Why would you start with PERMISSIVE mTLS during a rollout?
Istio & Service Mesh · Basic level
Answer
I start with PERMISSIVE mTLS because it reduces migration risk. It allows existing plaintext clients and newly meshed clients to coexist while we identify traffic paths, fix missing injection, and validate that mTLS is actually negotiated before enforcing STRICT.
Technical explanation
Large clusters often have cronjobs, legacy clients, external callers, and ad-hoc tools that are easy to miss.
PERMISSIVE mode lets telemetry expose which workloads are using mTLS without immediately causing outages.
The migration should still have a deadline; PERMISSIVE should be a rollout phase, not the final security posture.
Hands-on example
Rollout plan:
1. Enable sidecar injection or ambient in one namespace.
2. Apply PeerAuthentication PERMISSIVE.
3. Verify that mTLS is actually negotiated, using tls-check output and request metrics.
4. Fix non-mesh callers.
5. Apply STRICT during a controlled window.
6. Alert on plaintext attempts or 403/503 spikes.
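As an added example (not code from the original page), here is a check for step 3: it reads destination-reported istio_requests_total samples, groups them by connection_security_policy, and names the workloads still receiving plaintext so they can be fixed before STRICT is applied. The metrics text is constructed; the metric and label names are Istio's standard telemetry labels.

```python
import re
from collections import defaultdict

# Constructed sample (not real cluster data): istio_requests_total as scraped from a
# destination sidecar in Prometheus text format, label set trimmed to what the check needs.
SAMPLE_METRICS = """
# TYPE istio_requests_total counter
istio_requests_total{reporter="destination",destination_workload_namespace="shop",destination_workload="payments",connection_security_policy="mutual_tls",response_code="200"} 1840
istio_requests_total{reporter="destination",destination_workload_namespace="shop",destination_workload="payments",connection_security_policy="none",response_code="200"} 37
istio_requests_total{reporter="destination",destination_workload_namespace="shop",destination_workload="catalog",connection_security_policy="mutual_tls",response_code="200"} 9120
istio_requests_total{reporter="destination",destination_workload_namespace="shop",destination_workload="catalog",connection_security_policy="mutual_tls",response_code="503"} 4
istio_requests_total{reporter="source",destination_workload_namespace="shop",destination_workload="catalog",connection_security_policy="unknown",response_code="200"} 9120
"""

SAMPLE_RE = re.compile(r'^(\w+)\{([^}]*)\}\s+(\S+)$')
LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_samples(text):
    """Yield (metric_name, labels, value) for each sample line, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if m:
            name, raw_labels, value = m.groups()
            yield name, dict(LABEL_RE.findall(raw_labels)), float(value)

def plaintext_by_workload(text):
    """Per destination workload (ns/name): requests that arrived over mTLS vs plaintext.
    Only reporter="destination" samples count; the receiving proxy is the one that knows
    whether the inbound connection was mTLS (source-side samples say "unknown")."""
    counts = defaultdict(lambda: {"mutual_tls": 0.0, "none": 0.0})
    for name, labels, value in parse_samples(text):
        if name != "istio_requests_total" or labels.get("reporter") != "destination":
            continue
        policy = labels.get("connection_security_policy")
        if policy in ("mutual_tls", "none"):
            key = labels.get("destination_workload_namespace", "?") + "/" + labels.get("destination_workload", "?")
            counts[key][policy] += value
    return dict(counts)

def strict_ready(text):
    """Workloads with zero plaintext requests are safe to move to STRICT; the rest
    still have non-mesh callers to fix before the enforcement window."""
    summary = plaintext_by_workload(text)
    ready = sorted(w for w, c in summary.items() if c["none"] == 0)
    blocked = sorted(w for w, c in summary.items() if c["none"] > 0)
    return ready, blocked
```

Run against a real scrape, the same grouping feeds step 6: any workload whose "none" counter keeps growing after STRICT is applied is a caller that was missed.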