CertGrid

Istio Certified Associate (ICA) Practice Exam

Validates knowledge of the Istio service mesh — traffic management, security (mTLS/authz), observability, and configuration.

Practice 299 exam-style Istio Certified Associate (ICA) questions with full answer explanations, then take timed mock exams that score like the real thing.

• 299 practice questions
• 60 questions on the real exam
• 750 passing score
• 90 min exam length

What the Istio Certified Associate (ICA) exam covers

Free Istio Certified Associate (ICA) sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 299.

  1. Question 1 (Istio Architecture)

    What is a service mesh like Istio primarily used for?

    • A. Managing service-to-service traffic, security (mTLS), and observability via sidecar proxies (Correct)
    • B. Building Docker images
    • C. Assigning pod IPs
    • D. Storing container images
    ✓ Correct answer: A

    A service mesh manages service-to-service communication, security, and observability using sidecar proxies. Service mesh capabilities provide critical functionality for production Kubernetes deployments. These features enable organizations to manage complexity in microservice architectures.

    Why the other options are wrong
    • B. Building Docker images is incorrect because this does not provide the specific technical capability required by the question.
    • C. Assigning pod IPs is incorrect because this does not provide the specific technical capability required by the question.
    • D. Storing container images is incorrect because this does not provide the specific technical capability required by the question.
  2. Question 2 (Istio Architecture, select all that apply)

    You are planning a zero-downtime Istio control-plane upgrade for a production mesh using sidecars. Which TWO practices reflect the recommended canary-upgrade design? (Choose TWO)

    • A. Install the new istiod as a separate revision alongside the existing one (Correct)
    • B. Migrate workloads to the new revision gradually by relabeling namespaces and doing rolling restarts (Correct)
    • C. Upgrade all sidecars in place without restarting any pods
    • D. Delete the old istiod first, then install the new version
    ✓ Correct answer: A, B

    Both installing the new istiod as a separate revision alongside the existing one and migrating workloads to the new revision gradually by relabeling namespaces and doing rolling restarts are essential components within the Istio Architecture domain. These practices work together to provide the functionality required for an effective control-plane upgrade. Understanding how these capabilities integrate is critical for certification-level knowledge.

    Why the other options are wrong
    • C. Upgrade all sidecars in place without restarting any pods is incorrect because this does not provide the specific technical capability required by the question.
    • D. Delete the old istiod first, then install the new version is incorrect because this does not provide the specific technical capability required by the question.
  3. Question 3 (Traffic Management)

    Which routing approach enables a blue/green release in Istio?

    • A. Change CoreDNS
    • B. Delete the old deployment first
    • C. Shift 100% of traffic to the new subset via VirtualService when ready (Correct)
    • D. Resize a PVC
    ✓ Correct answer: C

    VirtualService defines intelligent routing policies including weighted traffic splitting, retries, and timeouts. This enables advanced deployment patterns like canary releases without application modification.

    Why the other options are wrong
    • A. Change CoreDNS is incorrect because DNS is for name resolution, not for traffic management or service mesh control.
    • B. Delete the old deployment first is incorrect because this does not provide the specific technical capability required by the question.
    • D. Resize a PVC is incorrect because this does not provide the specific technical capability required by the question.
  4. Question 4 (Traffic Management)

    During a canary, you want to alert when the v2 subset's error rate exceeds v1's. Which observability setup supports this directly?

    • A. Read CoreDNS cache hit metrics
    • B. Inspect the VirtualService weight field for errors
    • C. Query istio_requests_total split by destination_version and response_code, then compare v1 vs v2 error ratios in alerting rules (Correct)
    • D. Compare the replica counts of the two Deployments
    ✓ Correct answer: C

    Observability relies on metrics, logs, and traces exported for monitoring service behavior and dependencies. Service mesh capabilities provide critical functionality for production Kubernetes deployments. These features enable organizations to manage complexity in microservice architectures.

    Why the other options are wrong
    • A. Read CoreDNS cache hit metrics is incorrect because DNS is for name resolution, not for traffic management or service mesh control.
    • B. Inspect the VirtualService weight field for errors is incorrect because this does not provide the specific technical capability required by the question.
    • D. Compare the replica counts of the two Deployments is incorrect because this does not provide the specific technical capability required by the question.
  5. Question 5 (Security)

    After RequestAuthentication validates a JWT, which AuthorizationPolicy condition requires that a valid token actually be present?

    • A. rules.when.key: source.jwt
    • B. rules.from.source.requestPrincipals: ["*"] (Correct)
    • C. action: REQUEST_AUTH
    • D. rules.to.operation.methods: ["JWT"]
    ✓ Correct answer: B

    AuthorizationPolicy resources provide fine-grained access control between services. Authorization policies enforce zero-trust security by explicitly defining which services can communicate. This provides network-level enforcement independent of application code.

    Why the other options are wrong
    • A. rules.when.key: source.jwt is incorrect because this does not provide the specific technical capability required by the question.
    • C. action: REQUEST_AUTH is incorrect because this does not provide the specific technical capability required by the question.
    • D. rules.to.operation.methods: ["JWT"] is incorrect because this does not provide the specific technical capability required by the question.
  6. Question 6 (Observability)

    What is a benefit of mesh-generated telemetry being uniform across services?

