True – It is the end user's responsibility to rotate certificates and keys that have been defined for the Ingress gateway in order to secure traffic from external clients and send it to the edge microservice. Note that Istio's Citadel rotates certificates for microservices.
True – There can only be one MeshPolicy (named default) that will apply mTLS mesh-wide.
True – Mutual TLS can be applied at any level of granularity, from the namespace level down to the service level, by defining a policy.
True – Mutual TLS can be enabled through destination rules or by using MeshPolicy.
True – Istio is capable of securing modern microservices applications running in a zero-trust network without any changes needing to be made to the application code.
True – Istio makes VPNs and firewalls redundant if security has been implemented properly.
True – It is the responsibility of the edge microservice to manage JWTs for authorization.
True – Istio's Secret Discovery Service mounts secrets in pods automatically.
True – Istio's Citadel will rotate certificates and keys every 90 days by default.
True – The Envoy sidecar checks the TTL of the certificates. The Istio node agent, if enabled, can request a new certificate from Citadel. It is Citadel that pushes certificates to Envoy, not the node agent.