Skill-Datei

Managing Istio

Name: Managing Istio
Author: cloudthinker-ai

Use when working with Istio — istio service mesh management for Kubernetes. Covers virtual services, destination rules, gateway configuration, traffic management, mTLS policies, sidecar injection, telemetry, and fault injection. Use when managing service mesh traffic routing, debugging connectivity issues, reviewing mTLS status, or configuring Istio policies.

cloudthinker-ai0 Sterne23.03.2026

Beruf
Kategorien: Container

Skill-Inhalt

Istio Service Mesh Skill

Manage Istio service mesh configuration, traffic routing, security policies, and observability.

Core Helper Functions

#!/bin/bash

# Istioctl wrapper
istio_cmd() {
    istioctl "$@" 2>/dev/null
}

# Get Istio CRDs via kubectl
istio_get() {
    local resource="$1"
    local ns="${2:---all-namespaces}"
    if [ "$ns" = "--all-namespaces" ]; then
        kubectl get "$resource" -A -o json 2>/dev/null
    else
        kubectl get "$resource" -n "$ns" -o json 2>/dev/null
    fi
}

# Analyze mesh configuration
istio_analyze() {
    local ns="${1:---all-namespaces}"
    istioctl analyze "$ns" 2>/dev/null
}

MANDATORY: Discovery-First Pattern

Always discover mesh status and resources before modifying configurations.

Phase 1: Discovery

Verwandte Skills

Managing Istio | Skills Pool

#!/bin/bash

echo "=== Istio Version ==="
istioctl version --short 2>/dev/null

echo ""
echo "=== Istio Control Plane Status ==="
kubectl get pods -n istio-system -o json 2>/dev/null | jq -r '
    .items[] | "\(.metadata.name)\t\(.status.phase)\t\(.status.containerStatuses[0].restartCount // 0) restarts"
' | column -t

echo ""
echo "=== Mesh Overview ==="
istioctl proxy-status 2>/dev/null | head -30

echo ""
echo "=== Injected Namespaces ==="
kubectl get namespaces -l istio-injection=enabled -o json 2>/dev/null | jq -r '.items[].metadata.name'

echo ""
echo "=== Istio Resources Summary ==="
for res in virtualservices destinationrules gateways serviceentries sidecars peerauthentications; do
    COUNT=$(kubectl get "$res" -A --no-headers 2>/dev/null | wc -l | tr -d ' ')
    echo "$res: $COUNT"
done

#!/bin/bash
NS="${1:---all-namespaces}"

echo "=== Virtual Services ==="
istio_get virtualservices "$NS" | jq -r '
    .items[] | "\(.metadata.name)\t\(.metadata.namespace)\t\(.spec.hosts | join(","))\t\(.spec.http | length) routes"
' | column -t | head -20

echo ""
echo "=== Destination Rules ==="
istio_get destinationrules "$NS" | jq -r '
    .items[] | "\(.metadata.name)\t\(.metadata.namespace)\t\(.spec.host)\t\(.spec.trafficPolicy.connectionPool // "default")"
' | column -t | head -20

echo ""
echo "=== Gateways ==="
istio_get gateways "$NS" | jq -r '
    .items[] | "\(.metadata.name)\t\(.metadata.namespace)\t\(.spec.servers[] | "\(.port.number)/\(.port.protocol)\t\(.hosts | join(","))")"
' | column -t | head -15

#!/bin/bash
echo "=== mTLS Mesh-Wide Policy ==="
kubectl get peerauthentication -A -o json 2>/dev/null | jq -r '
    .items[] | "\(.metadata.name)\t\(.metadata.namespace)\t\(.spec.mtls.mode // "UNSET")"
' | column -t

echo ""
echo "=== Authorization Policies ==="
kubectl get authorizationpolicies -A -o json 2>/dev/null | jq -r '
    .items[] | "\(.metadata.name)\t\(.metadata.namespace)\t\(.spec.action // "ALLOW")\t\(.spec.rules | length) rules"
' | column -t | head -15

echo ""
echo "=== TLS Status per Service ==="
istioctl proxy-config listeners -n istio-system deploy/istio-ingressgateway 2>/dev/null \
    | grep -E "ADDR|0.0.0.0" | head -15

echo ""
echo "=== Mesh Analysis Warnings ==="
istioctl analyze -A 2>/dev/null | head -20

