💡 왼쪽 원문을 읽으면서 오른쪽에 따라 써보세요. Tab 키로 힌트를 받을 수 있습니다.

원문 렌더가 준비되기 전까지 텍스트 가이드로 표시합니다.

Prologue — "Service mesh got hard again"

KubeCon EU, 2024. An SRE on stage joked: "Do not say you know service mesh. The mesh you knew two years ago does not exist anymore." The crowd laughed, but it was half true.

Between 2024 and 2026, here is what happened:

- **Istio Ambient mode hit GA in 1.22 (2024)** — sidecar-free Istio became real.

- **Linkerd 3 (Buoyant)** — moved stable production releases to a paid edition, triggering community backlash.

- **Cilium / Isovalent acquired by Cisco (2024)** — eBPF mesh joined the Cisco umbrella.

- **HashiCorp acquired by IBM (2024)** — governance of Consul Connect shifted.

- **Open Service Mesh (Microsoft) — sunset January 2024**.

- **AWS App Mesh — sunset October 2024**.

- **Kuma (Kong)** — settled in as the federated multi-zone mesh.

- **Gloo Mesh (solo.io)** — became the de facto standard for multi-cluster Istio.

- **Traefik Mesh** — survived as the lightweight option.

Technically, the more interesting story is that **the model itself split**. In 2020, everybody was a sidecar (Envoy living next door to your pod). In 2026, three models coexist.

1. **Sidecar model** — classical Istio, Linkerd 2/3, Consul Connect default.

2. **Ambient model (L4 + L7 separation)** — Istio Ambient (ztunnel + waypoint), some Linkerd patterns.

3. **eBPF / proxyless model** — Cilium Service Mesh, gRPC-native, parts of the JVM stack.

The three models have different trade-offs, and the right answer depends on your workload and operational capacity. This post covers **the 2026 status of each option**, **the sidecar vs ambient vs proxyless debate**, **the operational patterns (mTLS, RBAC, traffic shifting, observability)**, and **a decision tree for who should pick what**.

One thing to say up front: **service mesh is not a default.** "We use Kubernetes, so we install a mesh" is still bad reasoning in 2026. Teams without a mesh are often happier than teams with one. But for the teams that actually need it, a well-chosen mesh changes the texture of operations.

1. The 2026 service mesh map — three models, seven candidates

| --- | --- | --- | --- |

A one-liner per model:

- **Sidecar** — one Envoy (or micro-proxy) pod runs next to each workload pod. Most mature, but memory, CPU, startup time, and debugging complexity are all expensive.

- **Ambient** — a per-node L4 proxy (ztunnel) handles all pod traffic, and you only spin up a separate L7 waypoint proxy where you need it. Cuts sidecar cost dramatically.

- **eBPF / proxyless** — kernel-level eBPF implements policy, encryption, and observability. mTLS and some policy are possible without a data-plane proxy. For L7 features, traffic is forwarded to an Envoy.

The three models carry **different trade-offs**. Sidecar is "mature but expensive", ambient is "simpler to run but introduces new components", eBPF is "lightest but tied to kernel/OS/CNI". There is no universal winner.

2. Istio Ambient (2024 GA) — ztunnel + waypoint

Istio Ambient mode started as alpha in 2022 and reached GA in 1.22 (2024). The core idea is **splitting the data plane into two layers**.

[Pod A] ────► [ztunnel (node DaemonSet)] ──mTLS──► [ztunnel] ────► [Pod B]

L4 (TCP, HBONE tunnel)

When L7 is required:

[Pod A] → [ztunnel] → [waypoint proxy (per namespace/service)] → [ztunnel] → [Pod B]

L7 (HTTP route, RBAC, traffic shifting)

- **ztunnel**: a new Rust-based node DaemonSet. One instance per node, forwarding all pod traffic over HBONE (HTTP-Based Overlay Network Environment — HTTP/2 over mTLS). L4 only — TLS, identity, simple mTLS.

- **waypoint proxy**: a separate Envoy pod, deployed per namespace or service account, only where L7 policy (HTTP routing, header-based routing, RBAC, retry, mirror) is needed. ztunnel routes L7-required traffic through the waypoint.

**Why does this matter?**

- **Memory and CPU savings**: instead of 100 sidecars for 100 pods, you have 10 ztunnels on 10 nodes plus 2-3 waypoints. You save the 50-200 MB Envoy memory footprint per sidecar.

