What is an AuthorizationPolicy, and how do you enforce service-to-service access control?
Istio & Service Mesh · Basic level
Answer
AuthorizationPolicy enforces access control for workloads. It can allow, deny, or audit traffic based on source workload identity, namespace, principals, HTTP methods, paths, ports, IP blocks, and JWT claims.
Technical explanation
mTLS gives authenticated workload identity; AuthorizationPolicy uses that identity to enforce least privilege.
DENY policies need care: a single broad DENY rule can cut off traffic across an entire namespace.
Policies should be tested with dry run or limited scope before production enforcement.
Hands-on example
Allow only the frontend service account to call the orders workload:
```yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders            # applies to pods labelled app=orders in the orders namespace
  action: ALLOW              # once this policy selects the workload, requests matching no rule are denied
  rules:
  - from:
    - source:
        # workload identity of the frontend service account, established by mTLS
        principals: ["cluster.local/ns/frontend/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
```
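As an added example (not code from this page or from the Istio project), a small Python model of the order in which Istio evaluates AuthorizationPolicy for one request: DENY policies are checked first, then ALLOW, and once any ALLOW policy selects a workload, a request that matches none of its rules is rejected. It assumes every policy passed in already selects the target workload, models only the fields used above with exact matching (no wildcards or `when` conditions), and adds a constructed DENY policy for `/admin` to show precedence.

```python
# Added example, not code from the page or from Istio: a small model of how Istio
# evaluates AuthorizationPolicy for one request. Modelled fields: source.principals,
# source.namespaces, operation.methods, operation.paths (exact match only; no
# wildcards or `when`). Every policy passed in is assumed to select the workload.

def _match(allowed, value):
    """An absent or empty field matches anything; otherwise the value must be listed."""
    return not allowed or value in allowed

def _entry_ok(entry, req, fields):
    """All fields inside one source/operation entry must match (AND)."""
    return all(_match(entry.get(f), req[k]) for f, k in fields)

SRC = (("principals", "principal"), ("namespaces", "namespace"))
OP = (("methods", "method"), ("paths", "path"))

def rule_matches(rule, req):
    """Entries within `from` or `to` are ORed; the two sections are ANDed."""
    froms, tos = rule.get("from", []), rule.get("to", [])
    return ((not froms or any(_entry_ok(f["source"], req, SRC) for f in froms))
            and (not tos or any(_entry_ok(t["operation"], req, OP) for t in tos)))

def policy_matches(policy, req):
    return any(rule_matches(r, req) for r in policy["spec"].get("rules", []))

def evaluate(policies, req):
    """Istio order: DENY policies first, then ALLOW; default allow only if no ALLOW policy."""
    denies = [p for p in policies if p["spec"].get("action", "ALLOW") == "DENY"]
    allows = [p for p in policies if p["spec"].get("action", "ALLOW") == "ALLOW"]
    if any(policy_matches(p, req) for p in denies):
        return "DENY"    # a matching DENY always wins
    if not allows:
        return "ALLOW"   # no ALLOW policy selects the workload: default allow
    return "ALLOW" if any(policy_matches(p, req) for p in allows) else "DENY"

# The page's allow-frontend policy as a dict mirroring its YAML.
ALLOW_FRONTEND = {"spec": {"action": "ALLOW", "rules": [
    {"from": [{"source": {"principals": ["cluster.local/ns/frontend/sa/frontend"]}}],
     "to": [{"operation": {"methods": ["GET", "POST"]}}]}]}}
# Constructed DENY policy (not on the page) showing that DENY is checked before ALLOW.
DENY_ADMIN = {"spec": {"action": "DENY", "rules": [{"to": [{"operation": {"paths": ["/admin"]}}]}]}}

def request(principal, method, path):
    ns = principal.split("/")[2]   # principal format: cluster.local/ns/<ns>/sa/<sa>
    return {"principal": principal, "namespace": ns, "method": method, "path": path}

if __name__ == "__main__":
    req = request("cluster.local/ns/frontend/sa/frontend", "DELETE", "/orders")
    print(evaluate([ALLOW_FRONTEND, DENY_ADMIN], req))   # DENY: method not in the ALLOW rule
```

Running a candidate policy set through `evaluate()` with the requests you expect to allow and to block is a cheap sanity check before applying the policy to a cluster.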