What is mutual TLS (mTLS), and how does Istio provide it automatically?
Istio & Service Mesh · Basic level
Answer
mTLS means both client and server authenticate each other using certificates, then encrypt the connection. Istio provides this automatically by issuing workload certificates, configuring proxies with identities, and using those identities during service-to-service communication.
Technical explanation
Each workload gets a SPIFFE-like identity tied to its service account and trust domain.
Envoy proxies use certificates from Istio to establish encrypted and authenticated connections.
Once mTLS is enabled, policy can reason about authenticated service identity instead of relying only on IP addresses.
Hands-on example
Check mTLS:

```shell
# Older istioctl releases only; the `authn tls-check` subcommand has since been removed.
$ istioctl authn tls-check deploy/frontend.app
# Inspect the workload certificate and root CA loaded into the frontend sidecar
$ istioctl proxy-config secret deploy/frontend -n app
```
Apply STRICT in a namespace:

```yaml
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: app
spec:
  mtls:
    mode: STRICT
```
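Once STRICT mTLS is in place, the authenticated SPIFFE identity can drive authorization. The following AuthorizationPolicy is an added example, not from the original page: it assumes the default `cluster.local` trust domain, a `backend` Deployment labelled `app: backend` in namespace `app`, and a `frontend` workload running under the `frontend` service account.

```yaml
# Added example (assumed names: trust domain cluster.local, namespace app,
# workload label app=backend, caller service account frontend).
# Only the frontend service account may call backend, and only with GET.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: backend-allow-frontend
  namespace: app
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
  - from:
    - source:
        # Istio principal format: <trust-domain>/ns/<namespace>/sa/<service-account>,
        # taken from the SPIFFE URI SAN of the client certificate presented over mTLS.
        principals: ["cluster.local/ns/app/sa/frontend"]
    to:
    - operation:
        methods: ["GET"]
```

The `principals` field matches only identities proven by mTLS, so a plaintext caller has no principal and is denied by this ALLOW rule even if the namespace were left in PERMISSIVE mode; pairing it with the STRICT PeerAuthentication above rejects plaintext at the transport layer as well.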