<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Istio on marktaguiad.dev</title>
    <link>https://marktaguiad.dev/tags/istio/</link>
    <description>Recent content in Istio on marktaguiad.dev</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <managingEditor>marktaguiad@marktaguiad.dev (Mark Taguiad)</managingEditor>
    <webMaster>marktaguiad@marktaguiad.dev (Mark Taguiad)</webMaster>
    <copyright>marktaguiad.dev</copyright>
    <lastBuildDate>Fri, 03 Apr 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://marktaguiad.dev/tags/istio/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Istio: A/B Testing and Canary Deployment</title>
      <link>https://marktaguiad.dev/post/k8s-istio-quatro/</link>
      <pubDate>Fri, 03 Apr 2026 00:00:00 +0000</pubDate><author>marktaguiad@marktaguiad.dev (Mark Taguiad)</author>
      <guid>https://marktaguiad.dev/post/k8s-istio-quatro/</guid>
      <description>&lt;img&#xA;  class=&#34;theme-image&#34;&#xA;  src=&#34;https://marktaguiad.dev/images/devops/k8s-notes/istio/ab-testing/k8s-ab-testing-001.png&#34;&#xA;  data-light=&#34;/images/devops/k8s-notes/istio/ab-testing/k8s-ab-testing-001.png&#34;&#xA;  data-dark=&#34;/images/devops/k8s-notes/istio/ab-testing/k8s-ab-testing-dark-001.png&#34;&#xA;  alt=&#34;Architecture Diagram&#34;&#xA;&gt;&#xA;&#xA;&lt;p&gt;A/B testing and Canary Deployment allow you to route traffic between different versions of your application to compare performance, behavior, or user experience.&lt;/p&gt;&#xA;&lt;p&gt;With Istio, you can control traffic without changing application code—just by configuring the service mesh.&lt;/p&gt;&#xA;&lt;p&gt;Replicate this using this &lt;a href=&#34;https://github.com/mcbtaguiad/istio-demo&#34;&gt;repo&lt;/a&gt;.&lt;/p&gt;&#xA;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;1&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;kubectl apply -k kube/ab-testing/demo&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h1 id=&#34;table-of-contents&#34;&gt;Table of Contents&lt;/h1&gt;&#xA;&lt;nav id=&#34;TableOfContents&#34;&gt;&#xA;  &lt;ol&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#ab-testing-vs-canary-deployment&#34;&gt;A/B Testing vs Canary Deployment&lt;/a&gt;&lt;/li&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#ab-testing&#34;&gt;A/B Testing&lt;/a&gt;&#xA;      &lt;ol&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#labels&#34;&gt;Labels&lt;/a&gt;&lt;/li&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#service&#34;&gt;Service&lt;/a&gt;&lt;/li&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#destination-rule&#34;&gt;Destination Rule&lt;/a&gt;&lt;/li&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#virtual-service&#34;&gt;Virtual Service&lt;/a&gt;&lt;/li&gt;&#xA;        &lt;li&gt;&lt;a 
href=&#34;#rollout-strategy&#34;&gt;Rollout Strategy&lt;/a&gt;&lt;/li&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#roll-back-strategy&#34;&gt;Roll-back Strategy&lt;/a&gt;&lt;/li&gt;&#xA;      &lt;/ol&gt;&#xA;    &lt;/li&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#canary-deployment&#34;&gt;Canary Deployment&lt;/a&gt;&#xA;      &lt;ol&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#rollout-strategy-1&#34;&gt;Rollout Strategy&lt;/a&gt;&lt;/li&gt;&#xA;      &lt;/ol&gt;&#xA;    &lt;/li&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#observe-metrics&#34;&gt;Observe Metrics&lt;/a&gt;&lt;/li&gt;&#xA;  &lt;/ol&gt;&#xA;&lt;/nav&gt;&#xA;&lt;h3 id=&#34;ab-testing-vs-canary-deployment&#34;&gt;A/B Testing vs Canary Deployment&lt;/h3&gt;&#xA;&lt;table&gt;&#xA;  &lt;thead&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;th&gt;Aspect&lt;/th&gt;&#xA;          &lt;th&gt;Canary Deployment&lt;/th&gt;&#xA;          &lt;th&gt;A/B Testing&lt;/th&gt;&#xA;      &lt;/tr&gt;&#xA;  &lt;/thead&gt;&#xA;  &lt;tbody&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;Purpose&lt;/td&gt;&#xA;          &lt;td&gt;Safe rollout&lt;/td&gt;&#xA;          &lt;td&gt;Experimentation&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;Traffic split&lt;/td&gt;&#xA;          &lt;td&gt;Gradual (10% → 100%)&lt;/td&gt;&#xA;          &lt;td&gt;Fixed (often 50/50)&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;Decision basis&lt;/td&gt;&#xA;          &lt;td&gt;Errors, latency&lt;/td&gt;&#xA;          &lt;td&gt;User behavior, metrics&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;End goal&lt;/td&gt;&#xA;          &lt;td&gt;Replace old version&lt;/td&gt;&#xA;          &lt;td&gt;Pick best variant&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;Versions&lt;/td&gt;&#xA;          &lt;td&gt;Usually same feature&lt;/td&gt;&#xA;          &lt;td&gt;Different UX/features&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;  
&lt;/tbody&gt;&#xA;&lt;/table&gt;&#xA;&lt;h3 id=&#34;ab-testing&#34;&gt;A/B Testing&lt;/h3&gt;&#xA;&lt;h4 id=&#34;labels&#34;&gt;Labels&lt;/h4&gt;&#xA;&lt;p&gt;Label your deployments properly.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Istio: Fault Injection, Retries and Circuit Breaker</title>
