Networking advanced β± 55 minutes K8s 1.28+
Istio Traffic Management and Routing
Implement advanced traffic management with Istio service mesh including traffic splitting, fault injection, circuit breaking, and intelligent routing strategies
By kubernetes-recipes β’
Problem
You need advanced traffic management capabilities beyond basic Kubernetes Services including intelligent request routing, traffic splitting for canary deployments, fault injection for resilience testing, and circuit breaking for failure handling.
Solution
Use Istio service mesh to implement sophisticated traffic management with VirtualServices and DestinationRules, enabling fine-grained control over request routing, load balancing, and failure handling.
Architecture
flowchart TB
subgraph CP["βοΈ Istio Control Plane"]
ISTIOD["ποΈ Istiod<br/>Config"]
PILOT["π§ Pilot<br/>Discovery"]
CITADEL["π Citadel<br/>mTLS"]
end
CP -->|"Config Distribution"| V1
CP -->|"Config Distribution"| V2
CP -->|"Config Distribution"| V3
subgraph V1["π¦ Service Pod v1 - 90% traffic (stable)"]
ENV1["π· Envoy Sidecar"]
APP1["π± App Container"]
ENV1 --> APP1
end
subgraph V2["π¦ Service Pod v2 - 10% traffic (canary)"]
ENV2["π· Envoy Sidecar"]
APP2["π± App Container"]
ENV2 --> APP2
end
subgraph V3["π¦ Service Pod v3 - 0% traffic (future)"]
ENV3["π· Envoy Sidecar"]
APP3["π± App Container"]
ENV3 --> APP3
end
TRAFFIC["π Incoming Traffic"] --> V1
TRAFFIC -.->|"canary"| V2Step 1: Install Istio
Install Istio using istioctl:
# Download Istio
curl -L https://istio.io/downloadIstio | sh -
cd istio-1.20.0
export PATH=$PWD/bin:$PATH
# Install Istio with default profile
istioctl install --set profile=default -y
# Verify installation
kubectl get pods -n istio-system
# Enable sidecar injection for namespace
kubectl label namespace production istio-injection=enabledStep 2: Deploy Application with Multiple Versions
Deploy service with v1 and v2 versions:
# Service definition
apiVersion: v1
kind: Service
metadata:
name: product-service
namespace: production
labels:
app: product-service
spec:
ports:
- port: 8080
name: http
selector:
app: product-service
---
# Deployment v1 (stable)
apiVersion: apps/v1
kind: Deployment
metadata:
name: product-service-v1
namespace: production
spec:
replicas: 3
selector:
matchLabels:
app: product-service
version: v1
template:
metadata:
labels:
app: product-service
version: v1
spec:
containers:
- name: product-service
image: product-service:v1.0
ports:
- containerPort: 8080
---
# Deployment v2 (canary)
apiVersion: apps/v1
kind: Deployment
metadata:
name: product-service-v2
namespace: production
spec:
replicas: 1
selector:
matchLabels:
app: product-service
version: v2
template:
metadata:
labels:
app: product-service
version: v2
spec:
containers:
- name: product-service
image: product-service:v2.0
ports:
- containerPort: 8080Step 3: Traffic Splitting with VirtualService
Implement percentage-based traffic splitting:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: product-service
namespace: production
spec:
hosts:
- product-service
http:
- match:
- headers:
user-group:
exact: beta-testers
route:
- destination:
host: product-service
subset: v2
weight: 100
- route:
- destination:
host: product-service
subset: v1
weight: 90
- destination:
host: product-service
subset: v2
weight: 10
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: product-service
namespace: production
spec:
host: product-service
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2Step 4: Header-Based Routing
Route traffic based on request headers:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: reviews-routing
namespace: production
spec:
hosts:
- reviews
http:
# Route by user identity
- match:
- headers:
end-user:
exact: jason
route:
- destination:
host: reviews
subset: v2
# Route by geographic region
- match:
- headers:
x-region:
regex: "us-.*"
route:
- destination:
host: reviews
subset: us-version
# Route by client type
- match:
- headers:
user-agent:
prefix: "Mobile"
route:
- destination:
host: reviews
subset: mobile-optimized
# Default route
- route:
- destination:
host: reviews
subset: v1Step 5: URL Path-Based Routing
Route based on request URI:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: api-routing
namespace: production
spec:
hosts:
- api.example.com
http:
# Route /v2/* to new API version
- match:
- uri:
prefix: "/v2/"
rewrite:
uri: "/"
route:
- destination:
host: api-service
subset: v2
# Route /admin/* to admin service
- match:
- uri:
prefix: "/admin/"
route:
- destination:
host: admin-service
subset: v1
# Route /api/* to main API
- match:
- uri:
prefix: "/api/"
route:
- destination:
host: api-service
subset: v1
# Default route
- route:
- destination:
host: frontend-serviceStep 6: Fault Injection for Resilience Testing
Inject delays and errors to test resilience:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: fault-injection
namespace: production
spec:
hosts:
- payment-service
http:
- match:
- headers:
x-test-scenario:
exact: "latency"
fault:
delay:
percentage:
value: 100
fixedDelay: 7s
route:
- destination:
host: payment-service
- match:
- headers:
x-test-scenario:
exact: "error"
fault:
abort:
percentage:
value: 50
httpStatus: 500
route:
- destination:
host: payment-service
# Production traffic - inject small failure rate
- fault:
abort:
percentage:
value: 0.1 # 0.1% error rate
httpStatus: 503
route:
- destination:
host: payment-serviceStep 7: Circuit Breaking
