How do you exclude certain ports or IP ranges from sidecar interception?
Istio & Service Mesh · Intermediate level
Answer
Istio can exclude specific inbound ports, outbound ports, outbound IP ranges, or interfaces from sidecar interception using traffic.sidecar.istio.io annotations. I use this only for well-understood exceptions because exclusions bypass mesh policy and telemetry.
Technical explanation
Typical candidates for exclusion are node-local agents, backup traffic, special database clients, or ports that cannot tolerate proxy interception.
Every exclusion should be documented with an owner, a reason, an expiry date, and the compensating controls that cover the traffic the mesh no longer sees.
The annotations are read at injection time, so editing them on a running pod changes nothing; the pod must be recreated for the injection and redirection configuration to be regenerated.
Hands-on example
Pod annotation example:
```yaml
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/excludeInboundPorts: '15020'
```
Validate:
```console
$ kubectl rollout restart deploy/app -n app
$ istioctl proxy-config listeners deploy/app -n app
```
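As an added audit helper (not part of the original answer), the script below parses the exclusion annotations shown above, validates port and CIDR syntax, and flags exclusions that lack the owner, reason and expiry the technical explanation asks for. The example.com/exclusion-* documentation keys and the /24 breadth threshold are assumptions, not Istio conventions.

```python
# Added example (not from the page): audit the traffic.sidecar.istio.io exclusion
# annotations on a pod manifest, validate their syntax and flag exclusions lacking
# the owner/reason/expiry documentation the page calls for. The documentation
# annotation keys (example.com/...) are assumed placeholders, not an Istio feature.
import ipaddress

EXCLUSION_KEYS = {
    "traffic.sidecar.istio.io/excludeInboundPorts": "ports",
    "traffic.sidecar.istio.io/excludeOutboundPorts": "ports",
    "traffic.sidecar.istio.io/excludeOutboundIPRanges": "cidrs",
    "traffic.sidecar.istio.io/excludeInterfaces": "names",
}
REQUIRED_DOC_KEYS = ("example.com/exclusion-owner", "example.com/exclusion-reason",
                     "example.com/exclusion-expiry")
BROAD_PREFIX = 24  # assumed review threshold: flag ranges wider than a /24

def parse_value(kind, raw):
    """Split a comma-separated annotation value; raise ValueError on bad syntax."""
    items = [v.strip() for v in str(raw).split(",") if v.strip()]
    for item in items:
        if kind == "ports" and not (item.isdigit() and 1 <= int(item) <= 65535):
            raise ValueError(f"bad port {item!r}")
        if kind == "cidrs":
            ipaddress.ip_network(item, strict=True)  # raises on a malformed CIDR
    return items

def audit_pod(manifest):
    """Return [(annotation, items, findings)] for every exclusion on the pod."""
    ann = manifest.get("metadata", {}).get("annotations") or {}
    missing = [k for k in REQUIRED_DOC_KEYS if k not in ann]
    report = []
    for key, kind in EXCLUSION_KEYS.items():
        if key not in ann:
            continue
        items, findings = parse_value(kind, ann[key]), []
        if kind == "cidrs":
            broad = [c for c in items if ipaddress.ip_network(c).prefixlen < BROAD_PREFIX]
            if broad:
                findings.append("broad range bypasses mesh policy: " + ", ".join(broad))
        if missing:
            findings.append("undocumented exclusion, missing: " + ", ".join(missing))
        report.append((key, items, findings))
    return report

# Constructed sample manifest mirroring the page's annotations, with only the
# owner recorded so the audit reports the missing reason and expiry.
SAMPLE_POD = {"metadata": {"name": "app", "annotations": {
    "traffic.sidecar.istio.io/excludeOutboundIPRanges": "169.254.169.254/32",
    "traffic.sidecar.istio.io/excludeInboundPorts": "15020",
    "example.com/exclusion-owner": "platform-team"}}}
```

Run it against the output of `kubectl get pod ... -o json` to review every exclusion in a namespace before it reaches production.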