Istio — Commands & Recipes
Installation (Ambient Mode)
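# Install istioctl
# Fetch the installer to a file rather than piping it straight into a shell,
# so it can be read before it runs; -f makes curl fail on an HTTP error
# instead of saving an error page.
curl -fsSL https://istio.io/downloadIstio -o downloadIstio.sh
# Pin the release: without ISTIO_VERSION the installer fetches the latest
# version, and the extracted directory would no longer match the PATH below.
ISTIO_VERSION=1.29.0 sh downloadIstio.sh
export PATH="$PWD/istio-1.29.0/bin:$PATH"
# Install Ambient profile
# -y skips the confirmation prompt; check the kubectl context first.
istioctl install --set profile=ambient -y
# Enable ambient for a namespace
# Enrolls every pod in "default" in the mesh data plane (L4 via ztunnel).
kubectl label namespace default istio.io/dataplane-mode=ambient
# Verify
# Client and control-plane versions should agree with the pinned release.
istioctl version
kubectl get pods -n istio-system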
Traffic Management
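# Canary deployment (90/10 split)
# Splits requests addressed to the parent Service between two backends by
# weight. In ambient mode this is L7 routing, so it applies only to traffic
# that passes through a waypoint proxy.
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: myapp-canary
spec:
  parentRefs:
    # group "" selects the core API group. Without it the reference defaults
    # to gateway.networking.k8s.io, which has no Service kind, so the route
    # would not attach to the Service.
    - group: ""
      kind: Service
      name: mesh
  rules:
    - backendRefs:
        # Stable version receives 90% of requests.
        - name: myapp-v1
          port: 8080
          weight: 90
        # Canary version receives the remaining 10%.
        - name: myapp-v2
          port: 8080
          weight: 10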
# Waypoint proxy (opt-in L7 for a namespace)
# Declares an Istio-managed waypoint in "default" for service-addressed
# traffic. Creating the Gateway does not by itself send traffic through it;
# namespaces or services are enrolled separately (the istio.io/use-waypoint
# label) — confirm against the installed Istio version.
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  namespace: default
  name: waypoint
  labels:
    istio.io/waypoint-for: service
spec:
  gatewayClassName: istio-waypoint
  listeners:
    # HBONE is the mTLS tunnel protocol ambient uses between ztunnel and
    # waypoints.
    - name: mesh
      protocol: HBONE
      port: 15008
Security
# PeerAuthentication — require mTLS
# A policy named "default" with no selector, placed in istio-system (the mesh
# root namespace in a default install), applies mesh-wide. STRICT rejects
# plaintext peer connections. Namespace- and workload-level PeerAuthentication
# policies take precedence over this one, so audit for PERMISSIVE or DISABLE
# overrides.
---
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  namespace: istio-system
  name: default
spec:
  mtls:
    mode: STRICT
# AuthorizationPolicy — L7 rules
# Allows only GET requests under /api/ from the frontend service account to
# workloads labelled app=backend. Once an ALLOW policy selects a workload,
# any request that matches no rule is denied.
# No metadata.namespace is set, so the policy is created in the current
# kubectl namespace and selects workloads only there.
# NOTE(review): methods and paths are L7 attributes. In ambient mode they are
# enforced at a waypoint, not by ztunnel; a policy meant for the waypoint is
# attached with spec.targetRefs (to the Service or the waypoint Gateway)
# rather than a workload selector — confirm against the ambient docs.
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend
spec:
  # ALLOW is the default action; written out so the intent is explicit.
  action: ALLOW
  selector:
    matchLabels:
      app: backend
  rules:
    - from:
        - source:
            # Matched against the peer's mTLS identity, so this rule depends
            # on mutual TLS being in effect between the workloads.
            principals:
              - "cluster.local/ns/default/sa/frontend"
      to:
        - operation:
            methods:
              - "GET"
            # Trailing * is a prefix match; the bare path /api is not covered.
            paths:
              - "/api/*"
Diagnostics
# Proxy status
# Shows whether each proxy's configuration is in sync with the control plane.
istioctl proxy-status
# Analyze configuration issues
# -A checks every namespace; review warnings after any policy change.
istioctl analyze -A
# Debug Envoy config for a pod
# These read Envoy state, so the target must run an Envoy proxy (a sidecar or
# a waypoint). NOTE(review): ambient workloads without a sidecar have no Envoy
# of their own; presumably the waypoint deployment is the target there.
istioctl proxy-config routes deploy/myapp
istioctl proxy-config clusters deploy/myapp
# View ztunnel logs
# Follows logs from all ztunnel pods (the per-node L4 proxy in ambient mode).
kubectl logs -n istio-system -l app=ztunnel -f
Sources