How does Istio issue and rotate workload certificates (SPIFFE/SPIRE concepts)?
Istio & Service Mesh · Intermediate level
Answer
Istio issues and rotates workload certificates through its CA functionality in istiod. Workload identities are commonly represented as SPIFFE-style URIs based on trust domain, namespace, and service account, which allows proxies to authenticate services rather than IP addresses.
Technical explanation
A typical identity looks like spiffe://cluster.local/ns/payments/sa/payments-api.
The sidecar proxy obtains its workload certificate (and the trust bundle it uses to verify peers) from the control plane and presents it in mTLS handshakes; the control plane reissues the certificate before it expires so the proxy never runs with an expired identity.
SPIRE is a separate SPIFFE implementation; Istio uses SPIFFE concepts and can integrate with external CA or trust-domain models depending on architecture.
Hands-on example
Inspect a workload cert:
$ istioctl proxy-config secret deploy/payments-api -n payments
$ istioctl proxy-config secret deploy/payments-api -n payments -o json
Check the subject, the SPIFFE URI in the SAN, the expiry time, and, by comparing the validity window across repeated runs, whether certificates are being renewed before they expire.
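The checks above can be scripted. The following Go program is an added example, not part of the original page and not Istio's own code: it decomposes an Istio-style SPIFFE URI (trust domain, namespace, service account) as described under the technical explanation, and then inspects a PEM leaf certificate the way a reviewer would read the istioctl output, confirming the URI SAN matches the expected identity and flagging a certificate that is past its rotation point. The self-signed certificate it builds is constructed test data standing in for an istiod-issued one, and the RotationGraceRatio of 0.5 is an assumption used as the "should have been renewed by now" threshold.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// SPIFFEID is the decomposed form of spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>.
type SPIFFEID struct {
	TrustDomain, Namespace, ServiceAccount string
}

// ParseSPIFFEID splits an Istio-style SPIFFE URI into its parts and rejects anything else.
func ParseSPIFFEID(raw string) (SPIFFEID, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "spiffe" || u.Host == "" {
		return SPIFFEID{}, fmt.Errorf("not a SPIFFE URI: %q", raw)
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) != 4 || parts[0] != "ns" || parts[2] != "sa" || parts[1] == "" || parts[3] == "" {
		return SPIFFEID{}, fmt.Errorf("unexpected Istio identity path: %q", u.Path)
	}
	return SPIFFEID{TrustDomain: u.Host, Namespace: parts[1], ServiceAccount: parts[3]}, nil
}

// CertReport summarises what a reviewer looks for in a workload certificate.
type CertReport struct {
	SPIFFEID       string
	NotAfter       time.Time
	Remaining      time.Duration
	IdentityMatch  bool
	DueForRotation bool
}

// RotationGraceRatio is an assumed threshold: once less than this fraction of the
// lifetime remains, a healthy mesh should already have renewed the certificate.
const RotationGraceRatio = 0.5

// CheckWorkloadCert parses a PEM leaf certificate, extracts its single URI SAN and
// reports whether it matches the expected identity and whether renewal is overdue.
func CheckWorkloadCert(certPEM []byte, expected string, now time.Time) (CertReport, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertReport{}, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertReport{}, err
	}
	if len(cert.URIs) != 1 {
		return CertReport{}, fmt.Errorf("expected exactly one URI SAN, got %d", len(cert.URIs))
	}
	id := cert.URIs[0].String()
	if _, err := ParseSPIFFEID(id); err != nil {
		return CertReport{}, err
	}
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	remaining := cert.NotAfter.Sub(now)
	return CertReport{
		SPIFFEID:       id,
		NotAfter:       cert.NotAfter,
		Remaining:      remaining,
		IdentityMatch:  id == expected,
		DueForRotation: remaining < time.Duration(float64(lifetime)*RotationGraceRatio),
	}, nil
}

// NewTestWorkloadCert builds a self-signed certificate carrying a SPIFFE URI SAN.
// This is constructed test data standing in for the leaf cert istiod would issue.
func NewTestWorkloadCert(id string, notBefore time.Time, ttl time.Duration) ([]byte, error) {
	uri, err := url.Parse(id)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"constructed-example"}},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{uri},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	const id = "spiffe://cluster.local/ns/payments/sa/payments-api"
	// A 24h certificate issued 13h ago: past the assumed renewal point, so it is flagged.
	certPEM, err := NewTestWorkloadCert(id, time.Now().Add(-13*time.Hour), 24*time.Hour)
	if err != nil {
		panic(err)
	}
	rep, err := CheckWorkloadCert(certPEM, id, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", rep)
}
```

To run it against a live mesh, feed CheckWorkloadCert the PEM you extract from the istioctl JSON output instead of the constructed certificate, and pass the identity you expect the workload to hold; a mismatch on IdentityMatch means the proxy is presenting the wrong service account, and DueForRotation staying true across runs means renewal is not happening.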