What is a service mesh, and what problem does it solve?
Istio & Service Mesh · Basic level
Answer
A service mesh is a dedicated infrastructure layer that manages service-to-service communication, usually through sidecar proxies deployed next to each workload. It solves the problem of doing traffic management, security (like mTLS), and observability consistently across many services without baking that logic into each application.
Technical explanation
As a system grows into many microservices, concerns like retries, timeouts, mutual TLS, and telemetry get reimplemented inconsistently in every service and language. A mesh moves those concerns into a shared data plane of proxies, controlled by a central control plane.
The data plane (for example, Envoy sidecars) intercepts traffic and enforces routing, encryption, and metrics. The control plane (for example, Istiod in Istio) distributes configuration and certificates to the proxies.
The tradeoff is added complexity and some latency and resource overhead per proxy, so a mesh is worth adopting when you actually need cross-cutting traffic, security, and observability policy at scale.
Hands-on example
A minimal way to see the value on a Kubernetes cluster:
$ istioctl install --set profile=demo -y
$ kubectl label namespace default istio-injection=enabled
$ kubectl apply -f your-app.yaml
$ istioctl proxy-status
Then enable mTLS with a PeerAuthentication policy and route traffic with a VirtualService to demonstrate security and traffic management without changing the application code.