What problem does Istio solve that Kubernetes Services alone do not?
Istio & Service Mesh · Basic level
Answer
Kubernetes Services provide stable virtual IPs, DNS names, and basic L4 load balancing. Istio adds service identity, mTLS, L7 routing, retries, timeouts, circuit breaking, telemetry, and policy controls that Kubernetes Services alone do not provide.
Technical explanation
A Kubernetes Service does not know that version v2 should receive 5 percent of traffic or that requests with a specific header should go to a canary.
Kubernetes NetworkPolicy can control L3/L4 network access, but it does not provide HTTP-method, path, JWT-claim, or service-identity decisions at L7.
Istio complements Kubernetes rather than replacing Services; it uses Services as part of service discovery.
Hands-on example
Compare:
- Kubernetes Service: app calls http://reviews.default.svc.cluster.local.
- Istio VirtualService: route 90 percent to reviews v1 and 10 percent to reviews v2, with timeout, retry, and telemetry.
This gives release control without changing the application endpoint.
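The Istio side of the comparison above, written out as configuration. This is an added example, not part of the original page; the pod labels `version: v1` / `version: v2`, the `default` namespace, and the timeout and retry values are assumptions chosen for illustration.

```yaml
# DestinationRule: defines the v1 and v2 subsets that the VirtualService routes to.
# Assumes the reviews pods carry a "version" label (hypothetical labels).
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: default
spec:
  host: reviews.default.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
# VirtualService: 90/10 weighted split with a timeout and retries.
# Callers keep using http://reviews.default.svc.cluster.local unchanged.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
  namespace: default
spec:
  hosts:
  - reviews.default.svc.cluster.local
  http:
  - route:
    - destination:
        host: reviews.default.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: reviews.default.svc.cluster.local
        subset: v2
      weight: 10
    timeout: 5s            # overall request deadline (assumed value)
    retries:
      attempts: 3          # assumed value
      perTryTimeout: 2s    # assumed value
      retryOn: 5xx,connect-failure,reset
# Telemetry is not configured here: the Envoy proxies handling this
# traffic report request metrics themselves.
```

The weights must add up to 100, and the DestinationRule should be applied before the VirtualService so that the subsets exist when routing starts to reference them.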