    • A. It encrypts disks
    • B. It assigns IPs
    • C. It builds images
    • D. Consistent metrics/traces/logs without per-app instrumentation effort, aiding troubleshooting (Correct)
    ✓ Correct answer: D

    Service mesh capabilities provide critical functionality for production Kubernetes deployments. These features enable organizations to manage complexity in microservice architectures.

    Why the other options are wrong
    • A. It encrypts disks is incorrect because this does not provide the specific technical capability required by the question.
    • B. It assigns IPs is incorrect because this does not provide the specific technical capability required by the question.
    • C. It builds images is incorrect because this does not provide the specific technical capability required by the question.
  7. Question 7 (Observability)

    Envoy access logs from your sidecars show the response flag 'UH'. What does this typically indicate?

    • A. The request was rejected by an AuthorizationPolicy
    • B. The TLS handshake succeeded
    • C. The request was successfully retried
    • D. No healthy upstream hosts were available for the route (upstream cluster had no healthy endpoints) (Correct)
    ✓ Correct answer: D

    Envoy is the sidecar proxy injected into each pod to intercept and manage all traffic. Envoy intercepts all pod traffic transparently without requiring application code modifications. The sidecar injection happens automatically in labeled namespaces, making adoption seamless.

    Why the other options are wrong
    • A. The request was rejected by an AuthorizationPolicy is incorrect because this does not provide the specific technical capability required by the question.
    • B. The TLS handshake succeeded is incorrect because this does not provide the specific technical capability required by the question.
    • C. The request was successfully retried is incorrect because this does not provide the specific technical capability required by the question.
  8. Question 8 (Observability)

    Distributed tracing in your mesh generates a huge volume of spans, raising storage and backend costs, while you only need a representative sample for performance analysis. What is the most cost-effective adjustment?

    • A. Remove all DestinationRules
    • B. Disable Prometheus entirely
    • C. Lower the trace sampling rate (e.g., set sampling to a small percentage) via the Telemetry resource or mesh config (Correct)
    • D. Set the trace sampling rate to 100%
    ✓ Correct answer: C

    Distributed tracing follows request flow across services for debugging and observability. Service mesh capabilities provide critical functionality for production Kubernetes deployments. These features enable organizations to manage complexity in microservice architectures.

    Why the other options are wrong
    • A. Remove all DestinationRules is incorrect because this does not provide the specific technical capability required by the question.
    • B. Disable Prometheus entirely is incorrect because this does not provide the specific technical capability required by the question.
    • D. Set the trace sampling rate to 100% is incorrect because this does not provide the specific technical capability required by the question.
  9. Question 9 (Istio Architecture)

    A newly created pod in an injection-enabled namespace starts but the Envoy sidecar container is missing. istioctl analyze reports the namespace label is correct. What should you investigate next?

    • A. Whether the sidecar injector mutating webhook is healthy/reachable (istiod up, webhook not failing open or excluded) (Correct)
    • B. Whether the node has enough disk for images
    • C. Whether the pod has a PersistentVolumeClaim
    • D. Whether CoreDNS has the pod's A record
    ✓ Correct answer: A

    Envoy is the sidecar proxy injected into each pod to intercept and manage all traffic. Envoy intercepts all pod traffic transparently without requiring application code modifications. The sidecar injection happens automatically in labeled namespaces, making adoption seamless.

    Why the other options are wrong
    • B. Whether the node has enough disk for images is incorrect because this does not provide the specific technical capability required by the question.
    • C. Whether the pod has a PersistentVolumeClaim is incorrect because this does not provide the specific technical capability required by the question.
    • D. Whether CoreDNS has the pod's A record is incorrect because DNS is for name resolution, not for traffic management or service mesh control.
  10. Question 10 (Security)

    A workload's SPIFFE identity in Istio takes the form spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>. To uniquely scope an AuthorizationPolicy to a single calling workload, which attribute best identifies it?

    • A. The source pod IP address, which is stable for the workload
    • B. The source principal, which is derived from the caller's service account via its mTLS certificate (Correct)
    • C. The destination port number used by the service
    • D. The Kubernetes node name where the pod is scheduled
    ✓ Correct answer: B

    AuthorizationPolicy resources provide fine-grained access control between services. Authorization policies enforce zero-trust security by explicitly defining which services can communicate. This provides network-level enforcement independent of application code.

    Why the other options are wrong
    • A. The source pod IP address, which is stable for the workload is incorrect because this does not provide the specific technical capability required by the question.
    • C. The destination port number used by the service is incorrect because this does not provide the specific technical capability required by the question.
    • D. The Kubernetes node name where the pod is scheduled is incorrect because this does not provide the specific technical capability required by the question.

Istio Certified Associate (ICA) practice exam FAQ

How many questions are in the Istio Certified Associate (ICA) practice exam on CertGrid?

CertGrid has 299 practice questions for Istio Certified Associate (ICA), covering 4 exam domains. The real Istio Certified Associate (ICA) exam has about 60 questions.

What is the passing score for Istio Certified Associate (ICA)?

The Istio Certified Associate (ICA) exam passing score is 750, and you have about 90 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official Istio Certified Associate (ICA) exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of Istio Certified Associate (ICA), with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice Istio Certified Associate (ICA) for free?

Yes. You can start practicing Istio Certified Associate (ICA) for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.