What is a ServiceEntry, and when do you need one?
Istio & Service Mesh · Basic level
Answer
A ServiceEntry adds external or otherwise non-Kubernetes services to Istio's service registry. I use it when mesh workloads must call an external API, database, VM, or service that Istio cannot discover from Kubernetes Services.
Technical explanation
ServiceEntry lets Istio understand the host, ports, protocols, resolution mode, and endpoints for external services.
It is required in locked-down meshes when outbound traffic policy allows only registered external services.
It can be combined with VirtualService, DestinationRule, and egress gateway routing.
Hands-on example
Example external API:
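```yaml
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: partner-api
spec:
  hosts: [api.partner.com]
  location: MESH_EXTERNAL   # the service runs outside the mesh
  ports:
    - number: 443
      name: https
      protocol: TLS         # passed through as opaque TLS, matched by SNI
  resolution: DNS           # the proxy resolves the host name via DNS
```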
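The locked-down case mentioned in the technical explanation, as an added example that is not part of the original page: the mesh rejects unregistered egress, and the ServiceEntry is scoped to the one namespace that needs it. The `payments` namespace is an assumption made for illustration.

```yaml
# Mesh-wide install setting: sidecars drop outbound traffic to any host
# that is not in the service registry (the default mode is ALLOW_ANY).
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
---
# Registers the single external host, visible only inside its own namespace.
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: partner-api
  namespace: payments          # assumed namespace
spec:
  hosts:
    - api.partner.com
  exportTo:
    - "."                      # without this, the entry is exported to all namespaces
  location: MESH_EXTERNAL
  ports:
    - number: 443
      name: https
      protocol: TLS
  resolution: DNS
---
# Limits what the namespace's proxies are configured to reach: services in
# their own namespace (including the ServiceEntry above) and istio-system.
apiVersion: networking.istio.io/v1
kind: Sidecar
metadata:
  name: default
  namespace: payments          # assumed namespace
spec:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
    - hosts:
        - "./*"
        - "istio-system/*"
```

REGISTRY_ONLY is enforced by the sidecar proxy itself, so it is usually paired with an egress gateway and a Kubernetes NetworkPolicy so that traffic bypassing the proxy is also blocked.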