Istio Namespace Isolation

I’m working on a project which requires a CockroachDB instance in multiple namespaces (prod/uat/dev), in an Istio-enabled Kubernetes cluster.


This is a companion discussion topic for the original entry at https://www.funkypenguin.co.nz/blog/istio-namespace-isolation-tricks/

Awesome!

  1. Would a different service mesh handle this better, like Maesh or Envoy proxy?
  2. How are you finding CockroachDB?
  3. This is a cool find and has many use cases, but in large enterprises would you have any dev or test traffic on prod networks / VLANs?
  4. Are the developers accessing via SQL? Have they considered an API gateway (Kong, Ambassador) and microservices?

Funny you should ask - just today, I’ve finished working through upgrading the platform from Istio 1.4.3 to 1.6…

  1. I don’t know. Istio is the king of the castle though, so for this project, we’re going with the top dog.
  2. It’s a PITA - we reverted back to PostgreSQL using Spilo, with the Zalando Postgres operator. I can’t remember exactly why cockroach didn’t fit, but IIRC it was to do with HA limitations.
  3. That’d depend on the enterprise, I guess. I’ve read about 1000-node clusters running many production workloads, and under those conditions it’s necessary to isolate traffic between namespaces. So I’d say yes, even if all your prod traffic is on a prod cluster, namespace isolation is important.
  4. The apps consuming PostgreSQL (what was once CockroachDB) are all within the cluster, so developer access is not an issue in this case :wink:

D
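For anyone landing here looking for what per-namespace isolation looks like in Istio terms, here is an added example (it is not from the original blog post or from any of the posters above, and it is not necessarily the "trick" the linked article uses). It assumes namespaces named `dev` and `prod`, Istio 1.6-era `v1beta1` APIs, sidecar injection enabled in both namespaces, and mTLS between workloads so that the peer namespace is a verified identity rather than a header.

```yaml
# Added example, not from the original page. Two pieces:
#  1. A namespace-wide Sidecar resource in "dev" that scopes the proxies'
#     outbound config to services in the same namespace plus istio-system.
#     This keeps dev sidecars from even being configured with routes to prod
#     (and shrinks per-proxy config on large clusters).
#  2. An AuthorizationPolicy in "prod" that only ALLOWs callers whose mTLS
#     identity is in the "prod" namespace. This is the actual enforcement;
#     the Sidecar resource alone is a config-scoping measure, not a boundary.
# Assumed names: namespaces "dev" and "prod", policy names are illustrative.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default          # a Sidecar named "default" with no workloadSelector
  namespace: dev         # applies to every workload in the namespace
spec:
  egress:
    - hosts:
        - "./*"            # services in this namespace only
        - "istio-system/*" # control plane and telemetry
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: same-namespace-only
  namespace: prod        # no selector: applies to all workloads in prod
spec:
  action: ALLOW
  rules:
    - from:
        - source:
            namespaces: ["prod"]   # requests from any other namespace are denied
```

Two caveats worth checking before relying on this. First, `source.namespaces` is derived from the caller's mTLS certificate, so it only means something when peer authentication is STRICT (or at least the caller is actually using mTLS); plaintext callers have no namespace identity and will simply be denied by the ALLOW policy, which is the safe failure. Second, the Sidecar resource changes what a proxy knows about, not what it is permitted to reach; you can confirm the prod clusters have disappeared from a dev proxy with `istioctl proxy-config cluster <dev-pod> -n dev`, and then verify the real boundary by curling a prod service from a dev pod and expecting an `RBAC: access denied` 403 from the prod sidecar.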