cd ../lexicon
sys/docs/lexicon/service-mesh-2.md
Lexicon Entry

Service Mesh

A dedicated, infrastructure-layer abstraction that manages service-to-service communication via out-of-process proxies, decoupling network logic (retries, mTLS, observability, routing) from application code. It exists to provide uniform L4/L7 traffic control and zero-trust security across a distributed system without requiring per-language client libraries.

A service mesh is architecturally split into two planes: the data plane, composed of proxies (typically Envoy, Linkerd2-proxy, or eBPF-based dataplanes) intercepting all ingress/egress traffic for a workload, and the control plane (Istiod, Linkerd control-plane, Consul), which handles configuration distribution, certificate issuance, and service discovery aggregation. The classic implementation injects a sidecar container into every pod; iptables rules (or eBPF hooks in ambient/CNI-based models) transparently redirect all TCP traffic through the local proxy, meaning the application is entirely unaware the mesh exists. Configuration is pushed to proxies dynamically via APIs like Envoy’s xDS protocol (LDS, RDS, CDS, EDS), enabling near-zero-downtime updates to routing rules, load balancing algorithms, and TLS certificates without redeploying application pods.

The primary architectural value is the enforcement of mTLS at the transport layer as a platform-wide invariant rather than an application concern. The control plane runs a Certificate Authority (often integrated with SPIFFE/SPIRE for workload identity) that issues short-lived X.509 certs to each proxy, rotated automatically — this decouples identity from IP address or hostname, which is critical in ephemeral, autoscaled environments. Traffic shaping primitives — canary releases via weighted routing, circuit breaking, outlier detection, and fault injection — are expressed declaratively (e.g., Istio’s VirtualService/DestinationRule CRDs) and enforced entirely in the data plane, meaning polyglot services get consistent behavior regardless of implementation language.

  • Latency/Resource Overhead: Sidecar-per-pod models introduce a proxy hop on every request (typically 1-5ms p99 tax) and multiply resource footprint by container count — a cluster with 5,000 pods means 5,000 additional Envoy processes, each holding a full copy of cluster/endpoint state, which strains control-plane push bandwidth at scale (the ‘xDS thundering herd’ problem).
  • Ambient Mesh / eBPF evolution: Newer architectures (Istio Ambient, Cilium Service Mesh) remove the sidecar entirely, splitting responsibilities into a per-node ztunnel (L4 mTLS/identity) and optional per-namespace waypoint proxies (L7 policy), reducing resource duplication at the cost of some traffic-shaping granularity.
  • Failure Domain Coupling: A misconfigured or crashed sidecar can silently blackhole a healthy pod’s traffic — debugging requires correlating control-plane push status, proxy config dump (istioctl proxy-config), and application logs simultaneously.
  • Multi-cluster/Federation: Meshes extend trust domains across clusters via east-west gateways and shared root CAs, but this introduces DNS and endpoint-discovery complexity that must be reconciled against underlying Kubernetes service discovery.

Operationally, adopting a service mesh shifts the failure surface: application teams stop writing retry/backoff logic and TLS handshakes, but platform teams inherit an additional distributed system (the control plane itself) that must be highly available, versioned carefully against Envoy API compatibility, and monitored for config-propagation lag — a mesh that is slow to converge state during a rolling deploy can cause transient 503s indistinguishable from real backend failures.