- **Faster startup**: sidecars must come up alongside the pod, lengthening pod startup. Ambient ztunnels are already running, so pods start faster.

- **Decoupled app and sidecar**: sidecar OOMs killing the app, or sidecar version pinning the app's lifecycle, all go away.

- **L4 vs L7 split**: workloads that need no L7 (many — plain gRPC backends, queue workers) only need ztunnel.

**Why is not everyone moving to Ambient?**

- **Two new components** (ztunnel, waypoint) to learn operationally.

- **CNI/network dependencies**: ambient installs new netfilter rules on top of iptables. Conflicts with some CNIs (notably some Cilium versions) have been reported.

- **Some features are still sidecar-only**: certain EnvoyFilter configs, WASM extensions, etc. are limited in ambient.

- **Migration cost**: moving a working sidecar cluster to ambient is itself a large project.

The 2026 recommendation: **new clusters go ambient; existing sidecar clusters migrate gradually.** Commercial distros like Gloo are filling in the ambient migration tooling fast.

3. Istio sidecar (classical) — still everywhere

Sidecar Istio is not dead just because ambient is GA. In 2026, **the majority of Istio clusters in production are still sidecar-mode**. The reason is simple — "we do not move what is working".

Sidecar Istio still has clear strengths:

- **The most case studies, docs, and blog posts.** When things break, Google has answers.

- **Every feature works**: EnvoyFilter, WASM extensions, all telemetry v2 features.

- **Integration with other ingress/egress patterns is best-documented.**

The weaknesses are also intact:

- **Memory and CPU cost** — 50-200 MB per Envoy sidecar.

- **Pod startup latency** — the app cannot accept traffic until the sidecar is ready (`holdApplicationUntilProxyStarts`).

- **App and sidecar lifecycle coupling** — sidecar OOM cuts the app's traffic.

- **Istio control plane (istiod) load** — xDS push cost grows with pod count.

**When is sidecar Istio still right?**

- Already running and working (the most common case).

- Sidecar-only EnvoyFilter or WASM is essential to your feature set.

- The team does not have bandwidth to absorb a new component model.

Recommendation: **start fresh on ambient; migrate slowly from sidecar.** The most common mistake is "ambient is GA, so we move now" — the operational learning curve is real.

4. Linkerd 3 — Buoyant's paid-tier decision (2024)

Linkerd has billed itself since 2017 as "sidecar but lightweight". The Rust-based linkerd2-proxy (now `linkerd-proxy`) used a lot less memory and CPU than Envoy — 10-30 MB per sidecar.

Then in 2024, Buoyant (Linkerd's parent company) **announced that stable releases (the production-ready builds) would move to a paid edition**. Free downloads remain available on the edge channel (weekly builds), but using a stable channel in production now requires a Buoyant Enterprise license.

Community reaction was fierce:

- "The golden age of open-source mesh is over."

- "This is effectively a regression to source-available."

- "But Linkerd is maintained by a tiny company — how could it stay free forever?"

- "Is this acceptable for a CNCF-graduated project?"

**Technical changes in Linkerd 3**:

- Sidecar is still a Rust micro-proxy. Still lightweight.

- Adopted some ambient-style patterns (per-service policy delegation).

- Stronger multi-cluster mTLS and federated certificate management.

- The **policy** resource gained more L7 RBAC features.

**The 2026 view**:

- Technically still attractive. **The lightest sidecar mesh by a wide margin.**

- Operationally genuinely simple. No need to memorize dozens of CRDs like Istio.

- But the paid-stable policy **eroded the comfort of "this is a CNCF-graduated project."**

- Edge channel is free, but enterprises usually cannot run an "unsupported" channel for political reasons.

**Selection criteria**:

- If you want a lightweight, simple sidecar mesh and can absorb the Buoyant Enterprise cost, still a great choice.

- If vendor lock-in worries you, Istio Ambient or Cilium Service Mesh are alternatives.

- A small team that just needs mTLS fast — Linkerd is still one of the cleanest options.

5. Cilium Service Mesh — eBPF + Cisco acquisition (2024)

Cilium started as a CNI (Container Network Interface), but its eBPF foundations let it extend into service mesh. It formalized mesh features in 2022 and saw real production adoption in 2023-2024.

**Cisco acquired Isovalent (Cilium's parent) in 2024.** Cisco's reach in eBPF expanded overnight, and Isovalent Cilium Enterprise — Cilium's commercial distribution — is heading toward integration with Cisco's security and networking portfolio.

