How does Istio interact with NetworkPolicies — do you need both?
Istio & Service Mesh · Advanced level
Answer
Istio and Kubernetes NetworkPolicies operate at different layers, and I usually want both. NetworkPolicy provides L3/L4 segmentation (pod and namespace selectors, IP blocks, ports) enforced by the CNI plugin on the node; it only takes effect if the cluster's CNI implements it. Istio provides workload identity through mTLS (SPIFFE identities derived from service accounts) and L7 authorization such as HTTP method, path, header, and JWT-claim checks, enforced in the Envoy proxy.
Technical explanation
NetworkPolicy blocks bypass paths: a pod with no sidecar, a port the sidecar does not intercept, or a direct connection at the network layer is still subject to the CNI's L3/L4 rules, because they are enforced on the node rather than inside the proxy.
Istio AuthorizationPolicy expresses intent that NetworkPolicy cannot: who the caller is (the service-account principal from its mTLS certificate) and what it is doing (HTTP method, path, JWT claims), rather than which pod or IP range the packet came from.
Defense in depth is stronger than relying on either layer alone: if one layer is misconfigured (an overly broad namespaceSelector, or an AuthorizationPolicy whose selector matches no workload because of a label typo), the other still constrains the attacker.
Hands-on example
Example:
A NetworkPolicy on the payments pods allows ingress only from the frontend namespace and only on TCP port 8080.
An Istio AuthorizationPolicy on the same pods allows only the principal cluster.local/ns/frontend/sa/frontend, and only POST /charge.
If one layer is bypassed or misconfigured, the other still reduces the blast radius: a compromised pod in another namespace cannot reach port 8080 at all, and a compromised pod in frontend that is not running as the frontend service account, or that calls any other method or path, is rejected by Envoy.
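The two policies described above written out as manifests, as an added example rather than code from the original page. The names payments-ingress and payments-charge, the label app: payments, and the namespaces payments and frontend are assumptions. A PeerAuthentication is included on the assumption that STRICT mTLS is wanted, so that the principal match in the AuthorizationPolicy is always backed by a client certificate rather than left to whatever the caller presents.

```yaml
# Added example; names, labels and namespaces are assumptions.
# Layer 1: L3/L4 segmentation enforced by the CNI.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-ingress
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments
  policyTypes:
    - Ingress            # only ingress is restricted; egress stays open
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # set automatically on every namespace since Kubernetes 1.21
              kubernetes.io/metadata.name: frontend
      ports:
        - protocol: TCP
          port: 8080     # the application port; the sidecar redirect happens inside the pod
---
# Layer 2a: require mTLS so every inbound request carries a verifiable identity.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: payments-mtls
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments
  mtls:
    mode: STRICT
---
# Layer 2b: identity- and L7-aware authorization enforced in Envoy.
# With an ALLOW policy present, anything that matches no rule is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-charge
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/frontend/sa/frontend
      to:
        - operation:
            methods: ["POST"]
            paths: ["/charge"]
```

Two things to check after applying this. First, the NetworkPolicy drops every other inbound flow to the payments pods, including Prometheus scrapes and traffic from an ingress gateway in another namespace, so those need their own ingress rules if they are expected. Second, confirm each layer independently: from a pod outside frontend the TCP connection to port 8080 should fail outright (the CNI is enforcing), while from a frontend pod running as the frontend service account a GET /charge should return a 403 from Envoy and a POST /charge should succeed (the AuthorizationPolicy is enforcing). `istioctl x authz check <payments-pod> -n payments` shows which authorization policies the proxy has actually loaded, which catches the selector-typo case.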