Configure circuit breaker to prevent cascade failures:
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: circuit-breaker
namespace: production
spec:
host: backend-service
trafficPolicy:
connectionPool:
tcp:
maxConnections: 100
http:
http1MaxPendingRequests: 50
http2MaxRequests: 100
maxRequestsPerConnection: 2
maxRetries: 3
outlierDetection:
consecutiveErrors: 5
interval: 30s
baseEjectionTime: 30s
maxEjectionPercent: 50
minHealthPercent: 40
loadBalancer:
simple: LEAST_REQUEST
subsets:
- name: v1
labels:
version: v1Step 8: Request Timeouts and Retries
Configure timeouts and retry policies:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: timeout-retry
namespace: production
spec:
hosts:
- api-service
http:
- route:
- destination:
host: api-service
timeout: 10s
retries:
attempts: 3
perTryTimeout: 2s
retryOn: gateway-error,connect-failure,refused-stream,5xx
---
# More advanced retry configuration
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: advanced-retry
namespace: production
spec:
hosts:
- external-api
http:
- route:
- destination:
host: external-api
timeout: 30s
retries:
attempts: 5
perTryTimeout: 5s
retryOn: 5xx,reset,connect-failure,refused-stream,retriable-4xx
retryRemoteLocalities: trueStep 9: Traffic Mirroring
Mirror production traffic to test environment:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: traffic-mirroring
namespace: production
spec:
hosts:
- api-service
http:
- route:
- destination:
host: api-service
subset: v1
weight: 100
mirror:
host: api-service
subset: v2-test
mirrorPercentage:
value: 10.0 # Mirror 10% of trafficStep 10: Load Balancing Strategies
Configure different load balancing algorithms:
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: load-balancing
namespace: production
spec:
host: database-service
trafficPolicy:
# Options: ROUND_ROBIN, LEAST_REQUEST, RANDOM, PASSTHROUGH
loadBalancer:
consistentHash:
httpHeaderName: "x-user-id" # Sticky sessions
---
# Locality-based load balancing
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: locality-lb
namespace: production
spec:
host: api-service
trafficPolicy:
loadBalancer:
localityLbSetting:
enabled: true
distribute:
- from: us-east/*
to:
"us-east/*": 80
"us-west/*": 20
failover:
- from: us-east-1
to: us-east-2Verification
Test traffic splitting:
# Generate traffic and observe distribution
for i in {1..100}; do
kubectl exec -it curl-pod -- \
curl -s http://product-service:8080/version
done | sort | uniq -c
# Check with specific headers
kubectl exec -it curl-pod -- \
curl -H "user-group: beta-testers" \
http://product-service:8080/versionMonitor traffic metrics:
# Install Prometheus and Grafana
kubectl apply -f samples/addons/prometheus.yaml
kubectl apply -f samples/addons/grafana.yaml
# Access Grafana
istioctl dashboard grafana
# View service graph
istioctl dashboard kiali
# Check Envoy stats
kubectl exec -it <pod-name> -c istio-proxy -- \
curl localhost:15000/stats/prometheusTest circuit breaker:
# Generate load to trigger circuit breaker
kubectl exec -it fortio-pod -- \
fortio load -c 5 -qps 0 -n 100 \
-loglevel Warning http://backend-service:8080/
# Check circuit breaker stats
kubectl exec -it <pod-name> -c istio-proxy -- \
curl localhost:15000/stats | grep outlierVerify fault injection:
# Test delay injection
kubectl exec -it curl-pod -- \
curl -H "x-test-scenario: latency" \
-w "@curl-format.txt" \
http://payment-service:8080/
# Test error injection
for i in {1..20}; do
kubectl exec -it curl-pod -- \
curl -s -o /dev/null -w "%{http_code}\n" \
-H "x-test-scenario: error" \
http://payment-service:8080/
doneBest Practices
- Start with simple rules and add complexity gradually
- Test traffic rules in non-production first
- Use meaningful subset names for clarity
- Monitor request latency when adding retries
- Set appropriate circuit breaker thresholds
- Use traffic mirroring before full canary rollout
- Implement gradual rollout with traffic splitting
- Configure timeouts for all external calls
- Use fault injection for chaos engineering
- Monitor Envoy metrics for troubleshooting
Common Issues
Traffic not routing as expected:
- Verify VirtualService and DestinationRule are in same namespace
- Check subset labels match pod labels
- Review Istio proxy logs
Circuit breaker not triggering:
- Verify outlierDetection settings are appropriate
- Check connection pool limits
- Monitor actual error rates
High latency with retries:
- Reduce retry attempts
- Lower perTryTimeout
- Check upstream service performance
Related Resources
π Go Further with Kubernetes Recipes
Love this recipe? Thereβs so much more! This is just one of 100+ hands-on recipes in our comprehensive Kubernetes Recipes book.
Inside the book, youβll master:
- β Production-ready deployment strategies
- β Advanced networking and security patterns
- β Observability, monitoring, and troubleshooting
- β Real-world best practices from industry experts
βThe practical, recipe-based approach made complex Kubernetes concepts finally click for me.β
π Get Your Copy Now β Start building production-grade Kubernetes skills today!
π Get All 100+ Recipes in One Book
Stop searching β get every production-ready pattern with detailed explanations, best practices, and copy-paste YAML.
#istio #service-mesh #traffic-management #circuit-breaker #fault-injection #traffic-splitting
Want More Kubernetes Recipes?
This recipe is from Kubernetes Recipes, our 750-page practical guide with hundreds of production-ready patterns.