What is the difference between PERMISSIVE and STRICT mTLS mode?
Istio & Service Mesh · Basic level
Answer
PERMISSIVE mTLS accepts both plaintext and mTLS traffic, while STRICT requires mTLS. PERMISSIVE is useful during migration; STRICT is the target for strong zero-trust enforcement inside the mesh.
Technical explanation
PERMISSIVE lets meshed and non-meshed workloads communicate while sidecars or ambient enrollment are rolled out.
STRICT prevents plaintext clients from connecting to protected workloads.
A namespace should move to STRICT only after all expected callers are in the mesh and telemetry shows mTLS is being used.
Hands-on example
Migration check (run against the namespace you intend to move to STRICT):
$ istioctl authn tls-check deploy/backend -n app   # removed in Istio 1.5 and later; use `istioctl x describe pod <pod> -n app` to see the applied PeerAuthentication and mTLS status
$ kubectl get pods -n app --show-labels            # sidecar mode: look for the injection labels; ambient mode: check the namespace/pod label istio.io/dataplane-mode
$ kubectl get pods -n app -o custom-columns=NAME:.metadata.name,CONTAINERS:.spec.containers[*].name   # every sidecar-mode pod should list istio-proxy
If any required client lacks an istio-proxy container (sidecar mode) or ambient enrollment, do not switch that path to STRICT yet: its plaintext requests would be rejected as soon as the policy takes effect.
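The page describes the policy modes and the pre-flight check but never shows the objects involved. The script below is an added example, not code from the original page or from the Istio project: it renders the namespace-wide PeerAuthentication used to set PERMISSIVE or STRICT, and audits a constructed `kubectl get pods -o custom-columns` listing (pod names and container lists are made up) for pods that still lack the istio-proxy sidecar. The `render_peer_auth`, `pods_without_sidecar` and `strict_ready` helpers are this example's own names; the PeerAuthentication fields are the real API.

```shell
#!/bin/sh
# Added example: PERMISSIVE -> STRICT migration helpers. Not from the original
# page or the Istio project. Covers sidecar mode only; ambient-enrolled pods carry
# no istio-proxy container, so for them check the istio.io/dataplane-mode label.

# Render a namespace-wide PeerAuthentication for the given namespace and mode.
# Only PERMISSIVE and STRICT are accepted; anything else is rejected.
render_peer_auth() {
  ns="$1"; mode="$2"
  case "$mode" in
    PERMISSIVE|STRICT) ;;
    *) echo "render_peer_auth: unsupported mode '$mode'" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: $ns
spec:
  mtls:
    mode: $mode
EOF
}

# Read the output of
#   kubectl get pods -n <ns> -o custom-columns=NAME:.metadata.name,CONTAINERS:.spec.containers[*].name
# on stdin and print the names of pods whose container list has no istio-proxy.
# Column 2 is comma-separated, so match istio-proxy as a whole list element.
pods_without_sidecar() {
  awk 'NR > 1 && $2 !~ /(^|,)istio-proxy(,|$)/ { print $1 }'
}

# Decide whether the listing on stdin is ready for STRICT: returns 0 when every
# pod carries the sidecar, 1 (and lists the offenders) otherwise.
strict_ready() {
  missing=$(pods_without_sidecar)
  if [ -n "$missing" ]; then
    printf 'not ready for STRICT; pods without istio-proxy:\n%s\n' "$missing"
    return 1
  fi
  echo "all pods carry istio-proxy; namespace can move to STRICT"
  return 0
}

# Constructed sample listing (not real cluster output): one legacy job was
# started before injection was enabled and has no sidecar.
SAMPLE_PODS='NAME                          CONTAINERS
backend-7d9f8c6b5-abcde       backend,istio-proxy
frontend-5c4b7d8f9-fghij      frontend,istio-proxy
legacy-batch-6f7a8b9c0-klmno  batch'

# Real usage would be:
#   render_peer_auth app PERMISSIVE | kubectl apply -f -
#   kubectl get pods -n app -o custom-columns=NAME:.metadata.name,CONTAINERS:.spec.containers[*].name | strict_ready \
#     && render_peer_auth app STRICT | kubectl apply -f -
# Here the constructed sample is audited instead; exit status 1 is the expected
# verdict for it, so the failure is tolerated to keep the demo non-fatal.
printf '%s\n' "$SAMPLE_PODS" | strict_ready || true
```

Apply the PERMISSIVE object first, keep it in place while sidecars or ambient enrollment roll out, and only pipe the STRICT object to `kubectl apply` once the audit passes and your telemetry confirms callers are already negotiating mTLS; a workload- or port-level PeerAuthentication can keep a single legacy path PERMISSIVE while the rest of the namespace is STRICT.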