The platform layer for service-to-service traffic. Learn sidecars and ambient mode, traffic management, mTLS and zero trust, resilience patterns and mesh observability — and remember it with spaced repetition.
A service mesh is a dedicated infrastructure layer that handles service-to-service communication — routing, security and telemetry — outside your application code. Proxies (Envoy sidecars in Istio, micro-proxies in Linkerd, or ambient/sidecarless modes) sit on the request path, so every call gets mTLS, retries and metrics without touching the app.
The mental model that makes everything click is the split between the data plane (the proxies moving your traffic) and the control plane (the brain configuring them). From there the features follow: traffic splitting for canary releases, retry budgets that prevent retry storms, authorization policies for zero-trust networking, and RED metrics for every service — for free.
This track is the advanced tier of the Kubernetes family: it assumes you know Pods, Services and Deployments, and stays vendor-neutral — concepts first, with Istio and Linkerd named where the implementations genuinely differ. Spaced repetition keeps the distinctions sharp for design reviews and interviews alike.
Each module is a set of flashcards — 80 in total. Answer, review, and watch your knowledge grow from seed to full bloom.
What a mesh is, data vs control plane, sidecars, ambient mode, and when to use one
16 cards
L7 routing, canary releases, retries and timeouts, mirroring, and load balancing
16 cards
Mutual TLS, workload identity, authorization policies, and zero-trust networking
16 cards
Circuit breaking, outlier detection, fault injection, rate limiting, and failover
16 cards
Golden signals from the proxies, RED metrics, tracing propagation, and access logs
16 cards
A taste of the real flashcards. Pick an answer, then reveal the explanation.
What is a service mesh?
How does a canary release work with a mesh?
Which class of attack remains possible even with mesh mTLS everywhere?
What is the mesh's role in distributed tracing?
Each card is one practical concept with multiple options. Pick what you think is right.
See the correct option plus a clear explanation, and a link to deeper docs when one is available.
A spaced-repetition engine (SM-2 or FSRS) resurfaces each card just before you would forget it.
mTLS, canary routing and golden-signal metrics for every service without changing application code — once you know how to wield them.
Workload identity and authorization policies are how modern clusters drop the "trusted internal network" assumption.
Circuit breaking, outlier ejection and retry budgets tame cascading failures — if you understand what each knob really does.
Mesh architecture questions (sidecar vs ambient, on-path vs control plane) are staples of platform and SRE interviews.
Yes — the track assumes you are comfortable with Pods, Services and Deployments. The Kubernetes tracks cover those fundamentals if you need them first.
Neither — the cards teach mesh concepts that hold across implementations, and name Istio or Linkerd explicitly where they genuinely differ (Envoy sidecars vs micro-proxies, ambient mode, Viz extension).
Yes, completely free. No registration or credit card is required, and all your progress is stored locally in your browser.
Not always — and the track says so. One of the concepts covered is when a mesh is overkill and plain Kubernetes Services with NetworkPolicies are the better call.
Plant your first seed today. Ten minutes a day is all it takes to turn mesh buzzwords into working knowledge.