Improve ambient mode docs (#14697)

* add docs

* change ambient mode glossary back

* re-add hyphen, good or bad?

* re-remove hyphen and update spellings

* Add snips

* Update snips with new headings

* fix snips
Craig Box 2024-03-08 04:27:27 +13:00 committed by GitHub
parent 67eea90d9d
commit 3a030e4ca5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
15 changed files with 126 additions and 142 deletions


@ -44,6 +44,7 @@
1.8.x.
1.9.x
1.x
1.x.
10ms
10s
123456789012.my
@ -1145,6 +1146,7 @@ v0.14.0
v0.8.0
v1
v1.21
v1.21.0
v1.26
v1.27
v1.28


@ -1,6 +1,6 @@
---
title: Ambient Mesh
description: Information for setting up and operating Istio ambient mesh.
title: Ambient Mode
description: Information for setting up and operating Istio in ambient mode.
weight: 60
keywords: [ambient]
test: n/a


@ -1,15 +1,11 @@
---
title: Ambient Mesh Architecture
description: Deep dive into ambient mesh architecture.
title: Ambient Mode Architecture
description: A deep dive into the architecture of ambient mode.
weight: 20
owner: istio/wg-networking-maintainers
test: n/a
---
This page is under construction.
## Differences from sidecar architecture
## Traffic routing
In {{< gloss "ambient" >}}ambient mode{{< /gloss >}}, workloads can fall into 3 categories:
@ -85,5 +81,3 @@ spec:
- name: echo-v1
port: 80
{{< /text >}}
## Security


@ -1,6 +1,6 @@
---
title: Getting Started with Ambient Mesh
description: How to deploy and install ambient mesh.
title: Getting Started with Ambient Mode
description: How to deploy and install Istio in ambient mode.
weight: 1
owner: istio/wg-networking-maintainers
test: yes
@ -8,19 +8,17 @@ test: yes
{{< boilerplate ambient-alpha-warning >}}
This guide lets you quickly evaluate Istio {{< gloss "ambient" >}}ambient service mesh{{< /gloss >}}. These steps require you to have
a {{< gloss >}}cluster{{< /gloss >}} running a
This guide lets you quickly evaluate Istio's {{< gloss "ambient" >}}ambient mode{{< /gloss >}}. These steps require you to have a {{< gloss >}}cluster{{< /gloss >}} running a
[supported version](/docs/releases/supported-releases#support-status-of-istio-releases) of Kubernetes ({{< supported_kubernetes_versions >}}). You can use any supported platform, for
example [Minikube](https://kubernetes.io/docs/tasks/tools/install-minikube/) or
others specified by the
[platform-specific setup instructions](/docs/setup/platform-setup/).
others specified by the [platform-specific setup instructions](/docs/setup/platform-setup/).
{{< warning >}}
Note that Ambient currently requires the use of [istio-cni](/docs/setup/additional-setup/cni) to configure Kubernetes nodes.
`istio-cni` ambient mode does **not** currently support types of cluster CNI (namely, CNI implementations that do not use `veth` devices, such as [Minikube's](https://kubernetes.io/docs/tasks/tools/install-minikube/) `bridge` mode)
{{< /warning >}}
Follow these steps to get started with ambient:
Follow these steps to get started with Istio's ambient mode:
1. [Download and install](#download)
1. [Deploy the sample application](#bookinfo)
@ -31,7 +29,7 @@ Follow these steps to get started with ambient:
## Download and install {#download}
1. Download the [latest version of Istio](/docs/setup/getting-started/#download) with `alpha` support for ambient mesh.
1. Download the [latest version of Istio](/docs/setup/getting-started/#download) (v1.21.0 or later) with Alpha support for ambient mode.
1. If you dont have a Kubernetes cluster, you can deploy one locally using `kind` with the following command:
@ -47,7 +45,7 @@ Follow these steps to get started with ambient:
EOF
{{< /text >}}
1. Install Kubernetes Gateway CRDs, which dont come installed by default on most Kubernetes clusters:
1. Install the Kubernetes Gateway API CRDs, which dont come installed by default on most Kubernetes clusters:
{{< text bash >}}
$ kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
@ -59,9 +57,8 @@ Follow these steps to get started with ambient:
{{< boilerplate gateway-api-choose >}}
{{< /tip >}}
1. The `ambient` profile is designed to help you get started with ambient mesh.
Install Istio with the `ambient` profile on your Kubernetes cluster, using
the `istioctl` command downloaded above:
1. Install Istio with the `ambient` profile on your Kubernetes cluster, using
the version of `istioctl` downloaded above:
{{< tip >}}
Note that if you are using [Minikube](https://kubernetes.io/docs/tasks/tools/install-minikube/) (or any other platform using nodes configured with a nonstandard `netns` path for containers), you may need to append `--set values.cni.cniNetnsDir="/var/run/docker/netns"` to the `istioctl install` command so that the Istio CNI DaemonSet can correctly manage and capture pods on the node.
@ -78,7 +75,7 @@ $ istioctl install --set profile=ambient --set "components.ingressGateways[0].en
{{< /text >}}
After running the above command, youll get the following output that indicates
five components (including {{< gloss "ztunnel" >}}Ztunnel{{< /gloss >}}) have been installed successfully!
five components (including {{< gloss "ztunnel" >}}ztunnel{{< /gloss >}}) have been installed successfully!
{{< text syntax=plain snip_id=none >}}
✔ Istio core installed
@ -98,7 +95,7 @@ $ istioctl install --set profile=ambient --skip-confirmation
{{< /text >}}
After running the above command, youll get the following output that indicates
four components (including {{< gloss "ztunnel" >}}Ztunnel{{< /gloss >}}) have been installed successfully!
four components (including {{< gloss "ztunnel" >}}ztunnel{{< /gloss >}}) have been installed successfully!
{{< text syntax=plain snip_id=none >}}
✔ Istio core installed
@ -163,11 +160,11 @@ Youll use the sample [bookinfo application](/docs/examples/bookinfo/), which
the Istio distribution that you downloaded above. In ambient mode, you deploy applications to
your Kubernetes cluster exactly the same way you would
without Istio. This means that you can have your applications running in your cluster before
you enable ambient mesh and have them join the mesh without needing to restart or
you enable ambient mode, and have them join the mesh without needing to restart or
reconfigure them.
{{< warning >}}
Make sure the default namespace does not include the label `istio-injection=enabled` because when using ambient you do not want Istio to inject sidecars into the application pods.
Make sure the default namespace does not include the label `istio-injection=enabled` when using ambient mode, because you do not need Istio to inject sidecars into application pods.
{{< /warning >}}
1. Start the sample services:
@ -181,7 +178,7 @@ Make sure the default namespace does not include the label `istio-injection=enab
$ kubectl apply -f @samples/sleep/notsleep.yaml@
{{< /text >}}
Note: `sleep` and `notsleep` are two simple applications that can serve as curl clients.
`sleep` and `notsleep` are two simple applications that can serve as curl clients.
1. Deploy an ingress gateway so you can access the bookinfo app from outside the cluster:
@ -235,7 +232,7 @@ $ export GATEWAY_SERVICE_ACCOUNT=ns/istio-system/sa/bookinfo-gateway-istio
{{< /tabset >}}
3) Test your bookinfo application, it should work with or without the gateway:
3) Test your bookinfo application. It should work with or without the gateway:
{{< text syntax=bash snip_id=verify_traffic_sleep_to_ingress >}}
$ kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o "<title>.*</title>"
@ -252,9 +249,9 @@ $ export GATEWAY_SERVICE_ACCOUNT=ns/istio-system/sa/bookinfo-gateway-istio
<title>Simple Bookstore App</title>
{{< /text >}}
## Adding your application to ambient {#addtoambient}
## Adding your application to the ambient mesh {#addtoambient}
You can enable all pods in a given namespace to be part of the ambient mesh
You can enable all pods in a given namespace to be part of an ambient mesh
by simply labeling the namespace:
{{< text bash >}}
@ -262,9 +259,9 @@ $ kubectl label namespace default istio.io/dataplane-mode=ambient
{{< /text >}}
Congratulations! You have successfully added all pods in the default namespace
to the ambient mesh. The best part is that there was no need to restart or redeploy anything!
to the mesh. Note that you did not have to restart or redeploy anything!
Send some test traffic:
Now, send some test traffic:
{{< text bash >}}
$ kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o "<title>.*</title>"
@ -288,13 +285,13 @@ in Kialis dashboard:
{{< image link="./kiali-ambient-bookinfo.png" caption="Kiali dashboard" >}}
## Secure Application Access {#secure}
## Secure application access {#secure}
After you have added your application to ambient mesh, you can secure application access using L4
authorization policies. This lets you control access to and from a service based on client workload
identities, but not at the L7 level, such as HTTP methods like `GET` and `POST`.
After you have added your application to an ambient mode mesh, you can secure application access using Layer 4
authorization policies. This feature lets you control access to and from a service based on client workload
identities, but not at the Layer 7 level, such as HTTP methods like `GET` and `POST`.
### L4 Authorization Policy
### Layer 4 authorization policy
Explicitly allow the `sleep` and gateway service accounts to call the `productpage` service:
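Review bot: "an ambient mode mesh" in the rewritten first sentence reads awkwardly and is inconsistent with the section heading directly above it and with the "Adding your application to the ambient mesh" heading earlier in this file, both of which use "the ambient mesh". Suggest "After you have added your application to the ambient mesh, you can secure application access using Layer 4 authorization policies." The L4/L7 to "Layer 4"/"Layer 7" wording change is consistent with the subheading renames below.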
@ -339,7 +336,7 @@ $ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o "<t
command terminated with exit code 56
{{< /text >}}
### L7 Authorization Policy
### Layer 7 authorization policy
Using the Kubernetes Gateway API, you can deploy a {{< gloss "waypoint" >}}waypoint proxy{{< /gloss >}} for the `productpage` service that uses the `bookinfo-productpage` service account. Any traffic going to the `productpage` service will be mediated, enforced and observed by the Layer 7 (L7) proxy.
@ -366,7 +363,7 @@ status:
type: Programmed
{{< /text >}}
Update our `AuthorizationPolicy` to explicitly allow the `sleep` and gateway service accounts to `GET` the `productpage` service, but perform no other operations:
Update your `AuthorizationPolicy` to explicitly allow the `sleep` and gateway service accounts to `GET` the `productpage` service, but perform no other operations:
{{< text bash >}}
$ kubectl apply -f - <<EOF
@ -411,9 +408,9 @@ $ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<titl
<title>Simple Bookstore App</title>
{{< /text >}}
## Control Traffic {#control}
## Control traffic {#control}
Deploy a waypoint proxy for the review service, using the `bookinfo-review` service account, so that any traffic going to the review service will be mediated by the waypoint proxy.
Deploy a waypoint proxy for the `review` service, using the `bookinfo-review` service account, so that any traffic going to the `review` service will be mediated by the waypoint proxy.
{{< text bash >}}
$ istioctl x waypoint apply --service-account bookinfo-reviews --wait
@ -460,13 +457,13 @@ $ istioctl uninstall -y --purge
$ kubectl delete namespace istio-system
{{< /text >}}
The label to instruct Istio to automatically include applications in the `default` namespace to ambient mesh is not removed by default. If no longer needed, use the following command to remove it:
The label to instruct Istio to automatically include applications in the `default` namespace to an ambient mesh is not removed by default. If no longer needed, use the following command to remove it:
{{< text bash >}}
$ kubectl label namespace default istio.io/dataplane-mode-
$ kubectl label namespace default istio.io/dataplane-mode
{{< /text >}}
To delete the Bookinfo sample application and its configuration, see [`Bookinfo` cleanup](/docs/examples/bookinfo/#cleanup).
To delete the Bookinfo sample application and its configuration, see [Bookinfo cleanup](/docs/examples/bookinfo/#cleanup).
To remove the `sleep` and `notsleep` applications:
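Review bot: The trailing `-` dropped from `kubectl label namespace default istio.io/dataplane-mode` is not punctuation but kubectl's syntax for removing a label: `key=value` adds or updates a label and `key-` removes it. Without the hyphen the command no longer removes anything and kubectl rejects the argument with a usage error, so the cleanup step stops working. Restore `istio.io/dataplane-mode-` here; the commit message ("re-add hyphen, good or bad?", "re-remove hyphen and update spellings") suggests it was treated as a spelling issue, in which case the fix is to exempt the snippet from the spell check rather than change the command.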


@ -133,35 +133,35 @@ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o "<tit
<title>Simple Bookstore App</title>
ENDSNIP
snip_adding_your_application_to_ambient_1() {
snip_adding_your_application_to_the_ambient_mesh_1() {
kubectl label namespace default istio.io/dataplane-mode=ambient
}
snip_adding_your_application_to_ambient_2() {
snip_adding_your_application_to_the_ambient_mesh_2() {
kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o "<title>.*</title>"
}
! read -r -d '' snip_adding_your_application_to_ambient_2_out <<\ENDSNIP
! read -r -d '' snip_adding_your_application_to_the_ambient_mesh_2_out <<\ENDSNIP
<title>Simple Bookstore App</title>
ENDSNIP
snip_adding_your_application_to_ambient_3() {
snip_adding_your_application_to_the_ambient_mesh_3() {
kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
}
! read -r -d '' snip_adding_your_application_to_ambient_3_out <<\ENDSNIP
! read -r -d '' snip_adding_your_application_to_the_ambient_mesh_3_out <<\ENDSNIP
<title>Simple Bookstore App</title>
ENDSNIP
snip_adding_your_application_to_ambient_4() {
snip_adding_your_application_to_the_ambient_mesh_4() {
kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
}
! read -r -d '' snip_adding_your_application_to_ambient_4_out <<\ENDSNIP
! read -r -d '' snip_adding_your_application_to_the_ambient_mesh_4_out <<\ENDSNIP
<title>Simple Bookstore App</title>
ENDSNIP
snip_l4_authorization_policy_1() {
snip_layer_4_authorization_policy_1() {
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
@ -182,46 +182,46 @@ spec:
EOF
}
snip_l4_authorization_policy_2() {
snip_layer_4_authorization_policy_2() {
# this should succeed
kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o "<title>.*</title>"
}
! read -r -d '' snip_l4_authorization_policy_2_out <<\ENDSNIP
! read -r -d '' snip_layer_4_authorization_policy_2_out <<\ENDSNIP
<title>Simple Bookstore App</title>
ENDSNIP
snip_l4_authorization_policy_3() {
snip_layer_4_authorization_policy_3() {
# this should succeed
kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
}
! read -r -d '' snip_l4_authorization_policy_3_out <<\ENDSNIP
! read -r -d '' snip_layer_4_authorization_policy_3_out <<\ENDSNIP
<title>Simple Bookstore App</title>
ENDSNIP
snip_l4_authorization_policy_4() {
snip_layer_4_authorization_policy_4() {
# this should fail with a connection reset error code 56
kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
}
! read -r -d '' snip_l4_authorization_policy_4_out <<\ENDSNIP
! read -r -d '' snip_layer_4_authorization_policy_4_out <<\ENDSNIP
command terminated with exit code 56
ENDSNIP
snip_l7_authorization_policy_1() {
snip_layer_7_authorization_policy_1() {
istioctl x waypoint apply --service-account bookinfo-productpage --wait
}
! read -r -d '' snip_l7_authorization_policy_1_out <<\ENDSNIP
! read -r -d '' snip_layer_7_authorization_policy_1_out <<\ENDSNIP
waypoint default/bookinfo-productpage applied
ENDSNIP
snip_l7_authorization_policy_2() {
snip_layer_7_authorization_policy_2() {
kubectl get gtw bookinfo-productpage -o yaml
}
! read -r -d '' snip_l7_authorization_policy_2_out <<\ENDSNIP
! read -r -d '' snip_layer_7_authorization_policy_2_out <<\ENDSNIP
...
status:
conditions:
@ -233,7 +233,7 @@ status:
type: Programmed
ENDSNIP
snip_l7_authorization_policy_3() {
snip_layer_7_authorization_policy_3() {
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
@ -258,30 +258,30 @@ spec:
EOF
}
snip_l7_authorization_policy_4() {
snip_layer_7_authorization_policy_4() {
# this should fail with an RBAC error because it is not a GET operation
kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" -X DELETE
}
! read -r -d '' snip_l7_authorization_policy_4_out <<\ENDSNIP
! read -r -d '' snip_layer_7_authorization_policy_4_out <<\ENDSNIP
RBAC: access denied
ENDSNIP
snip_l7_authorization_policy_5() {
snip_layer_7_authorization_policy_5() {
# this should fail with an RBAC error because the identity is not allowed
kubectl exec deploy/notsleep -- curl -s http://productpage:9080/
}
! read -r -d '' snip_l7_authorization_policy_5_out <<\ENDSNIP
! read -r -d '' snip_layer_7_authorization_policy_5_out <<\ENDSNIP
RBAC: access denied
ENDSNIP
snip_l7_authorization_policy_6() {
snip_layer_7_authorization_policy_6() {
# this should continue to work
kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
}
! read -r -d '' snip_l7_authorization_policy_6_out <<\ENDSNIP
! read -r -d '' snip_layer_7_authorization_policy_6_out <<\ENDSNIP
<title>Simple Bookstore App</title>
ENDSNIP
@ -314,7 +314,7 @@ kubectl delete namespace istio-system
}
snip_uninstall_2() {
kubectl label namespace default istio.io/dataplane-mode-
kubectl label namespace default istio.io/dataplane-mode
}
snip_uninstall_3() {
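Review bot: `snip_uninstall_2` now runs `kubectl label namespace default istio.io/dataplane-mode` without the trailing `-`, so the generated snippet is no longer a label-removal command and will fail with a usage error when the test script executes it (kubectl requires `key-` to remove a label). Keep `istio.io/dataplane-mode-` so the snippet matches the intended cleanup step in the getting-started page.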


@ -62,24 +62,24 @@ _verify_contains snip_verify_traffic_sleep_to_ingress "$snip_verify_traffic_slee
_verify_contains snip_verify_traffic_sleep_to_productpage "$snip_verify_traffic_sleep_to_productpage_out"
_verify_contains snip_verify_traffic_notsleep_to_productpage "$snip_verify_traffic_notsleep_to_productpage_out"
snip_adding_your_application_to_ambient_1
snip_adding_your_application_to_the_ambient_mesh_1
# test traffic after ambient mode is enabled
_verify_contains snip_adding_your_application_to_ambient_2 "$snip_adding_your_application_to_ambient_2_out"
_verify_contains snip_adding_your_application_to_ambient_3 "$snip_adding_your_application_to_ambient_3_out"
_verify_contains snip_adding_your_application_to_ambient_4 "$snip_adding_your_application_to_ambient_4_out"
_verify_contains snip_adding_your_application_to_the_ambient_mesh_2 "$snip_adding_your_application_to_the_ambient_mesh_2_out"
_verify_contains snip_adding_your_application_to_the_ambient_mesh_3 "$snip_adding_your_application_to_the_ambient_mesh_3_out"
_verify_contains snip_adding_your_application_to_the_ambient_mesh_4 "$snip_adding_your_application_to_the_ambient_mesh_4_out"
snip_l4_authorization_policy_1
_verify_contains snip_l4_authorization_policy_2 "$snip_l4_authorization_policy_2_out"
_verify_contains snip_l4_authorization_policy_3 "$snip_l4_authorization_policy_3_out"
_verify_failure snip_l4_authorization_policy_4
snip_layer_4_authorization_policy_1
_verify_contains snip_layer_4_authorization_policy_2 "$snip_layer_4_authorization_policy_2_out"
_verify_contains snip_layer_4_authorization_policy_3 "$snip_layer_4_authorization_policy_3_out"
_verify_failure snip_layer_4_authorization_policy_4
_verify_contains snip_l7_authorization_policy_1 "$snip_l7_authorization_policy_1_out"
_verify_contains snip_l7_authorization_policy_2 "Resource programmed, assigned to service"
snip_l7_authorization_policy_3
_verify_contains snip_l7_authorization_policy_4 "$snip_l7_authorization_policy_4_out"
_verify_contains snip_l7_authorization_policy_5 "$snip_l7_authorization_policy_5_out"
_verify_contains snip_l7_authorization_policy_6 "$snip_l7_authorization_policy_6_out"
_verify_contains snip_layer_7_authorization_policy_1 "$snip_layer_7_authorization_policy_1_out"
_verify_contains snip_layer_7_authorization_policy_2 "Resource programmed, assigned to service"
snip_layer_7_authorization_policy_3
_verify_contains snip_layer_7_authorization_policy_4 "$snip_layer_7_authorization_policy_4_out"
_verify_contains snip_layer_7_authorization_policy_5 "$snip_layer_7_authorization_policy_5_out"
_verify_contains snip_layer_7_authorization_policy_6 "$snip_layer_7_authorization_policy_6_out"
_verify_contains snip_control_traffic_1 "$snip_control_traffic_1_out"


@ -1,15 +1,14 @@
---
title: Install with Helm
description: How to install Ambient Mesh with Helm.
description: Install Istio in Ambient mode with Helm.
weight: 4
owner: istio/wg-environments-maintainers
test: yes
---
This guide shows you how to install ambient mesh with Helm.
Besides the demo in [Getting Started with Ambient Mesh](/docs/ops/ambient/getting-started/),
we **encourage** you to follow this guide to install ambient mesh.
Helm helps you manage components separately, and you can easily upgrade the components to the latest version.
This guide shows you how to install Istio in ambient mode with Helm.
Aside from following the demo in [Getting Started with Ambient Mesh](/docs/ops/ambient/getting-started/),
we encourage the use of Helm to install Istio for use in ambient mode. Helm helps you manage components separately, and you can easily upgrade the components to the latest version.
## Prerequisites
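Review bot: The new description capitalizes "Ambient mode" while the body text on this page and the other pages touched by this commit use lowercase "ambient mode"; suggest `description: Install Istio in ambient mode with Helm.` Also, the link text "Getting Started with Ambient Mesh" in the rewritten paragraph was left unchanged even though that page's title is renamed to "Getting Started with Ambient Mode" in this same commit, so the link text should be updated to match.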
@ -28,9 +27,9 @@ Helm helps you manage components separately, and you can easily upgrade the comp
*See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation.*
## Installing the Components
## Installing the components
### Installing the base Component
### Installing the base component
The `base` chart contains the basic CRDs and cluster roles required to set up Istio.
This should be installed prior to any other Istio component.
@ -41,14 +40,13 @@ $ helm install istio-base istio/base -n istio-system --create-namespace
### Installing the CNI Component
The **CNI** chart installs the Istio CNI Plugin. It is responsible for detecting the pods that belong to the ambient mesh,
and configuring the traffic redirection between the ztunnel DaemonSet, which will be installed later.
The `cni` chart installs the Istio CNI plugin. It is responsible for detecting the pods that belong to the ambient mesh, and configuring the traffic redirection between pods and the ztunnel node proxy (which will be installed later).
{{< text syntax=bash snip_id=install_cni >}}
$ helm install istio-cni istio/cni -n istio-system --set profile=ambient
{{< /text >}}
### Installing the discovery Component
### Installing the discovery component
The `istiod` chart installs a revision of Istiod. Istiod is the control plane component that manages and
configures the proxies to route traffic within the mesh.
@ -59,13 +57,13 @@ $ helm install istiod istio/istiod --namespace istio-system --set profile=ambien
### Installing the ztunnel component
The `ztunnel` chart installs the ztunnel DaemonSet, which is the node-proxy component of ambient.
The `ztunnel` chart installs the ztunnel DaemonSet, which is the node proxy component of Istio's ambient mode.
{{< text syntax=bash snip_id=install_ztunnel >}}
$ helm install ztunnel istio/ztunnel -n istio-system
{{< /text >}}
### (Optional) Install an ingress gateway
### Install an ingress gateway (optional)
{{< warning >}}
The namespace the gateway is deployed in must not have a `istio-injection=disabled` label.
@ -86,7 +84,7 @@ To view supported configuration options and documentation, run:
$ helm show values istio/istiod
{{< /text >}}
## Verifying the Installation
## Verifying the installation
### Verifying the workload status
@ -111,12 +109,10 @@ istiod-5f4c75464f-gskxf 1/1 Running 0 10m
ztunnel-c2z4s 1/1 Running 0 10m
{{< /text >}}
### Verifying with the Sample Application
### Verifying with the sample application
After installing ambient with Helm, you can follow
[Deploy the sample application](/docs/ops/ambient/getting-started/#bookinfo)
guide to deploy the sample application and ingress gateways, and then you can
[add your application to ambient](/docs/ops/ambient/getting-started/#addtoambient).
After installing ambient mode with Helm, you can follow the [Deploy the sample application](/docs/ops/ambient/getting-started/#bookinfo) guide to deploy the sample application and ingress gateways, and then you can
[add your application to the ambient mesh](/docs/ops/ambient/getting-started/#addtoambient).
## Uninstall
@ -141,25 +137,25 @@ installed above.
$ kubectl delete namespace istio-ingress
{{< /text >}}
1. Delete Istio CNI chart:
1. Delete the Istio CNI chart:
{{< text syntax=bash snip_id=delete_cni >}}
$ helm delete istio-cni -n istio-system
{{< /text >}}
1. Delete Istio ztunnel chart:
1. Delete the Istio ztunnel chart:
{{< text syntax=bash snip_id=delete_ztunnel >}}
$ helm delete ztunnel -n istio-system
{{< /text >}}
1. Delete Istio discovery chart:
1. Delete the Istio discovery chart:
{{< text syntax=bash snip_id=delete_discovery >}}
$ helm delete istiod -n istio-system
{{< /text >}}
1. Delete Istio base chart:
1. Delete the Istio base chart:
{{< tip >}}
By design, deleting a chart via Helm doesn't delete the installed Custom
@ -170,7 +166,7 @@ installed above.
$ helm delete istio-base -n istio-system
{{< /text >}}
1. Delete CRDs Installed by Istio (Optional)
1. Delete CRDs installed by Istio (optional)
{{< warning >}}
This will delete all created Istio resources.


@ -1,28 +1,25 @@
---
title: Upgrade with Helm
description: How to upgrade Ambient Mesh with Helm.
description: Upgrading an ambient mode installation with Helm.
weight: 5
owner: istio/wg-environments-maintainers
test: yes
status: Experimental
---
Follow this guide to upgrade and configure ambient mesh using
[Helm](https://helm.sh/docs/). This guide assumes you have already performed an ambient mesh
[installation with Helm](/docs/ops/ambient/install/helm-installation/) with a previous minor or patch version of Istio.
Follow this guide to upgrade and configure an ambient mode installation using
[Helm](https://helm.sh/docs/). This guide assumes you have already performed an [ambient mesh installation with Helm](/docs/ops/ambient/install/helm-installation/) with a previous minor or patch version of Istio.
{{< boilerplate ambient-alpha-warning >}}
{{< warning >}}
In contrast to sidecar mode, `Ambient` supports moving application pods to an upgraded data plane without a mandatory restart or reschedule of running application pods. However, upgrading the data plane **will** briefly disrupt all workload traffic on the upgraded node, and ambient does not currently support canary upgrades of the data plane.
In contrast to sidecar mode, ambient mode supports moving application pods to an upgraded data plane without a mandatory restart or reschedule of running application pods. However, upgrading the data plane **will** briefly disrupt all workload traffic on the upgraded node, and ambient mode does not currently support canary upgrades of the data plane.
Node cordoning and blue/green node pools are recommended to control blast radius of application pod traffic disruption during production upgrades. See your Kubernetes provider documentation for details.
{{< /warning >}}
## Prerequisites
1. Install ambient mesh with Helm by following [Install with Helm](/docs/ops/ambient/install/helm-installation/) and meeting all prerequisites in that guide.
1. Update the Helm repository:
{{< text syntax=bash snip_id=update_helm >}}
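Review bot: The rewritten intro uses "ambient mode installation" and "ambient mesh installation with Helm" in consecutive sentences, and the unchanged prerequisite below still says "Install ambient mesh with Helm"; since this commit standardizes on "ambient mode", suggest "an [installation in ambient mode with Helm](...)" and updating the prerequisite wording for consistency.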
@ -62,7 +59,7 @@ $ istioctl x precheck
### Upgrade the Istio discovery Component
Istiod is the control plane component that manages and configures the proxies to route traffic within the ambient mesh.
Istiod is the control plane component that manages and configures the proxies to route traffic within an ambient mesh.
{{< text syntax=bash snip_id=upgrade_istiod >}}
$ helm upgrade istiod istio/istiod -n istio-system
@ -70,13 +67,13 @@ $ helm upgrade istiod istio/istiod -n istio-system
### Upgrade the ztunnel component
The ztunnel DaemonSet is the L4 node-proxy component of ambient.
The ztunnel DaemonSet is the node proxy component.
{{< warning >}}
As ambient is not yet stable, the following statement is not a compatibility guarantee and is subject to change, or removal. Prior to reaching stable status, this component and/or the control plane may receive breaking changes that prevent compatibility between minor versions.
As ambient mode is not yet Stable, the following statement is not a compatibility guarantee, and is subject to change, or removal. Prior to reaching Stable status, this component and/or the control plane may receive breaking changes that prevent compatibility between minor versions.
{{< /warning >}}
The ztunnel at version 1.x is generally compatible with control plane at version 1.x+1 and 1.x, which means the control plane must be upgraded before ztunnel, as long as their version difference is within one minor version.
The ztunnel at version 1.x is generally compatible with the control plane at version 1.x+1 and 1.x. This means the control plane must be upgraded before ztunnel, as long as their version difference is within one minor version.
{{< warning >}}
Upgrading ztunnel in-place will briefly disrupt all ambient mesh traffic on the node.
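Review bot: The rewritten sentence "The ztunnel DaemonSet is the node proxy component." drops both "L4" and "of ambient" from the original, losing the information that ztunnel handles only Layer 4 traffic and which mode it belongs to. Suggest "The ztunnel DaemonSet is the Layer 4 node proxy component of Istio's ambient mode.", which also matches the wording this commit introduces in the Helm installation page ("the node proxy component of Istio's ambient mode").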
@ -87,25 +84,25 @@ Node cordoning and blue/green node pools are recommended to mitigate blast radiu
$ helm upgrade ztunnel istio/ztunnel -n istio-system
{{< /text >}}
### Upgrade the CNI Component
### Upgrade the CNI component
The Istio CNI agent is responsible for detecting pods added to the ambient mesh, informing ztunnel that proxy ports should be established within added pods, and configuring traffic redirection within the pod network namespace. It is not part of the data plane or control plane.
{{< warning >}}
As ambient is not yet stable, the following statement is not a compatibility guarantee and is subject to change, or removal. Prior to reaching stable status, this component and/or the control plane may receive breaking changes that prevent compatibility between minor versions.
As ambient mode is not yet Stable, the following statement is not a compatibility guarantee, and is subject to change, or removal. Prior to reaching Stable status, this component and/or the control plane may receive breaking changes that prevent compatibility between minor versions.
{{< /warning >}}
The CNI at version 1.x is generally compatible with control plane at version 1.x+1 and 1.x, which means the control plane must be upgraded before Istio CNI, as long as their version difference is within one minor version.
The CNI at version 1.x is generally compatible with the control plane at version 1.x+1 and 1.x. This means the control plane must be upgraded before Istio CNI, as long as their version difference is within one minor version.
{{< warning >}}
Upgrading the Istio CNI agent to a compatible version in-place will not disrupt networking for running pods already successfully added to ambient mesh, but no ambient-captured pods will be successfully scheduled (or rescheduled) on the node until the upgrade is complete and the upgraded Istio CNI agent on the node passes readiness checks. If this is a significant disruption concern, or stricter blast radius controls are desired for CNI upgrades, node taints and/or node cordons are recommended.
Upgrading the Istio CNI agent to a compatible version in-place will not disrupt networking for running pods already successfully added to an ambient mesh, but no ambient-captured pods will be successfully scheduled (or rescheduled) on the node until the upgrade is complete and the upgraded Istio CNI agent on the node passes readiness checks. If this is a significant disruption concern, or stricter blast radius controls are desired for CNI upgrades, node taints and/or node cordons are recommended.
{{< /warning >}}
{{< text syntax=bash snip_id=upgrade_cni >}}
$ helm upgrade istio-cni istio/cni -n istio-system
{{< /text >}}
### (Optional) Upgrade the Gateway component
### Upgrade the Gateway component (optional)
Gateway components manage east-west and north-south dataplane traffic between ambient mesh boundaries, as well as some aspects of the L7 dataplane.
@ -121,7 +118,7 @@ To view supported configuration options and documentation, run:
$ helm show values istio/istiod
{{< /text >}}
## Verify the Installation
## Verify the installation
### Verify the workload status
@ -139,4 +136,4 @@ $ kubectl get pods -n istio-system
## Uninstall
Please refer to the uninstall section in our [Helm ambient install guide](/docs/ops/ambient/install/helm-installation/#uninstall).
Please refer to the uninstall section in the [Helm installation guide](/docs/ops/ambient/install/helm-installation/#uninstall).
View File
@ -1,9 +1,7 @@
---
title: Ambient Mesh User Guides
description: How to use ambient mesh.
title: Ambient Mode User Guides
description: How to configure a mesh in ambient mode.
weight: 15
owner: istio/wg-networking-maintainers
test: n/a
---
-
- This page is under construction.
View File
@ -1,9 +1,9 @@
---
title: L7 Networking & Services with Waypoint
description: User guide for Istio Ambient L7 networking and services using waypoint proxy.
title: Layer 7 Networking & Services with Waypoint Proxies
description: Gain the full set of Istio feature with optional waypoint proxies.
weight: 2
owner: istio/wg-networking-maintainers
test: no
---
-
- This page is under construction.
This page is under construction.
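Review bot: the new description for the Layer 7 page has a grammar slip: "Gain the full set of Istio feature with optional waypoint proxies." should read "Gain the full set of Istio features with optional waypoint proxies." Separately, this hunk removes and re-adds "This page is under construction." with identical text, which looks like a whitespace-only change (the blank line above it is dropped); worth confirming that is intended, since the same placeholder is deleted outright from the user guides index page in this commit.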
View File
@ -1,6 +1,6 @@
---
title: L4 Networking & mTLS with Ztunnel
description: User guide for Istio Ambient L4 networking and mTLS using ztunnel proxy.
title: Layer 4 Networking & mTLS with Ztunnel
description: Understand and manage Istio's "zero-trust tunnel" proxy.
weight: 2
owner: istio/wg-networking-maintainers
test: no
@ -10,7 +10,7 @@ test: no
## Introduction {#introsection}
This guide describes in-depth the functionality and usage of the ztunnel proxy and Layer-4 networking functions in Istio ambient mesh. To simply try out Istio ambient mesh, follow the [Ambient Quickstart](/docs/ops/ambient/getting-started/) instead. This guide follows a user journey and works through multiple examples to detail the design and architecture of Istio ambient. It is highly recommended to follow the topics linked below in sequence.
This guide describes in-depth the functionality and usage of the ztunnel proxy and Layer 4 networking functions in Istio ambient mesh. To simply try out Istio ambient mesh, follow the [Ambient Quickstart](/docs/ops/ambient/getting-started/) instead. This guide follows a user journey and works through multiple examples to detail the design and architecture of Istio ambient. It is highly recommended to follow the topics linked below in sequence.
* [Introduction](#introsection)
* [Current Caveats](#caveats)
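Review bot: the rewritten line still says "Istio ambient mesh" (twice) and "Istio ambient", while the rest of this commit standardizes titles, descriptions and glossary entries on "ambient mode"; only the "Layer-4" to "Layer 4" hyphen was changed here. Consider "Layer 4 networking functions in Istio's ambient mode" and "To simply try out ambient mode, follow...". "describes in-depth" should also be "describes in depth" (adverbial, no hyphen), in line with the hyphen clean-up noted in the commit message.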
View File
@ -3,5 +3,5 @@ title: Ambient
test: n/a
---
Ambient refers to a [data plane mode](/docs/reference/glossary/#data-plane-mode) consisting of a per-node and optionally a per-namespace component.
Ambient mode is an alternative to a [sidecar](/docs/reference/glossary/#sidecar) based deployment.
Ambient mode refers to a [data plane mode](/docs/reference/glossary/#data-plane-mode) consisting of a per-node and optionally a per-namespace component. The mesh created when Istio is installed in ambient *mode* can be referred to as an ambient *mesh*.
Ambient mode is an alternative to a [sidecar mode](/docs/reference/glossary/#sidecar) deployment.
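Review bot: "optionally a per-namespace component" in the new first line is narrower than the waypoint glossary entry changed in this same commit, which says waypoints run per namespace or per service account. Consider "optionally a per-namespace (or per-service-account) component" so the two entries agree.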
View File
@ -4,4 +4,4 @@ test: n/a
---
The data plane mode refers to which deployment mode the [data plane](/docs/reference/glossary/#data-plane) is using.
Istio currently supports three modes: [sidecar](/docs/reference/glossary/#sidecar), [ambient](/docs/reference/glossary/#ambient), and [proxyless](/docs/reference/glossary/#proxyless).
Istio currently supports three modes: [sidecar mode](/docs/reference/glossary/#sidecar), [ambient mode](/docs/reference/glossary/#ambient), and [proxyless](/docs/reference/glossary/#proxyless).
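Review bot: the new line adds the "mode" suffix to "sidecar mode" and "ambient mode" but leaves the third entry as plain "proxyless"; for consistency it should read "[proxyless mode](/docs/reference/glossary/#proxyless)", or all three should drop the suffix.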
View File
@ -4,5 +4,5 @@ test: n/a
---
A sidecar, generally, is a container that runs alongside a primary application to provide additional functionality.
In Istio, sidecar is a [data plane mode](/docs/reference/glossary/#data-plane-mode) that runs an [Envoy](/docs/reference/glossary/#envoy) proxy alongside each
In Istio, sidecar mode is a [data plane mode](/docs/reference/glossary/#data-plane-mode) that runs an [Envoy](/docs/reference/glossary/#envoy) proxy alongside each
[Pod](/docs/reference/glossary/#pod).
View File
@ -3,5 +3,5 @@ title: Waypoint
test: n/a
---
A waypoint refers to the HTTP proxy component of [ambient](/docs/reference/glossary/#ambient) data plane mode.
A waypoint runs on a per-namespace on per-service account basis and handles all traffic entering that namespace.
A waypoint is the Layer 7 proxy component in [ambient mode](/docs/reference/glossary/#ambient).
Waypoints run on a per-namespace on per-service account basis and handle all traffic entering that namespace.
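Review bot: the second new line carries over a typo from the old text: "on a per-namespace on per-service account basis" should be "on a per-namespace or per-service-account basis". As written, "handle all traffic entering that namespace" also covers only the namespace case; something like "handle all traffic entering that namespace or destined for that service account" would match both deployment options.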