istio.io/archive/v1.24/blog/2023/rust-based-ztunnel/index.html


<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Introducing Rust-Based Ztunnel for Istio Ambient Service Mesh"><meta name=description content="A purpose-built per-node proxy for Istio ambient mesh."><meta name=author content="Lin Sun (Solo.io), John Howard (Google)"><meta name=keywords content="microservices,services,mesh,istio,ambient,ztunnel"><meta property="og:title" content="Introducing Rust-Based Ztunnel for Istio Ambient Service Mesh"><meta property="og:type" content="website"><meta property="og:description" content="A purpose-built per-node proxy for Istio ambient mesh."><meta property="og:url" content="/v1.24/blog/2023/rust-based-ztunnel/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-social.png"><meta property="og:image:alt" content="The Istio sailboat logo"><meta property="og:image:width" content="4096"><meta property="og:image:height" content="2048"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary_large_image"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.24 / Introducing Rust-Based Ztunnel for Istio Ambient Service Mesh</title>
<button id=search-close title='Cancel search' type=reset aria-label='Cancel search'><svg class="icon menu-close"><use xlink:href="/v1.24/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container><a href=https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/istio-day/ class=banner data-title="Istio Day Europe-2025-01-31 00:00:00 +0000 UTC" data-period-start=1738281600000 data-period-end=1743465600000 data-max-impressions data-timeout><div class=content><p>Join us for Istio Day Europe, a KubeCon + CloudNativeCon Europe Co-located Event. 01 April 2025, London, England. Register now!</p></div><div class=frame></div></a></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Introducing Rust-Based Ztunnel for Istio Ambient Service Mesh</h1><p>A purpose-built per-node proxy for Istio ambient mesh.</p></div><p class=post-author>Feb 28, 2023 <span>| </span>By Lin Sun - Solo.io, John Howard - Google</p><div><p>The ztunnel (zero trust tunnel) component is a purpose-built per-node proxy for Istio ambient mesh. It is responsible for securely connecting and authenticating workloads within ambient mesh. Ztunnel is designed to focus on a small set of features for your workloads in ambient mesh such as mTLS, authentication, L4 authorization and telemetry, without terminating workload HTTP traffic or parsing workload HTTP headers. The ztunnel ensures traffic is efficiently and securely transported to the waypoint proxies, where the full suite of Istio&rsquo;s functionality, such as HTTP telemetry and load balancing, is implemented.</p><p>Because ztunnel is designed to run on all of your Kubernetes worker nodes, it is critical to keep its resource footprint small. 
Ztunnel is designed to be an invisible (or &ldquo;ambient&rdquo;) part of your service mesh with minimal impact on your workloads.</p><h2 id=ztunnel-architecture>Ztunnel architecture</h2><p>Similar to sidecars, ztunnel also serves as an xDS client and CA client:</p><ol><li>During startup, it securely connects to the Istiod control plane using its
service account token. Once the connection from ztunnel to Istiod is established
securely using TLS, it starts to fetch xDS configuration as an xDS client. This
works similarly to sidecars or gateways or waypoint proxies, except that Istiod
recognizes the request from ztunnel and sends the purpose-built xDS configuration
for ztunnel, which you will learn more about soon.</li><li>It also serves as a CA client to manage and provision mTLS certificates on behalf of all co-located workloads it manages. Because a single ztunnel therefore holds the credentials of every workload on its node, the node (rather than the individual pod) is the effective trust boundary for workload identity in ambient mode: a compromised ztunnel, or the node it runs on, could present the certificate of any workload co-located with it, so access to ztunnel pods and to nodes should be protected accordingly.</li><li>As traffic comes in or goes out, it serves as a core proxy that handles the inbound and outbound traffic (either out-of-mesh plain text or in-mesh HBONE) for all co-located workloads it manages.</li><li>It provides L4 telemetry (metrics and logs) along with an admin server with debugging information to help you debug ztunnel if needed.</li></ol><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:67.74193548387096%><a data-skipendnotes=true href=/v1.24/blog/2023/rust-based-ztunnel/ztunnel-architecture.png title="Ztunnel architecture"><img class=element-to-stretch src=/v1.24/blog/2023/rust-based-ztunnel/ztunnel-architecture.png alt="Ztunnel architecture"></a></div><figcaption>Ztunnel architecture</figcaption></figure><h2 id=why-not-reuse-envoy>Why not reuse Envoy?</h2><p>When Istio ambient service mesh was announced on Sept 7, 2022, the ztunnel was implemented using an Envoy proxy. Given that we use Envoy for the rest of Istio - sidecars, gateways, and waypoint proxies - it was natural for us to start implementing ztunnel using Envoy.</p><p>However, we found that while Envoy was a great fit for other use cases, it was challenging to implement ztunnel in Envoy, as many of the tradeoffs, requirements, and use cases are dramatically different than that of a sidecar proxy or ingress gateway. In addition, most of the things that make Envoy such a great fit for those other use cases, such as its rich L7 feature set and extensibility, went to waste in ztunnel which didn&rsquo;t need those features.</p><h2 id=a-purpose-built-ztunnel>A purpose-built ztunnel</h2><p>After having trouble bending Envoy to our needs, we started investigating making a purpose-built implementation of the ztunnel. 
