Google Cloud Professional Cloud Developer — Question 202
You manage a microservices application on Google Kubernetes Engine (GKE) using Istio. You secure the communication channels between your microservices by implementing an Istio AuthorizationPolicy, a Kubernetes NetworkPolicy, and mTLS on your GKE cluster. You discover that HTTP requests between two Pods to specific URLs fail, while other requests to other URLs succeed. What is the cause of the connection issue?
Answer options
- A. A Kubernetes NetworkPolicy resource is blocking HTTP traffic between the Pods.
- B. The Pod initiating the HTTP requests is attempting to connect to the target Pod via an incorrect TCP port.
- C. The Authorization Policy of your cluster is blocking HTTP requests for specific paths within your application.
- D. The cluster has mTLS configured in permissive mode, but the Pod's sidecar proxy is sending unencrypted traffic in plain text.
Correct answer: C
Explanation
The correct answer is C because an Istio AuthorizationPolicy can restrict access to specific HTTP paths, which causes requests to those URLs to fail while requests to other URLs succeed. Option A is incorrect because a Kubernetes NetworkPolicy filters on IP addresses and ports, not URLs, so it would affect all HTTP traffic between the Pods rather than only specific URLs. Option B is not relevant: the failures depend on the URL, which points to authorization rather than port configuration. Option D is also wrong because mTLS in permissive mode accepts plain-text traffic as well as mTLS traffic, so the requests would still be allowed, albeit unencrypted.