How would you use the mesh to enforce least-privilege between microservices?
Istio & Service Mesh · Advanced level
Answer
I enforce least privilege by combining mTLS STRICT, dedicated service accounts, default-deny AuthorizationPolicy, explicit ALLOW rules for known service edges, JWT validation where user context matters, and CI validation so policy changes are reviewed before production.
Technical explanation
In Istio the Kubernetes service account is the workload identity that policy matches on, so workloads should not share a broad default service account; each workload needs its own.
Start by observing traffic to build an allowlist, but move to enforcement once owners validate required flows.
Policy should be owned as code and tested with representative requests.
Hands-on example
Least-privilege rollout:
1. Inventory edges from Istio telemetry for 14 days.
2. Replace default service accounts.
3. Apply namespace default-deny.
4. Add ALLOW policies per service edge.
5. Dry-run or canary the policy.
6. Enforce and alert on denied legitimate traffic.
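An added example, not from the original page, of the manifests behind steps 3 to 6: namespace-wide STRICT mTLS, a deny-all default for the namespace, and one explicit ALLOW rule for a single service edge. The namespaces (orders, payments), service account names, labels and path are assumed.

```yaml
# Added example: least-privilege baseline for the "payments" namespace.
# Namespace, service account and path names are assumed placeholders.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT          # reject plaintext; every caller must present a mesh identity
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
  # Optional for step 5: with istio.io/dry-run: "true" the policy is evaluated
  # and logged but not enforced, so would-be denials show up before cutover.
spec: {}                  # no rules at all = deny every request to workloads in the namespace
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-orders-to-payments
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments       # only the payments workload gets this exception
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE principal derived from the dedicated "orders" service account
        principals: ["cluster.local/ns/orders/sa/orders"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/charge"]   # scope the edge to the operation it actually needs
```

Denied requests appear in Envoy access logs with response code 403 and flag `rbac_access_denied`, which is what the step-6 alert should key on.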