100+ Free Istio Certified Associate Practice Questions

Istio Certified Associate (ICA) practice questions are available now; exam metadata is being verified.

Key Facts: Istio Certified Associate Exam

Exam Fee (USD, includes one free retake): $250 (CNCF / Linux Foundation)
Passing Score: 68% (CNCF / Linux Foundation)
Exam Duration: 120 min (CNCF / Linux Foundation)
Exam Format (hands-on CLI tasks): Performance-based (CNCF / Linux Foundation)
Curriculum areas (Fundamentals 25%, Traffic 20%, Security 20%, Observability 20%, Advanced 15%): 5 domains (CNCF ICA curriculum)
Credential Validity (3 years if earned before April 1, 2024): 2 years (Linux Foundation)

The Istio Certified Associate (ICA) is a performance-based CNCF/Linux Foundation exam delivered as hands-on command-line tasks, with a 68% passing score, a 120-minute time limit, and a $250 USD fee that includes one free retake. The credential is valid for 2 years (3 years if earned before April 1, 2024). The curriculum has five domains: Istio Fundamentals (25%), Traffic Management (20%), Security (20%), Observability (20%), and Advanced Istio Features (15%).

Sample Istio Certified Associate Practice Questions

Try these sample questions to test your Istio Certified Associate exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. In a traditional Istio sidecar deployment, which proxy is injected alongside each application pod to handle all inbound and outbound traffic for that workload?
A. A Rust-based ztunnel node agent
B. The istiod control-plane process
C. An Envoy proxy running in the istio-proxy container
D. A waypoint proxy shared across the namespace
Explanation: In the sidecar data plane, Istio injects an Envoy proxy into the pod as the istio-proxy container. This Envoy intercepts all traffic to and from the application container and enforces routing, security, and telemetry policy locally.
2. Which single binary represents the consolidated Istio control plane responsible for service discovery, configuration, and certificate management?
A. ztunnel
B. Pilot, Galley, and Citadel as separate pods
C. Envoy
D. istiod
Explanation: Since Istio 1.5, the control-plane components Pilot, Galley, Citadel, and the sidecar injector were unified into a single binary called istiod. It handles configuration distribution (xDS), service discovery, and acts as the certificate authority.
3. Which protocol does istiod use to push dynamic configuration such as routes, clusters, listeners, and endpoints to Envoy proxies?
A. gRPC health checking
B. The xDS (Discovery Service) APIs
C. Kubernetes informers only
D. HTTP/1.1 long polling
Explanation: Istiod communicates with Envoy proxies using the xDS APIs (LDS, RDS, CDS, EDS, and aggregated ADS), delivered over gRPC. These let the control plane dynamically update listeners, routes, clusters, and endpoints without restarting the proxy.
4. Which command-line tool is the primary CLI for installing, configuring, and debugging Istio?
A. istioctl
B. kubectl mesh
C. meshctl
D. envoyctl
Explanation: istioctl is the official Istio command-line tool used to install Istio, validate configuration with istioctl analyze, inspect proxy state with istioctl proxy-config, and manage the mesh. It wraps both installation and diagnostic workflows.
5. When installing Istio with istioctl, which built-in configuration profile is recommended as a starting point for most production deployments?
A. The demo profile
B. The empty profile
C. The default profile
D. The external profile
Explanation: The default profile enables the components recommended for production and is the recommended starting point. The demo profile enables a broad feature set with high resource usage suitable for evaluation, not production.
6. By default, how does Istio enable automatic sidecar injection for workloads in a namespace?
A. By adding the annotation sidecar.istio.io/inject to each deployment
B. By setting meshConfig.autoInject to global
C. By installing a DaemonSet in the namespace
D. By labeling the namespace with istio-injection=enabled
Explanation: Labeling a namespace with istio-injection=enabled tells the mutating admission webhook to inject the Envoy sidecar into new pods in that namespace. Revision-based injection uses istio.io/rev instead.
7. Which istioctl command validates Istio and Kubernetes resources for configuration problems before or after applying them?
A. istioctl dashboard
B. istioctl verify-install
C. istioctl analyze
D. istioctl experimental describe
Explanation: istioctl analyze detects potential configuration issues such as conflicting VirtualServices, missing namespace injection labels, or references to undefined hosts. It can run against live cluster state or local YAML files.
8. In Istio's ambient data-plane mode, which component is the per-node, Rust-based proxy that handles L4 traffic, mTLS, and basic authorization?
A. The waypoint proxy
B. The Envoy sidecar
C. ztunnel
D. istiod
Explanation: ztunnel (zero-trust tunnel) is a purpose-built, per-node proxy written in Rust that powers the ambient data plane. It handles L3/L4 functions such as mTLS, L4 authorization, and telemetry without a per-pod sidecar.
9. In ambient mode, when are waypoint proxies required for a workload?
A. Only when L7 features such as HTTP routing, traffic shifting, or L7 authorization are needed
B. Always, for any traffic between meshed workloads
C. Only for traffic leaving the cluster
D. Never, because ztunnel handles all L7 processing
Explanation: Ztunnel provides L4 mTLS and basic authorization, but L7 capabilities such as HTTP routing, traffic splitting, retries, and L7 AuthorizationPolicies require a waypoint proxy. Waypoints are deployed per namespace or service account and run Envoy.
10. Which Istio Custom Resource Definition (CRD) defines how requests are routed to a service, including host matching, path rules, and weighted traffic splitting?
A. VirtualService
B. DestinationRule
C. Gateway
D. ServiceEntry
Explanation: A VirtualService defines routing rules that control how requests are directed to a service within the mesh, including host and URI matching, header manipulation, and weighted subsets for canary or A/B routing.

About the Istio Certified Associate Practice Questions

Verified exam format metadata for Istio Certified Associate (ICA) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.