Service Mesh & Istio
Traffic management, observability, security, sidecars, virtual services, gateways, Linkerd comparison
1What is the main role of a service mesh like Istio in a microservices architecture?
What is the main role of a service mesh like Istio in a microservices architecture?
回答
A service mesh manages communication between microservices by providing traffic management, observability, and security features without modifying application code. Istio injects a sidecar proxy (Envoy) next to each pod to intercept and manage all network traffic. This centralizes configuration for retry, timeout, circuit breaking, mTLS, and distributed tracing at the infrastructure level rather than the application level.
2How does the sidecar pattern work in Istio and which proxy is used by default?
How does the sidecar pattern work in Istio and which proxy is used by default?
回答
Istio automatically injects an Envoy proxy container as a sidecar into each application pod via a mutating admission webhook. This sidecar intercepts all inbound and outbound traffic from the application container, enabling traffic management, security, and observability policies without code changes. Envoy is chosen for its high performance, modern protocol support (HTTP/2, gRPC), and ability to handle dynamic configuration via xDS APIs.
3What is the difference between the control plane and the data plane in Istio?
What is the difference between the control plane and the data plane in Istio?
回答
The control plane (Istiod) manages configuration, discovers services, and distributes rules to proxies via xDS APIs. It contains Pilot for service discovery, Citadel for certificate management, and Galley for configuration validation. The data plane consists of Envoy sidecars that execute traffic rules by intercepting and routing requests between services. Istiod never touches application traffic, only the sidecars do.
What is the role of a VirtualService in Istio?
What is the difference between a Gateway and a VirtualService in Istio?
+21 面接問題