Testing

Service Mesh Testing Patterns: Istio and Linkerd

HelpMeTest

HelpMeTest

9 min read
Service Mesh Testing Patterns: Istio and Linkerd

Service meshes (Istio, Linkerd) add traffic management, observability, and security at the infrastructure layer. Testing mesh behavior requires testing at a different level than application code — you're testing retry policies, circuit breakers, mTLS, and traffic routing rules, not business logic. This guide covers the test patterns specific to Istio and Linkerd.

Key Takeaways

Test mesh behavior separately from application behavior. Retry policy tests don't belong in your application's unit test suite. They belong in infrastructure tests that run against a real mesh.

Use Istio's fault injection for resilience testing. The VirtualService fault injection API lets you inject HTTP errors and delays without modifying application code. Use this to verify your circuit breakers and bulkheads actually trigger.

mTLS verification requires certificate inspection. Don't assume mTLS is working because the mesh is configured for it. Write tests that verify certificates are present, valid, and from the expected CA.

Canary deployment tests need traffic shifting validation. After deploying a canary with a 10% traffic rule, verify that approximately 10% of requests actually reach the canary. Traffic rules are easier to misconfigure than you think.

Linkerd's service profiles enable per-route metrics. Configure ServiceProfile resources for accurate per-route latency and error rate data. Without service profiles, all traffic to a service looks the same in metrics.

What Service Mesh Testing Covers

Application-level tests (unit, integration, E2E) verify that your code works correctly in isolation. Service mesh tests verify that the infrastructure layer works correctly — that traffic policies, security rules, and observability configurations behave as configured.

The split is conceptually clean:

Layer Tests Tools
Application Unit, integration, E2E pytest, Jest, JUnit, Selenium
Service mesh Traffic management, mTLS, observability kubectl, istioctl, linkerd, curl

In practice, some tests live in the overlap: "does my service handle the retry-after-timeout correctly?" requires both application and mesh behavior.

Testing in a Local Mesh Environment

Before testing mesh behavior in staging or production, you need a local environment. Options:

k3d + Istio: Lightweight Kubernetes in Docker with Istio:

k3d cluster create mesh-test --servers 1 --agents 2
istioctl install --set profile=demo
kubectl label namespace default istio-injection=enabled

minikube + Linkerd:

minikube start --memory=4096
linkerd install --crds | kubectl apply -f -
linkerd install <span class="hljs-pipe">| kubectl apply -f -
linkerd check
kubectl annotate namespace default linkerd.io/inject=enabled

Kind (Kubernetes-in-Docker):

kind create cluster
# Then install mesh of choice

All three approaches run a full Kubernetes cluster locally with Docker, suitable for mesh testing without cloud costs.

Istio Fault Injection

Istio's VirtualService resource supports fault injection: HTTP delays and HTTP errors injected at the sidecar level. This is the primary tool for testing resilience behavior.

Injecting HTTP Errors

# fault-injection-errors.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: payment-service
spec:
  hosts:
    - payment-service
  http:
    - fault:
        abort:
          httpStatus: 503
          percentage:
            value: 50  # 50% of requests fail with 503
      route:
        - destination:
            host: payment-service

Apply and test:

kubectl apply -f fault-injection-errors.yaml

# Test that order service handles 503 from payment service
<span class="hljs-comment"># Run 100 requests, verify at least some succeed (retries) and failures are handled gracefully
<span class="hljs-keyword">for i <span class="hljs-keyword">in {1..100}; <span class="hljs-keyword">do
  response=$(curl -s -o /dev/null -w <span class="hljs-string">"%{http_code}" http://order-service/orders -X POST ...)
  <span class="hljs-built_in">echo <span class="hljs-variable">$response
<span class="hljs-keyword">done <span class="hljs-pipe">| <span class="hljs-built_in">sort <span class="hljs-pipe">| <span class="hljs-built_in">uniq -c

A well-configured application with retries and circuit breaking should handle 50% backend errors gracefully — either by retrying successfully or by returning a meaningful error to the caller.

Injecting Delays

# fault-injection-delays.yaml  
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: user-service
spec:
  hosts:
    - user-service
  http:
    - fault:
        delay:
          fixedDelay: 3s
          percentage:
            value: 100  # All requests delayed 3 seconds
      route:
        - destination:
            host: user-service

Use delay injection to verify:

  • Timeout configurations are correct (does the caller timeout at the right time?)
  • Cascading failure doesn't occur (does a slow user-service bring down the entire system?)
  • Bulkheads work (does slow user-service slow down unrelated product catalog calls?)

