Skill

service-mesh

Istio/Linkerd service mesh review + design. mTLS strict, traffic shifting (canary/blue-green), retry/timeout/circuit breaker (idempotency-aware), zero-trust authz (SPIFFE/ServiceAccount identity), failure injection, observability (RED metric + B3/W3C trace + access log). No-mesh → mesh migration faz planı.

npx claudepluginhub resultakak/argos --plugin argos

Tool Access

This skill uses the workspace's default tool permissions.

Preview

`agents/shared/severity-rubric.md` ve `agents/shared/escalation-matrix.md`

SKILL.md

Similar Skills

using-superpowers

185.1k

Mandates invoking relevant skills via tools before any response in coding sessions. Covers access, priorities, and adaptations for Claude Code, Copilot CLI, Gemini CLI.

3 files

superpowers

Stats

Stars0

Forks0

Last CommitMay 11, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Service Mesh

Ortak Doktrin

agents/shared/severity-rubric.md ve agents/shared/escalation-matrix.md default-load sayılır (agents/coordination.md §11). Bu skill'in çıktısı Critical / High / Medium / Low + kanıt formatında olmak zorunda — spekülatif Critical yasak. Sahiplik dışı bulgu ilgili agent'a delege; karar yetkisi eşiği aşılırsa kullanıcı onayı zorunlu.

Felsefe

Sidecar = network plane. App L7 retry/timeout/auth ile uğraşmaz.
mTLS by default. Servis-arası şifreli + identity verified.
Zero-trust authz. ServiceAccount/SPIFFE identity; IP-based değil.
Progressive rollout. Canary / blue-green mesh VirtualService / TrafficSplit.
Observability built-in. RED metric + B3/W3C trace + access log.

Ne Zaman Kullanılır

Yeni cluster mesh seçim + install
Mevcut cluster no-mesh → mesh migration
mTLS PERMISSIVE → STRICT rollout
Canary / progressive delivery setup
Resilience (retry/timeout/CB) app code'dan mesh'e taşıma
Zero-trust authz policy review
Mesh post-incident debug (data plane)

Workflow

1) Mesh seçim

Faktör	Linkerd	Istio	Cilium
Komplekslik	Düşük	Orta-Yüksek	Yüksek (eBPF)
Kaynak	~50MB/sidecar	~150MB/sidecar	sidecarless
Feature	Temel	Wasm filter, ratelimit	L7 NetworkPolicy + mesh
Adoption	Orta	En geniş	Yeni
Önerilen	Küçük-orta cluster	Enterprise / feature-rich	Performance-critical

Plugin default: Linkerd; complex policy varsa Istio.

2) Install

# Linkerd
linkerd check --pre
linkerd install --crds | kubectl apply -f -
linkerd install | kubectl apply -f -
linkerd check
linkerd viz install | kubectl apply -f -

# Istio
istioctl install --set profile=production -y
istioctl analyze

3) Servis enroll

# linkerd namespace
metadata:
  annotations:
    linkerd.io/inject: enabled

# istio namespace
metadata:
  labels:
    istio-injection: enabled

Sidecar verify:

kubectl get pods -n production -o jsonpath='{.items[*].spec.containers[*].name}'
# api-svc + istio-proxy (veya linkerd-proxy)

4) mTLS

PERMISSIVE → STRICT 4-hafta ramp:

# Istio PeerAuthentication
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: PERMISSIVE     # hafta 1-2
    # mode: STRICT         hafta 3+

Verify:

# linkerd
linkerd viz edges -n production
# tüm edge "yes" → mTLS OK

# istio
istioctl x authz check pod/api-svc-abc -n production

5) Traffic management

Canary header-based:

apiVersion: networking.istio.io/v1
kind: VirtualService
metadata: { name: api-svc, namespace: production }
spec:
  hosts: [api-svc]
  http:
    - match: [{ headers: { x-canary: { exact: "true" } } }]
      route: [{ destination: { host: api-svc, subset: v2 } }]
    - route:
        - { destination: { host: api-svc, subset: v1 }, weight: 90 }
        - { destination: { host: api-svc, subset: v2 }, weight: 10 }

Linkerd SMI TrafficSplit:

apiVersion: split.smi-spec.io/v1alpha2
kind: TrafficSplit
metadata: { name: api-svc-rollout }
spec:
  service: api-svc
  backends:
    - { service: api-svc-v1, weight: 90 }
    - { service: api-svc-v2, weight: 10 }

Argo Rollouts + Flagger entegrasyon → otomatik analysis + promote / rollback.