#!/bin/bash
POD="${1:?Pod name required}"
NS="${2:-default}"

echo "=== Proxy Status: $POD ==="
istioctl proxy-status "$POD.$NS" 2>/dev/null

echo ""
echo "=== Proxy Config Summary ==="
istioctl proxy-config cluster "$POD" -n "$NS" 2>/dev/null | head -20

echo ""
echo "=== Active Routes ==="
istioctl proxy-config routes "$POD" -n "$NS" 2>/dev/null | head -20

echo ""
echo "=== Listeners ==="
istioctl proxy-config listeners "$POD" -n "$NS" 2>/dev/null | head -15

echo ""
echo "=== Config Sync Issues ==="
istioctl proxy-config bootstrap "$POD" -n "$NS" -o json 2>/dev/null | jq '.bootstrap.node.id'

#!/bin/bash
SERVICE="${1:?Service name required}"
NS="${2:-default}"

echo "=== Current Routing for $SERVICE ==="
kubectl get virtualservice -n "$NS" -o json 2>/dev/null | jq --arg svc "$SERVICE" '
    .items[] | select(.spec.hosts[] | contains($svc)) | {
        name: .metadata.name,
        hosts: .spec.hosts,
        routes: [.spec.http[]?.route[]? | {destination: .destination.host, subset: .destination.subset, weight: .weight}]
    }'

echo ""
echo "=== Destination Subsets ==="
kubectl get destinationrule -n "$NS" -o json 2>/dev/null | jq --arg svc "$SERVICE" '
    .items[] | select(.spec.host | contains($svc)) | {
        host: .spec.host,
        subsets: [.spec.subsets[]? | {name: .name, labels: .labels}],
        traffic_policy: .spec.trafficPolicy
    }'

echo ""
echo "=== Active Endpoints ==="
istioctl proxy-config endpoints deploy/"$SERVICE" -n "$NS" 2>/dev/null | grep HEALTHY | head -15

#!/bin/bash
echo "=== Service Entries ==="
kubectl get serviceentries -A -o json 2>/dev/null | jq -r '
    .items[] | "\(.metadata.name)\t\(.metadata.namespace)\t\(.spec.hosts | join(","))\t\(.spec.location // "MESH_EXTERNAL")\t\(.spec.resolution)"
' | column -t | head -20

echo ""
echo "=== Egress Configuration ==="
kubectl get sidecar -A -o json 2>/dev/null | jq -r '
    .items[] | "\(.metadata.name)\t\(.metadata.namespace)\t\(.spec.egress[0].hosts | join(","))"
' | column -t | head -15

Managing Istio Report
═════════════════════
Resources discovered: [count]

Resource       Status    Key Metric    Issues
──────────────────────────────────────────────
[name]         [ok/warn] [value]       [findings]

Summary: [total] resources | [ok] healthy | [warn] warnings | [crit] critical
Action Items: [list of prioritized findings]

Shortcut	Counter	Why
"I'll skip discovery and check known resources"	Always run Phase 1 discovery first	Resource names change, new resources appear — assumed names cause errors
"The user only asked for a quick check"	Follow the full discovery → analysis flow	Quick checks miss critical issues; structured analysis catches silent failures
"Default configuration is probably fine"	Audit configuration explicitly	Defaults often leave logging, security, and optimization features disabled
"Metrics aren't needed for this"	Always check relevant metrics when available	API/CLI responses show current state; metrics reveal trends and intermittent issues
"I don't have access to that"	Try the command and report the actual error	Assumed permission failures prevent useful investigation; actual errors are informative

Managing Istio

Istio Service Mesh Skill

Core Helper Functions

MANDATORY: Discovery-First Pattern

Phase 1: Discovery

Managing Istio

Istio Service Mesh Skill

Core Helper Functions

MANDATORY: Discovery-First Pattern

Phase 1: Discovery

Output Rules

Common Operations

Traffic Management Overview

mTLS Status & Security

Proxy Debugging

Traffic Shifting & Canary

Service Entry & External Traffic

Safety Rules

Output Format

Anti-Hallucination Rules

Counter-Rationalizations

Common Pitfalls

Helm Chart Scaffolding

Python Observability

K8s Manifest Generator

Istio Traffic Management

Secrets Management

Gitops Workflow