k8s-service-mesh
Manage Istio service mesh for traffic management, security, and observability. Use for traffic shifting, canary releases, mTLS, and service mesh troubleshooting.
Best use case
k8s-service-mesh is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using k8s-service-mesh should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/k8s-service-mesh/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How k8s-service-mesh Compares
| Feature / Agent | k8s-service-mesh | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Manage Istio service mesh for traffic management, security, and observability. Use for traffic shifting, canary releases, mTLS, and service mesh troubleshooting.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Kubernetes Service Mesh (Istio)
Traffic management, security, and observability using kubectl-mcp-server's Istio/Kiali tools.
## When to Apply
Use this skill when:
- User mentions: "Istio", "service mesh", "mTLS", "VirtualService", "traffic shifting"
- Operations: traffic management, canary deployments, security policies
- Keywords: "sidecar", "proxy", "traffic split", "mutual TLS"
## Priority Rules
| Priority | Rule | Impact | Tools |
|----------|------|--------|-------|
| 1 | Detect Istio installation first | CRITICAL | `istio_detect_tool` |
| 2 | Run analyze before changes | HIGH | `istio_analyze_tool` |
| 3 | Check proxy status for sync | HIGH | `istio_proxy_status_tool` |
| 4 | Verify sidecar injection | MEDIUM | `istio_sidecar_status_tool` |
## Quick Reference
| Task | Tool | Example |
|------|------|---------|
| Detect Istio | `istio_detect_tool` | `istio_detect_tool()` |
| Analyze config | `istio_analyze_tool` | `istio_analyze_tool(namespace)` |
| Proxy status | `istio_proxy_status_tool` | `istio_proxy_status_tool()` |
| List VirtualServices | `istio_virtualservices_list_tool` | `istio_virtualservices_list_tool(namespace)` |
## Quick Status Check
### Detect Istio Installation
```python
istio_detect_tool()
```
### Check Proxy Status
```python
istio_proxy_status_tool()
istio_sidecar_status_tool(namespace)
```
### Analyze Configuration
```python
istio_analyze_tool(namespace)
```
## Traffic Management
### VirtualServices
List and inspect:
```python
istio_virtualservices_list_tool(namespace)
istio_virtualservice_get_tool(name, namespace)
```
See [TRAFFIC-SHIFTING.md](TRAFFIC-SHIFTING.md) for canary and blue-green patterns.
### DestinationRules
```python
istio_destinationrules_list_tool(namespace)
```
### Gateways
```python
istio_gateways_list_tool(namespace)
```
## Traffic Shifting Patterns
### Canary Release (Weight-Based)
VirtualService for 90/10 split:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
  - my-service
  http:
  - route:
    - destination:
        host: my-service
        subset: stable
      weight: 90
    - destination:
        host: my-service
        subset: canary
      weight: 10
```
Apply and verify:
```python
kubectl_apply(vs_yaml, namespace)
istio_virtualservice_get_tool("my-service", namespace)
```
### Header-Based Routing
Route beta users:
```yaml
http:
- match:
  - headers:
      x-user-type:
        exact: beta
  route:
  - destination:
      host: my-service
      subset: canary
- route:
  - destination:
      host: my-service
      subset: stable
```
## Security (mTLS)
See [MTLS.md](MTLS.md) for detailed mTLS configuration.
### PeerAuthentication (mTLS Mode)
```python
istio_peerauthentications_list_tool(namespace)
```
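Listing PeerAuthentication objects shows what is declared, not which mode a given workload ends up with. The following added example (not from the original SKILL.md) resolves the effective mode using Istio's precedence of workload selector over namespace-wide over mesh-wide policy, with PERMISSIVE as the default when nothing applies, and reports workloads that are not STRICT. The sample objects and function names are constructed; port-level overrides and the oldest-policy tie-break are left out.

```python
ROOT_NS = "istio-system"  # Istio's default root namespace; change if customized

# Constructed PeerAuthentication objects and workloads (illustrative only).
POLICIES = [
    {"metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"metadata": {"name": "default", "namespace": "legacy"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"metadata": {"name": "db", "namespace": "shop"},
     "spec": {"selector": {"matchLabels": {"app": "db"}},
              "mtls": {"mode": "DISABLE"}}},
]
WORKLOADS = [("shop", "web", {"app": "web"}),
             ("shop", "db", {"app": "db"}),
             ("legacy", "api", {"app": "api"})]


def declared_mode(policy):
    """Mode set by a policy, or None when absent/UNSET (inherit from parent)."""
    mode = policy.get("spec", {}).get("mtls", {}).get("mode", "UNSET")
    return None if mode == "UNSET" else mode


def effective_mode(policies, namespace, labels):
    """Workload selector > namespace-wide > mesh-wide > PERMISSIVE default."""
    workload = ns_wide = mesh_wide = None
    for p in policies:  # first match per scope wins in this simplified model
        ns = p["metadata"]["namespace"]
        match = p.get("spec", {}).get("selector", {}).get("matchLabels")
        if match:
            if ns == namespace and all(labels.get(k) == v for k, v in match.items()):
                workload = workload or declared_mode(p)
        elif ns == namespace:
            ns_wide = ns_wide or declared_mode(p)
        elif ns == ROOT_NS:
            mesh_wide = mesh_wide or declared_mode(p)
    return workload or ns_wide or mesh_wide or "PERMISSIVE"


def non_strict(policies, workloads):
    """List (namespace, workload, mode) for workloads not enforcing mTLS."""
    result = []
    for ns, name, labels in workloads:
        mode = effective_mode(policies, ns, labels)
        if mode != "STRICT":
            result.append((ns, name, mode))
    return result
```

With the constructed data, `non_strict(POLICIES, WORKLOADS)` reports `shop/db` as DISABLE and `legacy/api` as PERMISSIVE even though the mesh-wide policy is STRICT.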
### AuthorizationPolicy
```python
istio_authorizationpolicies_list_tool(namespace)
```
## Observability
### Proxy Metrics
```python
istio_proxy_status_tool()
```
### Hubble (Cilium Integration)
If using Cilium with Istio:
```python
hubble_flows_query_tool(namespace)
cilium_endpoints_list_tool(namespace)
```
## Troubleshooting
### Sidecar Not Injected
```python
istio_sidecar_status_tool(namespace)
```
### Traffic Not Routing
```python
istio_analyze_tool(namespace)
istio_virtualservice_get_tool(name, namespace)
istio_destinationrules_list_tool(namespace)
istio_proxy_status_tool()
```
### mTLS Failures
```python
istio_peerauthentications_list_tool(namespace)
```
### Common Issues
| Symptom | Check | Resolution |
|---------|-------|------------|
| 503 errors | `istio_analyze_tool()` | Fix VirtualService/DestinationRule |
| No sidecar | `istio_sidecar_status_tool()` | Label namespace |
| Config not applied | `istio_proxy_status_tool()` | Wait for sync or restart pod |
## Multi-Cluster Service Mesh
Istio multi-cluster setup:
```python
istio_proxy_status_tool(context="primary")
istio_virtualservices_list_tool(namespace, context="primary")
istio_proxy_status_tool(context="remote")
```
## Prerequisites
- **Istio**: Required for all Istio tools
```bash
istioctl install --set profile=demo
```
## Related Skills
- [k8s-deploy](../k8s-deploy/SKILL.md) - Deployment with traffic shifting
- [k8s-security](../k8s-security/SKILL.md) - Authorization policies

Related Skills
k8s-vind
Manage vCluster (virtual Kubernetes clusters) instances using vind. Use when creating, managing, or operating lightweight virtual clusters for development, testing, or multi-tenancy.
k8s-troubleshoot
Debug Kubernetes pods, nodes, and workloads. Use when pods are failing, containers crash, nodes are unhealthy, or users mention debugging, troubleshooting, or diagnosing Kubernetes issues.
k8s-storage
Kubernetes storage management for PVCs, storage classes, and persistent volumes. Use when provisioning storage, managing volumes, or troubleshooting storage issues.
k8s-security
Audit Kubernetes RBAC, enforce policies, and manage secrets. Use for security reviews, permission audits, policy enforcement with Kyverno/Gatekeeper, and secret management.
k8s-rollouts
Progressive delivery with Argo Rollouts and Flagger. Use when implementing canary deployments, blue-green deployments, or traffic shifting strategies.
k8s-policy
Kubernetes policy management with Kyverno and Gatekeeper. Use when enforcing security policies, validating resources, or auditing policy compliance.
k8s-operations
kubectl operations for applying, patching, deleting, and executing commands on Kubernetes resources. Use when modifying resources, running commands in pods, or managing resource lifecycle.
k8s-networking
Kubernetes networking management for services, ingresses, endpoints, and network policies. Use when configuring connectivity, load balancing, or network isolation.
k8s-multicluster
Manage multiple Kubernetes clusters, switch contexts, and perform cross-cluster operations. Use when working with multiple clusters, comparing environments, or managing cluster lifecycle.
k8s-kubevirt
Virtual machine management with KubeVirt on Kubernetes. Use when creating, managing, or troubleshooting VMs running on Kubernetes clusters.
k8s-kind
Manage kind (Kubernetes IN Docker) local clusters. Use when creating, testing, or developing with local Kubernetes clusters in Docker containers.
k8s-incident
Respond to Kubernetes incidents with runbooks and diagnostics. Use for outages, pod failures, node issues, network problems, and emergency response.