**Cilium Service Mesh model**:

- **L4 mTLS and policy**: in eBPF. No sidecar, no waypoint — kernel-resident on each node.

- **L7 features (HTTP routing, gRPC, Kafka filter)**: per-node Envoy DaemonSets or ingress gateways. Not sidecar.

- **Observability**: Hubble for L3/L4/L7 visibility. Because eBPF captures everything, sampling is rarely needed.

- **Network policy integration**: CiliumNetworkPolicy covers L3-L7 in one place.

**Why eBPF mesh is attractive**:

- **Zero sidecars** — savings on memory, CPU, and startup time.

- **L4 in the kernel** — no context switch, fast.

- **Mesh and CNI in one** — no need to manage two distinct components.

- **Hubble observability** — eBPF captures all traffic, so you see everything without sampling.

**Realistic limits**:

- **Kernel dependency**: new features need new kernels. 5.x late or 6.x recommended.

- **L7 still uses Envoy** — there is no sidecar, but Envoy exists somewhere.

- **Operational learning**: the interaction between eBPF, iptables, CNI, and NetworkPolicy is complex.

- **Less Istio API parity**: teams used to Istio operate differently.

**2026 recommendation**:

- If you are choosing a CNI for a new cluster, Cilium is a strong candidate (and the recommended CNI on several clouds).

- Cilium Service Mesh is a natural extension if you are already on Cilium CNI.

- Watch licensing and governance evolution post-Cisco.

6. Consul Connect — HashiCorp → IBM acquisition (2024)

Consul started in 2014 as HashiCorp's service discovery and KV store, and Consul Connect added service mesh. **The unique angle was VMs and Kubernetes in one mesh** — while Istio and Linkerd were Kubernetes-first, Consul could rope VMs and bare-metal into a single mesh from the start.

**IBM acquired HashiCorp in 2024**. Terraform, Vault, Consul, Nomad — every HashiCorp product is now under the IBM umbrella. Governance and licensing (already moved to BSL in 2023) are both affected.

**Consul Connect's strengths (still)**:

- **Hybrid environments**: VM + Kubernetes + bare-metal in one mesh.

- **Multi-datacenter and WAN federation**: supported early and well.

- **Vault integration**: Consul Connect CA can be delegated to Vault.

- **Service mesh + service discovery + KV**: integrated platform.

**Weaknesses and concerns**:

- **BSL license (2023)**: no longer free OSS — competitive SaaS offerings are limited.

- **Roadmap uncertainty post-IBM**: some users worry about an OpenTofu-style fork (no Consul fork is mature yet).

- **In Kubernetes-only environments**, less compelling than Istio or Linkerd.

**When is Consul Connect the right answer?**

- Hybrid environments with both VMs and Kubernetes.

- Organizations already deep on the HashiCorp stack (Terraform, Vault, Nomad).

- Multi-region / multi-datacenter mesh is the primary requirement.

**When to avoid?**

- Pure Kubernetes-only and vendor lock-in is a concern.

- OSS-first organizations sensitive to license changes.

7. Kuma (Kong) — federated mesh

Kuma was created by Kong in 2019 and donated to CNCF Sandbox in 2020. Technically it is an Envoy-based sidecar mesh, but its differentiator is its **multi-zone / federated** model.

**Kuma architecture**:

- **Global control plane** (global policy management) plus **zone control plane** (per cluster / region).

- One mesh can span multiple clusters, multiple clouds, and VMs.

- Universal mode (VMs / bare-metal) and Kubernetes mode both supported.

**Strengths vs other meshes**:

- **Multi-zone is first-class**: a simpler operational model than Istio or Linkerd multi-cluster.

- **Policy fans out by mesh**: define once, propagate to all zones.

- **Integration with Kong API Gateway**: the API gateway becomes part of the mesh.

**Weaknesses**:

- Less broad documentation and case studies than Istio.

- Some advanced L7 features arrive later than Istio.

- The OSS feature set depends on Kong's commercial strategy.

**When Kuma?** Multi-cluster / multi-cloud / hybrid environments where operational simplicity is the priority. Especially natural if you are already on Kong API Gateway.

8. Gloo Mesh (solo.io) — multi-cluster Istio

solo.io's Gloo Mesh is **a commercial multi-cluster control plane on top of Istio**. Istio itself runs fine in a single cluster, but **roping multiple clusters into one mesh** (multi-cluster federation, shared certificates, cross-cluster service discovery) is operationally heavy. Gloo Mesh abstracts that into a commercial product.