Our hypothesis was that by designing with a single focused use case in mind from the beginning, we could develop a solution that was simpler and more performant than molding a general purpose project to our bespoke use cases. The explicit decision to make ztunnel simple was key to this hypothesis; similar logic wouldn&rsquo;t hold up to rewriting the gateway, for example, which has a huge list of supported features and integrations.</p><p>This purpose-built ztunnel involved two key areas:</p><ul><li>The configuration protocol between ztunnel and its Istiod</li><li>The runtime implementation of ztunnel</li></ul><h3 id=configuration-protocol>Configuration protocol</h3><p>Envoy proxies use the <a href=https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol>xDS Protocol for configuration</a>. This is a key part of what makes Istio work well, offering rich and dynamic configuration updates. However, as we tread off the beaten path, the config becomes more and more bespoke, which means it&rsquo;s much larger and more expensive to generate. In a sidecar, a single Service with 1 pod, generates roughly ~350 lines of xDS (in YAML), which already has been challenging to scale. The Envoy-based ztunnel was far worse, and in some areas had N^2 scaling attributes.</p><p>To keep the ztunnel configuration as small as possible, we investigated using a purpose built configuration protocol, that contains precisely the information we need (and nothing more), in an efficient format. For example, a single pod could be represented concisely:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>name: helloworld-v1-55446d46d8-ntdbk
namespace: default
serviceAccount: helloworld
node: ambient-worker2
protocol: TCP
status: Healthy
waypointAddresses: []
workloadIp: 10.244.2.8
canonicalName: helloworld
canonicalRevision: v1
workloadName: helloworld-v1
workloadType: deployment</code></pre><p>This information is transported over the xDS transport API, but uses a custom ambient-specific type. Refer to the <a href=/v1.24/blog/2023/rust-based-ztunnel/#workload-xds-configuration>workload xDS configuration section</a> to learn more about the configuration details.</p><p>By having a purpose built API, we can push logic into the proxy instead of in Envoy configuration. For example, to configure mTLS in Envoy, we need to add an identical large set of configuration tuning the precise TLS settings for each service; with ztunnel, we need only a single enum to declare whether mTLS should be used or not. The rest of the complex logic is embedded directly into ztunnel code.</p><p>With this efficient API between Istiod and ztunnel, we found we could configure ztunnels with information about large meshes (such as those with 100,000 pods) with orders of magnitude less configuration, which means less CPU, memory, and network costs.</p><h3 id=runtime-implementation>Runtime implementation</h3><p>As the name suggests, ztunnel uses an <a href=/v1.24/blog/2022/introducing-ambient-mesh/#building-an-ambient-mesh>HTTPS tunnel</a> to carry users requests. While Envoy supports this tunneling, we found the configuration model limiting for our needs. Roughly speaking, Envoy operates by sending requests through a series of &ldquo;filters&rdquo;, starting with accepting a request and ending with sending a request. With our requirements, which have multiple layers of requests (the tunnel itself and the users&rsquo; requests), as well as a need to apply per-pod policy after load balancing, we found we would need to loop through these filters 4 times per connection when implementing our prior Envoy-based ztunnel. 
