What is a PeerAuthentication policy?
Istio & Service Mesh · Basic level
Answer
A PeerAuthentication policy controls how a workload's sidecar accepts inbound connections from peers, principally the mutual TLS (mTLS) mode: STRICT accepts only mTLS, PERMISSIVE accepts both mTLS and plaintext, and DISABLE turns mTLS off. It can be applied mesh-wide, namespace-wide, or to specific workloads via a selector, and it determines whether inbound traffic must present a mesh identity over mutual TLS.
Technical explanation
PeerAuthentication is about peer identity and transport authentication (the workload certificate presented on the connection), not end-user authentication; JWT validation is handled by RequestAuthentication.
Precedence is most-specific-wins: a policy with a selector applies only to matching workloads in its namespace; a policy without a selector applies to the whole namespace; a policy without a selector in the mesh root namespace (istio-system by default) is mesh-wide. Where several policies compete at the same level, Istio uses the oldest one, so a single policy conventionally named "default" per namespace avoids surprises. Selector policies can also set portLevelMtls to override the mode for individual ports, and a mode of UNSET inherits from the next level up. With no policy at all, the mesh defaults to PERMISSIVE.
It is commonly used to move from PERMISSIVE to STRICT mTLS in stages: confirm all clients are sending mTLS, tighten one namespace at a time, and carve out any legacy port that still needs plaintext before making the mesh-wide default STRICT.
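The precedence rules above are easy to get wrong during a staged rollout, because the mode a workload actually enforces depends on which of several policies wins. The following is an added example, not Istio code or anything from the original page: it re-implements the documented precedence (workload selector > namespace-wide > mesh-wide > built-in PERMISSIVE default, oldest policy winning a tie) over plain dicts that mirror the YAML manifests, so you can predict the effective mode before applying a policy. It assumes istio-system is the mesh root namespace, applies the oldest-wins tie rule to selector policies as well (an assumption), and the three policies in STAGED_POLICIES are constructed for the example.

```python
"""Predict the effective PeerAuthentication mTLS mode for a workload.

Added example, not Istio's own code. Policies are plain dicts that mirror
the PeerAuthentication YAML manifests you would kubectl apply.
"""

ROOT_NAMESPACE = "istio-system"   # assumed mesh root namespace (Istio's default)
DEFAULT_MODE = "PERMISSIVE"       # Istio's behaviour when no policy applies


def _selector_matches(selector, labels):
    """A selector matches when every matchLabels entry is present on the workload."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def _oldest(policies):
    """When several policies compete at one level, the oldest one wins."""
    return min(policies, key=lambda p: p["metadata"].get("creationTimestamp", ""))


def effective_mtls_mode(policies, namespace, labels, port=None):
    """Return the mTLS mode enforced for inbound traffic to one workload.

    Precedence (most specific wins): policy with a matching selector in the
    workload's namespace > namespace-wide policy (no selector) > mesh-wide
    policy (no selector, root namespace) > DEFAULT_MODE. portLevelMtls is only
    honoured on selector policies; UNSET (or a missing mtls block) inherits
    from the next level up.
    """
    workload = [p for p in policies
                if p["metadata"]["namespace"] == namespace
                and "selector" in p["spec"]
                and _selector_matches(p["spec"]["selector"], labels)]
    ns_wide = [p for p in policies
               if p["metadata"]["namespace"] == namespace
               and "selector" not in p["spec"]]
    mesh_wide = [p for p in policies
                 if p["metadata"]["namespace"] == ROOT_NAMESPACE
                 and "selector" not in p["spec"]]

    # Walk from most to least specific; stop at the first level that sets a mode.
    for level in (workload, ns_wide, mesh_wide):
        if not level:
            continue
        spec = _oldest(level)["spec"]
        if level is workload and port is not None:
            port_mode = spec.get("portLevelMtls", {}).get(port, {}).get("mode", "UNSET")
            if port_mode != "UNSET":
                return port_mode
        mode = spec.get("mtls", {}).get("mode", "UNSET")
        if mode != "UNSET":
            return mode
    return DEFAULT_MODE


# Constructed manifests for a staged rollout (names, namespaces and timestamps are made up).
STAGED_POLICIES = [
    {   # stage 1: mesh-wide policy, still permissive while clients are checked
        "metadata": {"name": "default", "namespace": "istio-system",
                     "creationTimestamp": "2024-01-01T00:00:00Z"},
        "spec": {"mtls": {"mode": "PERMISSIVE"}},
    },
    {   # stage 2: the payments namespace goes STRICT
        "metadata": {"name": "default", "namespace": "payments",
                     "creationTimestamp": "2024-02-01T00:00:00Z"},
        "spec": {"mtls": {"mode": "STRICT"}},
    },
    {   # carve-out: one legacy workload keeps accepting plaintext on port 8080 only
        "metadata": {"name": "legacy-batch", "namespace": "payments",
                     "creationTimestamp": "2024-02-02T00:00:00Z"},
        "spec": {"selector": {"matchLabels": {"app": "legacy-batch"}},
                 "mtls": {"mode": "UNSET"},
                 "portLevelMtls": {8080: {"mode": "PERMISSIVE"}}},
    },
]


def rollout_report(policies):
    """Effective mode for a few constructed workloads, useful before a STRICT cut-over."""
    return {
        "payments/api": effective_mtls_mode(policies, "payments", {"app": "api"}),
        "payments/legacy-batch:8080": effective_mtls_mode(
            policies, "payments", {"app": "legacy-batch"}, port=8080),
        "payments/legacy-batch:9090": effective_mtls_mode(
            policies, "payments", {"app": "legacy-batch"}, port=9090),
        "billing/api": effective_mtls_mode(policies, "billing", {"app": "api"}),
    }


if __name__ == "__main__":
    for workload, mode in rollout_report(STAGED_POLICIES).items():
        print(f"{workload:30} {mode}")
```

Running it shows payments/api and the legacy workload's non-exempt port 9090 at STRICT, the legacy port 8080 at PERMISSIVE, and the untouched billing namespace still inheriting PERMISSIVE from the mesh-wide policy. Adding a second, newer namespace-wide policy in payments with a different mode changes nothing, which is exactly the oldest-wins behaviour that catches people out when they try to "override" by creating another policy.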
Hands-on example
Namespace-wide STRICT example (no selector, so it applies to every workload in payments):
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
Validate:
$ istioctl analyze -n payments
$ istioctl x describe pod <api-pod-name> -n payments
The second command reports the PeerAuthentication that applies to the pod; the older istioctl authn tls-check subcommand has been removed from current istioctl releases. As a behavioural check, a plaintext request to the service from a pod that has no sidecar should now be rejected, while sidecar-to-sidecar traffic keeps working.
More Istio & Service Mesh interview questions
- What is Istio, and what are the core capabilities it provides?
- What is the difference between the Istio control plane and data plane?
- What is istiod, and what does it do?
- What is Envoy, and what role does it play in Istio?
- What is the sidecar pattern, and how does Istio inject the proxy?
- How does automatic sidecar injection work (namespace label, webhook)?
- What is the Istio ambient (sidecarless) mode, and how does it differ from sidecar mode?
- What is the difference between ztunnel and a waypoint proxy in ambient mode?