What is istiod, and what does it do?
Istio & Service Mesh · Basic level
Answer
istiod is Istio's main control-plane service. It combines service discovery, configuration translation, certificate authority functions, and sidecar-injection support so the mesh proxies receive the right configuration and workload identity.
Technical explanation
istiod watches Kubernetes Services, Endpoints, pods, namespaces, and Istio CRDs.
It pushes Envoy configuration through xDS, including listeners, routes, clusters, endpoints, and secrets.
It also supports workload certificate issuance and rotation so mTLS can be automatic rather than manually managed per service.
Hands-on example
Useful commands:
$ kubectl -n istio-system get deploy,svc,pods -l app=istiod
$ kubectl -n istio-system logs deploy/istiod --tail=100
$ istioctl proxy-status
When proxies are stale or rejected, compare istiod logs with the proxy-status output before changing application code.
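An added example (not from the original page): a shell function that reads the `istioctl proxy-status` table on stdin and lists each proxy together with the xDS types reported as STALE, so those proxy names can then be searched for in the istiod logs. The function names, the sample table, and its pod names are constructed for illustration; the parser assumes the aligned text table in which every column starts under its header.

```shell
#!/bin/sh
# stale_proxies: read `istioctl proxy-status` text on stdin and print
# "<proxy>: <XDS>=STALE ..." for every proxy with at least one STALE column.
stale_proxies() {
  awk '
    NR == 1 {
      # Column starts are the space -> non-space transitions in the header.
      # Slicing by offset keeps values such as "NOT SENT" in one cell.
      n = 0
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        p = (i == 1) ? " " : substr($0, i - 1, 1)
        if (c != " " && p == " ") start[++n] = i
      }
      for (k = 1; k <= n; k++) {
        w = (k < n) ? start[k + 1] - start[k] : length($0)
        h = substr($0, start[k], w); gsub(/ +$/, "", h); name[k] = h
      }
      next
    }
    NF == 0 { next }   # skip blank lines
    {
      out = ""
      for (k = 1; k <= n; k++) {
        if (name[k] !~ /^(CDS|LDS|EDS|RDS|ECDS)$/) continue
        w = (k < n) ? start[k + 1] - start[k] : length($0)
        v = substr($0, start[k], w); gsub(/ +$/, "", v)
        if (v ~ /^STALE/) out = out " " name[k] "=" v
      }
      if (out != "") print $1 ":" out
    }'
}

# Constructed sample table (not captured from a real cluster).
sample_status() {
  fmt='%-28s%-13s%-11s%-11s%-11s%-11s%-11s%-16s%s\n'
  printf "$fmt" NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
  printf "$fmt" web-7d9c.default Kubernetes SYNCED SYNCED SYNCED SYNCED 'NOT SENT' istiod-abc 1.x
  printf "$fmt" api-5f6b.default Kubernetes SYNCED STALE SYNCED STALE 'NOT SENT' istiod-abc 1.x
}

# Live use: istioctl proxy-status | stale_proxies
# Then: kubectl -n istio-system logs deploy/istiod --tail=100 | grep <proxy>
```

A proxy that stays STALE has been sent an update by istiod but has not acknowledged it, which is the case where reading the istiod logs next to this output is most useful.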
More Istio & Service Mesh interview questions
- What is Istio, and what are the core capabilities it provides?
- What is the difference between the Istio control plane and data plane?
- What is Envoy, and what role does it play in Istio?
- What is the sidecar pattern, and how does Istio inject the proxy?
- How does automatic sidecar injection work (namespace label, webhook)?
- What is the Istio ambient (sidecarless) mode, and how does it differ from sidecar mode?
- What is the difference between ztunnel and a waypoint proxy in ambient mode?
- What problem does Istio solve that Kubernetes Services alone do not?