How do you roll out Istio to existing workloads with minimal disruption (as you did at Intuit)?
Istio & Service Mesh · Intermediate level
Answer
I would roll out Istio to existing workloads in waves, starting with low-risk namespaces, using PERMISSIVE mTLS, strong telemetry, and clear rollback. The goal is to learn real traffic patterns before enforcing strict policy or advanced routing.
Technical explanation
Start with discovery: service owners, ports, protocols, cronjobs, external dependencies, and readiness probes.
Use revision labels or namespace labels so onboarding is controlled and reversible.
Move from observe-only to mTLS PERMISSIVE, then to STRICT and AuthorizationPolicy after traffic is understood.
Hands-on example
Wave plan:
1. Install Istio with a revision.
2. Onboard one non-critical namespace.
3. Restart workloads to inject sidecars.
4. Validate logs, metrics, probes, and dependency calls.
5. Add PeerAuthentication PERMISSIVE.
6. Move to STRICT after tls-check is clean.
7. Repeat by service tier with a runbook and owner signoff.
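The wave plan above can be made mechanical: generate the per-namespace manifests for each step, and gate the PERMISSIVE-to-STRICT move on evidence that no plaintext callers remain. The following is an added example (not code from the original answer or from the Istio project); it assumes Istio's standard `istio_requests_total` metric labels (`reporter`, `connection_security_policy`, `source_workload`, `source_workload_namespace`, `destination_service_namespace`) and uses constructed metric samples in place of a live Prometheus query.

```python
"""Wave-based Istio onboarding helper (added example, not from the page).

Generates the manifests for one onboarding wave and decides when a namespace
may move from PERMISSIVE to STRICT, based on istio_requests_total samples.
Emitted manifests are JSON, which `kubectl apply -f -` accepts directly.
"""
import json

ISTIO_REV_LABEL = "istio.io/rev"  # revision label used for canary control planes


def namespace_onboard(namespace, revision):
    """Namespace object that opts into sidecar injection for one revision.
    Rollback is the inverse: drop the label and restart the workloads."""
    return {
        "apiVersion": "v1",
        "kind": "Namespace",
        "metadata": {"name": namespace, "labels": {ISTIO_REV_LABEL: revision}},
    }


def peer_authentication(namespace, mode):
    """Namespace-wide PeerAuthentication; the wave plan only ever sets these two modes."""
    if mode not in ("PERMISSIVE", "STRICT"):
        raise ValueError(f"wave plan does not allow mTLS mode {mode!r}")
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "PeerAuthentication",
        "metadata": {"name": "default", "namespace": namespace},
        "spec": {"mtls": {"mode": mode}},
    }


def plaintext_sources(samples, namespace):
    """Return (source namespace, source workload) pairs still reaching `namespace`
    without mTLS. Only the destination-side reporter knows the real security
    policy; source-side samples always report 'unknown' and are skipped."""
    offenders = set()
    for labels, value in samples:
        if labels.get("reporter") != "destination":
            continue
        if labels.get("destination_service_namespace") != namespace:
            continue
        if labels.get("connection_security_policy") != "mutual_tls" and value > 0:
            offenders.add((labels.get("source_workload_namespace", "unknown"),
                           labels.get("source_workload", "unknown")))
    return sorted(offenders)


def next_mtls_mode(current, samples, namespace):
    """State machine for one namespace: observe-only -> PERMISSIVE -> STRICT.
    STRICT is only reached once no plaintext caller is observed; never skipped."""
    if current is None:
        return "PERMISSIVE"
    if current == "PERMISSIVE":
        return "STRICT" if not plaintext_sources(samples, namespace) else "PERMISSIVE"
    return "STRICT"


def render(manifest):
    """Serialize a manifest for `kubectl apply -f -`."""
    return json.dumps(manifest, indent=2)


# Constructed samples standing in for a Prometheus query result:
# (label dict, request count). One legacy batch job still talks plaintext.
SAMPLES = [
    ({"reporter": "destination", "destination_service_namespace": "payments",
      "source_workload_namespace": "shop", "source_workload": "checkout",
      "connection_security_policy": "mutual_tls"}, 120),
    ({"reporter": "destination", "destination_service_namespace": "payments",
      "source_workload_namespace": "batch", "source_workload": "legacy-batch",
      "connection_security_policy": "none"}, 7),
    ({"reporter": "source", "destination_service_namespace": "payments",
      "source_workload_namespace": "shop", "source_workload": "checkout",
      "connection_security_policy": "unknown"}, 120),
    ({"reporter": "destination", "destination_service_namespace": "other",
      "source_workload_namespace": "x", "source_workload": "y",
      "connection_security_policy": "none"}, 3),
]

if __name__ == "__main__":
    ns = "payments"
    print(render(namespace_onboard(ns, "1-22-0")))          # step 2: label the namespace
    print(render(peer_authentication(ns, "PERMISSIVE")))    # step 5
    mode = next_mtls_mode("PERMISSIVE", SAMPLES, ns)         # step 6 gate
    print("plaintext callers:", plaintext_sources(SAMPLES, ns), "-> next mode:", mode)
```

Run it as a script to see the manifests and the gating decision; with the constructed samples the namespace stays PERMISSIVE because `batch/legacy-batch` is still calling in plaintext, which is exactly the owner-signoff item the runbook should surface before STRICT.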