**What Gloo Mesh solves**:

- **Multi-cluster Istio federation automated**: certificate, trust domain, east-west gateway setup via GUI / CLI.

- **Global policy management**: define once, propagate to all clusters.

- **Higher-level abstractions over VirtualService / DestinationRule**: RouteTable and VirtualGateway CRDs.

- **Ambient migration support**: solo.io is one of the leading ambient contributors.

**Who uses it**: large enterprises, especially those where multi-cluster Istio is central. Banks, telcos, some big-tech SRE orgs.

**Alternatives**: OSS Istio with hand-rolled multi-cluster setup (possible but operationally heavy), or Cilium ClusterMesh.

9. Traefik Mesh — the lightweight option

Traefik Mesh (formerly Maesh) is **a lightweight DaemonSet-based mesh**. Instead of sidecars, a node-local Traefik proxy handles all traffic for the pods on that node. Architecturally it is close to ambient's ztunnel — except it was built far earlier (2019).

**Strengths**:

- **No sidecars** — low memory, fast startup.

- **Operationally simple** — small learning curve for teams already using Traefik.

- **SMI (Service Mesh Interface) compatible** — standard API.

**Weaknesses**:

- **L7 policy richness is not at Istio's level**.

- **mTLS and complex RBAC** are simpler than in other meshes.

- **Smaller community** than Istio, Linkerd, or Cilium.

**When Traefik Mesh?** Small clusters, simple traffic policies, and teams that already use Traefik ingress.

10. The meaning of OSM and AWS App Mesh sunsetting

**Open Service Mesh (Microsoft)** — sunset January 2024.

**AWS App Mesh** — sunset October 2024.

Two mesh shutdowns sent a signal to the industry.

**What OSM's end means**:

- Microsoft decided that **following Istio and Cilium adoption is more rational than maintaining its own mesh**.

- AKS (Azure Kubernetes Service) now recommends the Istio add-on by default.

- **The cloud-vendor-built-mesh model has limits** — it cannot keep up with community momentum.

**What App Mesh's end means**:

- AWS also gave up its own mesh. Customers are reverting to **AWS Cloud Map + ALB/NLB + OSS mesh on EKS (Istio / Linkerd)**.

- An acknowledgement that EKS customers picked Istio / Linkerd / Cilium far more often than App Mesh.

- AWS responded by **deprecating App Mesh and providing a migration guide**.

**Wider lessons**:

1. **Mesh consolidates where OSS community + CNCF umbrella is strongest** — Istio, Linkerd, Cilium, Kuma.

2. **Cloud-vendor-native meshes struggle to survive** — even Google builds ASM (Anthos Service Mesh) on top of Istio.

3. **The value of a mesh is portability** — spanning multiple clouds with one mesh. Vendor-locked meshes conflict with that value.

11. mTLS / RBAC / Traffic shifting / Observability patterns

Whichever mesh you pick, the operational patterns you must run are similar. Four big ones.

11.1 mTLS — the most common reason

The most common reason to install a mesh. The first step of zero-trust networking.

- **STRICT mode**: only mTLS allowed inside the mesh. External plaintext is rejected.

- **PERMISSIVE mode**: both mTLS and plaintext accepted. Used during migration.

- **CA management**: Istio uses istiod as CA, Cilium integrates with SPIRE, Consul delegates to Vault.

Operational tips:

- **Stage adoption**: PERMISSIVE first, then STRICT. Going straight to STRICT causes outages from unidentified plaintext flows.

- **External integrations**: databases, Kafka, external APIs live outside the mesh. Use an egress gateway to manage policy separately.

- **Certificate rotation**: 7 days by default. Too short increases control-plane load.

11.2 RBAC — who can call whom

Expressed as `AuthorizationPolicy` (Istio), `Server` / `ServerAuthorization` (Linkerd), `CiliumNetworkPolicy` (Cilium).

Istio example — only the frontend ServiceAccount can call backend's /api

apiVersion: security.istio.io/v1

kind: AuthorizationPolicy

metadata:

name: backend-policy

spec:

selector:

matchLabels:

app: backend

rules:

- from:

- source:

principals: ['cluster.local/ns/default/sa/frontend']

to:

- operation:

paths: ['/api/*']

Operational tips:

- **default-deny then allow rules**: the zero-trust pattern.

