How do you test an AuthorizationPolicy before enforcing it (dry-run)?
Istio & Service Mesh · Advanced level
Answer
I test AuthorizationPolicy using dry-run where supported, narrow selectors, staging namespaces, synthetic requests, and access-log review before enforcing. Dry-run lets me see what would be denied without actually breaking production traffic.
Technical explanation
Dry-run is especially useful when introducing DENY policies or default-deny posture.
I also run positive and negative test cases: allowed caller succeeds, unauthorized caller fails, wrong method fails, wrong JWT claim fails.
After enforcement, I monitor 403 responses and RBAC response flags closely.
Hands-on example
Dry-run annotation example (set on the AuthorizationPolicy's metadata):

metadata:
  annotations:
    istio.io/dry-run: 'true'
Then send test traffic and inspect proxy metrics/logs for authorization decision signals.
PromQL idea for the post-enforcement 403 watch:
sum(rate(istio_requests_total{response_code='403'}[5m])) by (source_workload,destination_workload)
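The steps above (annotate the policy as dry-run, send positive and negative test traffic, read the proxy's authorization decision signals, then enforce and watch for 403s) as an added example in Python; this is not code from the page or from the Istio project. It assumes a hypothetical policy that allows GET /api only to a caller presenting an approved JWT, so the case matrix, the token strings, the `fake_sender` stand-in and the sample log lines are all constructed here. The "shadow denied, matched policy ..." phrasing that `shadow_denials` looks for is an assumption about Envoy's RBAC debug logging and should be checked against your own proxy output before relying on it.

```python
"""Rehearse an AuthorizationPolicy in dry-run mode, then confirm enforcement.

Added example (not from the page or from Istio). Everything below that looks
like a token, URL, policy name or log line is constructed for illustration.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Case:
    name: str
    method: str
    path: str
    token: Optional[str]   # bearer token presented by the caller, None = anonymous
    expect_allowed: bool   # what the policy is meant to decide for this request


# Hypothetical matrix for a policy that allows GET /api to the approved frontend
# only: one positive case and the three negative cases named in the answer.
CASES: List[Case] = [
    Case("allowed caller", "GET", "/api", "tok-frontend", True),
    Case("unauthorized caller", "GET", "/api", None, False),
    Case("wrong method", "POST", "/api", "tok-frontend", False),
    Case("wrong JWT claim", "GET", "/api", "tok-other-sub", False),
]

# A sender maps (method, path, token) to the HTTP status the mesh returned.
Sender = Callable[[str, str, Optional[str]], int]


def http_sender(base_url: str) -> Sender:
    """Real sender using only the standard library (point it at the staging host)."""
    def send(method: str, path: str, token: Optional[str]) -> int:
        req = urllib.request.Request(base_url + path, method=method)
        if token:
            req.add_header("Authorization", "Bearer " + token)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return send


def fake_sender(enforced: bool) -> Sender:
    """Constructed stand-in for the mesh: in dry-run nothing is blocked; once
    enforced, only the approved GET /api from the frontend token passes."""
    approved = ("GET", "/api", "tok-frontend")

    def send(method: str, path: str, token: Optional[str]) -> int:
        if not enforced:
            return 200
        return 200 if (method, path, token) == approved else 403
    return send


def expected_status(case: Case, dry_run: bool) -> int:
    """Dry-run must not change traffic, so every case still expects 200;
    after enforcement only the allowed cases expect 200, the rest 403."""
    if dry_run or case.expect_allowed:
        return 200
    return 403


def run_matrix(send: Sender, dry_run: bool) -> Dict[str, bool]:
    """Send every case and record whether the observed status matched expectation."""
    return {c.name: send(c.method, c.path, c.token) == expected_status(c, dry_run)
            for c in CASES}


def all_passed(results: Dict[str, bool]) -> bool:
    return all(results.values())


# Assumed wording of a dry-run denial in Envoy's RBAC debug log; verify locally.
SHADOW_DENIED = re.compile(r"shadow denied, matched policy (\S+)")


def shadow_denials(log_lines: List[str]) -> List[str]:
    """Return the policy/rule ids that *would* have denied requests under dry-run."""
    return [m.group(1) for line in log_lines if (m := SHADOW_DENIED.search(line))]


# Constructed proxy log lines, one of which carries a dry-run denial.
SAMPLE_LOG = [
    "[2024-01-01T00:00:00.000Z][debug][rbac] shadow denied, matched policy "
    "ns[staging]-policy[deny-post-api]-rule[0]",
    "[2024-01-01T00:00:00.010Z][debug][router] cluster 'inbound|8080||' match",
]

if __name__ == "__main__":
    print("dry-run rehearsal ok:", all_passed(run_matrix(fake_sender(False), dry_run=True)))
    print("would-deny:", shadow_denials(SAMPLE_LOG))
    print("enforced matrix ok:", all_passed(run_matrix(fake_sender(True), dry_run=False)))
```

Run the dry-run phase first with `http_sender("http://<staging-host>")` and `dry_run=True`: every case should still return 200, and the denials you care about should show up only as shadow results in the proxy log. Flip the annotation off, rerun with `dry_run=False`, and the negative cases must now fail with 403 while the positive case keeps passing; the PromQL above then tracks the same 403s in steady state.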