What is a Gateway resource, and how does it differ from a Kubernetes Ingress?
Istio & Service Mesh · Basic level
Answer
An Istio Gateway configures an Envoy gateway proxy to accept traffic on specific ports, hosts, and TLS settings. Kubernetes Ingress is a simpler Kubernetes API for HTTP ingress, while Istio Gateway gives Istio-native control and is often paired with VirtualService for detailed routing.
Technical explanation
A Gateway selects gateway pods by label and describes what traffic those proxies should listen for.
A VirtualService then binds to that Gateway and defines routing to internal services.
For newer designs, Kubernetes Gateway API is increasingly preferred because it standardizes Gateway and route resources across implementations.
Hands-on example
Ingress pattern:
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: public-gw
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: app-tls
    hosts: [app.example.com]
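The manifest above only opens the listener. As an added example (not part of the original answer), here is the VirtualService that binds to public-gw, followed by the same exposure written with the Kubernetes Gateway API. The resource names app-routes and public-gw-k8s, the backend Service app on port 8080, and the use of Istio's istio GatewayClass are assumptions.

```yaml
# Added example. Assumed names: app-routes, public-gw-k8s, Service "app" on 8080.
# Istio API: the VirtualService binds to the Gateway and routes to an internal service.
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: app-routes
spec:
  hosts: [app.example.com]      # must match a host the Gateway serves
  gateways: [public-gw]         # same-namespace reference to the Gateway
  http:
  - route:
    - destination:
        host: app               # assumed internal Service
        port:
          number: 8080
---
# Kubernetes Gateway API: listener and TLS termination on the Gateway, routing on the HTTPRoute.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: public-gw-k8s
spec:
  gatewayClassName: istio       # assumes Istio is the Gateway API implementation
  listeners:
  - name: https
    hostname: app.example.com
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - name: app-tls           # TLS Secret, same name as credentialName above
    allowedRoutes:
      namespaces:
        from: Same              # only routes in this namespace may attach
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app-routes
spec:
  parentRefs:
  - name: public-gw-k8s
  hostnames: [app.example.com]
  rules:
  - backendRefs:
    - name: app                 # assumed backend Service
      port: 8080
```

With the Istio Gateway, the Secret named in credentialName must live in the same namespace as the gateway workload that the selector matches.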