While Envoy has <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/other_features/internal_listener>some optimizations</a> for essentially &ldquo;sending a request to itself&rdquo; in memory, this was still very complex and expensive.</p><p>By building out our own implementation, we could design around these constraints from the ground up. In addition, we have more flexibility in all aspects of the design. For example, we could choose to share connections across threads or implement more bespoke requirements around isolation between service accounts. After establishing that a purpose built proxy was viable, we set out to choose the implementation details.</p><h4 id=a-rust-based-ztunnel>A Rust-based ztunnel</h4><p>With the goal to make ztunnel fast, secure, and lightweight, <a href=https://www.rust-lang.org/>Rust</a> was an obvious choice. However, it wasn&rsquo;t our first. Given Istio&rsquo;s current extensive usage of Go, we had hoped we could make a Go-based implementation meet these goals. In initial prototypes, we built out some simple versions of both a Go-based implementation as well as a Rust-based one. From our tests, we found that the Go-based version didn&rsquo;t meet our performance and footprint requirements. While it&rsquo;s likely we could have optimized it further, we felt that a Rust-based proxy would give us the long-term optimal implementation.</p><p>A C++ implementation &ndash; likely reusing parts of Envoy &ndash; was also considered. However, this option was not pursued due to lack of memory safety, developer experience concerns, and a general industry trend towards Rust.</p><p>This process of elimination left us with Rust, which was a perfect fit. Rust has a strong history of success in high performance, low resource utilization applications, especially in network applications (including service mesh). 
We chose to build on top of the <a href=https://tokio.rs/>Tokio</a> and <a href=https://hyper.rs/>Hyper</a> libraries, two of the de-facto standards in the ecosystem that are extensively battle-tested and easy to write highly performant asynchronous code with.</p><h2 id=a-quick-tour-of-the-rust-based-ztunnel>A quick tour of the Rust-based ztunnel</h2><h3 id=workload-xds-configuration>Workload xDS configuration</h3><p>The workload xDS configurations are very easy to understand and debug. You can view them by sending a request to <code>localhost:15000/config_dump</code> from one of your ztunnel pods, or use the convenient <code>istioctl pc workload</code> command. As the address suggests, this admin server is reached over localhost from inside the ztunnel pod (for example via <code>kubectl exec</code>) rather than over the pod network; since the dump exposes every workload and authorization policy the node knows about, treat the ability to exec into or port-forward to ztunnel pods as a privileged operation. There are two key workload xDS configurations: workloads and policies.</p><p>Before your workloads are included in your ambient mesh, you will still be able to see them in ztunnel&rsquo;s config dump, as ztunnel is aware of all of the workloads regardless of whether they are ambient enabled or not. For example, below is a sample workload configuration for a newly deployed helloworld v1 pod which is out-of-mesh, as indicated by <code>protocol: TCP</code>:</p><pre><code class=language-plaintext data-expandlinks=true data-repo=istio>{
&#34;workloads&#34;: {
&#34;10.244.2.8&#34;: {
&#34;workloadIp&#34;: &#34;10.244.2.8&#34;,
&#34;protocol&#34;: &#34;TCP&#34;,
&#34;name&#34;: &#34;helloworld-v1-cross-node-55446d46d8-ntdbk&#34;,
&#34;namespace&#34;: &#34;default&#34;,
&#34;serviceAccount&#34;: &#34;helloworld&#34;,
&#34;workloadName&#34;: &#34;helloworld-v1-cross-node&#34;,
&#34;workloadType&#34;: &#34;deployment&#34;,
&#34;canonicalName&#34;: &#34;helloworld&#34;,
&#34;canonicalRevision&#34;: &#34;v1&#34;,
&#34;node&#34;: &#34;ambient-worker2&#34;,
&#34;authorizationPolicies&#34;: [],
&#34;status&#34;: &#34;Healthy&#34;
}
}
}</code></pre><p>After the pod is included in ambient (by labeling the namespace default with <code>istio.io/dataplane-mode=ambient</code>), the <code>protocol</code> value is replaced with <code>HBONE</code>, instructing ztunnel to upgrade all incoming and outgoing communications from the helloworld-v1 pod to be HBONE.</p><pre><code class=language-plaintext data-expandlinks=true data-repo=istio>{
&#34;workloads&#34;: {
&#34;10.244.2.8&#34;: {
&#34;workloadIp&#34;: &#34;10.244.2.8&#34;,
&#34;protocol&#34;: &#34;HBONE&#34;,
...
