Linux Foundation ICA Cheat Sheet: Service Mesh Basics and Traffic Flow

Linux Foundation ICA cheat sheet for service mesh basics, traffic flow, traps, and final review.

Use this cheat sheet for Istio Certified Associate (ICA) after you know the basics but before you start a timed practice block. The goal is not to memorize a vendor catalog; the goal is to classify the scenario and reject attractive wrong answers quickly.

ICA answer sequence

Use this when the stem mixes traffic policy, mTLS, authorization, observability, or operations.

    flowchart TD
      S["Scenario"] --> T["Classify the traffic and trust lane"]
      T --> P["Check policy, identity, or route rule"]
      P --> O["Check observability or resilience behavior"]
      O --> V["Verify route, telemetry, or fault handling"]

First-pass question triage

  1. Name the tested lane before reading the answer choices.
  2. Underline the constraint: security, cost, reliability, latency, governance, implementation effort, or evidence.
  3. Reject answers that solve a neighboring problem but not the stated requirement.
  4. Prefer the smallest correct control, service, workflow, or command that satisfies the constraint.
  5. Look for proof: logs, tests, metrics, policy evidence, deployment status, evaluation results, or user-visible recovery.

What to know cold

| Lane | Decision rule | Reject when |
| --- | --- | --- |
| Traffic management | Use gateways, virtual services, destination rules, subsets, retries, timeouts, and traffic shifting. | Editing Kubernetes services when the mesh route rule is the deciding layer. |
| Security | Apply mTLS, authorization policies, peer authentication, request authentication, and trust boundaries. | Assuming service mesh automatically means every path is authorized. |
| Observability | Use telemetry, tracing, metrics, logs, and dashboards to understand mesh behavior. | Tuning traffic without observing route, response, latency, and error evidence. |
| Installation and operations | Understand sidecars, control plane, data plane, upgrades, injection, and configuration scope. | Forgetting namespace labels or revision-based injection behavior. |
| Resilience | Apply circuit breaking, outlier detection, retries, timeouts, and fault injection deliberately. | Adding retries that amplify failures or violate latency requirements. |

Common traps and better instincts

| Trap | Better instinct |
| --- | --- |
| Mesh equals security | Configure authentication and authorization policies explicitly. |
| Retries everywhere | Check idempotency, timeout budget, and downstream pressure before adding retries. |
| Wrong policy scope | Verify namespace, workload selector, host, subset, and gateway. |
| No data plane awareness | Know how sidecars intercept and enforce traffic behavior. |
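
The "Mesh equals security" and "Wrong policy scope" traps, shown as explicit Istio configuration. This is an added example, not part of the original cheat sheet; the namespace `shop`, the workloads `orders` and `frontend`, the service account, and the path are assumed names.

```yaml
# Sidecar injection alone leaves mTLS in PERMISSIVE mode (plaintext is still
# accepted) and, with no AuthorizationPolicy present, every request is allowed.
# The three resources below make the trust decisions explicit.

# 1. Scope: no selector, so this applies to every workload in namespace "shop".
#    STRICT rejects plaintext; callers must present a mesh-issued certificate.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop          # assumed namespace
spec:
  mtls:
    mode: STRICT
---
# 2. Scope: namespace-wide. An ALLOW policy with no rules matches nothing,
#    so all requests to workloads in "shop" are denied until another
#    policy allows them.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: shop
spec: {}
---
# 3. Scope: only pods labelled app=orders in "shop". If the selector labels
#    or the namespace do not match the target workload, this policy silently
#    applies to nothing, which is the "wrong policy scope" trap.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders          # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        # mTLS identity of the caller's service account (assumed name)
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/orders/*"]   # assumed path
```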

Final 15-minute review

| If the stem says | Start with |
| --- | --- |
| least privilege, private access, compliance, or audit | identity scope, data boundary, policy enforcement, logging, and ownership |
| least operational effort | managed service, native integration, simple workflow, and fewer moving parts |
| high availability, recovery, or outage | failure domain, recovery objective, health check, rollback, and validation |
| performance, scale, or cost | bottleneck evidence, traffic pattern, sizing, caching, batching, and quotas |
| troubleshoot, diagnose, or investigate | symptom, recent change, logs, metrics, status, dependency, and smallest safe test |

Decision order

Istio questions are traffic and trust questions: route rule, destination policy, identity, telemetry, and failure behavior.

Revised on Sunday, May 10, 2026