How would you structure Istio config ownership across many teams?
Istio & Service Mesh · Advanced level
Answer
I structure Istio config ownership by separating platform-owned, security-owned, and service-owned resources. Platform owns installation, revisions, gateways, mesh config, and global defaults. Security owns baseline mTLS and authorization standards. Service teams own namespace-local routing and policies for their services within guardrails.
Technical explanation
Clear ownership reduces outage risk from overlapping VirtualServices or conflicting policies.
Git repository layout should mirror ownership and environment promotion.
Admission controls should enforce the ownership model because documentation alone is not enough.
Hands-on example
Repo layout:
- mesh-platform/ — istio-install, revisions, gateways, telemetry defaults.
- mesh-security/ — baseline PeerAuthentication and default-deny templates.
- services/<team>/<service>/ — virtualservice, destinationrule, authz-policy.
CI validates each layer and prevents service repos from changing shared gateway selectors.
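One way to make the CI layer check above (and the admission-control point from the technical explanation) concrete is a small validator that walks the manifests in a pull request and rejects anything that crosses an ownership boundary. The script below is an added example, not code from the original answer. It takes manifests as already-parsed dictionaries (what a YAML loader returns) so it runs without extra dependencies; the layer-to-kind mapping, the shared gateway names, the team names and the convention that `services/<team>/...` deploys into namespace `<team>` are all constructed assumptions for illustration.

```python
"""CI ownership check for Istio manifests (added example, not the page's own code).

Manifests arrive as parsed dictionaries. Layer names follow the repo layout
(mesh-platform, mesh-security, services); everything else below is a
constructed assumption.
"""

# Kinds each layer may own; a kind outside its layer's set is rejected.
# Constructed mapping that encodes the ownership model described in the answer.
LAYER_KINDS = {
    "mesh-platform": {"Gateway", "IstioOperator", "Telemetry", "EnvoyFilter"},
    "mesh-security": {"PeerAuthentication", "AuthorizationPolicy"},
    "services": {"VirtualService", "DestinationRule", "AuthorizationPolicy"},
}

# Platform-owned gateways that service repos may reference (constructed names).
# Service repos may never define a Gateway, so its selector cannot be changed there.
SHARED_GATEWAYS = {"istio-ingress/public-gateway", "istio-ingress/internal-gateway"}


def validate_manifest(path, doc):
    """Return violation messages for one manifest found at a repo path."""
    parts = path.split("/")
    layer = parts[0]
    kind = doc.get("kind")
    meta = doc.get("metadata", {})
    label = f"{path}: {kind}/{meta.get('name', '?')}"

    allowed = LAYER_KINDS.get(layer)
    if allowed is None:
        return [f"{label}: unknown layer '{layer}'"]
    if kind not in allowed:
        return [f"{label}: kind {kind} is not owned by the {layer} layer"]

    problems = []
    if layer == "mesh-security" and kind == "PeerAuthentication":
        spec = doc.get("spec", {})
        # Assumed standard: a baseline (selector-less) policy must be STRICT.
        if "selector" not in spec and spec.get("mtls", {}).get("mode") != "STRICT":
            problems.append(f"{label}: baseline PeerAuthentication must be STRICT")

    if layer == "services":
        if len(parts) < 4:
            return [f"{label}: expected services/<team>/<service>/<file>"]
        team = parts[1]
        # Assumed convention: a team's manifests deploy only into namespace <team>.
        if meta.get("namespace") != team:
            problems.append(f"{label}: namespace must be '{team}', got '{meta.get('namespace')}'")
        if kind == "VirtualService":
            for gw in doc.get("spec", {}).get("gateways", []):
                if gw != "mesh" and gw not in SHARED_GATEWAYS:
                    problems.append(f"{label}: gateway '{gw}' is not a shared platform gateway")
    return problems


def validate_all(manifests):
    """Validate (path, doc) pairs; an empty result means the change may merge."""
    violations = []
    for path, doc in manifests:
        violations.extend(validate_manifest(path, doc))
    return violations


# Constructed sample pull request: three compliant manifests, three violations.
SAMPLE_MANIFESTS = [
    ("mesh-platform/gateways/public-gateway.yaml", {
        "apiVersion": "networking.istio.io/v1beta1", "kind": "Gateway",
        "metadata": {"name": "public-gateway", "namespace": "istio-ingress"},
        "spec": {"selector": {"istio": "ingressgateway"}, "servers": []}}),
    ("mesh-security/baseline/peer-authentication.yaml", {
        "apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
        "metadata": {"name": "default", "namespace": "istio-system"},
        "spec": {"mtls": {"mode": "STRICT"}}}),
    ("services/payments/checkout/virtualservice.yaml", {
        "apiVersion": "networking.istio.io/v1beta1", "kind": "VirtualService",
        "metadata": {"name": "checkout", "namespace": "payments"},
        "spec": {"hosts": ["checkout.example.com"],
                 "gateways": ["istio-ingress/public-gateway"], "http": []}}),
    # Violation: a service repo defines its own Gateway (and thus a selector).
    ("services/payments/checkout/gateway.yaml", {
        "apiVersion": "networking.istio.io/v1beta1", "kind": "Gateway",
        "metadata": {"name": "checkout-gw", "namespace": "payments"},
        "spec": {"selector": {"istio": "ingressgateway"}, "servers": []}}),
    # Violation: VirtualService binds to a gateway that is not on the shared list.
    ("services/payments/checkout/virtualservice-internal.yaml", {
        "apiVersion": "networking.istio.io/v1beta1", "kind": "VirtualService",
        "metadata": {"name": "checkout-internal", "namespace": "payments"},
        "spec": {"hosts": ["checkout.payments.svc.cluster.local"],
                 "gateways": ["payments/my-gateway"], "http": []}}),
    # Violation: one team's repo writes into another team's namespace.
    ("services/payments/checkout/destinationrule.yaml", {
        "apiVersion": "networking.istio.io/v1beta1", "kind": "DestinationRule",
        "metadata": {"name": "ledger", "namespace": "billing"},
        "spec": {"host": "ledger.billing.svc.cluster.local"}}),
]

if __name__ == "__main__":
    for message in validate_all(SAMPLE_MANIFESTS):
        print("DENY", message)
```

In CI this runs against the files changed in a pull request; the same three rules are what an admission webhook or policy engine would re-apply at the API server, so a manifest applied outside the pipeline is still caught.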