}</code></pre><p>After you deploy any workload-level authorization policy, the policy configuration will be pushed as xDS configuration from Istiod to ztunnel and shown under <code>policies</code>:</p><pre><code class=language-plaintext data-expandlinks=true data-repo=istio>{
&#34;policies&#34;: {
&#34;default/hw-viewer&#34;: {
&#34;name&#34;: &#34;hw-viewer&#34;,
&#34;namespace&#34;: &#34;default&#34;,
&#34;scope&#34;: &#34;WorkloadSelector&#34;,
&#34;action&#34;: &#34;Allow&#34;,
&#34;groups&#34;: [[[{
&#34;principals&#34;: [{&#34;Exact&#34;: &#34;cluster.local/ns/default/sa/sleep&#34;}]
}]]]
}
}
...
}</code></pre><p>You&rsquo;ll also notice the workload&rsquo;s configuration is updated with a reference to the authorization policy.</p><pre><code class=language-plaintext data-expandlinks=true data-repo=istio>{
&#34;workloads&#34;: {
&#34;10.244.2.8&#34;: {
&#34;workloadIp&#34;: &#34;10.244.2.8&#34;,
...
&#34;authorizationPolicies&#34;: [
&#34;default/hw-viewer&#34;
],
}
...
}</code></pre><h3 id=l4-telemetry-provided-by-ztunnel>L4 telemetry provided by ztunnel</h3><p>You may be pleasantly surprised that the ztunnel logs are easy to understand. For example, you&rsquo;ll see the HTTP CONNECT request on the destination ztunnel that indicates the source pod IP (<code>peer_ip</code>), the source&rsquo;s authenticated SPIFFE identity (<code>peer_id</code>, which corresponds to the principal form used in the <code>principals</code> match of the authorization policy above and is therefore the value worth checking when an L4 policy denies unexpectedly), and the destination pod IP and port.</p><pre><code class=language-plaintext data-expandlinks=true data-repo=istio>2023-02-15T20:40:48.628251Z INFO inbound{id=4399fa68cf25b8ebccd472d320ba733f peer_ip=10.244.2.5 peer_id=spiffe://cluster.local/ns/default/sa/sleep}: ztunnel::proxy::inbound: got CONNECT request to 10.244.2.8:5000</code></pre><p>You can view L4 metrics of your workloads by accessing the <code>localhost:15020/metrics</code> API which provides the full set of TCP <a href=/v1.24/docs/reference/config/metrics/>standard metrics</a>, with the same labels that sidecars expose. For example:</p><pre><code class=language-plaintext data-expandlinks=true data-repo=istio>istio_tcp_connections_opened_total{
reporter=&#34;source&#34;,
source_workload=&#34;sleep&#34;,
source_workload_namespace=&#34;default&#34;,
source_principal=&#34;spiffe://cluster.local/ns/default/sa/sleep&#34;,
destination_workload=&#34;helloworld-v1&#34;,
destination_workload_namespace=&#34;default&#34;,
destination_principal=&#34;spiffe://cluster.local/ns/default/sa/helloworld&#34;,
request_protocol=&#34;tcp&#34;,
connection_security_policy=&#34;mutual_tls&#34;
...
