
<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Introducing Ambient Mesh"><meta name=description content="A new dataplane mode for Istio without sidecars."><meta name=author content="John Howard (Google), Ethan J. Jackson (Google), Yuval Kohavi (Solo.io), Idit Levine (Solo.io), Justin Pettit (Google), Lin Sun (Solo.io)"><meta name=keywords content="microservices,services,mesh,ambient"><meta property="og:title" content="Introducing Ambient Mesh"><meta property="og:type" content="website"><meta property="og:description" content="A new dataplane mode for Istio without sidecars."><meta property="og:url" content="/v1.18/blog/2022/introducing-ambient-mesh/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-social.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1200"><meta property="og:image:height" content="600"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.18 / Introducing Ambient Mesh</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","UA-98480406-2")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.18/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.18/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.18/feed.xml><link rel="shortcut icon" href=/v1.18/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.18/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.18/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.18/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.18/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.18/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.18/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.18/favicons/android-96x96.png sizes=96x96><link rel=icon type=image/png href=/v1.18/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.18/favicons/android-192x192.png sizes=192x192><link rel=icon type=image/svg+xml href=/v1.18/favicons/favicon.svg><link rel=icon type=image/png href=/v1.18/favicons/favicon.png><link rel=mask-icon href=/v1.18/favicons/safari-pinned-tab.svg color=#466bb0><link rel=manifest href=/v1.18/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.18/css/all.css><link rel=preconnect href=https://fonts.googleapis.com><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet 
href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.18/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.18",docTitle="Introducing Ambient Mesh",iconFile="/v1.18/img/icons.svg",buttonCopy="Copy to clipboard",buttonPrint="Print",buttonDownload="Download"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script>
<script src=/v1.18/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.18/ aria-label=logotype><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 
00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.18/img/icons.svg#menu-hamburger"/></svg></button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.18/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>About</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.18/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.18/about/service-mesh class=main-navigation-links-link>Service mesh</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.18/about/solutions class=main-navigation-links-link>Solutions</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.18/about/case-studies class=main-navigation-links-link>Case studies</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.18/about/ecosystem class=main-navigation-links-link>Ecosystem</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.18/about/deployment class=main-navigation-links-link>Deployment</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.18/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.18/blog/ class=main-navigation-links-link><span>Blog</span></a></li><li class=main-navigation-links-item><a href=/v1.18/news/ class=main-navigation-links-link><span>News</span></a></li><li class=main-navigation-links-item><a href=/v1.18/get-involved/ class=main-navigation-links-link><span>Get involved</span></a></li><li class=main-navigation-links-item><a href=/v1.18/docs/ class=main-navigation-links-link><span>Documentation</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title='Search this site' aria-label=Search><svg class="icon magnifier"><use 
xlink:href="/v1.18/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.18/docs/setup/getting-started class="btn btn--primary" id=try-istio>Try Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label='Search this site' placeholder=Search>
<button id=search-close title='Cancel search' type=reset aria-label='Cancel search'><svg class="icon menu-close"><use xlink:href="/v1.18/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Introducing Ambient Mesh</h1><p>A new dataplane mode for Istio without sidecars.</p></div><p class=post-author>Sep 7, 2022 <span>|</span> By John Howard - Google, Ethan J. Jackson - Google, Yuval Kohavi - Solo.io, Idit Levine - Solo.io, Justin Pettit - Google, Lin Sun - Solo.io</p><div><p>Today, we are excited to introduce &ldquo;ambient mesh&rdquo;, a new Istio data plane mode that's designed for simplified operations, broader application compatibility, and reduced infrastructure cost. Ambient mesh gives users the option to forgo sidecar proxies in favor of a mesh data plane that's integrated into their infrastructure, all while maintaining Istio's core features of zero-trust security, telemetry, and traffic management. We are sharing a preview of ambient mesh with the Istio community that we are working to bring to production readiness in the coming months.</p><h2 id=istio-and-sidecars>Istio and sidecars</h2><p>Since its inception, a defining feature of Istio's architecture has been the use of <em>sidecars</em> — programmable proxies deployed alongside application containers. 
Sidecars allow operators to reap Istio's benefits, without requiring applications to undergo major surgery and its associated costs.</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:43.77782985704242%><a data-skipendnotes=true href=/v1.18/blog/2022/introducing-ambient-mesh/traditional-istio.png title="Istio's traditional model deploys Envoy proxies as sidecars within the workloads' pods"><img class=element-to-stretch src=/v1.18/blog/2022/introducing-ambient-mesh/traditional-istio.png alt="Istio's traditional model deploys Envoy proxies as sidecars within the workloads' pods"></a></div><figcaption>Istio's traditional model deploys Envoy proxies as sidecars within the workloads' pods</figcaption></figure><p>Although sidecars have significant advantages over refactoring applications, they do not provide a perfect separation between applications and the Istio data plane. This results in a few limitations:</p><ul><li><strong>Invasiveness</strong> - Sidecars must be &ldquo;injected&rdquo; into applications by modifying their Kubernetes pod spec and redirecting traffic within the pod. As a result, installing or upgrading sidecars requires restarting the application pod, which can be disruptive for workloads.</li><li><strong>Underutilization of resources</strong> - Since the sidecar proxy is dedicated to its associated workload, the CPU and memory resources must be provisioned for worst case usage of each individual pod. 
This adds up to large reservations that can lead to underutilization of resources across the cluster.</li><li><strong>Traffic breaking</strong> - Traffic capture and HTTP processing, as typically done by Istio's sidecars, is computationally expensive and can break some applications with non-conformant HTTP implementations.</li></ul><p>While sidecars have their place — more on that later — we think there is a need for a less invasive and easier option that will be a better fit for many service mesh users.</p><h2 id=slicing-the-layers>Slicing the layers</h2><p>Traditionally, Istio implements all data plane functionality, from basic encryption through advanced L7 policy, in a single architectural component: the sidecar.
In practice, this makes sidecars an all-or-nothing proposition.
Even if a workload just needs simple transport security, administrators still need to pay the operational cost of deploying and maintaining a sidecar.
Sidecars have a fixed operational cost per workload that does not scale to fit the complexity of the use case.</p><p>Ambient mesh takes a different approach.
It splits Istio's functionality into two distinct layers.
At the base, there's a secure overlay that handles routing and zero trust security for traffic.
Above that, when needed, users can enable L7 processing to get access to the full range of Istio features.
The L7 processing mode, while heavier than the secure overlay, still runs as an ambient component of the infrastructure, requiring no modifications to application pods.</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:51.501597444089455%><a data-skipendnotes=true href=/v1.18/blog/2022/introducing-ambient-mesh/ambient-layers.png title="Layers of the ambient mesh"><img class=element-to-stretch src=/v1.18/blog/2022/introducing-ambient-mesh/ambient-layers.png alt="Layers of the ambient mesh"></a></div><figcaption>Layers of the ambient mesh</figcaption></figure><p>This layered approach allows users to adopt Istio in a more incremental fashion, smoothly transitioning from no mesh, to the secure overlay, to full L7 processing — on a per-namespace basis, as needed. Furthermore, workloads running in different ambient modes, or with sidecars, interoperate seamlessly, allowing users to mix and match capabilities based on the particular needs as they change over time.</p><h2 id=building-an-ambient-mesh>Building an ambient mesh</h2><p>Ambient mesh uses a shared agent, running on each node in the Kubernetes cluster. This agent is a zero-trust tunnel (or <strong><em>ztunnel</em></strong>), and its primary responsibility is to securely connect and authenticate elements within the mesh. The networking stack on the node redirects all traffic of participating workloads through the local ztunnel agent. This fully separates the concerns of Istio's data plane from those of the application, ultimately allowing operators to enable, disable, scale, and upgrade the data plane without disturbing applications. The ztunnel performs no L7 processing on workload traffic, making it significantly leaner than sidecars. This large reduction in complexity and associated resource costs makes it amenable to delivery as shared infrastructure.</p><p>Ztunnels enable the core functionality of a service mesh: zero trust. 
A secure overlay is created when ambient is enabled for a namespace. It provides workloads with mTLS, telemetry, authentication, and L4 authorization, without terminating or parsing HTTP.</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:43.77782985704242%><a data-skipendnotes=true href=/v1.18/blog/2022/introducing-ambient-mesh/ambient-secure-overlay.png title="Ambient mesh uses a shared, per-node ztunnel to provide a zero-trust secure overlay"><img class=element-to-stretch src=/v1.18/blog/2022/introducing-ambient-mesh/ambient-secure-overlay.png alt="Ambient mesh uses a shared, per-node ztunnel to provide a zero-trust secure overlay"></a></div><figcaption>Ambient mesh uses a shared, per-node ztunnel to provide a zero-trust secure overlay</figcaption></figure><p>After ambient mesh is enabled and a secure overlay is created, a namespace can be configured to utilize L7 features.
This allows a namespace to implement the full set of Istio capabilities, including the <a href=/v1.18/docs/reference/config/networking/virtual-service/>Virtual Service API</a>, <a href=/v1.18/docs/reference/config/telemetry/>L7 telemetry</a>, and <a href=/v1.18/docs/reference/config/security/authorization-policy/>L7 authorization policies</a>.
Namespaces operating in this mode use one or more Envoy-based <strong><em>waypoint proxies</em></strong> to handle L7 processing for workloads in that namespace.
Istio's control plane configures the ztunnels in the cluster to pass all traffic that requires L7 processing through the waypoint proxy.
Importantly, from a Kubernetes perspective, waypoint proxies are just regular pods that can be auto-scaled like any other Kubernetes deployment.
We expect this to yield significant resource savings for users, as the waypoint proxies can be auto-scaled to fit the real time traffic demand of the namespaces they serve, not the maximum worst-case load operators expect.</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:43.77782985704242%><a data-skipendnotes=true href=/v1.18/blog/2022/introducing-ambient-mesh/ambient-waypoint.png title="When additional features are needed, ambient mesh deploys waypoint proxies, which ztunnels connect through for policy enforcement"><img class=element-to-stretch src=/v1.18/blog/2022/introducing-ambient-mesh/ambient-waypoint.png alt="When additional features are needed, ambient mesh deploys waypoint proxies, which ztunnels connect through for policy enforcement"></a></div><figcaption>When additional features are needed, ambient mesh deploys waypoint proxies, which ztunnels connect through for policy enforcement</figcaption></figure><p>Ambient mesh uses HTTP CONNECT over mTLS to implement its secure tunnels and insert waypoint proxies in the path, a pattern we call HBONE (HTTP-Based Overlay Network Environment). HBONE provides for a cleaner encapsulation of traffic than TLS on its own while enabling interoperability with common load-balancer infrastructure. FIPS builds are used by default to meet compliance needs. More details on HBONE, its standards-based approach, and plans for UDP and other non-TCP protocols will be provided in a future blog.</p><p>Mixing sidecars and ambient in a single mesh does not introduce limitations on the capabilities or security properties of the system. The Istio control plane ensures that policies are properly enforced regardless of the deployment model chosen. 
Ambient simply introduces an option that has better ergonomics and more flexibility.</p><h2 id=why-no-l7-processing-on-the-local-node>Why no L7 processing on the local node?</h2><p>The ambient mesh uses a shared ztunnel agent on the node, which handles the zero trust aspects of the mesh, while L7 processing happens in the waypoint proxy in separately scheduled pods. Why bother with the indirection, and not just use a shared full L7 proxy on the node? There are several reasons for this:</p><ul><li>Envoy is not inherently multi-tenant. As a result, we have security concerns with commingling complex processing rules for L7 traffic from multiple unconstrained tenants in a shared instance. By strictly limiting to L4 processing, we reduce the vulnerability surface area significantly.</li><li>The mTLS and L4 features provided by the ztunnel need a much smaller CPU and memory footprint when compared to the L7 processing required in the waypoint proxy. By running waypoint proxies as a shared namespace resource, we can scale them independently based on the needs of that namespace, and its costs are not unfairly distributed across unrelated tenants.</li><li>By reducing the ztunnel's scope we allow for it to be replaced by other secure tunnel implementations that can meet a well-defined interoperability contract.</li></ul><h2 id=but-what-about-those-extra-hops>But what about those extra hops?</h2><p>With ambient mesh, a waypoint isn't necessarily guaranteed to be on the same node as the workloads it serves. While at first glance this may appear to be a performance concern, we're confident that latency will ultimately be in-line with Istio's current sidecar implementation. 
We'll discuss more in a dedicated performance blog post, but for now we'll summarize with two points:</p><ul><li>The majority of Istio's network latency does not, in fact, come from the network (<a href=https://www.clockwork.io/there-is-no-upside-to-vm-colocation/>modern cloud providers have extremely fast networks</a>). Instead the biggest culprit is the intensive L7 processing Istio needs to implement its sophisticated feature set. Unlike sidecars, which implement two L7 processing steps for each connection (one for each sidecar), ambient mesh collapses these two steps into one. In most cases, we expect this reduced processing cost to compensate for an additional network hop.</li><li>Users often deploy a mesh to enable a zero-trust security posture as a first-step and then selectively enable L7 capabilities as needed. Ambient mesh allows those users to bypass the cost of L7 processing entirely when it's not needed.</li></ul><h2 id=resource-overhead>Resource overhead</h2><p>Overall we expect ambient mesh to have fewer and more predictable resource requirements for most users.
The ztunnel's limited responsibilities allow it to be deployed as a shared resource on the node.
This will substantially reduce the per-workload reservations required for most users.
Furthermore, since the waypoint proxies are normal Kubernetes pods, they can be dynamically deployed and scaled based on the real-time traffic demands of the workloads they serve.</p><p>Sidecars, on the other hand, need to reserve memory and CPU for the worst case for each workload.
Making these calculations is complicated, so in practice administrators tend to over-provision.
This leads to underutilized nodes due to high reservations that prevent other workloads from being scheduled.
Ambient mesh's lower fixed per-node overhead and dynamically scaled waypoint proxies will require far fewer resource reservations in aggregate, leading to more efficient use of a cluster.</p><h2 id=what-about-security>What about security?</h2><p>With a radically new architecture naturally come questions around security. The <a href=/v1.18/blog/2022/ambient-security/>ambient security blog</a> does a deep dive, but we'll summarize here.</p><p>Sidecars co-locate with the workloads they serve and as a result, a vulnerability in one compromises the other.
In the ambient mesh model, even if an application is compromised, the ztunnels and waypoint proxies can still enforce strict security policy on the compromised application's traffic.
Furthermore, given that Envoy is a mature battle-tested piece of software used by the world&rsquo;s largest network operators, it is likely less vulnerable than the applications it runs alongside.</p><p>While the ztunnel is a shared resource, it only has access to the keys of the workloads currently on the node it's running on.
Thus, its blast radius is no worse than any other encrypted CNI that relies on per-node keys for encryption.
Also, given the ztunnel's limited L4-only attack surface area and Envoy's aforementioned security properties, we feel this risk is limited and acceptable.</p><p>Finally, while the waypoint proxies are a shared resource, they are limited to serving just one service account.
This makes them no worse than sidecars are today; if one waypoint proxy is compromised, the credential associated with that waypoint is lost, and nothing else.</p><h2 id=is-this-the-end-of-the-road-for-the-sidecar>Is this the end of the road for the sidecar?</h2><p>Definitely not.
While we believe ambient mesh will be the best option for many mesh users going forward, sidecars continue to be a good choice for those that need dedicated data plane resources, such as for compliance or performance tuning.
Istio will continue to support sidecars, and importantly, allow them to interoperate seamlessly with ambient mesh.
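In fact, the ambient mesh code we're releasing today already supports interoperation with sidecar-based Istio.</p><h2 id=learn-more>Learn more</h2><p>Take a look at a short video to watch Christian run through the Istio ambient mesh components and demo some capabilities:</p>
<!-- Third-party embed: the only cross-origin frame on the page. Restrict it to what the player needs
     (scripts, its own origin, "Watch on YouTube" pop-outs, fullscreen/presentation) and trim the
     referrer sent cross-origin; src, dimensions and the permissions allow-list are unchanged. -->
<iframe width=560 height=315 src=https://www.youtube.com/embed/nupRBh9Iypo title="YouTube video player" frameborder=0 allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen sandbox="allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox allow-presentation" referrerpolicy=strict-origin-when-cross-origin loading=lazy></iframe>
<h3 id=get-involved>Get involved</h3><p>What we have released today is an early version of ambient mesh in Istio, and it is very much still under active development. We are excited to share it with the broader community and look forward to getting more people involved in shaping it as we move to production readiness in 2023.</p><p>We would love your feedback to help shape the solution.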
A build of Istio which supports ambient mesh is available to <a href=/v1.18/blog/2022/get-started-ambient/>download and try</a> in the <a href=https://github.com/istio/istio/tree/experimental-ambient>Istio Experimental repo</a>.
A list of missing features and work items is available in the <a href=https://github.com/istio/istio/blob/experimental-ambient/README.md>README</a>.
Please try it out and <a href=https://slack.istio.io/>let us know what you think!</a></p><p><em>Thank you to the team that contributed to the launch of ambient mesh!</em></p><ul><li><em>Google: Craig Box, John Howard, Ethan J. Jackson, Abhi Joglekar, Steven Landow, Oliver Liu, Justin Pettit, Doug Reid, Louis Ryan, Kuat Yessenov, Francis Zhou</em></li><li><em>Solo.io: Aaron Birkland, Kevin Dorosh, Greg Hanson, Daniel Hawton, Denis Jannot, Yuval Kohavi, Idit Levine, Yossi Mesika, Neeraj Poddar, Nina Polshakova, Christian Posta, Lin Sun, Eitan Yarmush</em></li></ul></div><nav class=pagenav><div class=left><a title="Step by step guide to get started with Istio ambient mesh." href=/v1.18/blog/2022/get-started-ambient/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.18/img/icons.svg#left-arrow"/></svg>Get Started with Istio Ambient Mesh</a></div><div class=right><a title="A standard API for service mesh, in Istio and in the broader community." href=/v1.18/blog/2022/gateway-api-beta/ class=next-link>Extending Gateway API support in Istio<svg class="icon right-arrow"><use xlink:href="/v1.18/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title='GitHub is where development takes place on Istio code' href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.18/img/icons.svg#github"/></svg></a><a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.18/img/icons.svg#drive"/></svg></a><a class=channel title='Interactively discuss issues with the Istio community on Slack' href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.18/img/icons.svg#slack"/></svg></a><a 
class=channel title='Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio' href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.18/img/icons.svg#stackoverflow"/></svg></a><a class=channel title='Follow us on Twitter to get the latest news' href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon twitter"><use xlink:href="/v1.18/img/icons.svg#twitter"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.18/ aria-label=logotype><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 
32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 
00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 lang=en id=switch-lang-en class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.18/img/icons.svg#tick"/></svg>English</a>
<a tabindex=-1 lang=zh id=switch-lang-zh class=footer-languages-item>中文</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://www.linuxfoundation.org/legal/terms>Terms and Conditions</a> |
<a class=footer-policies-link href=https://www.linuxfoundation.org/legal/privacy-policy>Privacy policy</a> |
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.18/content/en/blog/2022/introducing-ambient-mesh/index.md>Edit this Page on GitHub</a></li></ul><div class=footer-base><span class=footer-base-copyright>&copy; 2023 the Istio Authors.</span>
<span class=footer-base-version>Version
Archive
1.18.2</span><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://istio.io/blog/2022/introducing-ambient-mesh/"),!1'>current release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://preliminary.istio.io/blog/2022/introducing-ambient-mesh/"),!1'>next release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link href=https://istio.io/archive>older releases</a></li></ul></div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title='Back to top' tabindex=-1><svg class="icon top"><use xlink:href="/v1.18/img/icons.svg#top"/></svg></button></div></body></html>