What is a common cause of 503 errors in Istio, and how do you diagnose it?
Istio & Service Mesh · Intermediate level
Answer
A common cause of 503 in Istio is that Envoy has no healthy upstream endpoints or no valid route to the selected subset. It can also come from mTLS mismatch, outlier ejection, gateway routing errors, or upstream connection failures.
Technical explanation
If a VirtualService routes to subset v2 but the DestinationRule's subset labels do not match any pods, Envoy can return 503.
Proxy access-log flags help narrow the class of issue: NR for no route, UF for upstream failure, UH for no healthy upstream, and RBAC for denied requests.
Always compare Kubernetes endpoints with Envoy endpoints.
Hands-on example
Diagnosis:
$ kubectl get endpoints backend -n app
$ istioctl proxy-config endpoints deploy/frontend -n app | grep backend
$ istioctl proxy-config route deploy/frontend -n app | grep backend
$ kubectl logs deploy/frontend -c istio-proxy -n app --tail=200
Fix labels, subsets, readiness, or TLS policy based on the missing piece.
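To turn the access-log step above into a quick triage, the following added example (not part of the original answer) counts the response flags on 503 lines and prints a next check for each one. It assumes Istio's default text access-log format; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): tally response flags on 503s.
# Assumption: Istio's default text access-log format, where the response code
# and response flags are the first two fields after the quoted request line.

# Reads access-log lines on stdin; prints "<count> <flag> <hint>", busiest first.
triage_503() {
  awk -F'"' '
    NF >= 3 {
      n = split($3, f, " ")          # f[1] = response code, f[2] = response flags
      if (n < 2 || f[1] != "503") next
      m = split(f[2], flags, ",")    # Envoy can report several flags, e.g. UF,URX
      for (i = 1; i <= m; i++) count[flags[i]]++
    }
    END {
      hint["NR"] = "no route: check VirtualService and proxy-config route"
      hint["UF"] = "upstream failure: check TLS policy and upstream connectivity"
      hint["UH"] = "no healthy upstream: check subset labels, readiness, ejection"
      hint["-"]  = "no proxy flag: the 503 likely came from the upstream app"
      for (k in count)
        printf "%d %s %s\n", count[k], k, ((k in hint) ? hint[k] : "other Envoy flag")
    }' | sort -k1,1nr -k2,2
}

# Constructed sample lines (not real traffic); trailing log fields are omitted.
sample_log() {
  cat <<'EOF'
[2024-01-01T10:00:00.000Z] "GET /api/items HTTP/1.1" 503 UH no_healthy_upstream - "-" 0 19
[2024-01-01T10:00:01.000Z] "GET /api/items HTTP/1.1" 503 UH no_healthy_upstream - "-" 0 19
[2024-01-01T10:00:02.000Z] "GET /old HTTP/1.1" 503 NR route_not_found - "-" 0 0
[2024-01-01T10:00:03.000Z] "GET /api/pay HTTP/1.1" 503 UF,URX upstream_reset - "-" 0 91
[2024-01-01T10:00:04.000Z] "GET /healthz HTTP/1.1" 200 - via_upstream - "-" 0 2
[2024-01-01T10:00:05.000Z] "GET /api/slow HTTP/1.1" 503 - via_upstream - "-" 0 12
EOF
}

# Usage against a live proxy (command from the page):
#   kubectl logs deploy/frontend -c istio-proxy -n app --tail=200 | triage_503
```

A result dominated by UH points at the subset and endpoint comparison first, while NR points at the route output.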