What is a RequestAuthentication policy, and how does it validate JWTs?
Istio & Service Mesh · Basic level
Answer
RequestAuthentication validates end-user or caller JWTs at the proxy. It tells Istio where to find the token and how to validate it using an issuer and JWKS. It authenticates the request token but does not by itself authorize access; AuthorizationPolicy enforces what is allowed.
Technical explanation
RequestAuthentication produces authenticated request principal information when the JWT is valid.
Invalid tokens are rejected when the policy applies, but rejecting requests that carry no token usually requires an AuthorizationPolicy if a token is mandatory.
It is useful at ingress gateways and internal services that need consistent JWT validation.
Hands-on example
JWT policy sketch:
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: app-jwt
  namespace: app
spec:
  selector:
    matchLabels:
      app: orders
  jwtRules:
  - issuer: https://issuer.example.com/
    jwksUri: https://issuer.example.com/.well-known/jwks.json
Then add an AuthorizationPolicy that requires requestPrincipals.
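A companion AuthorizationPolicy that makes the token mandatory for the same workload, as an added example that is not part of the original answer. It reuses the `app` namespace and `app: orders` selector from the sketch; the policy name `orders-require-jwt` is an assumption.

```yaml
# Added example: deny any request to the orders workload that has no
# authenticated request principal, i.e. no valid JWT was presented.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-require-jwt   # hypothetical name
  namespace: app
spec:
  selector:
    matchLabels:
      app: orders            # same workload as the RequestAuthentication
  action: DENY
  rules:
  - from:
    - source:
        # Matches requests whose request principal is empty.
        # A principal is only set after RequestAuthentication has
        # validated a JWT against the issuer and JWKS.
        notRequestPrincipals: ["*"]
# Resulting behaviour with both policies applied:
#   valid JWT   -> principal set, DENY rule does not match, request proceeds
#   invalid JWT -> rejected by RequestAuthentication (HTTP 401)
#   no JWT      -> no principal, DENY rule matches (HTTP 403)
```

Without this policy, a request with no Authorization header reaches the workload, because RequestAuthentication only rejects tokens that are present and invalid.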