You want to enforce mTLS only for service payments in namespace finance, but allow other services to accept plain traffic. Which PeerAuthentication config achieves this?

Difficulty: hard · Workflow Q15 of 15
Kubernetes - Service Mesh
A.
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: permissive-all
      namespace: finance
    spec:
      mtls:
        mode: PERMISSIVE

B.
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: finance-wide
      namespace: finance
    spec:
      mtls:
        mode: STRICT

C.
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: payments-mtls
      namespace: finance
    spec:
      selector:
        matchLabels:
          app: payments
      mtls:
        mode: STRICT

D.
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: payments-disable
      namespace: finance
    spec:
      selector:
        matchLabels:
          app: payments
      mtls:
        mode: DISABLE
Step-by-Step Solution
Solution:
  1. Understand the requirement

    Enforce mTLS STRICT only for the 'payments' service; allow the other services in 'finance' to keep accepting plain traffic.
  2. Analyze the options

    Option C:
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: payments-mtls
      namespace: finance
    spec:
      selector:
        matchLabels:
          app: payments
      mtls:
        mode: STRICT
    applies STRICT mode with a workload selector, so only pods labelled app: payments are affected.

    Option B:
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: finance-wide
      namespace: finance
    spec:
      mtls:
        mode: STRICT
    has no selector, so it enforces STRICT for the whole namespace; not desired.

    Option A:
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: permissive-all
      namespace: finance
    spec:
      mtls:
        mode: PERMISSIVE
    allows both mTLS and plaintext for all services; it does not enforce anything for payments.

    Option D:
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: payments-disable
      namespace: finance
    spec:
      selector:
        matchLabels:
          app: payments
      mtls:
        mode: DISABLE
    disables mTLS for payments, the opposite of the requirement.
  3. Final Answer:

    PeerAuthentication with a selector for payments and STRICT mode -> Option C
  4. Quick Check:

    Selector + STRICT = mTLS only for the selected service [OK]
    Workloads the selector does not match keep whatever applies to them otherwise, which is PERMISSIVE when no namespace-wide or mesh-wide policy is defined (Istio's default), so they still accept plain traffic.
Quick Trick: Use selector with STRICT mode for specific service enforcement [OK]
Common Mistakes:
  • Applying STRICT mode to whole namespace accidentally
  • Using DISABLE mode when enforcement is needed
  • Not using selector to target specific service
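To make the precedence behind the answer concrete, here is an added example (not part of the quiz, not Istio's own code) that models how Istio picks the effective mTLS mode for a pod: a workload-specific policy wins over a namespace-wide one, which wins over a mesh-wide one in the root namespace, and with no policy at all the mode is PERMISSIVE. It deliberately ignores port-level settings and overlapping selectors; the policy dicts and pod labels are constructed to mirror the quiz options.

```python
"""Simplified resolver for the effective PeerAuthentication mTLS mode.

Precedence modelled (workload > namespace > mesh > built-in default);
portLevelMtls and multiple matching selectors are intentionally omitted.
"""

MESH_ROOT_NAMESPACE = "istio-system"  # Istio's default root namespace
DEFAULT_MODE = "PERMISSIVE"           # mode when no policy applies at all


def matches(selector, labels):
    """True when every matchLabels entry is present on the pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def effective_mode(policies, namespace, labels):
    """Return the mTLS mode that applies to a pod in `namespace` with `labels`."""
    workload, ns_wide, mesh_wide = [], [], []
    for p in policies:
        meta, spec = p["metadata"], p["spec"]
        mode = spec.get("mtls", {}).get("mode", "UNSET")
        if mode == "UNSET":          # UNSET inherits from the parent scope
            continue
        if "selector" in spec:       # workload-specific policy
            if meta["namespace"] == namespace and matches(spec["selector"], labels):
                workload.append(mode)
        elif meta["namespace"] == namespace:
            ns_wide.append(mode)     # namespace-wide policy (no selector)
        elif meta["namespace"] == MESH_ROOT_NAMESPACE:
            mesh_wide.append(mode)   # mesh-wide policy in the root namespace
    for scope in (workload, ns_wide, mesh_wide):
        if scope:
            return scope[0]
    return DEFAULT_MODE


def policy(name, namespace, mode, app=None):
    """Build a PeerAuthentication dict shaped like the quiz options."""
    spec = {"mtls": {"mode": mode}}
    if app:
        spec["selector"] = {"matchLabels": {"app": app}}
    return {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


OPTION_C = [policy("payments-mtls", "finance", "STRICT", app="payments")]
OPTION_B = [policy("finance-wide", "finance", "STRICT")]

if __name__ == "__main__":
    for label, pols in (("C", OPTION_C), ("B", OPTION_B)):
        print(label, "payments:", effective_mode(pols, "finance", {"app": "payments"}),
              "ledger:", effective_mode(pols, "finance", {"app": "ledger"}))
```

Running it shows option C gives payments STRICT while a constructed 'ledger' pod stays PERMISSIVE, and option B gives both STRICT, which is the first common mistake listed above.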
