Ambient & Sidecarless Models
Can you use a Service Mesh without sidecars?
Discuss the architectural shift towards 'sidecar-less' or 'ambient' service mesh models. What problems do these newer models address compared to the traditional sidecar approach, and what are their tradeoffs?
How does ambient mesh interoperate with sidecars in the same environment?
How does Istio's Ambient Mode reduce overhead?
How does the security model (mTLS, L4/L7 authorization) differ between sidecar and ambient mode?
What is a waypoint proxy in ambient mode, and how does it differ in responsibilities from the ztunnel?
What is Cilium's eBPF-based service mesh, and how does it avoid per-pod sidecars?
What is HBONE and why is it important in Istio Ambient Mesh?
Mesh Implementations Comparison
Conceptually compare and contrast different service mesh implementations like Istio, Linkerd, and HashiCorp Consul Connect, highlighting their design philosophies and typical use cases.
How does Consul Connect's model of service mesh differ architecturally from Istio?
How does Linkerd's Rust micro-proxy differ from Envoy, and what tradeoffs does that design choice bring?
What are some alternatives to Istio, such as Linkerd or Consul Connect?
When would you choose Istio over other Service Meshes like Linkerd or Consul Connect?
When would you choose Linkerd over other Service Meshes?
Load Balancing & Service Discovery
Describe how a service mesh handles load balancing between service instances.
Explain how a service mesh can provide Layer 7 load balancing, and why this is more granular than Layer 4 load balancing.
How does a service mesh handle non-HTTP protocols like raw TCP or gRPC traffic?
How does a service mesh integrate with existing service discovery, and does it replace or augment Kubernetes DNS-based discovery?
What is locality-aware load balancing, and why is it valuable in a multi-zone or multi-region mesh?
What is the role of service discovery within a service mesh?
Sidecar Pattern & Injection
Describe the Sidecar Proxy pattern in a Service Mesh — what are its advantages and disadvantages in terms of functionality, performance, and operational overhead?
Explain the concept of automatic sidecar injection and its importance.
How does a service mesh typically intercept and manage traffic without requiring changes to application code?
How does the mutating admission webhook enable automatic sidecar injection in Kubernetes?
What is a sidecar proxy and what role does it play in a Service Mesh?
What ordering or race-condition problems can arise from sidecar container startup, and how are they addressed?
Performance Cost & Operations
Discuss the resource overhead in CPU, memory, and latency that a service mesh with sidecars can introduce, and how it can be mitigated.
How does a service mesh add per-request latency, and where in the request path does that overhead come from?
What are the costs and tradeoffs of adopting a Service Mesh, such as performance overhead, operational complexity, and learning curve?
What challenges have you faced while implementing a Service Mesh, and how did you resolve them?
What strategies do you follow to ensure smooth upgrades and compatibility when dealing with new Service Mesh versions?
Observability & Debugging
Explain how a service mesh aids in distributed tracing, and what are the responsibilities of the application versus the mesh in propagating trace context?
How can you monitor the performance of Istio itself?
How does a service mesh enhance observability by providing L7 metrics like request rate, error rates, and latency without modifying application code?
How does a tool like Kiali build and present the service topology or dependency graph?
How would you debug why traffic between two meshed services is failing, and what proxy-level tools help?
How would you use Istio's observability and monitoring capabilities?
What access logs does a service mesh emit, and how do they complement metrics and traces?
What kind of observability does a Service Mesh provide out-of-the-box, in terms of metrics, tracing, and logging?
Which trace-context headers (e.g. B3 or W3C traceparent) must applications propagate for mesh-assisted distributed tracing to work end-to-end?
Fundamentals & Value Proposition
Explain the concept of north-south versus east-west traffic in a distributed system, and how a service mesh primarily addresses one of these.
How does a service mesh differ from an API Gateway, and when would you use one over the other, or both?
How does a Service Mesh differ from traditional load balancing and traditional networking?
What is a service mesh, and what core problem does it aim to solve in a microservices architecture?
