Training Agenda

Istio

Istio is a service mesh that adds traffic management, mutual TLS, observability, and policy enforcement to Kubernetes workloads — without changing application code. In sidecar mode, an Envoy proxy runs alongside each pod, intercepting all network traffic and applying rules defined through Kubernetes CRDs. This training covers Istio from installation through production-grade traffic management, security, and observability.

1–2 days | On-site, remote, or hybrid | Up to 20 participants | German or English
What We Cover
Traffic, security, and observability at the mesh layer
Day 1

Istio Architecture & Traffic Management

  • Service mesh concepts: Why a mesh, sidecar vs ambient mode — the two Istio data plane models
  • Istio components: istiod, Envoy proxy, ingress/egress gateways — how the control and data planes fit together
  • Automatic sidecar injection: Namespace annotations, pod annotations, exclusions — controlling injection
  • VirtualService and DestinationRule: The core traffic routing CRDs — from first route to advanced policy
  • Traffic routing: Header-based routing, weight-based canary splits — fine-grained traffic steering
  • Fault injection: Simulating delays and errors for resilience testing without touching application code
  • Circuit breaking: Outlier detection and ejection thresholds — protecting services from cascading failure
  • Ingress gateway: Replacing the nginx Ingress Controller with Istio Gateway for TLS termination and routing
Day 2

Security, Observability & Operations

  • mTLS: PeerAuthentication policies, auto-mTLS, debugging certificate issues with istioctl
  • AuthorizationPolicy: Service-to-service access control that goes beyond Kubernetes Network Policies
  • RequestAuthentication: JWT validation at the mesh layer — offloading auth from application code
  • Observability: Kiali topology view, Jaeger traces, Prometheus metrics from Envoy — the full observability stack
  • Envoy access logs: Format, filtering, export to Loki — structured logging from the data plane
  • ServiceEntry: Extending the mesh to external services — controlling egress traffic
  • Istio upgrades: In-place vs canary control plane upgrades — safe upgrade strategies
  • Debugging: istioctl analyze, proxy-status, proxy-config, pilot-agent — systematic troubleshooting
Learning Outcomes
What your team walks away with

Istio practitioners who can configure traffic policies, enforce mTLS, and use the mesh's observability to understand service behavior — without drowning in Envoy complexity.

Book the Istio training

Available standalone or combined with the Linkerd training for a service mesh comparison. Prerequisite: working Kubernetes knowledge.
