AgentSkillsCN

k8s-service-mesh

Manage traffic, security and observability with the Istio service mesh. Whether it is traffic shifting, canary releases, mTLS encryption or service mesh troubleshooting, this skill helps you handle it with ease.

SKILL.md
--- frontmatter
name: k8s-service-mesh
description: Manage Istio service mesh for traffic management, security, and observability. Use for traffic shifting, canary releases, mTLS, and service mesh troubleshooting.

Kubernetes Service Mesh (Istio)

Traffic management, security, and observability using kubectl-mcp-server's Istio/Kiali tools.

Quick Status Check

Detect Istio Installation

code
istio_detect_tool()

Check Proxy Status

code
istio_proxy_status_tool()  # All proxies
istio_sidecar_status_tool(namespace)  # Namespace injection status

Analyze Configuration

code
istio_analyze_tool(namespace)  # Find configuration issues

Traffic Management

VirtualServices

List and inspect:

code
istio_virtualservices_list_tool(namespace)
istio_virtualservice_get_tool(name, namespace)

See TRAFFIC-SHIFTING.md for canary and blue-green patterns.

DestinationRules

code
istio_destinationrules_list_tool(namespace)

Gateways

code
istio_gateways_list_tool(namespace)

Traffic Shifting Patterns

Canary Release (Weight-Based)

VirtualService for 90/10 split:

yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
  - my-service
  http:
  - route:
    - destination:
        host: my-service
        subset: stable
      weight: 90
    - destination:
        host: my-service
        subset: canary
      weight: 10

Apply and verify:

code
apply_manifest(vs_yaml, namespace)
istio_virtualservice_get_tool("my-service", namespace)

Header-Based Routing

Route requests carrying the `x-user-type: beta` header to the canary subset; everything else goes to stable:

yaml
http:
- match:
  - headers:
      x-user-type:
        exact: beta
  route:
  - destination:
      host: my-service
      subset: canary
- route:
  - destination:
      host: my-service
      subset: stable

Security (mTLS)

See MTLS.md for detailed mTLS configuration.

PeerAuthentication (mTLS Mode)

code
istio_peerauthentications_list_tool(namespace)

Modes:

  • STRICT: Require mTLS for all inbound connections
  • PERMISSIVE: Accept both mTLS and plaintext
  • DISABLE: No mTLS (plaintext only)

AuthorizationPolicy

code
istio_authorizationpolicies_list_tool(namespace)

Example deny-all policy:

yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: my-namespace
spec:
  {}  # Empty spec = deny all

Observability

With Kiali

If Kiali is installed:

  • Access Kiali dashboard for service graph
  • Traffic flow visualization
  • Configuration validation

Proxy Metrics

code
# Check proxy sync status
istio_proxy_status_tool()

Hubble (Cilium Integration)

If using Cilium with Istio:

code
hubble_flows_query_tool(namespace)
cilium_endpoints_list_tool(namespace)

Troubleshooting

Sidecar Not Injected

code
istio_sidecar_status_tool(namespace)
# Check namespace label: istio-injection=enabled

Traffic Not Routing

code
1. istio_analyze_tool(namespace)  # Find issues
2. istio_virtualservice_get_tool(name, namespace)  # Check VS
3. istio_destinationrules_list_tool(namespace)  # Check DR
4. istio_proxy_status_tool()  # Check proxy sync

mTLS Failures

code
1. istio_peerauthentications_list_tool(namespace)  # Check PeerAuthentication mode
2. Confirm the mTLS mode matches between the calling and receiving services
3. Verify the workload certificates are valid

Common Issues

| Symptom | Check | Resolution |
|---|---|---|
| 503 errors | istio_analyze_tool() | Fix VirtualService/DestinationRule |
| No sidecar | istio_sidecar_status_tool() | Label namespace |
| Config not applied | istio_proxy_status_tool() | Wait for sync or restart pod |
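The canary split above and the mTLS Failures / Common Issues checks share one theme: a manifest can be valid YAML and still break routing or mTLS once applied. The following is an added example, not code from the skill or from kubectl-mcp-server, that lints parsed manifests before apply; the manifests are plain dicts and the lint_mesh name and its findings wording are assumptions of this example.

```python
# Added example (not from the skill or kubectl-mcp-server): pre-apply lint for
# three mistakes istio_analyze_tool() would otherwise report only after apply:
# route weights not summing to 100 as the 90/10 split expects, a route subset
# with no DestinationRule subset (a classic 503 cause), and tls mode DISABLE in
# a namespace whose PeerAuthentication is STRICT (an mTLS failure in waiting).

def lint_mesh(manifests):
    """Return human-readable findings for a list of parsed Istio objects (dicts)."""
    kinds = lambda k: [m for m in manifests if m["kind"] == k]

    # Per host: subset names and TLS mode declared by DestinationRules
    dr_subsets, dr_tls = {}, {}
    for dr in kinds("DestinationRule"):
        host = dr["spec"]["host"]
        dr_subsets[host] = {s["name"] for s in dr["spec"].get("subsets", [])}
        dr_tls[host] = dr["spec"].get("trafficPolicy", {}).get("tls", {}).get("mode")

    findings = []
    for vs in kinds("VirtualService"):
        name = vs["metadata"]["name"]
        for i, rule in enumerate(vs["spec"].get("http", [])):
            routes = rule.get("route", [])
            # A lone route defaults to weight 100; several routes must sum to 100
            if len(routes) > 1 and sum(r.get("weight", 0) for r in routes) != 100:
                findings.append(f"{name}: http[{i}] route weights do not sum to 100")
            for r in routes:
                host, subset = r["destination"]["host"], r["destination"].get("subset")
                if subset and subset not in dr_subsets.get(host, set()):
                    findings.append(f"{name}: http[{i}] subset '{subset}' undefined for host '{host}'")

    strict_ns = {pa["metadata"].get("namespace") for pa in kinds("PeerAuthentication")
                 if pa["spec"].get("mtls", {}).get("mode") == "STRICT"}
    for dr in kinds("DestinationRule"):
        if dr["metadata"].get("namespace") in strict_ns and dr_tls[dr["spec"]["host"]] == "DISABLE":
            findings.append(f"{dr['metadata']['name']}: tls DISABLE conflicts with STRICT PeerAuthentication")
    return findings


# Constructed sample: the page's 90/10 canary VirtualService, a DestinationRule
# missing the 'canary' subset and disabling TLS, and a STRICT PeerAuthentication.
SAMPLE = [
    {"kind": "VirtualService", "metadata": {"name": "my-service", "namespace": "my-namespace"},
     "spec": {"hosts": ["my-service"], "http": [{"route": [
         {"destination": {"host": "my-service", "subset": "stable"}, "weight": 90},
         {"destination": {"host": "my-service", "subset": "canary"}, "weight": 10}]}]}},
    {"kind": "DestinationRule", "metadata": {"name": "my-service", "namespace": "my-namespace"},
     "spec": {"host": "my-service", "subsets": [{"name": "stable", "labels": {"version": "v1"}}],
              "trafficPolicy": {"tls": {"mode": "DISABLE"}}}},
    {"kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": "my-namespace"}, "spec": {"mtls": {"mode": "STRICT"}}},
]
```

Running `lint_mesh(SAMPLE)` reports the missing canary subset and the STRICT/DISABLE conflict; add the subset and drop the tls override and it returns an empty list.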

Multi-Cluster Service Mesh

Istio multi-cluster setup:

code
# Primary cluster
istio_proxy_status_tool(context="primary")
istio_virtualservices_list_tool(namespace, context="primary")

# Remote cluster
istio_proxy_status_tool(context="remote")

Related Skills