Quiz: Service Mesh¶

3 questions

L0 (1 questions)¶

1. What are the two planes of a service mesh, and what does each do?

Show answer

The data plane consists of sidecar proxies (usually Envoy or linkerd2-proxy) injected alongside every pod that intercept all network traffic between services. The control plane (Istiod for Istio, Linkerd destination/identity for Linkerd) configures those proxies, issues certificates, and collects telemetry. The data plane handles traffic; the control plane manages policy and configuration.

L1 (1 questions)¶

1. How does a service mesh provide mutual TLS (mTLS) without changing application code?

Show answer

The control plane acts as a Certificate Authority and issues short-lived TLS certificates to each sidecar proxy (identity based on ServiceAccount). Every connection between proxies is automatically encrypted and mutually authenticated. Applications communicate over localhost to their sidecar; the sidecar handles all TLS negotiation and certificate rotation transparently. No code changes needed.

L2 (1 questions)¶

1. What observability signals does a service mesh provide for free, and what is a common pitfall with sidecar injection?

Show answer

A mesh gives you request rate, error rate (4xx/5xx), latency (p50/p95/p99), and live service topology — all without application instrumentation. A common pitfall is that sidecar injection requires the namespace to be labeled (Istio: istio-injection=enabled) or annotated (Linkerd: linkerd.io/inject=enabled). Pods created before injection was enabled need to be restarted to get the sidecar.