      <link>https://marktaguiad.dev/post/k8s-istio-tres/</link>
      <pubDate>Sat, 28 Mar 2026 00:00:00 +0000</pubDate><author>marktaguiad@marktaguiad.dev (Mark Taguiad)</author>
      <guid>https://marktaguiad.dev/post/k8s-istio-tres/</guid>
      <description>&lt;p&gt;Continuation of Kubernetes Istio.&lt;/p&gt;&#xA;&lt;h1 id=&#34;table-of-contents&#34;&gt;Table of Contents&lt;/h1&gt;&#xA;&lt;nav id=&#34;TableOfContents&#34;&gt;&#xA;  &lt;ol&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#ingress-gateway&#34;&gt;Ingress Gateway&lt;/a&gt;&lt;/li&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#gateway&#34;&gt;Gateway&lt;/a&gt;&lt;/li&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#fault-injection&#34;&gt;Fault Injection&lt;/a&gt;&#xA;      &lt;ol&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#verify&#34;&gt;Verify&lt;/a&gt;&lt;/li&gt;&#xA;      &lt;/ol&gt;&#xA;    &lt;/li&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#retries&#34;&gt;Retries&lt;/a&gt;&lt;/li&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#circuit-breaker&#34;&gt;Circuit Breaker&lt;/a&gt;&lt;/li&gt;&#xA;  &lt;/ol&gt;&#xA;&lt;/nav&gt;&#xA;&lt;p&gt;I&amp;rsquo;ve mentioned in this &lt;a href=&#34;https://marktaguiad.dev/post/k8s-istio-uno.md&#34;&gt;post&lt;/a&gt; that I will be sticking with &lt;code&gt;HTTPRoute&lt;/code&gt;, but the features discussed here are only supported (for now) by the Istio API.&lt;/p&gt;&#xA;&lt;h3 id=&#34;ingress-gateway&#34;&gt;Ingress Gateway&lt;/h3&gt;&#xA;&lt;p&gt;Istio deploys a default resource for this, and for this example we are using the default ingress gateway &lt;code&gt;ingressgateway&lt;/code&gt;.&lt;/p&gt;&#xA;&lt;p&gt;If you want to create a custom ingress gateway:&lt;/p&gt;&#xA;&lt;p&gt;&lt;em&gt;istio-gateway.yaml&lt;/em&gt;&lt;/p&gt;&#xA;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-yaml&#34; data-lang=&#34;yaml&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 1&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;nt&#34;&gt;apiVersion&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;l&#34;&gt;install.istio.io/v1alpha1&lt;/span&gt;&lt;span 
class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 2&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;nt&#34;&gt;kind&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;l&#34;&gt;IstioOperator&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 3&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;nt&#34;&gt;metadata&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 4&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;  &lt;/span&gt;&lt;span class=&#34;nt&#34;&gt;name&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;l&#34;&gt;istio-control-plane&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 5&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;  &lt;/span&gt;&lt;span class=&#34;nt&#34;&gt;namespace&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;l&#34;&gt;istio-system&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 6&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;nt&#34;&gt;spec&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 7&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;  
&lt;/span&gt;&lt;span class=&#34;nt&#34;&gt;components&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 8&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;    &lt;/span&gt;&lt;span class=&#34;nt&#34;&gt;ingressGateways&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt; 9&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;      &lt;/span&gt;- &lt;span class=&#34;nt&#34;&gt;name&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;l&#34;&gt;istio-ingressgateway-prod&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;10&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;nt&#34;&gt;namespace&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;l&#34;&gt;istio-system&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;11&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;nt&#34;&gt;enabled&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;kc&#34;&gt;true&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;12&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span 
class=&#34;nt&#34;&gt;label&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;13&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;          &lt;/span&gt;&lt;span class=&#34;nt&#34;&gt;istio&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;l&#34;&gt;ingressgateway-prod&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;14&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;15&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;      &lt;/span&gt;- &lt;span class=&#34;nt&#34;&gt;name&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;l&#34;&gt;istio-ingressgateway-dev&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;16&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;nt&#34;&gt;namespace&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;l&#34;&gt;istio-system&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;17&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;nt&#34;&gt;enabled&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span 