- **Use ServiceAccount-based principals** — namespace or label rules are fragile to changes.

- **Do not over-specify L7 policy** — fine-grained rules turn code changes into policy changes.

11.3 Traffic shifting — canary / blue-green / A/B

The killer feature of mesh. Weighted routing for gradual exposure.

Istio — 90% to v1, 10% to v2

apiVersion: networking.istio.io/v1

kind: VirtualService

metadata:

name: payment

spec:

hosts: ['payment']

http:

- route:

- destination: { host: payment, subset: v1 }

weight: 90

- destination: { host: payment, subset: v2 }

weight: 10

Operational tips:

- **Pair with Argo Rollouts / Flagger** for automated progressive delivery.

- **Metric-based auto rollback**: error rate or latency above threshold triggers automatic recovery.

- **Header-based routing for internal dogfood**: requests with a specific header go to v2 — let employees validate first.

11.4 Observability — golden signals

The four signals a mesh captures automatically:

1. **Traffic**: RPS, bytes/sec

2. **Errors**: 5xx rate, gRPC error codes

3. **Latency**: p50, p95, p99

4. **Saturation**: queue length, connection pool

Dashboards:

- **Istio**: Kiali (service graph) + Grafana (metrics) + Jaeger / Tempo (traces).

- **Linkerd**: its viz extension (lightweight).

- **Cilium**: Hubble UI (eBPF-based, very rich).

Operational tips:

- **Trace sampling at 1-5%**: 100% strains backends (Tempo / Jaeger).

- **Manage metric cardinality**: do not blindly stuff pod labels into metrics (Prometheus blows up).

- **Service graph is for discovery**: not for daily watching, but the fastest tool during an incident.

12. Sidecar vs ambient vs proxyless debate

The fiercest mesh debate of 2024-2026. Summarized:

- **Sidecar**: mature but expensive.

- **Ambient**: cheaper but adds new components.

- **eBPF / proxyless**: lightest but tied to kernel and CNI.

The sidecar argument (Istio sidecar, Linkerd 2/3)

- **Every feature works** — EnvoyFilter, WASM, telemetry v2.

- **Strong isolation** — one pod's mesh config does not affect another.

- **Debugging is intuitive** — find the pod's sidecar.

- Cost? "100 MB per pod is small compared to a cloud instance."

The ambient argument (Istio Ambient)

- **Massive memory and startup reduction** — 100 pods at 100 MB each is 10 GB you no longer need.

- **App and sidecar lifecycle decoupling** — sidecar update is no longer an app restart.

- **L4 / L7 separation** — waypoints only where L7 is needed.

- Downside? "Two new components to run. Still less burden than sidecar."

The eBPF / proxyless argument (Cilium)

- **No sidecar, no waypoint, no ztunnel** — kernel does the work.

- **L4 mTLS and policy in the kernel** — lightest.

- **Hubble observes everything without sampling** — rich observability.

- Downside? "L7 still needs Envoy. Kernel dependency is heavy."

The 2026 consensus (loose, but emerging)

1. **New clusters** → ambient (Istio) or eBPF (Cilium). Sidecar no longer recommended for greenfield.

2. **Existing sidecar clusters** → migrate gradually as the team has capacity.

3. **Picking a CNI from scratch** → Cilium is a strong candidate; if you choose Cilium, Cilium Service Mesh is the natural extension.

4. **Hybrid (VM + K8s)** → Consul Connect or Kuma.

The debate is not over. But the sidecar-only era is.

13. Korea and Japan case studies — Toss, Kakao, Mercari, Cybozu

Toss — Istio + gradual ambient experiments

Toss runs payments, securities, and banking on a single Kubernetes platform. Security and audit requirements made mTLS mandatory, and Istio sidecar was the original choice. From 2024-2025, Toss **introduced ambient mode on new clusters** and is migrating sidecar clusters gradually.

Key drivers:

- **Financial audit requirements**: consolidating mTLS, audit logs, and RBAC under the mesh.

- **Multi-cluster visibility**: Kiali + Grafana + Tempo combination.

- **Ambient for new clusters**: pod memory savings matter at thousand-pod scale.

Kakao — Istio + custom control plane tooling

Kakao runs large-scale microservices on Istio sidecar. It built **custom control-plane tooling** — a GitOps layer that makes VirtualService / DestinationRule changes safer and reduces friction between platform and product teams.

Key patterns:

- **Canary via custom progressive delivery tooling**: Argo Rollouts based.

