Training Agenda

Service Mesh — Istio & Linkerd

A service mesh moves cross-cutting concerns — mTLS encryption, traffic management, observability, and policy enforcement — out of application code and into the infrastructure layer. Istio is the feature-rich standard for enterprises that need fine-grained control; Linkerd is the lightweight, CNCF-graduated alternative that prioritizes operational simplicity and performance.

Duration: 2 days
Format: on-site, remote, or hybrid
Group size: up to 20 participants
Language: German or English
What We Cover
mTLS, traffic management, and zero-trust networking at the mesh layer
Day 1

Istio — Architecture, mTLS & Traffic Management

  • Architecture: istiod (Pilot, Citadel, Galley unified), Envoy sidecar data plane, xDS protocol for config distribution
  • mTLS: PERMISSIVE vs STRICT PeerAuthentication, automatic certificate rotation via istiod CA, SPIFFE identity
  • VirtualServices: HTTP routing rules, header-based routing, weight-based traffic splitting for canary releases
  • DestinationRules: subsets for stable/canary versions, connection pool settings, outlier detection (circuit breaking)
  • Retries and timeouts: configuring retry attempts, per-try timeouts, and retry conditions at the mesh level
  • Istio Gateway vs Kubernetes Ingress: Gateway and VirtualService for ingress, differences from standard Ingress resources
  • Built-in observability: Prometheus metrics (Istio standard metrics), Grafana dashboards, Jaeger distributed tracing integration
Day 2

Linkerd & Advanced Istio — Authorization & Multi-Cluster

  • Linkerd architecture: Rust-based micro-proxy (no Envoy), linkerd-proxy sidecar, control plane components
  • Linkerd mTLS: automatic certificate injection, identity components, verifying mTLS with linkerd viz
  • Traffic split for canary: SMI TrafficSplit in Linkerd, Flagger integration for automated canary analysis
  • Linkerd vs Istio: performance benchmarks, operational complexity, feature surface, migration considerations
  • Istio AuthorizationPolicy: ALLOW/DENY rules, principal-based (SPIFFE), namespace-based, and attribute-based policies
  • RequestAuthentication: JWT validation at the mesh layer, integrating with OIDC providers
  • Ambient mode: sidecarless Istio architecture (ztunnel L4, waypoint L7), migration from sidecar mode
Learning Outcomes
What your team walks away with

Participants can deploy and operate a service mesh in production — enforcing mTLS, managing traffic for safe deployments, and building zero-trust authorization policies between services.

Book the Service Mesh training

Reach out to schedule a session for your team — remote, on-site, or hybrid, in German or English.