Testing Retry Policies

# retry-policy.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: inventory-service
spec:
  hosts:
    - inventory-service
  http:
    - retries:
        attempts: 3
        perTryTimeout: 2s
        retryOn: "gateway-error,connect-failure,retriable-4xx"
      route:
        - destination:
            host: inventory-service

Test that retries work:

# Inject 503 faults at 70% rate
<span class="hljs-comment"># With 3 retries, most requests should succeed

kubectl apply -f fault-injection-70pct.yaml

<span class="hljs-comment"># Run test load
hey -n 1000 -c 10 http://api-gateway/inventory/check-stock

<span class="hljs-comment"># Check success rate — should be high despite 70% per-attempt failure
<span class="hljs-comment"># because retries compound: P(3 consecutive failures) = 0.70^3 ≈ 34%

Testing Circuit Breakers

Istio's circuit breaker is configured through DestinationRule:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: payment-service-circuit-breaker
spec:
  host: payment-service
  trafficPolicy:
    outlierDetection:
      consecutive5xxErrors: 5      # Trip after 5 consecutive 5xx errors
      interval: 30s                # Evaluation interval
      baseEjectionTime: 30s        # Eject pod for 30 seconds
      maxEjectionPercent: 100      # Allow ejecting all pods if needed

Test the circuit breaker behavior:

#!/bin/bash
<span class="hljs-comment"># circuit-breaker-test.sh

<span class="hljs-built_in">echo <span class="hljs-string">"1. Injecting 503 fault on payment-service"
kubectl apply -f fault-injection-100pct.yaml

<span class="hljs-built_in">echo <span class="hljs-string">"2. Sending requests until circuit opens"
<span class="hljs-keyword">for i <span class="hljs-keyword">in {1..20}; <span class="hljs-keyword">do
  STATUS=$(curl -s -o /dev/null -w <span class="hljs-string">"%{http_code}" http://api-gateway/process-payment)
  <span class="hljs-built_in">echo <span class="hljs-string">"Request $i: <span class="hljs-variable">$STATUS"
  <span class="hljs-built_in">sleep 1
<span class="hljs-keyword">done

<span class="hljs-built_in">echo <span class="hljs-string">"3. Checking outlier detection metrics"
kubectl <span class="hljs-built_in">exec -n istio-system deploy/prometheus -- \
  curl -s <span class="hljs-string">"http://localhost:9090/api/v1/query?query=envoy_cluster_outlier_detection_ejections_active"

<span class="hljs-built_in">echo <span class="hljs-string">"4. Removing fault injection"
kubectl delete -f fault-injection-100pct.yaml

<span class="hljs-built_in">echo <span class="hljs-string">"5. Waiting for circuit to close (30 second base ejection time)"
<span class="hljs-built_in">sleep 35

<span class="hljs-built_in">echo <span class="hljs-string">"6. Verifying requests succeed after circuit closes"
<span class="hljs-keyword">for i <span class="hljs-keyword">in {1..5}; <span class="hljs-keyword">do
  STATUS=$(curl -s -o /dev/null -w <span class="hljs-string">"%{http_code}" http://api-gateway/process-payment)
  <span class="hljs-built_in">echo <span class="hljs-string">"Post-recovery request $i: <span class="hljs-variable">$STATUS"
<span class="hljs-keyword">done

Testing mTLS

Mutual TLS between services is a core security feature of service meshes. Don't assume it's working — verify it.

Istio mTLS Verification

# Check mTLS status for all services in the namespace
istioctl authn tls-check default

<span class="hljs-comment"># Verify a specific service-to-service communication uses mTLS
istioctl authn tls-check order-service.default payment-service.default

Expected output for correctly configured mTLS:

HOST:PORT                           STATUS     SERVER     CLIENT     AUTHN POLICY
payment-service.default:8080        OK         mTLS       mTLS       default/default

If status is CONFLICT or CLIENT DISABLED, mTLS is not working between those services.

Certificate Inspection

# Inspect the certificate being used between services
<span class="hljs-comment"># Exec into the order-service pod's sidecar
kubectl <span class="hljs-built_in">exec -n default deploy/order-service -c istio-proxy -- \
  openssl s_client -connect payment-service:8080 -showcerts 2>/dev/null <span class="hljs-pipe">| \
  openssl x509 -noout -text <span class="hljs-pipe">| grep -A 2 <span class="hljs-string">"Subject:"

For automated mTLS testing, write a test that:

  1. Attempts to connect to a service without a valid certificate
  2. Verifies the connection is rejected
  3. Attempts to connect with a valid certificate from the correct trust domain
  4. Verifies the connection succeeds
# Test that direct connection without mesh certificate is rejected
<span class="hljs-comment"># From a pod outside the mesh namespace
kubectl run test-pod --image=curlimages/curl --<span class="hljs-built_in">rm -it --restart=Never \
  --namespace=external \
  -- curl -v https://payment-service.default:8080/health 2>&1 <span class="hljs-pipe">| grep <span class="hljs-string">"SSL certificate"
  
<span class="hljs-comment"># Should see certificate error — the external pod doesn't have a valid mesh cert

Testing Traffic Splitting (Canary Deployments)

When deploying a new version with gradual traffic shifting, verify the traffic distribution matches the configured percentages:

