How do you apply least privilege to service-to-service communication (e.g., with Istio mTLS)? [Intermediate]
Answer
For service-to-service least privilege, I authenticate workloads with strong identities, encrypt traffic with mTLS, authorize only required service pairs and methods, and restrict network paths. With Istio, that means PeerAuthentication, AuthorizationPolicy, and optionally NetworkPolicy together.
Technical explanation
mTLS proves workload identity and encrypts traffic, but authorization policies decide who can call what.
Policies should be scoped to specific namespaces, services, and methods rather than allowing all mesh traffic.
NetworkPolicy still matters because it limits traffic at the network layer even if application policy is misconfigured.
Hands-on example
Istio example: enable STRICT PeerAuthentication in the namespace. Create an AuthorizationPolicy that allows only the checkout service account to call the payment service's POST /authorize. Deny all other callers by default, then verify with curl from an allowed pod and from a disallowed pod.
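The manifests below are an added, constructed example of that setup, not from the original answer; they assume a `payments` namespace containing a workload labelled `app: payment`, a `checkout` namespace whose workload runs as the `checkout` service account, the default `cluster.local` trust domain, and a CNI that enforces NetworkPolicy.

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT            # sidecars reject any plaintext (non-mTLS) connection
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}                    # empty spec: deny every request to every workload here
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payment-allow-checkout-authorize
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payment          # applies only to the payment workload
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE identity taken from the caller's mTLS client certificate
        principals: ["cluster.local/ns/checkout/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]   # one method, one path; everything else stays denied
        paths: ["/authorize"]
---
# Defence in depth below the mesh: limits who can reach payment pods at L3/L4
# even if the mesh policy above is later misconfigured.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payment-ingress
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payment
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: checkout
```

To verify, a `curl -X POST http://payment.payments:8080/authorize` run via `kubectl exec` inside the checkout pod should return the application's response, while the same request from a pod in another namespace, or a GET to the same path, should be rejected by the sidecar with HTTP 403 (`RBAC: access denied`).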