Interview › Istio & Service Mesh
How do you do a canary upgrade of the Istio control plane?
Istio & Service Mesh · Intermediate level
Answer
A canary upgrade installs the new Istio control plane alongside the old one, then migrates a small set of workloads or namespaces to the new revision. I validate proxy sync, mTLS, routing, telemetry, gateway behavior, and application SLOs before expanding.
Technical explanation
Use low-risk but representative workloads first, not an empty demo service only.
Check CRD compatibility, deprecated fields, EnvoyFilter behavior, and custom telemetry before migration.
Gate expansion on both mesh health and application SLOs.
Hands-on example
Canary runbook:
$ istioctl install --set revision=new -y
$ kubectl label ns sample istio.io/rev=new --overwrite
$ kubectl rollout restart deploy -n sample
$ istioctl proxy-status | grep sample
$ istioctl analyze -A
Run smoke and load tests, then move one production namespace at a time.
Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.
More Istio & Service Mesh interview questions
- What is Istio, and what are the core capabilities it provides?
- What is the difference between the Istio control plane and data plane?
- What is istiod, and what does it do?
- What is Envoy, and what role does it play in Istio?
- What is the sidecar pattern, and how does Istio inject the proxy?
- How does automatic sidecar injection work (namespace label, webhook)?
- What is the Istio ambient (sidecarless) mode, and how does it differ from sidecar mode?
- What is the difference between ztunnel and a waypoint proxy in ambient mode?