A quick reference for Istio — the Kubernetes service mesh. Bookmark this page.
Installation
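# Install istioctl
# This pipes a remote script straight into sh. Pin the release so the download is
# reproducible instead of silently tracking the latest version, e.g.
#   curl -L https://istio.io/downloadIstio | ISTIO_VERSION=<istio-version> sh -
# and for production hosts download the release archive and review/verify it first.
curl -L https://istio.io/downloadIstio | sh -
# Pathname expansion is not performed on variable assignments, so
# `export PATH=$PWD/istio-*/bin:$PATH` would keep the literal "istio-*" in PATH.
# Change into the unpacked directory and add its bin/ instead.
cd istio-*/ && export PATH="$PWD/bin:$PATH"
# Install Istio with the demo profile (omitting --set profile installs the
# "default" profile, which is the one meant for production)
istioctl install --set profile=demo -y
# Install with custom profile
istioctl install -f custom-config.yaml
# Enable sidecar injection for a namespace
kubectl label namespace default istio-injection=enabled
# Verify installation
istioctl verify-install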
istioctl analyze
Traffic Management
# VirtualService — route traffic
# Rules are evaluated in order: requests carrying the header `x-canary: true`
# are pinned to subset v2; everything else is split 90/10 between v1 and v2.
# The short host name "my-service" is resolved in the VirtualService's namespace.
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
    - my-service
  http:
    - match:
        - headers:
            x-canary:
              # quoted so YAML keeps the string "true" rather than a boolean
              exact: "true"
      route:
        - destination:
            host: my-service
            subset: v2
    - route:
        - destination:
            host: my-service
            subset: v1
          weight: 90
        - destination:
            host: my-service
            subset: v2
          weight: 10
---
# DestinationRule — define subsets
# Subsets named here (v1, v2) are what the VirtualService routes to; each subset's
# labels must match the pod labels of my-service's endpoints, otherwise the
# subset has no endpoints and traffic to it fails.
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: my-service
spec:
  host: my-service
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        h2UpgradePolicy: DEFAULT
        maxRequestsPerConnection: 10
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
Gateway (Ingress)
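# Gateway — HTTPS ingress terminated at the istio ingress gateway.
# The Secret named by credentialName must live in the namespace of the ingress
# gateway pod (istio-system for the default install), not the app namespace.
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: my-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: my-tls-cert
        # explicit TLS floor so the server does not depend on the mesh-wide default
        minProtocolVersion: TLSV1_2
      hosts: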
        - "app.example.com"
Security
# PeerAuthentication — require mTLS
# A policy without a workload selector in the root namespace (istio-system
# unless reconfigured) applies mesh-wide. STRICT rejects plaintext connections,
# so non-mesh clients must go through a gateway.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# AuthorizationPolicy — access control
# Once any ALLOW policy selects a workload, requests that match no ALLOW rule
# are denied for that workload. The principal is the service-account identity
# (namespace "default", service account "frontend") and is only established
# over mTLS, so this relies on the PeerAuthentication above.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/default/sa/frontend"]
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/api/*"]
Observability
# Open dashboards (each keeps a port-forward to the addon UI open until interrupted)
istioctl dashboard kiali
istioctl dashboard grafana
istioctl dashboard jaeger
istioctl dashboard prometheus
# Check proxy status: sync state of every sidecar and gateway against istiod
istioctl proxy-status
# Debug proxy config: dump what Envoy actually received for a workload
for section in routes clusters endpoints; do
  istioctl proxy-config "$section" deploy/my-app
done
istioctl proxy-config listeners deploy/my-app
Troubleshooting
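# Analyze configuration issues (current namespace, or a named one)
istioctl analyze
istioctl analyze -n my-namespace
# Check sidecar injection: print one line per pod with its container names, so a
# pod missing the istio-proxy container stands out (a flat list of all container
# names does not show which pod lacks the sidecar)
kubectl get pods -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'
# View Envoy access logs
kubectl logs deploy/my-app -c istio-proxy
# Debug connectivity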
istioctl x describe pod my-app-pod
Tips and Tricks
- Use `istioctl analyze` before applying any config changes
- Use `PeerAuthentication` in STRICT mode for zero-trust networking
- Use `RequestAuthentication` for JWT validation at the mesh level
- Use Kiali for visual service mesh topology and traffic flow
- Use the `Sidecar` resource to limit proxy scope and reduce memory