Jacar mascot — reading along A laptop whose eyes follow your cursor while you read.
Arquitectura

Service Mesh in 2023: Istio, Linkerd, and the Cilium Option

8 min read 53 reads
Service Mesh in 2023: Istio, Linkerd, and the Cilium Option
Table of contents
  1. Key takeaways
  2. What a Service Mesh Does
  3. Istio, Linkerd, and Cilium
  4. When You Do NOT Need a Service Mesh
  5. Pragmatic Recommendation
  6. Conclusion

Actualizado: 2026-05-03

A service mesh adds an infrastructure layer that manages communication between services — mTLS, observability, traffic management, retries, and timeouts — without requiring application code changes. The ecosystem has consolidated: Istio[1] remains the most complete and complex, Linkerd[2] is the simple lightweight option, and Cilium[3] has entered strongly offering service mesh over eBPF without sidecars.

Key takeaways

  • A service mesh provides mTLS, uniform observability, and traffic management as a cross-cutting layer.
  • Istio covers the widest range of enterprise cases but carries the highest operational cost.
  • Linkerd prioritises simplicity: one-hour onboarding, lightweight Rust-based proxies.
  • Cilium delivers sidecarless service mesh via eBPF with very low CPU overhead.
  • For fewer than 10 services or without inter-service encryption requirements, you probably don’t need one.

What a Service Mesh Does

When you have 20+ services communicating in Kubernetes, common needs arise:

  • Inter-service encryption (mTLS): real Zero Trust between microservices.
  • Uniform observability: latency, error rate, and RPS metrics for every inter-service call without instrumenting each app.
  • Traffic management: canary deployments, A/B testing, traffic mirroring without touching code.
  • Consistent retries, circuit breaking, and timeouts as declarative policies.
  • Fine-grained authorisation: which services can call which, based on cryptographic identity.

Without a mesh, each team implements these in its own language and differently. The mesh provides them as a cross-cutting layer.

Kubernetes logo, the platform on which the service meshes analysed here are deployed

Istio, Linkerd, and Cilium

Istio is the most mature. Originating at Google/IBM/Lyft, its feature set is extensive: sophisticated traffic policies, multi-cluster, JWT authentication, fine-grained authorisation. The price is high operational complexity — hundreds of CRDs, a steep learning curve, and historically problematic upgrades (improving in recent versions). Every Envoy sidecar adds notable CPU and memory consumption.

Linkerd took the opposite path: simplicity as a guiding principle. Its proxies are written in Rust (linkerd2-proxy, not Envoy), making them extremely lightweight. Onboarding takes an hour to have mTLS running, and upgrades are smooth. The trade-off is a narrower feature set for sophisticated multi-cluster and complex traffic policies.

Cilium Service Mesh does most of its work in the kernel via eBPF, without Envoy sidecars. If you already use Cilium as your CNI, adding mesh is natural and the convergence saves complexity. CPU overhead is very low, but as a service mesh it is less mature than Istio or Linkerd, and requires modern kernels (Linux ≥5.8).

Aspect Istio Linkerd Cilium SM
Mesh maturity Very high High Medium-high
Ops complexity High Low Medium
Performance overhead Medium (Envoy) Low (Rust proxy) Very low (eBPF)
Feature richness Maximum Essential Growing
Multi-cluster Excellent Limited In development
Sidecars Yes (Envoy) Yes (linkerd2-proxy) Optional

When You Do NOT Need a Service Mesh

Many teams adopt a service mesh because “the conference says so” without having the problem it solves. You don’t need one if:

  • You have fewer than 10 services — operational overhead doesn’t pay off.
  • mTLS between services isn’t a real requirement and Kubernetes NetworkPolicies cover your needs.
  • Basic observability with Prometheus and manual app instrumentation is enough.
  • You don’t do canary releases or complex traffic shaping.
  • Your team lacks capacity to maintain one more system.

For those cases, lighter alternatives work better: NetworkPolicies for basic authorisation, direct OpenTelemetry for tracing and metrics, and an Ingress controller with TLS for external traffic.

eBPF logo, the technology Cilium Service Mesh uses to operate sidecarless at kernel level

Pragmatic Recommendation

  • Limited operational budget or small team → Linkerd. Delivers 80% of the value at 20% of the cost.
  • Need sophisticated multi-cluster, JWT validation, or enterprise features → Istio. Take on operating costs with a dedicated team.
  • Already use Cilium as CNI or starting a new cluster → Cilium Service Mesh. Convergence saves complexity.
  • Unsure whether you need it → probably not yet.

Related: if you are evaluating GitOps tools for deploying the service mesh, read the ArgoCD vs Flux CD comparison. And if your starting point is Docker Swarm, note that the entire CNCF service-mesh ecosystem assumes Kubernetes.

Conclusion

Service mesh is a powerful tool for specific inter-service communication problems at scale. The choice among Istio, Linkerd, and Cilium depends more on operational priority and existing stack than on absolute technical capabilities. The most important question is not “which do I choose” but “do I need it today”. For many teams, the honest answer is still “not yet”.

Was this useful?
[Total: 15 · Average: 4.6]
Post Views: 53
  1. Istio
  2. Linkerd
  3. Cilium

Written by

CEO - Jacar Systems

Passionate about technology, cloud infrastructure and artificial intelligence. Writes about DevOps, AI, platforms and software from Madrid.

440 Articles 36K Reads Rating

Related posts