
Mutual TLS for service communication in Kubernetes - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual
intermediate
What is the primary purpose of mutual TLS in Kubernetes service communication?

Mutual TLS (mTLS) is used between services in Kubernetes. What is its main goal?

A. To speed up network traffic between pods
B. To automatically restart pods on failure
C. To allow services to communicate without authentication
D. To encrypt traffic and verify both client and server identities
💡 Hint

Think about security and trust between two communicating services.

💻 Command Output
intermediate
What is the output of this command to check mTLS status in Istio?

Given the command istioctl authn tls-check myservice.default, what does the output STRICT mean?

istioctl authn tls-check myservice.default
A. The service does not use TLS at all
B. The service requires mutual TLS for all incoming connections
C. The service allows both TLS and plaintext connections
D. The service is currently down
💡 Hint

STRICT mode means strict enforcement of TLS.

Configuration
advanced
Which YAML snippet correctly enables mutual TLS for a Kubernetes service using Istio PeerAuthentication?

Choose the correct PeerAuthentication resource configuration to enforce mutual TLS for all workloads in the default namespace.

A
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
B
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: PERMISSIVE
C
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: default
spec:
  trafficPolicy:
    tls:
      mode: DISABLE
D
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default
  namespace: default
spec:
  action: DENY
💡 Hint

Look for the resource that controls mTLS enforcement at the workload level.

Troubleshoot
advanced
Why does a service fail to communicate over mTLS despite correct PeerAuthentication settings?

You have set mode: STRICT in PeerAuthentication, but the client pod logs show TLS handshake errors. What could be the cause?

A. The client pod does not have a sidecar proxy injected
B. The server pod is missing a label
C. The Kubernetes API server is down
D. The service port is not exposed
💡 Hint

mTLS requires proxies to handle certificates and encryption.

🔀 Workflow
expert
Order the steps to enable mutual TLS between two Kubernetes services using Istio

Arrange the following steps in the correct order to enable mutual TLS between two services in Kubernetes using Istio.

A. 1, 3, 2, 4
B. 2, 1, 3, 4
C. 1, 2, 3, 4
D. 3, 1, 2, 4
💡 Hint

Think about preparing the environment before deploying workloads.