
How does Istio interact with NetworkPolicies — do you need both?

Istio & Service Mesh · Advanced level

Answer

Istio and Kubernetes NetworkPolicies operate at different layers, and I usually want both. NetworkPolicy provides L3/L4 network segmentation enforced by the CNI, while Istio provides identity-aware mTLS and L7 policies such as method, path, and JWT-claim checks.

Technical explanation

NetworkPolicy can block bypass paths if a pod tries to avoid the sidecar or call directly at the network layer.

Istio AuthorizationPolicy can express service-account and HTTP-level intent that NetworkPolicy cannot.

Defense in depth is stronger than relying on either layer alone.

Hands-on example

Example:

NetworkPolicy allows traffic to payments only from the frontend namespace on port 8080.

Istio AuthorizationPolicy allows only principal cluster.local/ns/frontend/sa/frontend and only POST /charge.

If one layer is bypassed or misconfigured, the other still reduces blast radius.
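The two policies described above, written out as manifests. This is an added example, not taken from the original page: the `payments` namespace, the `app: payments` label and both resource names are assumptions, while the port, principal, method and path come from the text.

```yaml
# L3/L4 layer, enforced by the CNI: only pods in the frontend namespace
# may reach payments pods, and only on TCP 8080. This applies even to
# traffic that never passes through the Istio sidecar.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-allow-frontend      # assumed name
  namespace: payments                # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: payments                  # assumed workload label
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # label set automatically on every namespace by Kubernetes
              kubernetes.io/metadata.name: frontend
      ports:
        - protocol: TCP
          port: 8080
---
# L7 layer, enforced by the sidecar: only the frontend service account,
# identified by its mTLS certificate, may call POST /charge.
# Use security.istio.io/v1beta1 on Istio releases that predate the v1 API.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-frontend-charge   # assumed name
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/frontend/sa/frontend"]
      to:
        - operation:
            methods: ["POST"]
            paths: ["/charge"]
```

Once an ALLOW policy selects the workload, requests that match none of its rules are denied, so plaintext callers with no mTLS principal and any other method or path are rejected at the sidecar. The NetworkPolicy has no effect unless the cluster's CNI plugin implements NetworkPolicy.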
