What is Istio, and what are the core capabilities it provides?
Istio & Service Mesh · Basic level
Answer
Istio is a service mesh implementation for Kubernetes and other environments. Its core capabilities are traffic management, security, and observability: routing, canary releases, retries, timeouts, mTLS, authorization, JWT validation, metrics, logs, traces, and integration with gateways.
Technical explanation
Istio provides APIs such as VirtualService, DestinationRule, Gateway, ServiceEntry, PeerAuthentication, RequestAuthentication, and AuthorizationPolicy.
The data plane can run as Envoy sidecars or, in ambient mode, through node-level ztunnel plus optional waypoint proxies.
The control plane, mainly istiod, translates high-level Istio and Kubernetes configuration into proxy configuration.
Hands-on example
Hands-on checklist:
$ istioctl install --set profile=demo -y
$ kubectl create namespace app
$ kubectl label namespace app istio-injection=enabled
$ kubectl apply -n app -f deployment.yaml
$ istioctl proxy-status
Then add a VirtualService for traffic routing, a PeerAuthentication for mTLS, and an AuthorizationPolicy for access control.
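A minimal set of the three resources named above, as an added example rather than configuration from the original page. The workload label `app: web`, the service `web` on port 8080, the service account `frontend` and the default `cluster.local` trust domain are assumptions.

```yaml
# Added example; "web", port 8080 and service account "frontend" are assumed names.
# On Istio releases older than 1.22, use the v1beta1 API versions instead of v1.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: app
spec:
  mtls:
    mode: STRICT            # PERMISSIVE would still accept plaintext from non-mesh clients
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: web-allow-frontend
  namespace: app
spec:
  selector:
    matchLabels:
      app: web
  action: ALLOW             # once an ALLOW policy selects a workload, unmatched requests are denied
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/app/sa/frontend"]  # identity taken from the mTLS certificate
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/*"]
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: web
  namespace: app
spec:
  hosts:
  - web
  http:
  - route:
    - destination:
        host: web
        port:
          number: 8080
    timeout: 6s             # overall budget: first try plus 2 retries at 2s each
    retries:
      attempts: 2
      perTryTimeout: 2s
      retryOn: 5xx,connect-failure
```

Apply the file with `kubectl apply -f`, then run `istioctl analyze -n app` to catch configuration problems. The `principals` match only works when the caller connects over mTLS, which is why the STRICT PeerAuthentication is paired with the AuthorizationPolicy.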