What is the Service Mesh Interface (SMI), and what problem does it try to standardize?
When considering API versioning across microservices, how can a service mesh assist in managing and coordinating these changes?
When is a service mesh truly necessary, and when might it be considered overkill for a given application or organization?
When should you install Istio in a Kubernetes cluster?
Why would you use a service mesh instead of implementing cross-cutting concerns like retries, timeouts, and security directly in application code or client-side libraries?
Resilience & Rate Limiting
Explain the concept of outlier detection in a service mesh and its purpose.
How can a service mesh enforce rate limiting at the mesh level?
How can retries in a service mesh cause retry storms, and how do retry budgets mitigate this?
How does a Service Mesh improve latency management in distributed systems?
How does a Service Mesh provide resilience features such as circuit breaking, retries, and timeouts?
What is fault injection in a service mesh, and how is it used for testing and improving system resilience?
What is the difference between circuit breaking and outlier detection in a service mesh?
What is the difference between local and global rate limiting in a service mesh?
Envoy & Xds Configuration
Explain the conceptual purpose of Envoy's xDS APIs (LDS, CDS, RDS, EDS) in dynamically configuring data plane proxies.
Explain the role of Envoy proxy in modern Service Mesh implementations and why Envoy is a popular choice.
What is Envoy, and why is it a popular choice as a data plane proxy in service meshes? Explain the conceptual role of xDS APIs (LDS, CDS, RDS, EDS) in dynamically configuring Envoy.
Where does Istio's Envoy proxy run in the architecture?
Architecture Control & Data Plane
Explain the fundamental architecture of a service mesh, differentiating between the data plane and the control plane.
How does the Control Plane dynamically configure the Data Plane proxies without downtime?
What are the key components of a Service Mesh control plane, such as Istiod and CRDs like VirtualService, DestinationRule, and Gateway?
What are the responsibilities of the Data Plane in a Service Mesh?
What happens to the data plane if the control plane becomes unavailable?
What is the conceptual mapping between Envoy's listeners, clusters, routes, and endpoints?
Which Istio component handles traffic management?
Traffic Management & Routing
How can you customize a Service Mesh's behavior through policies and routing rules?
How does a mesh control egress traffic, and why would you route it through an egress gateway?
How does a Service Mesh enable advanced traffic management features like canary deployments, blue-green deployments, weighted routing, and traffic mirroring?
How does a service mesh handle ingress and egress traffic for services within the mesh?
How does a service mesh perform request routing based on headers, paths, or other request attributes?
How does the Kubernetes Gateway API relate to a mesh's own traffic APIs, and why is the ecosystem shifting toward it?
What are DestinationRules in Istio, and why are they used?
What is a mesh (ingress) gateway, and how does it differ from a plain Kubernetes Ingress?
What is a ServiceEntry, and when would you need one to bring external services into the mesh?
What is an Istio VirtualService, and how does it differ from a DestinationRule?
What is the purpose of the Sidecar CRD, and how can it be used to limit a proxy's configuration scope?
What is traffic mirroring or shadowing in a service mesh, and when would you use it?
Security Identity & Mtls
How does a service mesh allow you to define and enforce service-to-service authorization policies?
How does a Service Mesh improve security in microservices communication?
How does a service mesh support workload identity and zero-trust networking?
How does Istio handle authentication and authorization?
What is mutual TLS (mTLS) in the context of a Service Mesh, why is it important, and how does the mesh enable it?
What is SPIFFE, and what is an SVID in the context of workload identity in a service mesh?
What is the difference between PeerAuthentication and AuthorizationPolicy in a service mesh?
What is the role of the mesh Certificate Authority in a service mesh, and how does it manage certificate issuance and rotation for workloads?
Multi Cluster & Hybrid Topologies
How does a service mesh expand to include VMs or workloads running outside Kubernetes?
How does a service mesh integrate with and extend Kubernetes networking capabilities?
How does a service mesh support multi-cluster or hybrid cloud environments?
What are the different approaches to multi-cluster mesh topologies, such as shared versus replicated control planes?