6) Resilience

spec:
  http:
    - timeout: 5s
      retries:
        attempts: 3
        perTryTimeout: 2s
        retryOn: 5xx,reset,connect-failure
      route: [...]

Idempotency-aware retry: POST endpoint Idempotency-Key header zorunlu; yoksa retry yasak.

Circuit breaker:

apiVersion: networking.istio.io/v1
kind: DestinationRule
spec:
  trafficPolicy:
    connectionPool:
      http:
        http1MaxPendingRequests: 50
        maxRetries: 3
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 30s

7) Authz

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-checkout-only
  namespace: production
spec:
  selector: { matchLabels: { app: payments-svc } }
  action: ALLOW
  rules:
    - from:
        - source: { principals: ["cluster.local/ns/production/sa/checkout-svc"] }
      to:
        - operation: { methods: [POST], paths: [/v1/payments] }

ServiceAccount identity zorunlu; IP-based yasak.

8) Failure injection (chaos)

spec:
  http:
    - fault:
        delay: { percentage: { value: 10 }, fixedDelay: 5s }
      route: [...]

Staging'de doğrula; production'da /chaos-drill --mesh-fault koordineli.

9) Observability

Metric: Prometheus scrape istio-proxy veya linkerd-proxy.
Trace: B3/W3C context propagate; Jaeger / Tempo backend.
Access log: JSON structured stdout; Loki / Datadog ship.

Grafana dashboard:

Istio: istio-mesh.json, istio-service.json, istio-workload.json
Linkerd: linkerd-top-line.json, linkerd-deployment.json

10) Migration faz planı

Phase 1 (1 ay): Mesh install + 1 non-critical servis enroll
Phase 2 (1 ay): Observability validate
Phase 3 (1 ay): mTLS PERMISSIVE cluster-wide
Phase 4 (1 ay): mTLS STRICT progressive
Phase 5 (2 ay): Authz + retry/timeout/CB app → mesh
Phase 6 (1 ay): Traffic shift / progressive delivery

Rollback her phase'de: namespace label remove → sidecar düşer.

Checklist

Antipattern

mTLS PERMISSIVE production sustained — STRICT'e geç.
App code retry + mesh retry birlikte — double-retry storm.
POST retry Idempotency-Key olmadan — duplicate write.
IP-based authz — pod IP volatile.
Sidecar resource limit yok.
Control plane single AZ.
mTLS audit log yok.
Trace propagation kırık (app traceparent drop).
Access log PII — GDPR.
Sidecar version drift.
Failure injection production deneysel.
Mesh + API gateway retry karışık.

Örnek Agent Davranışı

User: /mesh-review
Agent (infrastructure-implementer + platform-engineer + security-reviewer):
1. Cluster scan: Istio 1.21 control plane, 47 namespace, 38 enrolled.
2. mTLS audit: 28 STRICT, 8 PERMISSIVE (3 ay sustained), 2 DISABLE.
3. AuthorizationPolicy: 12 var, 4 namespace boş (default allow).
4. Resilience: 18 VirtualService retry attempts 5 (yüksek);
   2 servis POST retry Idempotency-Key yok.
5. Trace: %23 request `traceparent` drop (Node servis 2 adet).
6. Sidecar version drift: istio-proxy 1.19 (control plane 1.21) > 1 minor.

Findings:
- Critical: 8 PERMISSIVE production sustained 3 ay; STRICT migrate
- Critical: 2 POST retry idempotency-key yok (duplicate write riski)
- High: AuthorizationPolicy boş 4 namespace (zero-trust gap)
- High: Sidecar version drift > 1 minor
- Medium: Trace propagation 2 servis kırık
- Medium: Retry attempts 5 → retry budget %5 üstü

Action items: 6 issue açıldı.

Çıktı Formatı

# Service Mesh Review: <cluster | namespace>

## Mesh inventory
- Control plane (versiyon, HA, kaynak)
- Enrolled namespace + sidecar count

## mTLS status
- STRICT vs PERMISSIVE vs DISABLE breakdown

## AuthorizationPolicy gap

## Resilience config
- Retry / timeout / CB matrix

## Trace propagation
- B3/W3C uyumluluk

## Findings (Critical/High/Medium/Low)

## Action Items
| P | Aksiyon | Sahip | Bitiş | Issue |

## Migration plan (varsa)