How do you integrate an external authorization service with Istio?
Istio & Service Mesh · Advanced level
Answer
External authorization delegates the allow/deny decision to an external auth service through Envoy's ext_authz filter. In Istio this is wired with an AuthorizationPolicy whose action is CUSTOM and whose provider names an extension provider declared in MeshConfig (envoyExtAuthzHttp or envoyExtAuthzGrpc). I use it when policy depends on business context, entitlements, tenant state, or centralized authorization logic that is not practical to encode only in AuthorizationPolicy.
Technical explanation
For requests matched by the CUSTOM policy, the proxy calls the auth service with the request path, method and a configured subset of headers (the gRPC provider sends a full CheckRequest); the request body is only included if the provider explicitly enables it. CUSTOM policies are evaluated before DENY and ALLOW policies, so the external decision can narrow access but never bypass them.
The auth service returns allow (HTTP 200 for the HTTP provider) or deny, optionally with headers to forward upstream on allow or back to the client on deny; which headers may pass through is whitelisted in the provider configuration.
Availability and latency of the auth service become part of the request path, so it needs SLOs, a caching strategy, and an explicit failure-mode design: the provider's timeout, failOpen and statusOnError settings decide what happens when the service is slow or down.
Hands-on example
Design:
- The ingress gateway receives the request with a bearer JWT.
- RequestAuthentication validates the token against the issuer's JWKS. Pair it with an AuthorizationPolicy that requires a request principal, because RequestAuthentication alone still lets token-less requests through.
- An AuthorizationPolicy with action CUSTOM sends user, tenant, path and method to authz-service through the configured extension provider.
- authz-service checks entitlements and returns allow or deny, optionally adding headers (for example the resolved entitlements) that the workload can trust because they were set by the proxy, not the client.
- Load test authz-service against the gateway's latency budget and decide fail-open versus fail-closed per route according to its risk; Istio exposes this as the provider's failOpen setting.
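The Istio-side wiring for the design above, covering both the provider settings from the technical explanation and the per-route failure-mode decision, as an added example (not configuration from the original page or from the Istio project). Assumed names: a Deployment authz-service in namespace authz listening on port 8000, a read-only workload labelled app: catalog in namespace shop, the issuer and JWKS URLs, and a tenant claim in the token. Two extension providers point at the same service and differ only in failOpen, so the gateway fails closed for high-risk routes while the catalog sidecar fails open for read-only ones.

```yaml
# Added example, not from the original page or the Istio project.
# Assumed: authz-service in namespace "authz" on port 8000, a workload
# labelled app=catalog in namespace "shop", and a JWT "tenant" claim.

# 1. Register the authorizer as mesh extension providers. The two entries
#    differ only in failure mode, so each route can pick the one its risk
#    allows.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |-
    extensionProviders:
    - name: authz-strict            # outage or timeout => 403
      envoyExtAuthzHttp:
        service: authz-service.authz.svc.cluster.local
        port: 8000
        timeout: 500ms
        failOpen: false
        statusOnError: "403"
        # Only these request headers are copied into the check call.
        includeRequestHeadersInCheck: ["authorization", "x-tenant-id"]
        # Headers authz-service may inject toward the workload on allow.
        headersToUpstreamOnAllow: ["x-entitlements"]
        # Headers from authz-service returned to the client on deny.
        headersToDownstreamOnDeny: ["content-type", "www-authenticate"]
    - name: authz-lenient           # outage or timeout => request proceeds
      envoyExtAuthzHttp:
        service: authz-service.authz.svc.cluster.local
        port: 8000
        timeout: 500ms
        failOpen: true
        includeRequestHeadersInCheck: ["authorization", "x-tenant-id"]
---
# 2. Validate the JWT at the gateway and expose the tenant claim as a
#    header so authz-service does not have to re-parse the token.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: jwt-at-gateway
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "https://issuer.example.com"
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
    forwardOriginalToken: true
    outputClaimToHeaders:
    - header: x-tenant-id
      claim: tenant
---
# 3. RequestAuthentication only rejects invalid tokens; a request with no
#    token still passes. Require a principal so authz-service never sees
#    an anonymous /api request.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
    to:
    - operation:
        paths: ["/api/*"]
---
# 4. High-risk routes: delegate to the fail-closed provider at the gateway.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: ext-authz-strict
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: authz-strict
  rules:
  - to:
    - operation:
        paths: ["/api/admin/*", "/api/billing/*"]
---
# 5. Read-only routes: check at the catalog sidecar with the fail-open
#    provider, so an authz-service outage degrades rather than blocks reads.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: ext-authz-lenient
  namespace: shop
spec:
  selector:
    matchLabels:
      app: catalog
  action: CUSTOM
  provider:
    name: authz-lenient
  rules:
  - to:
    - operation:
        methods: ["GET"]
        paths: ["/api/catalog/*"]
```

The mesh key holds the entire mesh config, so merge the extensionProviders entries into the existing istio ConfigMap (or set meshConfig.extensionProviders in the IstioOperator used for install) rather than replacing it. The DENY policy is what makes x-tenant-id trustworthy: with no validated token there is no claim to overwrite a client-supplied copy of the header. Because CUSTOM policies are evaluated before DENY and ALLOW, an allow from authz-service never overrides a mesh-level DENY or a missing ALLOW; the external service can only reject requests that Istio would otherwise permit.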