# canary-traffic-split.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: product-service
spec:
  hosts:
    - product-service
  http:
    - route:
        - destination:
            host: product-service
            subset: v1
          weight: 90
        - destination:
            host: product-service
            subset: v2
          weight: 10

Verify the split:

#!/bin/bash
<span class="hljs-comment"># verify-traffic-split.sh

V1_COUNT=0
V2_COUNT=0

<span class="hljs-keyword">for i <span class="hljs-keyword">in {1..1000}; <span class="hljs-keyword">do
  VERSION=$(curl -s http://product-service/version <span class="hljs-pipe">| jq -r <span class="hljs-string">'.version')
  <span class="hljs-keyword">if [ <span class="hljs-string">"$VERSION" == <span class="hljs-string">"v1" ]; <span class="hljs-keyword">then
    V1_COUNT=$((V1_COUNT + <span class="hljs-number">1))
  <span class="hljs-keyword">else
    V2_COUNT=$((V2_COUNT + <span class="hljs-number">1))
  <span class="hljs-keyword">fi
<span class="hljs-keyword">done

<span class="hljs-built_in">echo <span class="hljs-string">"v1: $V1_COUNT/1000 (<span class="hljs-subst">$(( V1_COUNT / 10 ))%)"
<span class="hljs-built_in">echo <span class="hljs-string">"v2: $V2_COUNT/1000 (<span class="hljs-subst">$(( V2_COUNT / 10 ))%)"

<span class="hljs-comment"># Assert approximately 10% to v2 (within 3% variance)
<span class="hljs-keyword">if [ <span class="hljs-variable">$V2_COUNT -ge 70 ] && [ <span class="hljs-variable">$V2_COUNT -le 130 ]; <span class="hljs-keyword">then
  <span class="hljs-built_in">echo <span class="hljs-string">"✓ Traffic split is within expected range"
<span class="hljs-keyword">else
  <span class="hljs-built_in">echo <span class="hljs-string">"✗ Traffic split is outside expected range"
  <span class="hljs-built_in">exit 1
<span class="hljs-keyword">fi

Linkerd Testing Patterns

Linkerd has a different feature set and testing approach than Istio. It focuses on simplicity — fewer configuration resources, but less flexibility.

Service Profile Testing

Linkerd's ServiceProfile resource enables per-route metrics:

apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  name: payment-service.default.svc.cluster.local
  namespace: default
spec:
  routes:
    - name: POST /charges
      condition:
        method: POST
        pathRegex: /charges
      responseClasses:
        - condition:
            status:
              min: 500
              max: 599
          isFailure: true
    - name: GET /charges/{id}
      condition:
        method: GET
        pathRegex: /charges/[^/]*

With service profiles configured, verify per-route metrics are available:

# Check that per-route metrics appear in Linkerd
linkerd viz <span class="hljs-built_in">stat deploy/order-service

<span class="hljs-comment"># Check specific route metrics
linkerd viz routes deploy/order-service --to deploy/payment-service

Linkerd Tap for Debugging

Linkerd's tap command shows live traffic — useful for verifying test traffic is flowing correctly:

# Tap live traffic to payment-service to verify headers, status codes, and latency
linkerd viz tap deploy/payment-service --namespace default \
  -o json <span class="hljs-pipe">| jq <span class="hljs-string">'select(.responseInitEvent.http.responseInit.status == 500)'

Use tap during test runs to verify that:

  • The right services are being called
  • Headers are being passed correctly
  • mTLS is active (look for tls=true in tap output)
  • Status codes match expectations

Integration Testing with Mesh in CI

Running a full Kubernetes cluster with a service mesh in CI is expensive in time and resources. Strategies:

Separate mesh tests from application tests. Run unit and integration tests without the mesh. Run mesh behavior tests in a dedicated CI pipeline that runs less frequently (nightly, or on infrastructure changes).

Use Istio's dry-run validation. For configuration correctness tests:

istioctl analyze --namespace default

This validates Istio configurations for common errors without running a cluster.

Lightweight mesh in CI: Use k3d with a minimal Istio install:

k3d cluster create ci-mesh --servers 1 --agents 1 --timeout 300s
istioctl install --<span class="hljs-built_in">set profile=minimal --<span class="hljs-built_in">set values.pilot.env.PILOT_ENABLE_EDS_DEBOUNCE=<span class="hljs-literal">true

The minimal profile skips components not needed for traffic management testing (telemetry, policy).

Summary

Service mesh testing focuses on infrastructure behavior: fault tolerance (retries, circuit breakers), security (mTLS), and traffic management (canary deployments, weighted routing).

The key tools are the mesh CLIs (istioctl, linkerd) and kubectl. Tests typically involve:

  1. Applying a mesh configuration
  2. Sending controlled test traffic
  3. Verifying the behavior through metrics, logs, or response codes

Mesh behavior tests belong in a separate test suite from application tests — they require a running cluster, run slower, and test different things.

The most common mesh testing mistake is assuming configuration is correct without verifying behavior. Apply the configuration, then prove it works.

Read more