Service mesh adoption has grown as microservices architectures have scaled. Istio and Linkerd are the two dominant open source options. The production trade-offs between them have become clear after years of adoption.
What a service mesh provides
A service mesh handles cross-cutting concerns for service-to-service communication: mutual TLS (mTLS) for encryption and authentication, load balancing with traffic management, observability (metrics, traces, logs for every service call), and traffic policies (retry logic, circuit breaking, traffic splitting for canary deployments). These capabilities are implemented in sidecar proxies running alongside each service container, making them language-agnostic.
Istio's strengths
Istio uses Envoy as its data plane proxy. Envoy's feature set is comprehensive: it handles L7 traffic, supports gRPC, and is highly configurable. Istio's control plane (istiod) handles configuration distribution, certificate management, and telemetry collection. Istio's strength is its feature breadth: almost any service mesh use case is supported. Its weakness is complexity: Istio is difficult to configure correctly and resource-intensive.
Linkerd's strengths
Linkerd uses a Rust-based micro-proxy (linkerd2-proxy) instead of Envoy. The micro-proxy is designed for minimal resource consumption and operational simplicity. Linkerd's configuration is simpler than Istio's. mTLS is automatic: once you install Linkerd and enable it on a namespace, traffic between services in that namespace uses mTLS with no further configuration. For teams that primarily want mTLS and observability without the full Istio feature set, Linkerd is the simpler path.
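Enabling Linkerd on a namespace only takes effect when a pod is created, so a pod that started earlier or that opts out runs without the proxy and without mTLS. The check below is an added example, not code from Linkerd or from this article: it reads data shaped like `kubectl get ns -o json` and `kubectl get pods -A -o json` and lists the pods that are not meshed. The sample data and the function names are constructed for illustration; `linkerd.io/inject` and `linkerd-proxy` are Linkerd's own annotation and container name.

```python
import json
INJECT = "linkerd.io/inject"  # Linkerd's proxy-injection annotation
PROXY = "linkerd-proxy"       # name of the container Linkerd injects

# Constructed sample data shaped like kubectl JSON output (names are made up).
NAMESPACES = json.loads("""{"items": [
  {"metadata": {"name": "payments", "annotations": {"linkerd.io/inject": "enabled"}}},
  {"metadata": {"name": "legacy"}}]}""")
PODS = json.loads("""{"items": [
  {"metadata": {"namespace": "payments", "name": "api-1"},
   "spec": {"containers": [{"name": "api"}, {"name": "linkerd-proxy"}]}},
  {"metadata": {"namespace": "payments", "name": "worker-1"},
   "spec": {"containers": [{"name": "worker"}]}},
  {"metadata": {"namespace": "payments", "name": "debug-1",
                "annotations": {"linkerd.io/inject": "disabled"}},
   "spec": {"containers": [{"name": "debug"}]}},
  {"metadata": {"namespace": "legacy", "name": "cron-1"},
   "spec": {"containers": [{"name": "cron"}]}}]}""")

def annotation(meta, key):
    return (meta.get("annotations") or {}).get(key)

def has_proxy(pod):
    # The proxy may run as a regular container or as an init container.
    spec = pod.get("spec", {})
    names = [c.get("name") for c in
             spec.get("containers", []) + (spec.get("initContainers") or [])]
    return PROXY in names

def unmeshed_pods(namespaces, pods):
    """Return (namespace, pod, reason) for every pod running without the proxy."""
    enabled = {ns["metadata"]["name"] for ns in namespaces["items"]
               if annotation(ns["metadata"], INJECT) == "enabled"}
    findings = []
    for pod in pods["items"]:
        meta = pod["metadata"]
        if has_proxy(pod):
            continue
        if annotation(meta, INJECT) == "disabled":
            reason = "pod-opted-out"
        elif meta["namespace"] not in enabled:
            reason = "namespace-not-annotated"
        else:  # e.g. pod was created before the namespace was annotated
            reason = "proxy-missing"
        findings.append((meta["namespace"], meta["name"], reason))
    return sorted(findings)
if __name__ == "__main__":
    for finding in unmeshed_pods(NAMESPACES, PODS):
        print(*finding)
```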
Cilium as an alternative
Cilium implements network policy and service mesh features using eBPF at the kernel level rather than sidecar proxies. This eliminates the per-pod proxy overhead of traditional service meshes. For clusters where the resource cost of sidecar proxies is a concern, Cilium provides network policy and, through its Hubble component, observability without the sidecar. The trade-off is that L7 traffic management (retries, circuit breaking, traffic splitting) is less feature-complete than in Istio or Linkerd.