} 1</code></pre><p>If you install Prometheus and Kiali, you can view these metrics easily from Kiali&rsquo;s UI.</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:46.997690531177824%><a data-skipendnotes=true href=/v1.24/blog/2023/rust-based-ztunnel/kiali-ambient.png title="Kiali dashboard - L4 telemetry provided by ztunnel"><img class=element-to-stretch src=/v1.24/blog/2023/rust-based-ztunnel/kiali-ambient.png alt="Kiali dashboard - L4 telemetry provided by ztunnel"></a></div><figcaption>Kiali dashboard - L4 telemetry provided by ztunnel</figcaption></figure><h2 id=wrapping-up>Wrapping up</h2><p>We are super excited that the new <a href=https://github.com/istio/ztunnel/>Rust-based ztunnel</a> is drastically simplified, more lightweight and performant than the prior Envoy-based ztunnel. With the purposefully designed workload xDS for the Rust-based ztunnel, you&rsquo;ll not only be able to understand the xDS configuration much more easily, but also have drastically reduced network traffic and cost between the Istiod control plane and ztunnels. With Istio ambient now merged to upstream master, you can try the new Rust-based ztunnel by following our <a href=/v1.24/docs/ambient/getting-started/>getting started guide</a>.</p></div><div class=share-social><div class=heading>Share this post</div><div class=share-buttons><a href="https://www.linkedin.com/shareArticle?mini=true&url=%2fv1.24%2fblog%2f2023%2frust-based-ztunnel%2f" target=_blank><img class=share-icon src=/v1.24/img/social/linkedin.svg alt="Share to LinkedIn">
</a><a href="https://twitter.com/intent/tweet?text=Introducing%20Rust-Based%20Ztunnel%20for%20Istio%20Ambient%20Service%20Mesh&url=%2fv1.24%2fblog%2f2023%2frust-based-ztunnel%2f" target=_blank><img class=share-icon src=/v1.24/img/social/twitterx.svg alt="Share to X">
</a><a href="https://www.facebook.com/sharer/sharer.php?u=%2fv1.24%2fblog%2f2023%2frust-based-ztunnel%2f" target=_blank><img class=share-icon src=/v1.24/img/social/facebook.svg alt="Share to Facebook"></a></div></div><nav class=pagenav><div class=left><a title="Experimental support for Dual Stack Kubernetes Clusters." href=/v1.24/blog/2023/experimental-dual-stack/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.24/img/icons.svg#left-arrow"/></svg>Support for Dual Stack Kubernetes Clusters</a></div><div class=right><a title="A significant milestone for ambient mesh." href=/v1.24/blog/2023/ambient-merged-istio-main/ class=next-link>Istio Ambient Service Mesh Merged to Istios Main Branch<svg class="icon right-arrow"><use xlink:href="/v1.24/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title='GitHub is where development takes place on Istio code' href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.24/img/icons.svg#github"/></svg>
</a><a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.24/img/icons.svg#drive"/></svg>
</a><a class=channel title='Interactively discuss issues with the Istio community on Slack' href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.24/img/icons.svg#slack"/></svg>
</a><a class=channel title='Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio' href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.24/img/icons.svg#stackoverflow"/></svg>
</a><a class=channel title='Follow us on LinkedIn to get the latest news' href=https://www.linkedin.com/company/istio/ aria-label=LinkedIn><svg class="icon linkedin"><use xlink:href="/v1.24/img/icons.svg#linkedin"/></svg>
</a><a class=channel title='Follow us on Twitter to get the latest news' href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon twitter"><use xlink:href="/v1.24/img/icons.svg#twitter"/></svg>
</a><a class=channel title='Follow us on Bluesky to get the latest news' href=https://bsky.app/profile/istio.io aria-label=Bluesky><svg class="icon bluesky"><use xlink:href="/v1.24/img/icons.svg#bluesky"/></svg>
</a><a class=channel title='Follow us on Mastodon to get the latest news' href=https://mastodon.social/@istio aria-label=Mastodon rel=me><svg class="icon mastodon"><use xlink:href="/v1.24/img/icons.svg#mastodon"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.24/ aria-label=logotype><svg width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 
32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 lang=en id=switch-lang-en class="footer-languages-item active"><svg class="icon tick"><use 
xlink:href="/v1.24/img/icons.svg#tick"/></svg>
English
</a><a tabindex=-1 lang=zh id=switch-lang-zh class=footer-languages-item>中文
</a><a tabindex=-1 lang=uk id=switch-lang-uk class=footer-languages-item>Українська</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://www.linuxfoundation.org/legal/terms>Terms and Conditions
</a>|
<a class=footer-policies-link href=https://www.linuxfoundation.org/legal/privacy-policy>Privacy policy
</a>|
<a class=footer-policies-link href=https://www.linuxfoundation.org/legal/trademark-usage>Trademarks
</a>|
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.24/content/en/blog/2023/rust-based-ztunnel/index.md>Edit this Page on GitHub</a></li></ul><div class=footer-base><span class=footer-base-copyright>&copy; 2024 the Istio Authors.</span>
<span class=footer-base-version>Version
Archive
1.24.3</span><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://istio.io/blog/2023/rust-based-ztunnel/"),!1'>current release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://preliminary.istio.io/blog/2023/rust-based-ztunnel/"),!1'>next release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link href=https://istio.io/archive>older releases</a></li></ul></div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title='Back to top' tabindex=-1><svg class="icon top"><use xlink:href="/v1.24/img/icons.svg#top"/></svg></button></div></body></html>