class=&#34;kc&#34;&gt;true&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;18&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;        &lt;/span&gt;&lt;span class=&#34;nt&#34;&gt;label&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;19&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;w&#34;&gt;          &lt;/span&gt;&lt;span class=&#34;nt&#34;&gt;istio&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt;&lt;span class=&#34;w&#34;&gt; &lt;/span&gt;&lt;span class=&#34;l&#34;&gt;ingressgateway-dev&lt;/span&gt;&lt;span class=&#34;w&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This will create two ingress gateways.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Istio: mTLS and RBAC</title>
      <link>https://marktaguiad.dev/post/k8s-istio-dos/</link>
      <pubDate>Tue, 24 Mar 2026 00:00:00 +0000</pubDate><author>marktaguiad@marktaguiad.dev (Mark Taguiad)</author>
      <guid>https://marktaguiad.dev/post/k8s-istio-dos/</guid>
      <description>&lt;p&gt;Continuation of Kubernetes Istio, this time we&amp;rsquo;ll focus on Security.&lt;/p&gt;&#xA;&lt;h1 id=&#34;table-of-contents&#34;&gt;Table of Contents&lt;/h1&gt;&#xA;&lt;nav id=&#34;TableOfContents&#34;&gt;&#xA;  &lt;ol&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#security&#34;&gt;Security&lt;/a&gt;&#xA;      &lt;ol&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#mtls-mutual-tls&#34;&gt;mTLS (Mutual TLS)&lt;/a&gt;&lt;/li&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#authorizationpolicy-rbac&#34;&gt;AuthorizationPolicy (RBAC)&lt;/a&gt;&lt;/li&gt;&#xA;      &lt;/ol&gt;&#xA;    &lt;/li&gt;&#xA;  &lt;/ol&gt;&#xA;&lt;/nav&gt;&#xA;&lt;h3 id=&#34;security&#34;&gt;Security&lt;/h3&gt;&#xA;&lt;h4 id=&#34;mtls-mutual-tls&#34;&gt;mTLS (Mutual TLS)&lt;/h4&gt;&#xA;&lt;p&gt;This will ensure that service-to-service traffic is encrypted and authenticated.&lt;/p&gt;&#xA;&lt;p&gt;Istio allows you to configure three main modes per namespace, workload, or globally:&lt;/p&gt;&#xA;&lt;table&gt;&#xA;  &lt;thead&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;th&gt;Mode&lt;/th&gt;&#xA;          &lt;th&gt;Behavior&lt;/th&gt;&#xA;          &lt;th&gt;When to Use&lt;/th&gt;&#xA;      &lt;/tr&gt;&#xA;  &lt;/thead&gt;&#xA;  &lt;tbody&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;&lt;strong&gt;STRICT&lt;/strong&gt;&lt;/td&gt;&#xA;          &lt;td&gt;Only allows &lt;strong&gt;mTLS-encrypted traffic&lt;/strong&gt;. Plain HTTP connections are rejected.&lt;/td&gt;&#xA;          &lt;td&gt;Best for production when you want &lt;strong&gt;full security&lt;/strong&gt; between services.&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;&lt;strong&gt;PERMISSIVE&lt;/strong&gt;&lt;/td&gt;&#xA;          &lt;td&gt;Accepts both mTLS-encrypted and plain HTTP traffic.&lt;/td&gt;&#xA;          &lt;td&gt;Useful during &lt;strong&gt;gradual migration&lt;/strong&gt; to mTLS. 
Old workloads can still communicate without encryption.&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;&lt;strong&gt;DISABLE&lt;/strong&gt;&lt;/td&gt;&#xA;          &lt;td&gt;Does not use mTLS at all.&lt;/td&gt;&#xA;          &lt;td&gt;For testing, legacy workloads, or non-critical traffic.&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;  &lt;/tbody&gt;&#xA;&lt;/table&gt;&#xA;&lt;p&gt;You might get confused by the HTTPS traffic; it just means that all traffic is converted by Istio&amp;rsquo;s Envoy proxy to mTLS. So as long as the request goes through the sidecar first, it is valid.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Istio: Routing</title>
      <link>https://marktaguiad.dev/post/k8s-istio-uno/</link>
      <pubDate>Mon, 23 Mar 2026 00:00:00 +0000</pubDate><author>marktaguiad@marktaguiad.dev (Mark Taguiad)</author>
      <guid>https://marktaguiad.dev/post/k8s-istio-uno/</guid>
      <description>&lt;p&gt;Modern applications are no longer built as single, monolithic systems—they’re composed of many small, interconnected services. Managing how these services communicate can quickly become complex, especially as systems scale. This is where Istio comes in.&lt;/p&gt;&#xA;&lt;p&gt;Istio acts as a powerful service mesh that sits between your services and handles three critical concerns: traffic management, security, and observability.&lt;/p&gt;&#xA;&lt;p&gt;With Istio, you gain fine-grained control over how traffic flows between services—enabling advanced deployment strategies like A/B testing and canary releases with ease. At the same time, it strengthens service-to-service security and provides deep visibility into your system through metrics, logs, and tracing.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
