k8s-service-mesh
SKILL.md
Kubernetes Service Mesh (Istio)
Traffic management, security, and observability using kubectl-mcp-server's Istio/Kiali tools.
When to Apply
Use this skill when:
- User mentions: "Istio", "service mesh", "mTLS", "VirtualService", "traffic shifting"
- Operations: traffic management, canary deployments, security policies
- Keywords: "sidecar", "proxy", "traffic split", "mutual TLS"
Priority Rules
| Priority | Rule | Impact | Tools |
|---|---|---|---|
| 1 | Detect Istio installation first | CRITICAL | istio_detect_tool |
| 2 | Run analyze before changes | HIGH | istio_analyze_tool |
| 3 | Check proxy status for sync | HIGH | istio_proxy_status_tool |
| 4 | Verify sidecar injection | MEDIUM | istio_sidecar_status_tool |
Quick Reference
| Task | Tool | Example |
|---|---|---|
| Detect Istio | istio_detect_tool | istio_detect_tool() |
| Analyze config | istio_analyze_tool | istio_analyze_tool(namespace) |
| Proxy status | istio_proxy_status_tool | istio_proxy_status_tool() |
| List VirtualServices | istio_virtualservices_list_tool | istio_virtualservices_list_tool(namespace) |
Quick Status Check
Detect Istio Installation
istio_detect_tool()
Check Proxy Status
istio_proxy_status_tool()
istio_sidecar_status_tool(namespace)
Analyze Configuration
istio_analyze_tool(namespace)
Traffic Management
VirtualServices
List and inspect:
istio_virtualservices_list_tool(namespace)
istio_virtualservice_get_tool(name, namespace)
See TRAFFIC-SHIFTING.md for canary and blue-green patterns.
DestinationRules
istio_destinationrules_list_tool(namespace)
Gateways
istio_gateways_list_tool(namespace)
Traffic Shifting Patterns
Canary Release (Weight-Based)
VirtualService for 90/10 split (the stable and canary subsets it references must be defined in a DestinationRule for my-service):
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
  - my-service
  http:
  - route:
    - destination:
        host: my-service
        subset: stable
      weight: 90
    - destination:
        host: my-service
        subset: canary
      weight: 10
Apply and verify:
kubectl_apply(vs_yaml, namespace)
istio_virtualservice_get_tool("my-service", namespace)
Header-Based Routing
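Route beta users (requests carrying the header x-user-type: beta) to the canary subset and everything else to stable. The header is client-supplied unless an upstream gateway sets or strips it, so treat this as a routing aid, not an access control: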
http:
- match:
  - headers:
      x-user-type:
        exact: beta
  route:
  - destination:
      host: my-service
      subset: canary
- route:
  - destination:
      host: my-service
      subset: stable
Security (mTLS)
See MTLS.md for detailed mTLS configuration.
PeerAuthentication (mTLS Mode)
istio_peerauthentications_list_tool(namespace)
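Reading the listed policies is easier with the inheritance rules applied (workload-level over namespace-wide over mesh-wide, PERMISSIVE when nothing is set). The following is an added example, not code from this skill or from kubectl-mcp-server: it assumes the PeerAuthentication objects are available as Kubernetes JSON (the tool's return shape is not shown on this page) and that the root namespace is istio-system; `audit` and `SAMPLE` are illustrative names.

```python
import json

ROOT_NS = "istio-system"  # assumption: Istio's default root namespace

# Constructed sample, shaped like `kubectl get peerauthentication -A -o json`.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "default", "namespace": "istio-system"},
  "spec": {"mtls": {"mode": "STRICT"}}},
 {"metadata": {"name": "default", "namespace": "legacy"},
  "spec": {"mtls": {"mode": "PERMISSIVE"}}},
 {"metadata": {"name": "db", "namespace": "shop"},
  "spec": {"selector": {"matchLabels": {"app": "db"}}, "mtls": {"mode": "STRICT"},
           "portLevelMtls": {"9090": {"mode": "DISABLE"}}}}]}""")["items"]


def audit(items, namespaces, root_ns=ROOT_NS):
    """Return sorted (namespace, scope, mode) tuples where plaintext is accepted."""
    mesh, ns_mode, scoped = "UNSET", {}, []
    for pa in items:
        meta, spec = pa["metadata"], pa.get("spec") or {}
        mode = (spec.get("mtls") or {}).get("mode", "UNSET")
        if spec.get("selector"):   # workload-scoped policy
            scoped.append((meta["namespace"], meta["name"], mode,
                           spec.get("portLevelMtls") or {}))
        elif meta["namespace"] == root_ns:
            mesh = mode            # no selector + root namespace = mesh-wide
        else:
            ns_mode[meta["namespace"]] = mode   # no selector = namespace-wide

    def resolve(ns, *narrower):
        # Narrowest setting wins; UNSET inherits; no policy at all means PERMISSIVE.
        for mode in (*narrower, ns_mode.get(ns, "UNSET"), mesh):
            if mode != "UNSET":
                return mode
        return "PERMISSIVE"

    found = [(ns, "namespace", resolve(ns)) for ns in namespaces]
    for ns, name, mode, ports in scoped:
        found.append((ns, f"workload/{name}", resolve(ns, mode)))
        for port, entry in ports.items():
            found.append((ns, f"workload/{name}:{port}",
                          resolve(ns, entry.get("mode", "UNSET"), mode)))
    return sorted(f for f in found if f[2] != "STRICT")


if __name__ == "__main__":
    for finding in audit(SAMPLE, ["legacy", "shop", "payments"]):
        print(*finding)
```

An empty result means every listed namespace, workload policy and port override resolves to STRICT; it does not account for multiple selector-less policies in one namespace.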
AuthorizationPolicy
istio_authorizationpolicies_list_tool(namespace)
Observability
Proxy Metrics
istio_proxy_status_tool()
Hubble (Cilium Integration)
If using Cilium with Istio:
hubble_flows_query_tool(namespace)
cilium_endpoints_list_tool(namespace)
Troubleshooting
Sidecar Not Injected
istio_sidecar_status_tool(namespace)
Traffic Not Routing
istio_analyze_tool(namespace)
istio_virtualservice_get_tool(name, namespace)
istio_destinationrules_list_tool(namespace)
istio_proxy_status_tool()
mTLS Failures
istio_peerauthentications_list_tool(namespace)
Common Issues
| Symptom | Check | Resolution |
|---|---|---|
| 503 errors | istio_analyze_tool() | Fix VirtualService/DestinationRule |
| No sidecar | istio_sidecar_status_tool() | Label namespace |
| Config not applied | istio_proxy_status_tool() | Wait for sync or restart pod |
Multi-Cluster Service Mesh
Istio multi-cluster setup:
istio_proxy_status_tool(context="primary")
istio_virtualservices_list_tool(namespace, context="primary")
istio_proxy_status_tool(context="remote")
Prerequisites
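- Istio: Required for all Istio tools
  istioctl install --set profile=demo
  The demo profile is meant for evaluation; Istio recommends the default profile for production deployments.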
Related Skills
- k8s-deploy - Deployment with traffic shifting
- k8s-security - Authorization policies
Repository: rohitg00/kubect…p-server
GitHub Stars: 849
First Seen: Feb 7, 2026