How do you handle gradual migration of services into mTLS STRICT mode?
Istio & Service Mesh · Advanced level
Answer
For gradual migration to mTLS STRICT, I first enable the mesh in PERMISSIVE mode, identify all callers, verify that expected traffic uses mTLS, fix non-meshed clients, then apply STRICT at workload or namespace scope in waves.
Technical explanation
Do not switch a namespace to STRICT until batch jobs, cronjobs, external clients, probes, and legacy services are accounted for.
Use PeerAuthentication workload selectors to keep the blast radius small where needed.
Monitor 503 responses, TLS errors, and failed handshakes during each wave.
Hands-on example
Migration sequence:
1. PERMISSIVE namespace policy.
2. istioctl authn tls-check for important paths.
3. Enable STRICT for one workload selector.
4. Run smoke tests from every known caller.
5. Expand to namespace-level STRICT.
6. Add alert for plaintext attempts or handshake failures.
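The waves above expressed as manifests, as an added example that is not part of the original answer: the namespace payments, the app=ledger label and the use of the Prometheus Operator PrometheusRule CRD for step 6 are assumptions.

```yaml
# Wave 1: namespace-wide PERMISSIVE so sidecars accept mTLS and plaintext while callers are inventoried
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments        # constructed namespace
spec:
  mtls:
    mode: PERMISSIVE
---
# Wave 3: STRICT for one workload only; a workload-level policy overrides the namespace default
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: ledger-strict
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger            # constructed workload label
  mtls:
    mode: STRICT
---
# Wave 5: namespace-wide STRICT once every known caller passed smoke tests; ledger-strict can then be removed
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# Step 6: alert on plaintext requests still arriving, using the connection_security_policy
# label Istio sets on istio_requests_total (meaningful only on the destination reporter)
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: mtls-migration
  namespace: payments
spec:
  groups:
  - name: mtls-migration
    rules:
    - alert: PlaintextTrafficInMesh
      expr: sum by (destination_workload) (rate(istio_requests_total{reporter="destination", destination_service_namespace="payments", connection_security_policy="none"}[5m])) > 0
      for: 10m
      annotations:
        summary: "Plaintext requests to {{ $labels.destination_workload }} during mTLS migration"
```

Apply each wave with kubectl apply and leave the PrometheusRule in place after migration, since any firing after STRICT indicates a caller that bypassed the sidecar.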