Service Mesh · DevOps & CI/CD Deep Dive

What It Does

The Three Capabilities

Security — automatic mTLS between services, identity-based authz policies (workload X may call workload Y).
Traffic management — header-based routing, weighted splits (canary), retries, timeouts, circuit breakers, fault injection.
Observability — uniform request metrics (latency, error rate, RPS) and distributed-trace headers, all without app instrumentation.

Players

Mesh	Approach	Notes
Istio	Envoy sidecars (or Ambient mode without sidecars)	Most features; biggest footprint; Ambient mode dropped per-pod sidecars in 2024.
Linkerd	Tiny Rust micro-proxy sidecar	Simpler, lighter, faster to learn; smaller feature surface.
Cilium Service Mesh	eBPF in the kernel — no sidecar at all	Lower overhead, fewer pods, but ties you to Cilium CNI.
Consul Connect	Envoy sidecars driven by Consul service catalog	Strong outside K8s — VMs, multi-DC.
AWS App Mesh / GCP Anthos	Cloud-managed Envoy	Less independent operation, more vendor surface.

Tradeoffs

Cost is real. Sidecars double pod count, add latency, and burn CPU/memory. Ambient/eBPF modes help but bring their own complexity.
Debugging gets harder. A 503 might come from your app, the sidecar, the destination's sidecar, or a policy.
Upgrades are scary — mesh CRDs evolve; Envoy/Istio rev quickly.
Often unneeded. If you have <20 services, a couple of NetworkPolicies and OpenTelemetry SDKs cover most of the win.
Gateway API is now the standard for north-south traffic; some mesh features are migrating there.

Continue