Interview › Istio & Service Mesh
How does Istio handle headless services and StatefulSets?
Istio & Service Mesh · Intermediate level
Answer
Istio can work with headless services and StatefulSets, but I pay close attention to service discovery, DNS, stable pod identities, and protocol behavior. Headless services expose individual pod endpoints, which may interact differently with Envoy routing and load balancing than normal ClusterIP services.
Technical explanation
Stateful workloads often use long-lived connections and identity-sensitive peer addresses, so mesh behavior must be tested before production rollout.
Subsets can still use labels, but per-pod routing may require careful hostnames or service entries depending on the use case.
For databases or brokers, verify readiness, mTLS compatibility, connection draining, and client failover behavior.
Hands-on example
StatefulSet validation:
$ kubectl get svc mydb -o yaml | grep clusterIP
$ kubectl exec deploy/client -c app -- nslookup mydb-0.mydb.default.svc.cluster.local
$ istioctl proxy-config endpoints deploy/client -n app | grep mydb
Run failover tests before enabling STRICT mTLS for the data path.
Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.
More Istio & Service Mesh interview questions
- What is Istio, and what are the core capabilities it provides?
- What is the difference between the Istio control plane and data plane?
- What is istiod, and what does it do?
- What is Envoy, and what role does it play in Istio?
- What is the sidecar pattern, and how does Istio inject the proxy?
- How does automatic sidecar injection work (namespace label, webhook)?
- What is the Istio ambient (sidecarless) mode, and how does it differ from sidecar mode?
- What is the difference between ztunnel and a waypoint proxy in ambient mode?