Istio is often used with microservices. What main job does Istio do?
Think about how microservices communicate and what challenges they face.
Istio acts as a service mesh that controls how microservices talk to each other. It adds security, monitoring, and traffic management without changing the microservices' code.
When you run istioctl install in your Kubernetes cluster, what is the expected result?
Think about what 'install' usually means in command-line tools.
The command istioctl install deploys Istio's control plane components, such as Pilot, into your Kubernetes cluster to enable the service mesh.
Put these steps in the correct order to enable automatic sidecar injection for a Kubernetes namespace.
Think about what must be ready before labeling and deploying.
First, Istio must be installed (3). Then label the namespace (1) to enable injection. Next, deploy pods (2) so they get the sidecar. Finally, verify the sidecar is present (4).
You labeled your namespace for automatic sidecar injection, but new pods do not have the Envoy sidecar. What is a likely cause?
Sidecar injection depends on a webhook component in Istio.
The automatic sidecar injection relies on a Kubernetes admission webhook. If this webhook is down or misconfigured, pods won't get the sidecar even if the namespace is labeled.
In a production environment, what is a recommended practice to enhance security with Istio?
Think about how to protect communication between services.
Enabling mutual TLS (mTLS) ensures that all traffic between microservices is encrypted and authenticated, which greatly improves security in production.