- **mTLS STRICT, RBAC default-deny.**

- **Trace sampling at 1%, error traces at 100%.**

Mercari (Japan) — Istio + Cloud Run / GKE hybrid

Mercari started on GKE + Istio sidecar. As some workloads moved to Cloud Run, calls outside the mesh grew, and Mercari built clean **ingress / egress gateway patterns** to handle external integration.

From its tech blog:

- **mTLS mandatory for all service-to-service.**

- **Backstage + Istio CRD** integration so policy changes go through PR-based workflows.

- **gRPC + Envoy gRPC-Web filter** — frontend integration.

Cybozu (Japan) — Linkerd 2/3 for simplicity

Cybozu (kintone, etc.) is known for OSS-friendly engineering culture. **They chose Linkerd for simplicity**. Rather than absorb Istio's complexity, Cybozu preferred Linkerd's lighter operational pattern.

After Buoyant's 2024 paid-tier announcement they reassessed, but reportedly are considering **operating on the edge channel plus community builds** (no official statement — community speculation).

14. Who should pick what — decision tree

Q1. Do you actually need a mesh?

├── No (only mTLS) → cert-manager + library mTLS / SPIFFE/SPIRE directly

├── No (only traces) → OTel SDK + Tempo / Jaeger

└── Yes → next

Q2. What is the environment?

├── Pure K8s, single cluster

│ ├── Greenfield → Istio Ambient or Cilium Service Mesh

│ └── Existing sidecar → gradual migration

├── Pure K8s, multi-cluster

│ ├── OSS-only → Cilium ClusterMesh or Kuma

│ └── Need enterprise support → Gloo Mesh (solo.io)

├── Hybrid (VM + K8s)

│ └── Consul Connect or Kuma (Universal mode)

└── Very small cluster, simple policy

└── Traefik Mesh

Q3. Team capacity?

├── Small ops team → Linkerd 3 (if paid is acceptable) or Traefik Mesh

├── Large ops team → Istio Ambient (full feature)

└── eBPF experience → Cilium Service Mesh

Q4. CNI?

├── Already on Cilium → Cilium Service Mesh is natural

├── Calico / others → Istio Ambient / Linkerd

└── Cloud-default CNI → verify compatibility first

**One-line picks (as of May 2026)**:

- General greenfield K8s: **Istio Ambient** or **Cilium Service Mesh**.

- Small team, simplicity first: **Linkerd 3** (if paid is acceptable) or **Traefik Mesh**.

- Hybrid (VM + K8s): **Consul Connect** or **Kuma**.

- Multi-cluster enterprise: **Gloo Mesh**.

The most important meta-recommendation: **before installing a mesh, ask once more whether you can live without one.** Fewer teams genuinely need a mesh than think they do.

References

- Istio Ambient Mode — https://istio.io/latest/docs/ops/ambient/

- Istio 1.22 Release Notes (Ambient GA) — https://istio.io/latest/news/releases/1.22.x/announcing-1.22/

- Linkerd by Buoyant — https://linkerd.io/

- Buoyant stable release policy change (2024) — https://buoyant.io/blog/changes-to-stable-distribution

- Cilium Service Mesh — https://cilium.io/use-cases/service-mesh/

- Isovalent acquired by Cisco (2024) — https://www.isovalent.com/blog/post/welcome-isovalent-cisco/

- HashiCorp + IBM (2024) — https://www.hashicorp.com/blog/hashicorp-joins-ibm

- Consul Connect — https://developer.hashicorp.com/consul/docs/connect

- Kuma — https://kuma.io/

- Gloo Mesh (solo.io) — https://www.solo.io/products/gloo-mesh/

- Traefik Mesh — https://traefik.io/traefik-mesh/

- Open Service Mesh sunset announcement — https://github.com/openservicemesh/osm

- AWS App Mesh end-of-support — https://docs.aws.amazon.com/app-mesh/latest/userguide/what-is-app-mesh.html

- CNCF Service Mesh Landscape — https://landscape.cncf.io/?group=projects-and-products&view-mode=card#orchestration-management--service-mesh

- Envoy Proxy — https://www.envoyproxy.io/

- SPIFFE/SPIRE — https://spiffe.io/

- Service Mesh Interface (SMI) — https://smi-spec.io/

- Mercari Tech Blog (service mesh) — https://engineering.mercari.com/en/

- Cybozu Tech Blog — https://blog.cybozu.io/