Your company runs a microservices application on Google Kubernetes Engine (GKE) with a shared VPC. The security team requires that all pod-to-pod traffic be encrypted using TLS. Additionally, you need to restrict which pods can communicate with each other. The application uses a service mesh with Istio. You have enabled Istio mTLS in STRICT mode, but you notice that some pods are still able to communicate with other pods without TLS. You have verified that all pods have the Istio sidecar injected. What should you do to fix the issue?
Apply Kubernetes Network Policies that restrict pod-to-pod traffic to only the paths that pass through the Istio sidecar, so that mTLS is enforced for all allowed communication.
Why this answer
Option C is correct because Istio mTLS in STRICT mode only enforces encryption between sidecars that are properly configured and have discovered each other through the Istio control plane. If a pod bypasses the sidecar (for example, by using hostNetwork or a port that is not proxied by the sidecar), or if a sidecar is not enforcing the policy because of a misconfiguration, plaintext traffic can still flow. Applying a Kubernetes Network Policy that explicitly denies all non-mTLS traffic (for example, by blocking TCP port 80 and allowing only port 443 or the Istio mTLS port) adds a defense-in-depth layer that blocks unencrypted communication at the network layer, regardless of sidecar behavior.
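As an added illustration (not part of the original question or answer key), the manifests below pair Istio STRICT mTLS with a namespace-wide default-deny NetworkPolicy and one explicit allow rule; the namespace `payments`, the labels `app=orders` and `app=checkout`, and the application port 8080 are assumed names chosen for this example.

```yaml
# Assumed names for this example: namespace "payments",
# server pods app=orders on TCP 8080, caller pods app=checkout.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT            # sidecars accept only mTLS from other sidecars
---
# Defense in depth: deny all ingress to every pod in the namespace,
# so traffic that bypasses the mesh is dropped at the network layer.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}           # empty selector = every pod in the namespace
  policyTypes:
  - Ingress                 # no ingress rules listed = all inbound denied
---
# Re-allow only the intended caller, only on the application port.
# The sidecar intercepts this port inside the pod, so the allowed
# path is the one that terminates mTLS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-checkout-to-orders
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: orders
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: checkout
    ports:
    - protocol: TCP
      port: 8080
```

NetworkPolicy objects are only enforced on GKE when network policy enforcement (Calico) or Dataplane V2 is enabled on the cluster; without that, the manifests are accepted but have no effect.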
Exam trap
Google Cloud exams often test the misconception that Istio mTLS alone is sufficient to enforce encryption at every layer. The trap here is that sidecar injection and STRICT mode do not cover traffic that bypasses the sidecar (for example, via hostNetwork or non-mesh ports), so a Network Policy is needed as a fallback enforcement mechanism.
How to eliminate wrong answers
Option A is wrong because VPC Flow Logs only capture metadata about network flows (source, destination, ports, packets) and cannot inspect payload content to determine if TLS is used; they cannot enforce encryption or block traffic. Option B is wrong because restarting pods does not change the underlying Istio configuration or sidecar behavior; if the sidecar is already injected and mTLS is in STRICT mode, a restart will not fix a misconfiguration or a bypass scenario. Option D is wrong because the Istio add-on for GKE node pools is a legacy feature that installs Istio system components; it does not control per-pod mTLS enforcement or fix the issue of pods communicating without TLS when sidecars are already present.