
[Golden Kubestronaut] ICA Practice Exam 80 Questions - Istio Certified Associate

Introduction

The ICA (Istio Certified Associate) exam validates your knowledge of Istio service mesh core concepts and practical usage. This post provides 80 questions organized by exam domain to help you prepare effectively.

Exam Domain Breakdown

Domain | Weight | Questions
Istio Installation & Configuration | 10% | 8
Traffic Management | 40% | 32
Resilience & Fault Injection | 10% | 8
Securing Workloads | 20% | 16
Observability | 10% | 8
Advanced Topics | 10% | 8

1. Istio Installation & Configuration (Questions 1-8)

Question 1: Which Istio installation profile is recommended as the default for production environments?
  • A) minimal
  • B) default
  • C) demo
  • D) preview

Answer: B) default

The default profile is recommended for production deployments (and for primary clusters in a multicluster mesh). It installs istiod and an Ingress Gateway. The demo profile adds an Egress Gateway, lowers resource requests for learning and testing, and turns on settings you would not want in production, such as 100% trace sampling and access logging to stdout. The minimal profile installs only istiod, and preview carries experimental features.

Question 2: What is the correct command to install Istio using istioctl?
  • A) istioctl apply --set profile=default
  • B) istioctl install --set profile=default
  • C) istioctl setup --profile=default
  • D) istioctl init --set profile=default

Answer: B) istioctl install --set profile=default

istioctl install is the standard method to install Istio on a cluster. The --set profile= flag specifies the installation profile. apply, setup, and init are not valid istioctl subcommands.

Question 3: Which field in the IstioOperator resource is used to disable a specific component?
  • A) spec.components.NAME.disabled: true
  • B) spec.components.NAME.enabled: false
  • C) spec.components.NAME.install: false
  • D) spec.values.NAME.enabled: false

Answer: B) spec.components.NAME.enabled: false

In the IstioOperator CRD, each component is listed under spec.components and is disabled by setting enabled: false on it. Gateways are lists, so each entry is identified by name: to disable the Ingress Gateway, set enabled: false on the entry named istio-ingressgateway under spec.components.ingressGateways.

Question 4: What is the correct way to install a new control plane version for revision-based canary upgrades?
  • A) istioctl install --set revision=canary
  • B) istioctl upgrade --canary
  • C) istioctl install --set tag=canary
  • D) istioctl canary install

Answer: A) istioctl install --set revision=canary

Revision-based canary upgrades use the --set revision= flag to install a second control plane (istiod-canary) alongside the existing one. Workloads move over by relabeling their namespaces with istio.io/rev=canary, removing the istio-injection=enabled label (it takes precedence over istio.io/rev), and restarting the pods so they are re-injected against the new revision.

Question 5: Which label enables automatic sidecar injection for a specific namespace?
  • A) sidecar.istio.io/inject: "true"
  • B) istio-injection: enabled
  • C) istio.io/sidecar: "true"
  • D) inject.istio.io: "true"

Answer: B) istio-injection: enabled

Setting the istio-injection: enabled label on a namespace enables automatic Envoy sidecar injection for all pods in that namespace. For revision-based installations, use the istio.io/rev=REVISION_NAME label instead.
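The manifest below ties Questions 3, 4 and 5 together: an IstioOperator that installs a revisioned control plane with one component disabled, followed by the namespace label that moves workloads onto that revision. It is an added example written for this post, not Istio's own sample; the revision name "canary" and the namespace "shop" are assumptions.

```yaml
# Added example (not from the original post). Revision name "canary" and
# namespace "shop" are assumed; any other names work the same way.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-canary
  namespace: istio-system
spec:
  profile: default          # production-oriented: istiod + ingress gateway
  revision: canary          # same as: istioctl install --set revision=canary
  components:
    egressGateways:
    - name: istio-egressgateway
      enabled: false        # spec.components.NAME.enabled: false disables it
---
# Revisioned injection: label with istio.io/rev and make sure the older
# istio-injection label is NOT present, because it takes precedence.
apiVersion: v1
kind: Namespace
metadata:
  name: shop
  labels:
    istio.io/rev: canary
```

Apply with istioctl install -f istio-canary.yaml, then kubectl rollout restart the deployments in the namespace so pods are re-injected. istioctl proxy-status lists the istiod instance each proxy is connected to, which is how you confirm a workload really moved to the canary revision before retiring the old control plane.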

Question 6: What is the primary purpose of the istioctl analyze command?
  • A) Analyze cluster network performance
  • B) Detect potential issues in Istio configuration
  • C) Analyze Envoy proxy memory usage
  • D) Analyze traffic patterns between services

Answer: B) Detect potential issues in Istio configuration

istioctl analyze performs static analysis on Istio configuration to detect potential issues, misconfigurations, and best practice violations. It can run against a live cluster or a set of local files.

Question 7: Which combination of legacy components does istiod unify?
  • A) Pilot, Mixer, Galley
  • B) Pilot, Citadel, Galley
  • C) Pilot, Citadel, Mixer
  • D) Envoy, Pilot, Citadel

Answer: B) Pilot, Citadel, Galley

Since Istio 1.5, istiod unifies Pilot (traffic management/xDS), Citadel (certificate management/CA), and Galley (configuration validation) into a single binary. Mixer was removed in Istio 1.8, and Envoy is the data plane proxy.

Question 8: What cannot be checked with the istioctl proxy-status command?
  • A) Synchronization state between proxies and istiod
  • B) xDS configuration version received by proxies
  • C) CPU/memory usage of proxies
  • D) CDS, LDS, EDS, RDS status of proxies

Answer: C) CPU/memory usage of proxies

istioctl proxy-status shows the xDS synchronization state (SYNCED, NOT SENT, STALE) for each proxy. It displays the sync status and version for CDS, LDS, EDS, and RDS, but resource usage must be checked via Prometheus metrics or kubectl top.


2. Traffic Management (Questions 9-40)

Question 9: What is the correct configuration to split traffic between two service versions in a VirtualService?
  • A) Define multiple destinations with weights in spec.http.route
  • B) Define ratios in spec.tcp.split
  • C) Define two targets in spec.http.mirror
  • D) Define ratios in spec.http.redirect

Answer: A) Define multiple destinations with weights in spec.http.route

In a VirtualService, define multiple destinations in spec.http[].route[] with weight for each to split traffic. For example, you can do canary deployments sending 80% to v1 and 20% to v2.

Question 10: Which fields are used to define a subset in a DestinationRule?
  • A) spec.subsets[].labels
  • B) spec.trafficPolicy.subsets
  • C) spec.host.subsets
  • D) spec.subsets[].name and spec.subsets[].labels

Answer: D) spec.subsets[].name and spec.subsets[].labels

A DestinationRule subset is identified by name and selects pods using labels. VirtualServices reference these subset names to route traffic accordingly.

Question 11: What is the role of the servers field in an Istio Gateway resource?
  • A) Define backend server addresses
  • B) Define the ports and protocols the gateway should listen on
  • C) Define server list for service discovery
  • D) Define the number of Envoy proxy servers

Answer: B) Define the ports and protocols the gateway should listen on

spec.servers[] in a Gateway defines the ports, protocols (HTTP/HTTPS/TCP etc.), and hostnames the gateway should listen on. TLS settings are also included here. Actual routing is handled by VirtualServices.

Question 12: What is the primary purpose of ServiceEntry?
  • A) Register services within the mesh
  • B) Add external services to the Istio service registry
  • C) Create Kubernetes Services
  • D) Modify DNS server configuration

Answer: B) Add external services to the Istio service registry

ServiceEntry adds entries to the Istio service registry for services the mesh does not discover on its own (external APIs, databases, VMs). Once registered, traffic to those hosts gets routing rules, TLS origination via DestinationRule, and telemetry like any in-mesh service. Combined with outboundTrafficPolicy mode REGISTRY_ONLY, ServiceEntry becomes an egress allow-list: anything not registered is blocked by the sidecar.

Question 13: Which field is used for HTTP header-based routing in a VirtualService?
  • A) spec.http[].match[].headers
  • B) spec.http[].route[].headers
  • C) spec.http[].filter.headers
  • D) spec.http[].headerMatch

Answer: A) spec.http[].match[].headers

The headers field in HTTP match conditions allows routing based on specific header values. It supports exact, prefix, and regex matching.

Question 14: What is the correct location for connection pool settings in a DestinationRule?
  • A) spec.trafficPolicy.connectionPool
  • B) spec.connectionPool
  • C) spec.policy.pool
  • D) spec.trafficPolicy.connections

Answer: A) spec.trafficPolicy.connectionPool

Connection pool settings live under spec.trafficPolicy.connectionPool, split into tcp and http sections. tcp covers maxConnections, connectTimeout and tcpKeepalive; http covers http1MaxPendingRequests, http2MaxRequests, maxRequestsPerConnection, maxRetries, idleTimeout and h2UpgradePolicy.

Question 15: What is the unit for the timeout setting in a VirtualService?
  • A) Milliseconds only
  • B) Seconds (e.g., "10s")
  • C) Minutes only
  • D) Integers only (no units)

Answer: B) Seconds (e.g., "10s")

spec.http[].timeout in a VirtualService takes a Duration such as "10s" or "500ms". Istio's default is disabled (no timeout at all, unlike plain Envoy's 15s), so calls to a hung upstream wait until the client gives up; set one explicitly. The value is translated into the Envoy route timeout.

Question 16: What is the correct way to configure URI rewrite in a VirtualService?
  • A) spec.http[].rewrite.uri
  • B) spec.http[].route[].rewrite
  • C) spec.http[].redirect.uri
  • D) spec.http[].transform.uri

Answer: A) spec.http[].rewrite.uri

The spec.http[].rewrite field allows rewriting uri and authority. Rewrite proxies the request while changing the URI, whereas redirect returns a 3xx response to the client.

Question 17: What is the format of the hosts field in a Sidecar resource egress setting?
  • A) Service names only (e.g., "reviews")
  • B) namespace/hostname format (e.g., "./*", "istio-system/*")
  • C) IP addresses only
  • D) URL format (e.g., "http://reviews:9080")

Answer: B) namespace/hostname format (e.g., "./*", "istio-system/*")

Sidecar egress.hosts entries use the "namespace/dnsName" form, where dnsName may be a wildcard: "./*" means every service in the Sidecar's own namespace, "istio-system/*" every service in istio-system, and "shop/reviews.shop.svc.cluster.local" a single service. Limiting what each proxy knows about shrinks its listener and cluster configuration (and therefore memory), and also shrinks what a compromised pod can reach through its sidecar.

Question 18: Which field is used to configure traffic mirroring (shadowing) in a VirtualService?
  • A) spec.http[].mirror
  • B) spec.http[].shadow
  • C) spec.http[].duplicate
  • D) spec.http[].copy

Answer: A) spec.http[].mirror

spec.http[].mirror mirrors (duplicates) traffic to another service. Mirrored requests are sent in a "fire and forget" manner, and responses are ignored. Use mirrorPercentage to control the mirroring ratio.

Question 19: What is required when setting TLS to SIMPLE mode in a Gateway resource?
  • A) Client certificate only
  • B) Server certificate and private key
  • C) CA certificate only
  • D) No certificates needed

Answer: B) Server certificate and private key

SIMPLE is one-way TLS: the gateway presents a server certificate and private key, referenced through credentialName (a kubernetes.io/tls Secret in the gateway's namespace, usually istio-system). MUTUAL additionally needs a CA certificate (the ca.crt key of that Secret) so the gateway can verify client certificates, and PASSTHROUGH forwards the TLS stream without terminating it.

Question 20: Which field is used for regex-based URI matching in a VirtualService?
  • A) spec.http[].match[].uri.regex
  • B) spec.http[].match[].uri.pattern
  • C) spec.http[].match[].uri.regexp
  • D) spec.http[].match[].uri.match

Answer: A) spec.http[].match[].uri.regex

The regex field in URI matching uses RE2 regular expression syntax. Three matching methods are supported: exact, prefix, and regex.

Question 21: Which is NOT a supported load balancing algorithm in DestinationRule?
  • A) ROUND_ROBIN
  • B) LEAST_CONN
  • C) RANDOM
  • D) WEIGHTED_RESPONSE_TIME

Answer: D) WEIGHTED_RESPONSE_TIME

Istio's DestinationRule simple load balancers are ROUND_ROBIN, LEAST_REQUEST, RANDOM and PASSTHROUGH; when nothing is specified Istio picks LEAST_REQUEST, and LEAST_CONN is a deprecated alias for it kept for compatibility. Session affinity uses consistentHash instead. WEIGHTED_RESPONSE_TIME is not an Istio option.

Question 22: Which is NOT a supported hash key for consistentHash load balancing?
  • A) httpHeaderName
  • B) httpCookie
  • C) useSourceIp
  • D) httpMethod

Answer: D) httpMethod

consistentHash supports httpHeaderName, httpCookie, useSourceIp, and httpQueryParameterName as hash keys. HTTP method (GET, POST, etc.) cannot be used as a hash key.

Question 23: What is the correct way to bind a VirtualService to a Gateway?
  • A) Set both spec.hosts and spec.gateways
  • B) Set only spec.hosts
  • C) Set spec.gateway (singular)
  • D) Use spec.bind to reference the Gateway

Answer: A) Set both spec.hosts and spec.gateways

To bind a VirtualService to a Gateway, specify the Gateway name in spec.gateways[] and set hosts in spec.hosts[] matching the Gateway server hosts. Add "mesh" to gateways to also apply to internal mesh traffic.
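One manifest that exercises most of Questions 9 through 23 together: a Gateway terminating TLS, a VirtualService bound to it with header-based canary routing, a rewrite, a timeout, header manipulation, CORS and a weighted split, and the DestinationRule that defines the subsets. This is an added example written for this post, not Istio's Bookinfo sample; the host shop.example.com, the Secret name, the namespace "shop" and the service "reviews" with versions v1/v2 are assumptions, and the apiVersion assumes Istio 1.22 or later (older releases use networking.istio.io/v1beta1).

```yaml
# Added example (not from the original post). Hostnames, Secret and service
# names are assumed.
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: shop-gateway
  namespace: shop
spec:
  selector:
    istio: ingressgateway                   # spec.selector: which gateway pods take this config
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "shop.example.com"
    tls:
      mode: SIMPLE                          # one-way TLS: server cert + key only
      credentialName: shop-example-com-tls  # kubernetes.io/tls Secret next to the gateway pods
      minProtocolVersion: TLSV1_2
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: reviews
  namespace: shop
spec:
  hosts:
  - "shop.example.com"                      # must match a Gateway server host
  gateways:
  - shop-gateway                            # add "mesh" to apply the same rules in-mesh
  http:
  - name: canary-by-header                  # rules evaluated top to bottom, first match wins
    match:
    - uri:                                  # uri AND header inside one match block
        prefix: /api/reviews
      headers:
        x-canary:
          exact: "true"
    rewrite:
      uri: /reviews
    route:
    - destination:
        host: reviews
        subset: v2
  - name: default-split
    match:
    - uri:
        prefix: /api/reviews
    rewrite:
      uri: /reviews
    timeout: 5s                             # Duration: "5s", "500ms"
    corsPolicy:
      allowOrigins:
      - exact: https://shop.example.com
      allowMethods: ["GET", "POST"]
      allowHeaders: ["authorization", "content-type"]
      maxAge: 24h
    headers:
      request:
        set:
          x-forwarded-proto: https
      response:
        remove:
        - x-powered-by                      # strip a framework-revealing header
    route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v2
      weight: 10
  - name: everything-else                   # no match: catch-all, kept last
    redirect:
      uri: /api/reviews                     # redirectCode defaults to 301
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: reviews
  namespace: shop
spec:
  host: reviews
  trafficPolicy:
    loadBalancer:
      simple: LEAST_REQUEST
    tls:
      mode: ISTIO_MUTUAL                    # Istio-managed mTLS to the backends
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
```

Run istioctl analyze -n shop after applying: it flags the common mistakes here, such as a VirtualService subset with no matching DestinationRule, or hosts that no Gateway server declares.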

Question 24: How do you apply a VirtualService rule only to traffic from a specific source workload?
  • A) spec.http[].match[].sourceLabels
  • B) spec.http[].match[].source
  • C) spec.http[].from
  • D) spec.http[].match[].sourceNamespace and spec.http[].match[].sourceLabels

Answer: D) spec.http[].match[].sourceNamespace and spec.http[].match[].sourceLabels

Match conditions support sourceLabels to match the source workload labels and sourceNamespace to restrict the source namespace. This allows applying different routing rules only to requests from specific services.

Question 25: What is the correct location for adding/modifying request headers in a VirtualService?
  • A) spec.http[].headers.request.set
  • B) spec.http[].route[].headers.request
  • C) spec.http[].addHeaders
  • D) spec.http[].requestHeaders

Answer: A) spec.http[].headers.request.set

The headers field in VirtualService allows set (overwrite), add, and remove operations for both request and response headers. Header manipulation is also possible at the route level.

Question 26: What happens when the resolution field is set to STATIC in a ServiceEntry?
  • A) Endpoints are resolved via DNS
  • B) IP addresses specified in the endpoints field are used directly
  • C) References a Kubernetes Service inside the mesh
  • D) mTLS is disabled and plaintext communication is used

Answer: B) IP addresses specified in the endpoints field are used directly

With resolution STATIC, the IP addresses listed in endpoints are used as-is. DNS resolves the hosts (or endpoint addresses) periodically through the proxy's DNS resolver, and NONE performs no resolution: the proxy forwards to whatever IP the client already connected to, without load balancing.

Question 27: What is the default response code for HTTP redirect in a VirtualService?
  • A) 301 (Moved Permanently)
  • B) 302 (Found)
  • C) 307 (Temporary Redirect)
  • D) 308 (Permanent Redirect)

Answer: A) 301 (Moved Permanently)

The default redirect code in spec.http[].redirect is 301 when redirectCode is not specified. You can explicitly set 301, 302, 303, 307, or 308 using the redirectCode field.

Question 28: What does the TLS mode ISTIO_MUTUAL mean in a DestinationRule?
  • A) mTLS with manually specified certificates
  • B) mTLS automatically managed by Istio
  • C) Plaintext communication without TLS
  • D) One-way TLS only

Answer: B) mTLS automatically managed by Istio

ISTIO_MUTUAL uses certificates automatically provisioned by Istio CA (Citadel). MUTUAL requires manually specifying certificates, SIMPLE is one-way TLS, and DISABLE turns off TLS.

Question 29: Which field in a Gateway resource selects specific workloads?
  • A) spec.workloadSelector
  • B) spec.selector
  • C) spec.podSelector
  • D) spec.targetRef

Answer: B) spec.selector

The spec.selector in a Gateway uses matchLabels to select which Istio Ingress/Egress Gateway pods this Gateway configuration applies to. Typically uses the istio: ingressgateway label.

Question 30: What is the purpose of delegate in a VirtualService?
  • A) Delegate routing rules to another VirtualService
  • B) Delegate service account permissions
  • C) Delegate TLS certificate management
  • D) Delegate metric collection to another component

Answer: A) Delegate routing rules to another VirtualService

delegate hands the routing for a matched request (typically a path prefix) to another VirtualService, so teams can own the rules for their own paths while a single root VirtualService owns the host and gateway binding. The delegate VirtualService must not set hosts or gateways itself; it is reached only through delegate references.

Question 31: What is the default value of the exportTo field in a VirtualService?
  • A) "." (current namespace only)
  • B) "*" (all namespaces)
  • C) "~" (not exported anywhere)
  • D) No default (required field)

Answer: B) "*" (all namespaces)

The default value of exportTo is "*", which exports to all namespaces. "." means current namespace only, and "~" means no export. You can also specify particular namespaces.

Question 32: What does TLS PASSTHROUGH mode do in a Gateway?
  • A) Terminates TLS and forwards plaintext to backend
  • B) Passes TLS connections through to the backend without termination
  • C) Upgrades to mTLS before forwarding to backend
  • D) Terminates TLS and re-encrypts with new TLS

Answer: B) Passes TLS connections through to the backend without termination

In PASSTHROUGH mode the gateway does not terminate TLS; it reads the SNI from the ClientHello and routes the raw TLS stream according to a VirtualService tls rule with sniHosts. This is used when the backend must handle TLS itself. Because the gateway never sees the plaintext, it cannot apply HTTP-level routing, header manipulation or path-based AuthorizationPolicy to that traffic.
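A Gateway that redirects plain HTTP and passes HTTPS through to a backend that terminates TLS itself (Questions 27 and 32), as an added example written for this post rather than an Istio sample. The hostname vault.example.com and the backend service vault.vault.svc.cluster.local on port 8200 are assumptions; apiVersion assumes Istio 1.22 or later.

```yaml
# Added example (not from the original post). Hostname and backend are assumed.
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: vault-passthrough
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "vault.example.com"
    tls:
      httpsRedirect: true          # 301 to https:// for every plaintext request
  - port:
      number: 443
      name: tls-passthrough
      protocol: TLS                # not HTTPS: the gateway will not terminate
    hosts:
    - "vault.example.com"
    tls:
      mode: PASSTHROUGH            # route by SNI, keep the stream encrypted end to end
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: vault-passthrough
  namespace: istio-system
spec:
  hosts:
  - "vault.example.com"
  gateways:
  - vault-passthrough
  tls:                             # tls rules, not http: only L4 attributes are visible
  - match:
    - port: 443
      sniHosts:
      - vault.example.com
    route:
    - destination:
        host: vault.vault.svc.cluster.local
        port:
          number: 8200
```

Because the stream stays encrypted, an AuthorizationPolicy on the gateway can only match connection-level attributes such as connection.sni and source IP; any per-path or per-identity authorization has to happen at the backend.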

Question 33: What happens when a VirtualService route is defined without any match conditions?
  • A) An error occurs
  • B) The routing rule applies to all requests
  • C) The rule applies to no requests
  • D) Only default routing applies

Answer: B) The routing rule applies to all requests

An HTTP route without match conditions matches all requests. This serves as a "catch-all" rule and is typically placed as the last rule in a VirtualService.

Question 34: Which is NOT a primary use of the Sidecar resource?
  • A) Limiting inbound/outbound traffic scope of sidecars
  • B) Optimizing Envoy memory usage
  • C) Specifying protocols for specific ports
  • D) Configuring mTLS mode between workloads

Answer: D) Configuring mTLS mode between workloads

The Sidecar resource limits the visibility scope of sidecar proxies to save memory and fine-tunes inbound/outbound listeners. mTLS mode configuration is handled by PeerAuthentication and DestinationRule.

Question 35: How are multiple match conditions evaluated in a VirtualService?
  • A) All conditions are combined with AND
  • B) All conditions are combined with OR
  • C) Conditions within the same match block are AND; different match blocks are OR
  • D) Only one is evaluated based on priority

Answer: C) Conditions within the same match block are AND; different match blocks are OR

Conditions within a single match block (headers, uri, method, etc.) are combined with AND. Multiple match blocks are evaluated with OR, so if any match block matches, the corresponding route is applied.

Question 36: What does it mean when the location field is MESH_INTERNAL in a ServiceEntry?
  • A) The service is outside the mesh
  • B) The service is inside the mesh but not a Kubernetes Service
  • C) The service is only accessible from the local proxy
  • D) The service is only exposed in the same namespace

Answer: B) The service is inside the mesh but not a Kubernetes Service

MESH_INTERNAL marks the service as part of the mesh even though it is not a Kubernetes Service (for example a VM running istio-agent); Istio then expects its endpoints to speak mTLS. MESH_EXTERNAL marks services outside the mesh (external APIs and the like), which are reached without mTLS and, if needed, with TLS origination configured in a DestinationRule.
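The three resources below combine Questions 12, 17, 26 and 36: a MESH_EXTERNAL ServiceEntry resolved by DNS, a MESH_INTERNAL one with STATIC endpoints, and a Sidecar that restricts each proxy's egress to the registry. This is an added example written for this post, not an Istio sample; the hostnames, the 10.20.0.x addresses and the namespace "shop" are assumptions, and apiVersion assumes Istio 1.22 or later.

```yaml
# Added example (not from the original post). Hosts, addresses and the
# namespace are assumed.
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: payments-api-external
  namespace: shop
spec:
  hosts:
  - api.payments.example.com
  location: MESH_EXTERNAL        # no sidecar on the far side, no mTLS expected
  resolution: DNS                # endpoints come from DNS lookups of the host
  ports:
  - number: 443
    name: tls
    protocol: TLS
  exportTo:
  - "."                          # visible only in this namespace, not mesh-wide
---
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: legacy-db
  namespace: shop
spec:
  hosts:
  - legacy-db.shop.internal
  location: MESH_INTERNAL        # treated as a mesh member: endpoints must run istio-agent
  resolution: STATIC             # use the listed IPs as-is
  ports:
  - number: 5432
    name: tcp-postgres
    protocol: TCP
  endpoints:
  - address: 10.20.0.15
  - address: 10.20.0.16
---
apiVersion: networking.istio.io/v1
kind: Sidecar
metadata:
  name: default                  # one Sidecar per namespace without a selector
  namespace: shop
spec:
  egress:
  - hosts:
    - "./*"                      # every service in this namespace (incl. the entries above)
    - "istio-system/*"           # the control plane and gateways
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY          # anything not in the registry is dropped by the sidecar
```

With REGISTRY_ONLY, a curl from a pod in shop to a host that has no ServiceEntry is rejected by the sidecar (HTTP traffic gets a 502 from the BlackHoleCluster), which turns the registry into an explicit egress allow-list. istioctl proxy-config cluster POD -n shop shows which clusters the proxy actually knows about after the Sidecar scoping.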

Question 37: What does the attempts field mean in VirtualService retries settings?
  • A) Total number of request attempts (including original)
  • B) Number of retries after the original request fails
  • C) Number of concurrent retries
  • D) Maximum retries per second

Answer: B) Number of retries after the original request fails

retries.attempts is the number of additional tries after the original request fails. With attempts: 3, up to 4 requests (1 original + 3 retries) may be sent, bounded by the route timeout and perTryTimeout. retryOn selects the conditions. When no retries stanza is set, Istio applies its own default of 2 retries on connect-failure, refused-stream, unavailable, cancelled and retriable-status-codes.

Question 38: Which is NOT a valid value for the applyTo field in an EnvoyFilter resource?
  • A) CLUSTER
  • B) LISTENER
  • C) ROUTE_CONFIGURATION
  • D) SERVICE

Answer: D) SERVICE

EnvoyFilter applyTo supports CLUSTER, LISTENER, ROUTE_CONFIGURATION, NETWORK_FILTER, HTTP_FILTER, HTTP_ROUTE, VIRTUAL_HOST, and more. SERVICE is not a valid value.

Question 39: What is the correct location for setting corsPolicy in a VirtualService?
  • A) spec.http[].corsPolicy
  • B) spec.corsPolicy
  • C) spec.http[].route[].corsPolicy
  • D) spec.http[].headers.cors

Answer: A) spec.http[].corsPolicy

CORS policy is configured at spec.http[].corsPolicy. You can set allowOrigins, allowMethods, allowHeaders, exposeHeaders, maxAge, and more.

Question 40: In what order are HTTP routes applied in a VirtualService?
  • A) Alphabetical order
  • B) Creation time order
  • C) Defined order (top to bottom, first match applies)
  • D) Descending order by weight value

Answer: C) Defined order (top to bottom, first match applies)

HTTP rules in a VirtualService are evaluated in the order they are defined, and the first matching rule is applied. Therefore, more specific rules should be placed first.


3. Resilience & Fault Injection (Questions 41-48)

Question 41: What does consecutive5xxErrors mean in DestinationRule outlierDetection (circuit breaker)?
  • A) 5xx error rate threshold
  • B) Consecutive 5xx error count threshold
  • C) Total cumulative 5xx errors
  • D) Number of errors in 5 seconds

Answer: B) Consecutive 5xx error count threshold

consecutive5xxErrors is the threshold for consecutive 5xx errors returned by an endpoint. When exceeded, that endpoint is temporarily removed (ejected) from the load balancing pool.

Question 42: What does baseEjectionTime mean in outlierDetection?
  • A) Wait time before circuit breaker activates
  • B) Minimum time an endpoint is removed from the pool
  • C) Error detection interval
  • D) Duration the entire circuit stays open

Answer: B) Minimum time an endpoint is removed from the pool

baseEjectionTime (default 30s) is the base duration an endpoint is ejected from the load balancing pool. The actual ejection time is baseEjectionTime multiplied by the number of times that endpoint has been ejected, so a flapping endpoint stays out longer each time. maxEjectionPercent (default 10%) caps how much of the pool can be ejected at once so outlier detection cannot empty it.

Question 43: What is the correct format for configuring delay fault injection in a VirtualService?
  • A) spec.http[].fault.delay.fixedDelay and spec.http[].fault.delay.percentage
  • B) spec.http[].delay.time
  • C) spec.http[].fault.latency
  • D) spec.http[].inject.delay

Answer: A) spec.http[].fault.delay.fixedDelay and spec.http[].fault.delay.percentage

Fault injection delay uses fixedDelay for the delay duration and percentage.value for the percentage of requests affected. For example, fixedDelay: 5s with percentage.value: 10 adds a 5-second delay to 10% of requests.

Question 44: What does the httpStatus field specify in a fault injection abort?
  • A) The status code that triggers the abort
  • B) The HTTP status code returned to the client
  • C) The health status code of the backend service
  • D) An internal proxy status code

Answer: B) The HTTP status code returned to the client

fault.abort.httpStatus specifies the HTTP status code (e.g., 500, 503) to return to the client when aborting the request. Used with percentage.value to intentionally fail a percentage of requests.

Question 45: What is the role of http1MaxPendingRequests in DestinationRule connectionPool?
  • A) Maximum number of HTTP/1.1 connections
  • B) Maximum number of requests pending while waiting for a connection
  • C) Maximum requests per second
  • D) Maximum idle connections

Answer: B) Maximum number of requests pending while waiting for a connection

http1MaxPendingRequests is the maximum number of requests queued while waiting for a connection from the pool. When the queue is full, Envoy's circuit breaker rejects further requests immediately with 503 and records the UO (upstream overflow) response flag in the access log. The default is 2^32-1 (effectively unlimited), so the limit only exists if you set it.

Question 46: What does the interval field mean in outlierDetection?
  • A) Interval for re-checking after ejection
  • B) Frequency of analyzing error statistics
  • C) Health check interval
  • D) Endpoint refresh interval for the load balancer

Answer: B) Frequency of analyzing error statistics

interval is the time interval between outlier detection analysis sweeps. The default is 10 seconds. At each interval, error statistics for each endpoint are checked to determine ejection.

Question 47: Which is NOT a valid retryOn condition in VirtualService retries?
  • A) 5xx
  • B) gateway-error
  • C) connect-failure
  • D) client-error

Answer: D) client-error

Valid retryOn conditions include 5xx, gateway-error, connect-failure, retriable-4xx, refused-stream, retriable-status-codes, reset, and retriable-headers. client-error is not a valid retryOn condition.

Question 48: What does maxRequestsPerConnection mean in DestinationRule connectionPool?
  • A) Maximum requests for the entire cluster
  • B) Maximum requests per connection before it is closed
  • C) Maximum requests per connection per second
  • D) Maximum concurrent requests per connection

Answer: B) Maximum requests per connection before it is closed

maxRequestsPerConnection is the maximum number of requests a single connection can handle. When reached, the connection is closed and a new one is created. Setting it to 1 effectively disables Keep-Alive.
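A VirtualService and DestinationRule that put Questions 18 and 41 through 48 in one place: fault injection gated by a header so it cannot hit ordinary traffic, mirroring, bounded retries, connection pool limits and outlier detection. This is an added example written for this post, not an Istio sample; the service "ratings" with subsets v1/v2 in namespace "shop" and the header name x-chaos are assumptions, and apiVersion assumes Istio 1.22 or later.

```yaml
# Added example (not from the original post). Service, subset and header
# names are assumed.
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: ratings
  namespace: shop
spec:
  hosts:
  - ratings
  http:
  - name: chaos                       # only requests carrying x-chaos: "true" see faults
    match:
    - headers:
        x-chaos:
          exact: "true"
    fault:
      delay:
        percentage:
          value: 10                   # 10% of matched requests wait 5s
        fixedDelay: 5s
      abort:
        percentage:
          value: 5                    # 5% of matched requests get a 503 immediately
        httpStatus: 503
    route:
    - destination:
        host: ratings
        subset: v1
  - name: default
    route:
    - destination:
        host: ratings
        subset: v1
    mirror:
      host: ratings
      subset: v2                      # fire-and-forget copy; v2's response is discarded
    mirrorPercentage:
      value: 20
    timeout: 4s                       # overall budget for original + retries
    retries:
      attempts: 3                     # 3 retries, so at most 4 requests in total
      perTryTimeout: 1s
      retryOn: 5xx,connect-failure,reset
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: ratings
  namespace: shop
spec:
  host: ratings
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 10   # queue of 10, then 503 with response flag UO
        http2MaxRequests: 100
        maxRequestsPerConnection: 1   # disables keep-alive
        maxRetries: 3                 # retry budget across all hosts of this cluster
    outlierDetection:
      consecutive5xxErrors: 5         # eject after 5 consecutive 5xx from one endpoint
      interval: 10s                   # sweep frequency
      baseEjectionTime: 30s           # 30s, 60s, 90s ... on repeated ejections
      maxEjectionPercent: 50
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
```

Two points a practitioner checks before shipping this: retries on 5xx re-send the body, so keep them off routes with non-idempotent POSTs, and mirrored requests reach v2 with the same headers as the original, including any Authorization header, so the mirror target must be treated as trusted as the primary.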


4. Securing Workloads (Questions 49-64)

Question 49: What does STRICT mTLS mode mean in PeerAuthentication?
  • A) mTLS is completely disabled
  • B) Only mTLS connections are accepted; plaintext is rejected
  • C) Both mTLS and plaintext are accepted
  • D) mTLS is applied selectively

Answer: B) Only mTLS connections are accepted; plaintext is rejected

In STRICT mode, only mTLS connections are accepted. Plaintext requests from services without sidecars are rejected. PERMISSIVE accepts both mTLS and plaintext, and DISABLE turns off mTLS.

Question 50: When is PERMISSIVE mode useful in PeerAuthentication?
  • A) Production environments where security is top priority
  • B) When services with and without sidecars coexist
  • C) When communicating with external APIs
  • D) When managing certificates manually

Answer: B) When services with and without sidecars coexist

PERMISSIVE mode accepts both mTLS and plaintext traffic. It is especially useful during migration when sidecar injection is being gradually applied. Switch to STRICT after all services have sidecars.

Question 51: What is the evaluation order when an AuthorizationPolicy has a DENY action?
  • A) ALLOW first, then DENY
  • B) DENY first, then ALLOW
  • C) CUSTOM first, then DENY, then ALLOW
  • D) All policies evaluated simultaneously

Answer: C) CUSTOM first, then DENY, then ALLOW

AuthorizationPolicy evaluation order is CUSTOM -> DENY -> ALLOW. If a matching CUSTOM policy's provider denies, the request is rejected. If any DENY policy matches, the request is rejected. If no ALLOW policy exists for the workload at all, the request is allowed. Otherwise, if any ALLOW policy matches, it is allowed, and if none matches, it is denied.

Question 52: What settings are needed to validate JWT tokens in RequestAuthentication?
  • A) spec.jwtRules[].issuer and spec.jwtRules[].jwksUri
  • B) spec.jwt.secret
  • C) spec.authentication.token
  • D) spec.rules[].jwt.key

Answer: A) spec.jwtRules[].issuer and spec.jwtRules[].jwksUri

RequestAuthentication uses jwtRules with issuer (token issuer) and jwksUri (public key set URL) to validate JWT tokens. Inline keys can also be provided via jwks.

Question 53: How does an AuthorizationPolicy behave when rules are empty (empty spec)?
  • A) All requests are allowed
  • B) All requests are denied
  • C) The policy is ignored
  • D) An error occurs

Answer: B) All requests are denied

An AuthorizationPolicy whose action is ALLOW (the default) and whose rules list is empty matches nothing, so once such a policy exists every request to the selected workloads is denied; a bare spec: {} in a namespace is the standard "allow-nothing" starting point. With action DENY, an empty rules list also matches nothing and therefore denies nothing; to deny everything with DENY you need a single empty rule (rules: [{}]), which matches every request.

Question 54: What format does the source.principals field use in AuthorizationPolicy?
  • A) Kubernetes ServiceAccount name
  • B) SPIFFE ID format (e.g., "cluster.local/ns/NAMESPACE/sa/SERVICE_ACCOUNT")
  • C) Pod IP address
  • D) Username

Answer: B) SPIFFE ID format (e.g., "cluster.local/ns/NAMESPACE/sa/SERVICE_ACCOUNT")

source.principals uses SPIFFE-format peer identities. In Istio, each workload receives a SPIFFE ID based on its Kubernetes ServiceAccount. Wildcards (*) are also supported.

Question 55: What is the default validity period for workload certificates in Istio?
  • A) 1 hour
  • B) 12 hours
  • C) 24 hours
  • D) 7 days

Answer: C) 24 hours

The default validity period for the X.509 certificates issued to workloads is 24 hours. istio-agent rotates them well before expiry (by default once about half the lifetime has elapsed) and pushes the new certificate to Envoy over SDS, so no pod restart is needed. The TTL is controlled on istiod through the DEFAULT_WORKLOAD_CERT_TTL environment variable.

Question 56: In which namespace should PeerAuthentication be created to apply mesh-wide?
  • A) default
  • B) kube-system
  • C) istio-system
  • D) Create individually in all namespaces

Answer: C) istio-system

Creating PeerAuthentication in the istio-system namespace (or the Istio root namespace) applies it mesh-wide. Namespace-level policies apply to all workloads in that namespace, and workload-level policies have the highest precedence.

Question 57: What can be restricted using the operation.methods field in AuthorizationPolicy?
  • A) Kubernetes API methods
  • B) HTTP methods (GET, POST, etc.)
  • C) gRPC methods
  • D) Envoy internal methods

Answer: B) HTTP methods (GET, POST, etc.)

operation.methods controls access by HTTP method (GET, POST, PUT, DELETE, etc.), and can be combined with operation.paths and operation.ports. gRPC calls always use POST, so to restrict a gRPC method match its path in the /package.Service/Method form with operation.paths instead.

Question 58: How does source.namespaces work in AuthorizationPolicy?
  • A) Filters based on the source pod namespace
  • B) Filters based on the destination pod namespace
  • C) References the service registry namespace
  • D) Checks the Kubernetes Namespace resource labels

Answer: A) Filters based on the source pod namespace

source.namespaces controls access based on the namespace of the source workload sending the request. Since the source identity is verified through mTLS, mTLS must be enabled.

Question 59: How do you configure per-port mTLS mode in PeerAuthentication?
  • A) Map port numbers and modes in spec.portLevelMtls
  • B) Specify port list in spec.mtls.ports
  • C) Select ports with spec.selector.ports
  • D) Per-port configuration is not supported

Answer: A) Map port numbers and modes in spec.portLevelMtls

spec.portLevelMtls maps a container port number to its own mTLS mode and is only honored when the policy has a workload selector; it is ignored on namespace-wide and mesh-wide policies. The typical use is keeping STRICT for application ports while setting PERMISSIVE or DISABLE on a metrics or health-check port that a sidecar-less scraper has to reach.
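A mesh-wide STRICT policy plus a workload-level exception for a scrape port, covering Questions 49, 56 and 59. This is an added example written for this post, not an Istio sample; the workload label app: metrics-exporter, the port 9100 and the namespace "shop" are assumptions, and apiVersion assumes Istio 1.22 or later.

```yaml
# Added example (not from the original post). Workload label, port and
# namespace are assumed.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system        # root namespace: applies mesh-wide
spec:
  mtls:
    mode: STRICT                 # plaintext from sidecar-less clients is rejected
---
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: metrics-exporter
  namespace: shop
spec:
  selector:                      # required for portLevelMtls to take effect
    matchLabels:
      app: metrics-exporter
  mtls:
    mode: STRICT                 # every other port stays STRICT
  portLevelMtls:
    9100:
      mode: PERMISSIVE           # scrape port reachable by a sidecar-less Prometheus
```

PERMISSIVE on the one port is preferable to DISABLE because mesh clients still get mTLS there; only the sidecar-less scraper falls back to plaintext. Verify the result with istioctl experimental describe pod POD -n shop, which prints the effective PeerAuthentication for each port.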

Question 60: What is the purpose of the CUSTOM action in AuthorizationPolicy?
  • A) Return custom HTTP status codes
  • B) Delegate authorization decisions to an external service (e.g., OPA)
  • C) Custom logging
  • D) Custom metric generation

Answer: B) Delegate authorization decisions to an external service (e.g., OPA)

The CUSTOM action delegates the decision to an external authorization provider named in spec.provider.name, which must correspond to an entry in meshConfig.extensionProviders (envoyExtAuthzHttp or envoyExtAuthzGrpc). OPA (Open Policy Agent), OAuth2 Proxy and similar services can sit behind it. The check fails closed by default: if the provider is unreachable the request is denied unless failOpen is set on the provider.
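The provider declaration and the CUSTOM policy that references it, as an added example written for this post rather than an Istio sample. The provider name opa-ext-authz, the service opa-ext-authz-grpc.opa.svc.cluster.local on port 9191, the workload label app: httpbin and the namespace "shop" are assumptions; apiVersion of the policy assumes Istio 1.22 or later.

```yaml
# Added example (not from the original post). Provider, service and workload
# names are assumed.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    extensionProviders:
    - name: opa-ext-authz                    # referenced by spec.provider.name below
      envoyExtAuthzGrpc:
        service: opa-ext-authz-grpc.opa.svc.cluster.local
        port: "9191"
        # failOpen defaults to false: provider unreachable => request denied
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: httpbin-ext-authz
  namespace: shop
spec:
  selector:
    matchLabels:
      app: httpbin
  action: CUSTOM
  provider:
    name: opa-ext-authz
  rules:                                     # only matching requests are sent to the provider
  - to:
    - operation:
        paths: ["/admin/*"]
```

The rules here scope which requests consult OPA; everything else never leaves the sidecar. The CUSTOM result is evaluated before any DENY and ALLOW policies, so an OPA "allow" can still be overridden by a DENY policy on the same workload.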

Question 61: How are requests without JWT tokens handled in RequestAuthentication?
  • A) Always rejected
  • B) Always accepted
  • C) Accepted but treated as unauthenticated
  • D) Returns 500 error

Answer: C) Accepted but treated as unauthenticated

RequestAuthentication validates a JWT when one is present and rejects requests whose token is invalid. Requests without any token are still accepted, just without an authenticated request principal. To require a token, add an ALLOW AuthorizationPolicy with source.requestPrincipals set to ["*"] (or to a specific issuer/subject), which only matches requests that carried a valid JWT.

Question 62: Which component issues certificates in Istio?
  • A) Pilot
  • B) Galley
  • C) istiod (Citadel functionality)
  • D) Envoy

Answer: C) istiod (Citadel functionality)

The Citadel functionality integrated into istiod issues workload certificates. The istio-agent (in the pod) generates a CSR and sends it to istiod, which signs and returns the certificate. It is delivered to Envoy via SDS (Secret Discovery Service).

Question 63: Which cannot be used as a key in the when condition of AuthorizationPolicy?
  • A) request.headers[x-custom-header]
  • B) source.ip
  • C) request.auth.claims[groups]
  • D) destination.labels[app]

Answer: D) destination.labels[app]

Valid when condition keys include request.headers, source.ip, source.namespace, request.auth.claims, and request.auth.presenter. destination.labels is not supported; use selector for destination workload selection.
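The set of resources below works through Questions 51 to 63 on one workload: JWT validation, a namespace-wide allow-nothing policy, a DENY policy evaluated first, and an ALLOW policy that combines peer identity, request principal, method, path and a claim. This is an added example written for this post, not an Istio sample; the issuer https://issuer.example.com, the ServiceAccount frontend, the namespaces "shop" and "ops", the workload label app: httpbin and the groups claim value api-readers are assumptions, and apiVersion assumes Istio 1.22 or later.

```yaml
# Added example (not from the original post). Issuer, ServiceAccount,
# namespaces, workload label and claim values are assumed.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: httpbin-jwt
  namespace: shop
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "https://issuer.example.com"
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
    audiences: ["httpbin"]             # reject tokens minted for other services
    forwardOriginalToken: false        # do not leak the JWT to the application
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: shop
spec: {}                               # ALLOW with no rules: matches nothing, denies all
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: httpbin-deny-admin
  namespace: shop
spec:
  selector:
    matchLabels:
      app: httpbin
  action: DENY                         # DENY is evaluated before ALLOW
  rules:                               # note: rules: [] would deny nothing, rules: [{}] denies all
  - from:
    - source:
        notNamespaces: ["ops"]
    to:
    - operation:
        paths: ["/admin/*"]
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: httpbin-allow-readers
  namespace: shop
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]   # peer identity from mTLS
        namespaces: ["shop"]
        requestPrincipals: ["https://issuer.example.com/*"]  # valid JWT from this issuer
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/*"]
    when:
    - key: request.auth.claims[groups]
      values: ["api-readers"]
```

Trace a request through it: CUSTOM policies (none here) first, then the DENY rule drops /admin/* from any namespace other than ops, then, because an ALLOW policy exists for httpbin, only GET /api/* from the frontend ServiceAccount carrying a JWT from the assumed issuer with groups containing api-readers gets through; everything else, including a request with no token at all, is denied. Fields inside one source block are ANDed, separate entries in the from list are ORed.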

Question 64: When the trust domain is "cluster.local", what is the SPIFFE ID of the httpbin ServiceAccount in the default namespace?
  • A) spiffe://cluster.local/httpbin/default
  • B) spiffe://cluster.local/ns/default/sa/httpbin
  • C) cluster.local/default/httpbin
  • D) spiffe://default/sa/httpbin

Answer: B) spiffe://cluster.local/ns/default/sa/httpbin

The SPIFFE ID format is spiffe://TRUST_DOMAIN/ns/NAMESPACE/sa/SERVICE_ACCOUNT. With trust domain cluster.local, namespace default, and ServiceAccount httpbin, the result is as above.


5. Observability (Questions 65-72)

Question 65: Which is NOT a default Prometheus metric generated by Istio?
  • A) istio_requests_total
  • B) istio_request_duration_milliseconds
  • C) istio_tcp_sent_bytes_total
  • D) istio_request_messages_total

Answer: D) istio_request_messages_total

Istio generates istio_requests_total (request count), istio_request_duration_milliseconds (request latency), istio_request_bytes (request size), istio_response_bytes (response size), istio_tcp_sent_bytes_total, and istio_tcp_received_bytes_total by default.

Question 66: Which is NOT a primary feature of Kiali?
  • A) Service mesh topology graph visualization
  • B) Istio configuration validation
  • C) Automatic canary deployment execution
  • D) Workload health monitoring

Answer: C) Automatic canary deployment execution

Kiali is a tool for service mesh visualization, configuration validation, health monitoring, and traffic flow inspection. Canary deployment automation is the role of progressive delivery tools like Flagger, although Kiali can visually confirm the resulting traffic split.

Question 67: What are the default trace propagation headers used by Istio for distributed tracing?
  • A) X-Request-ID only
  • B) B3 headers and W3C TraceContext
  • C) OpenTelemetry headers only
  • D) Custom Istio headers

Answer: B) B3 headers and W3C TraceContext

Istio supports B3 headers (x-b3-traceid, x-b3-spanid, x-b3-parentspanid, x-b3-sampled) and W3C TraceContext (traceparent, tracestate). Applications must propagate these headers for end-to-end tracing.

Question 68: What is the default trace sampling rate in Istio?
  • A) 0.1% (1 in 1000)
  • B) 1% (1 in 100)
  • C) 10% (1 in 10)
  • D) 100% (all requests)

Answer: B) 1% (1 in 100)

The default trace sampling rate in Istio is 1%. This can be adjusted via MeshConfig defaultConfig.tracing.sampling. Use lower rates for production and higher rates for debugging.

Question 69: How do you disable a metric in the Istio Telemetry API?
  • A) Set spec.metrics[].providers[].name to "none"
  • B) spec.metrics[].disabled: true
  • C) spec.metrics[].overrides[].disabled: true
  • D) Set spec.metrics: [] as empty array

Answer: C) spec.metrics[].overrides[].disabled: true

The Telemetry API uses spec.metrics[].overrides[] to disable specific metrics or to add and remove tags; a match condition on each override selects which metrics it applies to.

Question 70: Which is a valid method to enable Envoy access logging?
  • A) MeshConfig accessLogFile setting
  • B) Telemetry API accessLogging setting
  • C) Adding access log filter via EnvoyFilter
  • D) All of the above

Answer: D) All of the above

Envoy access logging can be enabled via the MeshConfig accessLogFile setting ("/dev/stdout"), the Telemetry API accessLogging setting, or an EnvoyFilter. The Telemetry API is the recommended method.
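A single mesh-wide Telemetry resource, added here as an example rather than taken from the original post, that covers Questions 68 to 70: it raises the trace sampling rate, disables one metric through spec.metrics[].overrides[].disabled, drops a tag to reduce cardinality, and turns on Envoy access logging. It assumes the built-in "prometheus" and "envoy" providers and that a default tracing provider is configured in MeshConfig; the chosen sampling percentage and removed tag are illustrative.

```yaml
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system   # root namespace: applies mesh-wide unless overridden
spec:
  # Question 68: the 1% default is low for debugging; sample 10% of traces
  # (uses the mesh default tracing provider, assumed to be configured)
  tracing:
    - randomSamplingPercentage: 10.0
  # Question 69: spec.metrics[].overrides[].disabled disables a specific metric
  metrics:
    - providers:
        - name: prometheus
      overrides:
        # Drop only the client-side request duration histogram
        - match:
            metric: REQUEST_DURATION   # istio_request_duration_milliseconds
            mode: CLIENT
          disabled: true
        # Remove a label from every metric (illustrative cardinality reduction)
        - match:
            metric: ALL_METRICS
          tagOverrides:
            request_protocol:
              operation: REMOVE
  # Question 70: enable Envoy access logs via the Telemetry API
  accessLogging:
    - providers:
        - name: envoy
```

A Telemetry resource in a workload namespace, or one with a selector, narrows the same settings to that namespace or workload and takes precedence over this root-namespace default.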

Question 71: Which is NOT a default label in the istio_requests_total metric?
  • A) response_code
  • B) source_workload
  • C) destination_service
  • D) request_path

Answer: D) request_path

istio_requests_total includes response_code, source_workload, source_workload_namespace, destination_service, destination_workload, request_protocol, and connection_security_policy. request_path is not a default label due to high cardinality.

Question 72: What must applications do for distributed tracing to work?
  • A) Create new spans for each request
  • B) Propagate trace headers from inbound to outbound requests
  • C) Send trace data directly to the collection system
  • D) Notify the Envoy proxy of trace completion

Answer: B) Propagate trace headers from inbound to outbound requests

Istio/Envoy automatically creates spans, but for trace context to be connected, applications must propagate trace headers (B3, W3C TraceContext, etc.) from inbound requests to outbound requests.


6. Advanced Topics (Questions 73-80)

Question 73: What is the role of ztunnel in Istio Ambient Mesh?
  • A) L7 traffic processing and routing
  • B) Per-node L4 proxy handling mTLS and L4 authorization
  • C) An Istio control plane component
  • D) Certificate issuance and management

Answer: B) Per-node L4 proxy handling mTLS and L4 authorization

ztunnel (Zero Trust Tunnel) is an L4 proxy deployed as a DaemonSet on each node. It handles mTLS encryption/decryption, L4 authorization, and HBONE tunneling. L7 functionality is handled by waypoint proxies.

Question 74: What is the deployment granularity of waypoint proxies in Ambient Mesh?
  • A) One per pod
  • B) One per node
  • C) Per namespace (or per service account)
  • D) One per cluster

Answer: C) Per namespace (or per service account)

Waypoint proxies are deployed per namespace or per service account. They are created using the Kubernetes Gateway API and handle L7 traffic management and L7 authorization policies.

Question 75: How do you enroll workloads into Ambient Mesh?
  • A) Add sidecar.istio.io/inject: "true" annotation to pods
  • B) Add istio.io/dataplane-mode: ambient label to the namespace
  • C) Select ambient profile in IstioOperator
  • D) Add ambient-mesh: enabled label to pods

Answer: B) Add istio.io/dataplane-mode: ambient label to the namespace

Adding the istio.io/dataplane-mode=ambient label to a namespace enrolls workloads in that namespace into Ambient Mesh. This enables mesh features without sidecar injection.

Question 76: What is the key characteristic of HBONE (HTTP-Based Overlay Network Environment)?
  • A) gRPC-based tunneling protocol
  • B) HTTP/2 CONNECT-based tunneling for mTLS traffic delivery
  • C) UDP-based lightweight tunneling
  • D) IPsec-based network encryption

Answer: B) HTTP/2 CONNECT-based tunneling for mTLS traffic delivery

HBONE uses HTTP/2 CONNECT to create mTLS tunnels on port 15008. It is used for communication between ztunnels and between ztunnels and waypoint proxies, and is compatible with existing network infrastructure.

Question 77: What characterizes the primary-remote model in Istio multi-cluster deployment?
  • A) Both clusters run independent control planes
  • B) One cluster hosts the control plane while the other connects remotely
  • C) An external control plane is used
  • D) Each cluster runs different Istio versions

Answer: B) One cluster hosts the control plane while the other connects remotely

In the primary-remote model, the primary cluster runs istiod, and the remote cluster connects to the primary istiod for configuration. In the primary-primary model, both clusters run istiod.

Question 78: What is the purpose of the WasmPlugin resource?
  • A) Deploy WebAssembly extensions to Envoy proxies
  • B) Run workloads in WebAssembly runtime
  • C) Manage Istio control plane plugins
  • D) Auto-scale the service mesh

Answer: A) Deploy WebAssembly extensions to Envoy proxies

WasmPlugin deploys WebAssembly modules to Envoy proxies to add custom logic. It enables extending functionality for authentication, transformation, metric collection, and more. It is safer and easier to manage than EnvoyFilter.

Question 79: What happens when outboundTrafficPolicy is set to REGISTRY_ONLY for external service traffic?
  • A) All external traffic is allowed
  • B) Only external services registered via ServiceEntry are accessible
  • C) External traffic only goes through the Egress Gateway
  • D) Only DNS-based external services are allowed

Answer: B) Only external services registered via ServiceEntry are accessible

In REGISTRY_ONLY mode, only services registered in the Istio service registry are accessible. Requests to unregistered external services return 502 errors. ALLOW_ANY (the default) allows all external traffic.
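As an added example (not from the original post), the two manifests below switch the mesh to REGISTRY_ONLY and then explicitly register the one external host that sidecars are allowed to reach; every other external destination is answered with 502. The host api.example.com and the resource names are placeholders.

```yaml
# Mesh-wide setting, applied with "istioctl install -f <file>": deny egress
# to anything that is not in the service registry
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: egress-lockdown
  namespace: istio-system
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY   # the default is ALLOW_ANY
---
# Allow-list entry: registers the external host so sidecars can route to it
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-api
  namespace: default
spec:
  hosts:
    - api.example.com       # assumption: placeholder external host
  location: MESH_EXTERNAL   # not a mesh workload; no mTLS expected
  resolution: DNS
  ports:
    - number: 443
      name: https
      protocol: HTTPS
```

Because a ServiceEntry is exported to all namespaces by default, use exportTo to keep an allow-list entry scoped to the namespaces that actually need the external host.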

Question 80: After fully transitioning to a stable version in revision-based canary upgrade, what command removes the old control plane?
  • A) istioctl uninstall --revision old
  • B) istioctl x uninstall --revision old
  • C) istioctl install --set revision=old --purge
  • D) kubectl delete istiooperator old -n istio-system

Answer: A) istioctl uninstall --revision old

To remove the old revision control plane, use istioctl uninstall --revision OLD_REVISION. This should be run after all workloads have migrated to the new revision. The --purge flag is used to remove all Istio resources.


Summary

After completing all 80 questions, review your weaknesses by domain:

Domain                         Question Range   Score
Installation & Configuration   1-8              ___/8
Traffic Management             9-40             ___/32
Resilience & Fault Injection   41-48            ___/8
Securing Workloads             49-64            ___/16
Observability                  65-72            ___/8
Advanced Topics                73-80            ___/8
Total                          1-80             ___/80

The ICA exam puts the most weight on Traffic Management (40%) and Securing Workloads (20%), so focus your study on these areas.