Sidecar proxy (Envoy): injected by Kubernetes MutatingAdmissionWebhook into pods in labeled namespaces. An init container sets up iptables rules to redirect all traffic through Envoy. The app connects to localhost; Envoy intercepts and proxies. Benefits: app is unchanged, gets mTLS, distributed tracing, metrics, retries, circuit breaking "for free". Cost: two containers per pod (~50-100MB RAM each), ~0.5ms added latency per proxy hop. Ambient mode (Istio 2023+): moves L4 to per-node ztunnel, eliminating per-pod sidecars while keeping L7 via optional Waypoint proxies.
2 / 5
What is mTLS in a service mesh and what does it prevent?
mTLS: standard TLS proves the server's identity to the client; mTLS proves the identity of both sides. Istio Citadel (now part of istiod) acts as a CA, issuing SPIFFE SVIDs (certificates) to each pod based on its Kubernetes service account. SPIFFE ID: spiffe://cluster.local/ns/default/sa/payments. PeerAuthentication: STRICT (only mTLS connections accepted) or PERMISSIVE (transition mode). AuthorizationPolicy: "allow traffic to payments service only from the checkout service account, on path /api/charge". This is zero-trust inside the cluster.
3 / 5
In Istio, what does a VirtualService control?
VirtualService: attaches to a service's hostname and defines the routing rules the Envoy sidecar applies to requests for that hostname. Key features: Weight-based routing: 90% → v1, 10% → v2 (canary). Header match: route requests with X-Canary: true to v2. Retry policy: retry on 5xx, 3 attempts, 25ms between. Timeout: fail after 500ms. Fault injection: inject artificial 5xx or delay — test resilience. DestinationRule: defines subsets (pod groups by label), load balancing policy (round robin, consistent hash), circuit breaker (outlier detection), and TLS settings per subset.
4 / 5
What is outlier detection in Istio's circuit breaking?
Outlier detection: configured in DestinationRule.trafficPolicy. Key settings: consecutiveGatewayErrors: 5 — eject after 5 consecutive 5xx. interval: 30s — evaluation window. baseEjectionTime: 30s — minimum ejection duration (doubles on each ejection). maxEjectionPercent: 50 — prevent ejecting majority of endpoints. Works at individual endpoint (pod IP) level — not service level. Complements retry policy: retry sends to any available endpoint; outlier detection removes known-bad endpoints from the pool entirely.
5 / 5
What is the data plane vs control plane split in Istio?
Data plane (Envoy sidecars): intercepts all traffic, enforces policy, collects telemetry, performs mTLS. Runs in the application pods. Control plane (istiod), made up of Pilot (converts Istio CRs to xDS config), Citadel (CA for certificates) and Galley (config validation). It uses the xDS API (Envoy's discovery service) to push configuration to the proxies: LDS (listener), RDS (route), CDS (cluster), EDS (endpoint). Configuration changes propagate to proxies within seconds. The control plane is relatively small (one istiod pod per cluster) while the data plane scales with your pods.