Implement production-ready service mesh deployments with Istio, Linkerd, or Cilium. Configure mTLS, authorization policies, traffic routing, and progressive delivery patterns for secure, observable microservices. Use when setting up service-to-service communication, implementing zero-trust security, or enabling canary deployments.
View on GitHubskills/implementing-service-mesh/SKILL.md
February 1, 2026
Select agents to install to:
npx add-skill https://github.com/ancoleman/ai-design-components/blob/main/skills/implementing-service-mesh/SKILL.md -a claude-code --skill implementing-service-meshInstallation paths:
.claude/skills/implementing-service-mesh/# Service Mesh Implementation ## Purpose Configure and deploy service mesh infrastructure for Kubernetes environments. Enable secure service-to-service communication with mutual TLS, implement traffic management policies, configure authorization controls, and set up progressive delivery strategies. Abstracts network complexity while providing observability, security, and resilience for microservices. ## When to Use Invoke this skill when: - "Set up service mesh with mTLS" - "Configure Istio traffic routing" - "Implement canary deployments" - "Secure microservices communication" - "Add authorization policies to services" - "Traffic splitting between versions" - "Multi-cluster service mesh setup" - "Configure ambient mode vs sidecar" - "Set up circuit breaker configuration" - "Enable distributed tracing" ## Service Mesh Selection Choose based on requirements and constraints. **Istio Ambient (Recommended for most):** - 8% latency overhead with mTLS (vs 166% sidecar mode) - Enterprise features, multi-cloud, advanced L7 routing - Sidecar-less L4 (ztunnel) + optional L7 (waypoint) **Linkerd (Simplicity priority):** - 33% latency overhead (lowest sidecar) - Rust-based micro-proxy, automatic mTLS - Best for small-medium teams, easy adoption **Cilium (eBPF-native):** - 99% latency overhead, kernel-level enforcement - Advanced networking, sidecar-less by design - Best for eBPF infrastructure, future-proof For detailed comparison matrix and architecture trade-offs, see `references/decision-tree.md`. ## Core Concepts ### Data Plane Architectures **Sidecar:** Proxy per pod, fine-grained L7 control, higher overhead **Sidecar-less:** Shared node proxies (Istio Ambient) or eBPF (Cilium), lower overhead **Istio Ambient Components:** - ztunnel: Per-node L4 proxy for mTLS - waypoint: Optional per-namespace L7 proxy for HTTP routing ### Traffic Management **Routing:** Path, header, weight-based traffic distribution **Resilience:** Retries, timeouts, circuit breakers, f