Istio
30 cards: 🟢 9 easy | 🟡 15 medium | 🔴 6 hard
🟢 Easy (9)
1. What three former Istio components were merged into istiod in Istio 1.5?
Pilot (xDS config distribution), Citadel (certificate/identity management), and Galley (config validation and ingestion).
Name origin: Istio is Greek for sail, navigating the sea of microservices. Created by Google, IBM, and Lyft in 2017.
Remember: PiCG — Pilot, Citadel, Galley merged into istiod. The merge simplified deployment from 3 pods to 1.
Gotcha: Pre-1.5 Istio documentation references these as separate components. Post-1.5, they are internal modules of istiod.
2. What is the role of the Envoy sidecar in an Istio mesh?
The Envoy proxy is injected into each application pod as a sidecar container (the data plane). It intercepts all inbound and outbound traffic for that pod, handling load balancing, retries, mTLS, circuit breaking, and telemetry, without the application knowing.
3. How do you enable automatic Istio sidecar injection for an entire namespace?
Label the namespace: `kubectl label namespace <namespace> istio-injection=enabled`. The injection webhook then adds the istio-proxy container to every pod created in that namespace from then on.
Gotcha: Existing pods must be restarted to get the sidecar: `kubectl rollout restart deployment -n <namespace>`.
Remember: Per-pod opt-out: annotate the pod template (not the Deployment metadata) with `sidecar.istio.io/inject: "false"`; recent releases accept the same key as a pod label. Per-namespace opt-in: the label above.
Debug clue: `kubectl get pod -o jsonpath='{.spec.containers[*].name}'` — look for istio-proxy.
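Added example for this card (not from the original deck): a namespace opted in to automatic injection, plus one Deployment in it that opts out per pod. The namespace, workload and image names are placeholders.

```yaml
# Added example: namespace-level opt-in plus per-pod opt-out.
# Names (payments, legacy-batch, the image) are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    istio-injection: enabled   # webhook injects istio-proxy into new pods here
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: legacy-batch
  namespace: payments
spec:
  replicas: 1
  selector:
    matchLabels:
      app: legacy-batch
  template:
    metadata:
      labels:
        app: legacy-batch
      annotations:
        # The opt-out must sit on the pod template; an annotation on the
        # Deployment object itself is never seen by the injection webhook.
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - name: batch
        image: registry.example.com/legacy-batch:1.0
```

When the label is added to a namespace that already has pods, nothing changes until those pods are recreated (`kubectl rollout restart`). Confirm the result per pod with the Debug clue above, or ask the injector directly with `istioctl experimental check-inject -n payments <pod>`, which reports whether and why a pod would be injected. Note that a pod without a sidecar, like legacy-batch here, has no SPIFFE identity and will be treated as a plaintext caller by every mTLS and AuthorizationPolicy rule in the mesh.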
4. What are the three mTLS modes in a PeerAuthentication resource?
STRICT (only mTLS accepted, plaintext rejected), PERMISSIVE (both mTLS and plaintext accepted), and DISABLE (no mTLS). A fourth value, UNSET, inherits the mode from the enclosing namespace or mesh policy. PERMISSIVE is for migration; STRICT is the production target.
Remember: SPD: Strict, Permissive, Disable. Production target = STRICT. Migration tool = PERMISSIVE.
Gotcha: Switching from PERMISSIVE to STRICT breaks every plaintext caller: kubelet probes when Istio's HTTP probe rewriting is disabled, external monitoring tools, and Jobs or pods outside the mesh. Find plaintext callers first (the `istio_requests_total` metric carries a `connection_security_policy` label that reads `none` for plaintext connections) and test in staging.
5. What is Kiali and what does it show?
Kiali is the Istio-native service graph UI. It reads Prometheus metrics and Istio config to show a live topology of service-to-service communication, traffic error rates, mTLS status per connection, and config validation warnings.
6. How does Istio canary routing differ from Kubernetes native rolling updates?
Kubernetes splits traffic by pod replica ratio (5 v2 pods out of 100 = 5% of traffic). Istio splits traffic by explicit percentage weight in the VirtualService, independent of replica count: you can send 5% to v2 while running only one v2 replica, and shift the weight without touching the Deployment.
7. What command validates Istio config across the entire cluster for issues?
`istioctl analyze` checks for host mismatches, missing DestinationRule subsets, Gateway/VirtualService host conflicts, and other logical errors. Use `istioctl analyze -n <namespace>` to scope it to one namespace, or `istioctl analyze -A` for all namespaces.
Remember: `istioctl analyze` is like `terraform validate` for Istio: it catches config errors before they cause traffic failures.
Gotcha: istioctl analyze checks config validity but NOT whether the data plane actually applied it. Use `istioctl proxy-status` for that.
8. What does istioctl proxy-status show and what does STALE mean?
It shows the xDS sync state for every sidecar and gateway in the mesh: whether each proxy's clusters, listeners, routes, and endpoints are SYNCED or STALE. STALE means istiod has sent a config update that the proxy has not acknowledged yet, so the proxy may still be routing on old config.
9. When using Istio distributed tracing, what must the application do?
The application must propagate trace context headers from each inbound request to every outbound call it makes. The sidecar can start a span and add headers on the inbound side, but it cannot see which outbound call belongs to which inbound request, so without propagation every hop becomes a separate trace. Headers to forward (B3): x-request-id, x-b3-traceid, x-b3-spanid, x-b3-parentspanid, x-b3-sampled, x-b3-flags; with a W3C-based tracer, traceparent and tracestate.
🟡 Medium (15)
1. What is the difference between a VirtualService and a DestinationRule?
VirtualService defines routing rules: how requests to a hostname are matched and forwarded (weights, header matches, retries, timeouts, fault injection). DestinationRule defines policy for traffic after routing: subsets (pod label groups), load balancing algorithm, connection pool limits, outlier detection, and client-side TLS settings. A VirtualService that routes to a subset needs a DestinationRule that defines it.
2. How does an Istio Gateway differ from a Kubernetes Ingress resource?
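Added example for this card (not from the original deck): an Istio Gateway on the stock ingress gateway deployment, with the VirtualService that does the actual routing bound to it. The hostname, namespace, backend services and TLS secret name are placeholders.

```yaml
# Added example: Istio ingress Gateway + VirtualService. Placeholders:
# shop.example.com, namespace bookinfo, secret shop-example-com-tls,
# backends productpage:9080 and frontend:8080.
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: shop-gateway
  namespace: bookinfo
spec:
  selector:
    istio: ingressgateway        # the dedicated ingress Envoy, not a sidecar
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "shop.example.com"
    tls:
      mode: SIMPLE
      # The secret must live in the gateway deployment's namespace
      # (istio-system by default), not in bookinfo.
      credentialName: shop-example-com-tls
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "shop.example.com"
    tls:
      httpsRedirect: true        # 301 plaintext to HTTPS, nothing served on :80
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: shop
  namespace: bookinfo
spec:
  hosts:
  - "shop.example.com"
  gateways:
  - shop-gateway               # bind to the Gateway above; "mesh" is omitted so
                               # sidecars inside the cluster ignore this rule
  http:
  - match:
    - uri:
        prefix: /api/
    retries:
      attempts: 3
      perTryTimeout: 2s
      retryOn: 5xx,reset
    route:
    - destination:
        host: productpage.bookinfo.svc.cluster.local
        port:
          number: 9080
  - route:                     # default route for everything else
    - destination:
        host: frontend.bookinfo.svc.cluster.local
        port:
          number: 8080
```

The split of responsibilities is the thing to remember: the Gateway only says which ports, hosts and TLS settings the proxy listens with; without a VirtualService bound to it, requests get a 404 from Envoy. `istioctl analyze -n bookinfo` flags a VirtualService whose `hosts` do not match any host the Gateway serves.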
A Kubernetes Ingress relies on an Ingress controller and offers limited, annotation-driven configuration. An Istio Gateway runs on a dedicated Envoy deployment (not a sidecar), supports full Istio traffic management (VirtualService routing, fault injection, retries, mTLS to the backends), and is configured with `Gateway` + `VirtualService` resources rather than Ingress annotations. The Gateway only opens ports and hosts; the VirtualService bound to it does the routing.
3. What is the default behavior when an AuthorizationPolicy exists in a namespace?
No policy means allow all. Once any ALLOW policy selects a workload, requests to that workload that do not match one of its ALLOW rules are denied; a namespace-scoped policy with no selector selects every workload in the namespace. An ALLOW policy with no rules therefore blocks all traffic to the workloads it selects. This is default-deny for whatever the policy covers. DENY policies do not change this: they only add denials and are evaluated before ALLOW policies.
4. What is a SPIFFE identity and how does Istio use it?
SPIFFE (Secure Production Identity Framework for Everyone) defines a URI format for workload identity: `spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>`, for example `spiffe://cluster.local/ns/frontend/sa/web`. Istio derives the identity from the pod's Kubernetes service account, has istiod issue each sidecar a short-lived X.509 certificate with that URI as a SAN, presents it during mTLS, and matches AuthorizationPolicy `principals` against the part after `spiffe://`.
5. What does the Sidecar resource do and why should every namespace have one?
The Sidecar resource scopes which services a proxy receives in its xDS configuration. Without it, every sidecar in a 200-service mesh gets config for all 200 services, most of which it never calls, bloating memory and slowing every config push. A default Sidecar resource (no selector) in each namespace limits egress to the services that namespace actually needs.
6. How do you inject a 7-second delay on 50% of requests to a service using Istio?
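Added example for this card (not from the original deck): a VirtualService that delays half of the requests to a service by 7 seconds and aborts a tenth of them, but only for requests that carry a test header, so the fault cannot hit real users if someone forgets to remove it. The service name, namespace and header name are placeholders.

```yaml
# Added example: fault injection on ratings (namespace bookinfo), gated on
# a test header (x-chaos) so normal traffic is unaffected. Names are placeholders.
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: ratings-fault
  namespace: bookinfo
spec:
  hosts:
  - ratings.bookinfo.svc.cluster.local
  http:
  - match:
    - headers:
        x-chaos:
          exact: "true"          # only requests tagged by the test client
    fault:
      delay:
        fixedDelay: 7s
        percentage:
          value: 50.0            # applied in the caller's sidecar; the upstream
                                 # pod never sees the request during the delay
      abort:
        httpStatus: 503
        percentage:
          value: 10.0
    route:
    - destination:
        host: ratings.bookinfo.svc.cluster.local
  - route:                       # untagged requests: normal routing, no fault
    - destination:
        host: ratings.bookinfo.svc.cluster.local
```

Rules are evaluated top to bottom, so the gated fault rule must come before the catch-all route. Because the fault runs in the calling sidecar, you can see it with `istioctl proxy-config routes <caller-pod>.bookinfo -o json` (look for the `fault` filter config on the route), and the usual retry/timeout settings of the caller still apply on top of the injected delay, which is how a 7 s delay turns into a 504 if the caller's timeout is shorter.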
Add a `fault.delay` block to the VirtualService route for that host: `fixedDelay: 7s` and `percentage.value: 50`. The fault is applied in the calling pod's sidecar, so the request never reaches the upstream pod during the delay. Always remove it after testing; left-in fault injection is a common self-inflicted outage.
7. What does istioctl proxy-config routes <pod>.<ns> show?
It shows all virtual hosts and route rules that the sidecar's Envoy proxy currently holds (its RDS state): which hostnames it can reach and how requests to each are routed. Add `-o json` to see weights, retries, and timeouts. Useful to verify that a VirtualService has been pushed to and accepted by a specific sidecar.
8. Why is leaving mTLS in PERMISSIVE mode a security problem?
PERMISSIVE accepts both mTLS and plaintext, and nothing fails when a caller chooses plaintext: callers without sidecars, external tools, and old Jobs all connect in the clear without errors. You believe you have mTLS encryption and authentication, but some traffic is flowing in plaintext, and plaintext callers present no identity, so AuthorizationPolicy rules based on `principals` cannot match them. PERMISSIVE is a migration tool, not a production setting.
9. Why do Kubernetes health check probes fail after applying an AuthorizationPolicy?
The kubelet has no Istio sidecar and therefore no SPIFFE identity. If probes reach the application through the inbound Envoy listener, a default-deny AuthorizationPolicy blocks the probe paths (e.g., /healthz, /ready) because the kubelet cannot present a recognized principal, and under STRICT mTLS the plaintext probe is rejected even earlier. By default Istio rewrites HTTP probes to the pilot-agent on port 15020, which forwards them to the app without passing through Envoy's inbound listener, so the failure shows up when that rewrite is disabled (`sidecar.istio.io/rewriteAppHTTPProbers: "false"`). Fix: keep probe rewriting on, or explicitly allow the probe paths in the policy with a rule that has no `from` clause.
10. What happens if a VirtualService uses a short hostname and callers are in a different namespace?
The short name `reviews` resolves relative to the VirtualService's namespace. A caller in a different namespace resolves `reviews` to its own namespace's FQDN, so the VirtualService has no effect on its traffic. Always use fully qualified names (`reviews.bookinfo.svc.cluster.local`) in VirtualServices when cross-namespace calls occur, and check the caller's view with `istioctl proxy-config routes <caller-pod>.<ns>`.
11. What does istioctl experimental describe pod <pod>.<ns> synthesize?
It combines Istio config and Envoy state to show: which VirtualService and DestinationRule apply to the pod, the effective PeerAuthentication mTLS mode, which AuthorizationPolicies apply, and any configuration warnings. It is the fastest way to understand why traffic to a pod behaves unexpectedly.
12. After setting a 95/5 weight split in a VirtualService, how do you verify the split is actually in effect?
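Added example serving Easy card 6 (weight-based canary), Medium card 1 (VirtualService vs DestinationRule) and this card (not from the original deck): the 95/5 split for reviews together with the DestinationRule that defines the subsets it refers to. Service name, namespace and labels follow the page's bookinfo example; the connection pool and outlier values are illustrative.

```yaml
# Added example: 95/5 canary split for reviews (namespace bookinfo).
# The DestinationRule defines the subsets; without it, the VirtualService
# below is rejected because subset v2 does not exist.
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: reviews
  namespace: bookinfo
spec:
  host: reviews.bookinfo.svc.cluster.local
  trafficPolicy:
    connectionPool:
      http:
        http1MaxPendingRequests: 100
        maxRequestsPerConnection: 10
    outlierDetection:            # eject a pod after 5 consecutive 5xx for 30s
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
  subsets:
  - name: v1
    labels:
      version: v1                # pods carrying this label form the subset
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: reviews
  namespace: bookinfo
spec:
  hosts:
  - reviews.bookinfo.svc.cluster.local   # FQDN so callers in other namespaces match
  http:
  - route:
    - destination:
        host: reviews.bookinfo.svc.cluster.local
        subset: v1
      weight: 95
    - destination:
        host: reviews.bookinfo.svc.cluster.local
        subset: v2
      weight: 5                  # 5% of requests even if v2 runs a single replica
```

To verify the split is live rather than just applied, inspect a calling pod's routes: `istioctl proxy-config routes <caller-pod>.bookinfo -o json` should show a `weighted_clusters` entry for the reviews virtual host with the two subset clusters at weights 95 and 5. If the route still points at a single cluster, the VirtualService was not accepted (`istioctl analyze -n bookinfo` will name the missing subset or host mismatch) or the proxy is STALE (`istioctl proxy-status`). Then send a few hundred requests and count responses per version; with one v2 replica the observed ratio converges on 5%, which a replica-ratio rollout could never give you.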
Check the data plane, not just the YAML. Run `istioctl proxy-config routes <caller-pod>.<ns> -o json` and find the route for the host: it should contain a `weighted_clusters` entry with the two subset clusters at weights 95 and 5. If it still shows a single cluster, the VirtualService was not applied (wrong host, missing DestinationRule subset, or a STALE proxy; `istioctl analyze` and `istioctl proxy-status` tell you which). Then confirm empirically: send a few hundred requests and count responses per version, or watch the edge weights in Kiali.
13. What is an Istio egress gateway and why use one?
A dedicated Envoy deployment that outbound traffic to external services is routed through. Benefits: a single egress point for audit logging, network policy and perimeter allow-listing of egress IPs, TLS origination for external calls, and explicit ServiceEntry registration of the external hostnames the mesh is allowed to reach. Without it, pods call external services directly through their sidecar with less visibility, and with `outboundTrafficPolicy.mode: ALLOW_ANY` (the default) they can reach any host at all.
14. What is the canary control plane upgrade pattern for Istio?
Install a new istiod revision alongside the old one (`istioctl install --set revision=1-20`). Migrate namespaces one at a time: replace the `istio-injection=enabled` label with `istio.io/rev=1-20` (the two labels must not coexist, because `istio-injection` takes precedence) and restart the workloads so the new revision injects them. If a namespace has issues, relabel it back to the old revision and restart again. After all namespaces migrate, uninstall the old istiod (`istioctl uninstall --revision <old>`). This ensures one functioning control plane is always available during the upgrade.
15. What is Istio Ambient Mesh and how does it differ from sidecar mode?
Ambient Mesh removes per-pod sidecar injection. Instead, a per-node ztunnel DaemonSet handles L4 for every pod on the node (mTLS, L4 authorization, TCP telemetry), and a waypoint proxy, deployed per namespace or per service account, handles L7 features only where they are wanted. Benefits: no pod restarts for proxy upgrades, lower memory overhead, and opt-in per namespace with a label instead of injection. Ambient mode reached GA in Istio 1.24.
🔴 Hard (6)
1. What does istiod's Pilot component do with Istio CRDs, and what protocol does it use to push config to sidecars?
Pilot watches the Kubernetes API for Istio CRDs (VirtualService, DestinationRule, etc.) and for Services and Endpoints. It translates them into Envoy xDS configuration (xDS is the family of Envoy discovery-service APIs; the x stands in for the resource type): LDS (listeners), RDS (routes), CDS (clusters), and EDS (endpoints). istiod pushes these to each Envoy over a single persistent gRPC stream using ADS, the Aggregated Discovery Service, which delivers the four resource types in a consistent order so a proxy never sees a route that refers to a cluster it does not yet have.
2. How does PeerAuthentication policy precedence work across mesh, namespace, and workload levels?
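Added example serving Easy card 4 (mTLS modes) and this card (not from the original deck): the three policy levels together, mesh-wide STRICT, a namespace in PERMISSIVE during migration, and one workload in that namespace pulled back to STRICT except for a single port. The `legacy` namespace, the `billing-v2` label and port 8081 are placeholders.

```yaml
# Added example: PeerAuthentication at mesh, namespace, workload and port
# level. Placeholders: namespace legacy, app label billing-v2, port 8081.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system        # no selector in the root namespace: mesh-wide
spec:
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: legacy              # no selector: whole namespace, beats mesh-wide
spec:
  mtls:
    mode: PERMISSIVE             # migration only; plaintext is still accepted here
---
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: billing-v2
  namespace: legacy
spec:
  selector:
    matchLabels:
      app: billing-v2            # workload-level: beats the namespace policy
  mtls:
    mode: STRICT
  portLevelMtls:
    "8081":
      mode: PERMISSIVE           # port-level: only the port an un-meshed job still calls
```

Istio expects one policy per level: a second no-selector policy in the same namespace leaves the effective mode undefined, so name the namespace and mesh policies `default` and keep it that way. `portLevelMtls` is only honoured on a policy with a selector, and the port must be one the workload's Service declares. Verify the mode that actually applies to a pod with `istioctl experimental describe pod <pod>.legacy` rather than reading the YAML, since a forgotten namespace-level PERMISSIVE silently wins over the mesh-wide STRICT you think you have.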
More specific wins. Workload-level PeerAuthentication (with a `selector`) overrides namespace-level (no selector, in a specific namespace), which overrides mesh-wide (no selector, in the root namespace, istio-system by default). `portLevelMtls` on a workload policy goes one level further and overrides the mode for individual ports. This allows a cluster-wide STRICT policy with specific PERMISSIVE exceptions for individual workloads during migration.
3. A mesh has 500 services. A sidecar without a Sidecar resource uses 450Mi of memory. A sidecar with a tightly scoped Sidecar resource uses 60Mi. Why the difference?
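Added example serving Medium card 5 and this card (not from the original deck): a namespace-default Sidecar resource that restricts each proxy's egress config to its own namespace, the control plane namespace and one explicit cross-namespace dependency. The `payments` and `ledger` names are placeholders.

```yaml
# Added example: namespace default Sidecar (no selector) for payments.
# Placeholders: namespace payments, dependency ledger-api in namespace ledger.
apiVersion: networking.istio.io/v1
kind: Sidecar
metadata:
  name: default                  # one no-selector Sidecar per namespace
  namespace: payments
spec:
  egress:
  - hosts:
    - "./*"                      # every service in this namespace
    - "istio-system/*"           # istiod, telemetry, ingress/egress gateways
    - "ledger/ledger-api.ledger.svc.cluster.local"   # the one cross-namespace call
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY          # anything not listed fails fast instead of passing through
```

Derive the host list from observed traffic (the Kiali graph, or `istio_requests_total` grouped by destination service) before applying it, because a missing entry turns a working call into a connection refused. The effect is easy to measure: `istioctl proxy-config clusters <pod>.payments | wc -l` before and after shows the cluster count dropping from every service in the mesh to only the ones listed, and the proxy's memory follows. The same resource named `default` in istio-system acts as the mesh-wide fallback for namespaces that have none, which is the usual way to make scoping the default rather than the exception.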
Without a Sidecar resource, every Envoy proxy receives xDS configuration for all 500 services: all their listeners, routes, clusters, and endpoints. Each proxy's config grows linearly with the number of services, and the total istiod has to generate and push grows with the square (every proxy times every service), which is why pushes slow down as the mesh grows. The Sidecar resource tells istiod to send only the config for services this workload actually needs, dramatically reducing xDS payload size, proxy memory, and push time.
4. An AuthorizationPolicy allows traffic from cluster.local/ns/frontend/sa/web to reviews. Traffic is still being denied. What are three things to check?
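Added example serving Medium card 3 (default-deny), Medium card 9 (probes) and this card (not from the original deck): the ALLOW policy for reviews with the frontend identity, a rule that keeps identity-less kubelet probes working, and a DENY policy that wins over the ALLOW regardless of order. Names follow the page's bookinfo example; the paths and methods are illustrative.

```yaml
# Added example: ALLOW + DENY on reviews (namespace bookinfo). The principal
# is the page's cluster.local/ns/frontend/sa/web; paths are illustrative.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: reviews-allow
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: reviews               # from here on, reviews is default-deny
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/frontend/sa/web   # SPIFFE id without the spiffe:// prefix
    to:
    - operation:
        methods: ["GET"]
        paths: ["/reviews/*"]
  - to:                          # no "from": any caller, including the kubelet,
    - operation:                 # which has no sidecar and so no principal
        paths: ["/healthz", "/ready"]
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: reviews-deny-writes
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: reviews
  action: DENY                   # evaluated before every ALLOW policy
  rules:
  - to:
    - operation:
        methods: ["POST", "PUT", "DELETE"]
```

Evaluation order is CUSTOM, then DENY, then ALLOW, so a DELETE from frontend/web is refused here even though the first policy would otherwise permit it, and `principals` can only match a caller that presented a certificate: a pod without a sidecar, or a caller in the clear under PERMISSIVE, never matches. When a request is still denied unexpectedly, `istioctl experimental authz check <reviews-pod>.bookinfo` lists the policies actually loaded into that proxy, and `istioctl proxy-config log <reviews-pod>.bookinfo --level rbac:debug` makes the istio-proxy log say which rule rejected the request and what principal it saw.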
1) Verify the calling pod actually runs as service account `web` in namespace `frontend`: `kubectl get pod <pod> -n frontend -o jsonpath='{.spec.serviceAccountName}'` (an empty value means `default`).
2) Confirm the caller presents an identity: it needs a sidecar, and mTLS between the two workloads must be in effect. A caller without a sidecar in PERMISSIVE mode connects in plaintext, presents no certificate, and so never matches `principals`; STRICT on the server side turns that into a clear connection failure instead of a silent policy mismatch.
3) Check for a DENY policy in the same namespace that takes precedence — DENY policies evaluate before ALLOW.
5. What is the difference between Istio multi-primary and primary-remote multi-cluster topologies?
Multi-primary: each cluster runs its own istiod, all sharing a common root CA so cross-cluster mTLS validates, and each istiod watches the other clusters' API servers (via remote secrets) to learn their endpoints. Resilient (losing one cluster does not take down another cluster's control plane) but operationally heavier. Primary-remote: one cluster (the primary) runs istiod and configures the sidecars in remote clusters, which run only a data plane. Simpler, but the primary istiod is a single point of failure for remote-cluster config changes (existing sidecars keep running on their last config). East-west gateways carry cross-cluster traffic in both topologies.
6. An engineer applies a new VirtualService but traffic routing does not change. istioctl proxy-status shows STALE for several pods. Walk through the diagnosis.
1) Run `istioctl analyze -n <namespace>` to catch invalid config: a VirtualService that references a missing DestinationRule subset, a host mismatch, or a conflicting route is a common reason a proxy rejects the push.
2) Check istiod logs for NACK messages: `kubectl logs -l app=istiod -n istio-system | grep -i nack`. A NACK means Envoy rejected the pushed config, and the log line names the proxy and the error.
3) If config is valid but sidecars are still STALE, check istiod resource utilization — an overloaded istiod falls behind on pushes.
4) As a last resort, restart the affected pods to force sidecar reconnection to istiod.