubectl get pods -n $NAMESPACE
# Label namespaces for sidecar injection
echo "Configuring sidecar injection..."
kubectl label namespace production istio-injection=enabled --overwrite
# Wait for sidecars
echo "Waiting for sidecars to be injected..."
kubectl rollout restart deployment -n production
echo "Istio installation complete!"
# Show status
istioctl version
```
## Service Mesh Patterns
### Traffic Management
- **Canary Deployments**: Gradually shift traffic
- **A/B Testing**: Route based on headers
- **Circuit Breaking**: Fail fast with outlier detection
- **Rate Limiting**: Control request flow
### Security
- **mTLS**: Mutual authentication
- **Authorization Policies**: Fine-grained access control
- **JWT Validation**: Token verification
- **Encryption**: Automatic in-transit encryption
## Best Practices
### ✅ DO
- Enable mTLS for all workloads
- Implement proper authorization policies
- Use virtual services for traffic management
- Enable distributed tracing
- Monitor resource usage (CPU, memory)
- Use appropriate sampling rates for tracing
- Implement circuit breakers
- Use namespace isolation
### ❌ DON'T
- Disable mTLS in production
- Allow permissive traffic policies
- Ignore observability setup
- Deploy without resource requests/limits
- Skip sidecar injection validation
- Use 100% sampling in high-traffic systems
- Mix service versions without proper routing
- Neglect authorization policies
## Resources
- [Istio Official Documentation](https://istio.io/latest/docs/)
- [Linkerd Documentation](https://linkerd.io/2/overview/)
- [Service Mesh Interface (SMI)](https://smi-spec.io/)
- [Istio Security Best Practices](https://istio.io/latest/docs/concepts/security/)Related Skills
dozu-ui-service-skills
Index of AI agent skills and how to use them when implementing features in this repo.
cqrs-implementation
Implement Command Query Responsibility Segregation for scalable architectures. Use when separating read and write models, optimizing query performance, or building event-sourced systems.
analyze-japan-debt-service-tax-burden
以日本公債殖利率變化為觸發,量化「政府利息支出 / 稅收」負擔(含情境壓力測試),並判斷是否進入債務利息螺旋風險區。
agent-ops-implementation
Implement only after a validated/approved plan. Use for coding: small diffs, frequent tests, no refactors, stop on ambiguity.
acc-create-domain-service
Generates DDD Domain Services for PHP 8.5. Creates stateless services for business logic that doesn't belong to entities or value objects. Includes unit tests.
u08983-ethical-dilemma-navigation-for-multilingual-translation-services
Operate the "Ethical Dilemma Navigation for multilingual translation services" capability in production for multilingual translation services workflows. Use when mission execution explicitly requires this capability and outcomes must be reproducible, policy-gated, and handoff-ready.
linear-iterate-on-implementation
Iteratively refine a feature implementation by identifying and fixing bugs, edge cases, and improvements
freshservice-automation
Automate Freshservice ITSM tasks via Rube MCP (Composio): create/update tickets, bulk operations, service requests, and outbound emails. Always search tools first for current schemas.
slo-implementation
Define and implement Service Level Indicators (SLIs) and Service Level Objectives (SLOs) with error budgets and alerting. Use when establishing reliability targets, implementing SRE practices, or m...
service-website-generator
Orchestrates automated service-based website generation with local SEO optimization. Creates 200+ service+location pages using parallel agents, Unsplash images via Jina AI, NextJS with dynamic routing, and PostgreSQL database. Use when building service business websites (plumbers, electricians, pressure washing, HVAC, etc.) targeting multiple locations.
Product Analytics Implementation
Product Analytics Implementation enables systematic tracking, measurement, and analysis of product usage data to drive data-driven product decisions. This capability is essential for understanding use
Microservices Communication
Thiết kế kiến trúc giao tiếp Microservices (gRPC, message queues, event-driven pattern).