istio.io/archive/v1.19/blog/2022/get-started-ambient/index.html


<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Get Started with Istio Ambient Mesh"><meta name=description content="Step by step guide to get started with Istio ambient mesh."><meta name=author content="Lin Sun (Solo.io), John Howard (Google)"><meta name=keywords content="microservices,services,mesh,ambient,demo,guide"><meta property="og:title" content="Get Started with Istio Ambient Mesh"><meta property="og:type" content="website"><meta property="og:description" content="Step by step guide to get started with Istio ambient mesh."><meta property="og:url" content="/v1.19/blog/2022/get-started-ambient/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-social.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1200"><meta property="og:image:height" content="600"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.19 / Get Started with Istio Ambient Mesh</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","UA-98480406-2")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.19/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.19/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.19/feed.xml><link rel="shortcut icon" href=/v1.19/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.19/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.19/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.19/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.19/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.19/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.19/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.19/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.19/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.19/favicons/android-192x192.png sizes=192x192><link rel=icon type=image/svg+xml href=/v1.19/favicons/favicon.svg><link rel=icon type=image/png href=/v1.19/favicons/favicon.png><link rel=mask-icon href=/v1.19/favicons/safari-pinned-tab.svg color=#466bb0><link rel=manifest href=/v1.19/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.19/css/all.css><link rel=preconnect href=https://fonts.googleapis.com><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet 
href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.19/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.19",docTitle="Get Started with Istio Ambient Mesh",iconFile="/v1.19/img/icons.svg",buttonCopy="Copy to clipboard",buttonPrint="Print",buttonDownload="Download"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script>
<script src=/v1.19/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.19/ aria-label=logotype><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 
00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.19/img/icons.svg#menu-hamburger"/></svg></button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.19/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>About</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.19/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/service-mesh class=main-navigation-links-link>Service mesh</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/solutions class=main-navigation-links-link>Solutions</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/case-studies class=main-navigation-links-link>Case studies</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/ecosystem class=main-navigation-links-link>Ecosystem</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/deployment class=main-navigation-links-link>Deployment</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.19/blog/ class=main-navigation-links-link><span>Blog</span></a></li><li class=main-navigation-links-item><a href=/v1.19/news/ class=main-navigation-links-link><span>News</span></a></li><li class=main-navigation-links-item><a href=/v1.19/get-involved/ class=main-navigation-links-link><span>Get involved</span></a></li><li class=main-navigation-links-item><a href=/v1.19/docs/ class=main-navigation-links-link><span>Documentation</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title='Search this site' aria-label=Search><svg class="icon magnifier"><use 
xlink:href="/v1.19/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.19/docs/setup/getting-started class="btn btn--primary" id=try-istio>Try Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label='Search this site' placeholder=Search>
<button id=search-close title='Cancel search' type=reset aria-label='Cancel search'><svg class="icon menu-close"><use xlink:href="/v1.19/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container><a href=/v1.19/news/releases/1.19.x/announcing-1.19.4/ class=banner data-title="Latest Release-2023-11-13 00:00:00 +0000 UTC" data-period-start=1699833600000 data-period-end=1700438400000 data-max-impressions=3 data-timeout><div class=content><p>Istio 1.19.4 is now available! Click here to learn more</p></div><div class=frame></div></a></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Get Started with Istio Ambient Mesh</h1><p>Step by step guide to get started with Istio ambient mesh.</p></div><p class=post-author>Sep 7, 2022 <span>|</span> By Lin Sun - Solo.io, John Howard - Google</p><div><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.19/img/icons.svg#callout-warning"/></svg></div><div class=content>Refer to the latest <a href=/v1.19/docs/ops/ambient/getting-started/>getting started with ambient mesh doc</a> for updated instructions.</div></aside></div><p>Ambient mesh is <a href=/v1.19/blog/2022/introducing-ambient-mesh/>a new data plane mode for Istio introduced today</a>. Following this getting started guide, you can experience how ambient mesh can simplify your application onboarding, help with ongoing operations, and reduce service mesh infrastructure resource usage.</p><h2 id=install-istio-with-ambient-mode>Install Istio with Ambient Mode</h2><ol><li><a href=https://gcsweb.istio.io/gcs/istio-build/dev/0.0.0-ambient.191fe680b52c1754ee72a06b3e0d3f9d116f2e82>Download the preview version</a> of Istio with support for ambient mesh.</li><li>Check out <a href=https://github.com/istio/istio/tree/experimental-ambient#supported-environments>supported environments</a>. 
We recommend using a Kubernetes cluster that is version 1.21 or newer and has two or more nodes. If you don't have a Kubernetes cluster, you can set one up locally (e.g. using kind as below) or deploy one in Google or AWS Cloud:</li></ol><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kind create cluster --config=- &lt;&lt;EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: ambient
nodes:
- role: control-plane
- role: worker
- role: worker
EOF
</code></pre><p>The <code>ambient</code> profile is designed to help you get started with ambient mesh.
Install Istio with the <code>ambient</code> profile on your Kubernetes cluster, using the <code>istioctl</code> downloaded above:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl install --set profile=ambient
</code></pre><p>After running the above command, you'll get the following output, which indicates that these four components were installed successfully!</p><pre><code class=language-plain data-expandlinks=true data-repo=istio>✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ CNI installed
✔ Installation complete
</code></pre><p>By default, the ambient profile has the Istio core, Istiod, ingress gateway, zero-trust tunnel agent (ztunnel) and CNI plugin enabled.
The Istio CNI plugin is responsible for detecting which application pods are part of the ambient mesh and configuring the traffic redirection between the ztunnels.
You'll notice the following pods are installed in the istio-system namespace with the default ambient profile:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get pod -n istio-system
NAME READY STATUS RESTARTS AGE
istio-cni-node-97p9l 1/1 Running 0 29s
istio-cni-node-rtnvr 1/1 Running 0 29s
istio-cni-node-vkqzv 1/1 Running 0 29s
istio-ingressgateway-5dc9759c74-xlp2j 1/1 Running 0 29s
istiod-64f6d7db7c-dq8lt 1/1 Running 0 47s
ztunnel-bq6w2 1/1 Running 0 47s
ztunnel-tcn4m 1/1 Running 0 47s
ztunnel-tm9zl 1/1 Running 0 47s
</code></pre><p>The istio-cni and ztunnel components are deployed as <a href=https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/>Kubernetes <code>DaemonSets</code></a> which run on every node.
Each Istio CNI pod checks all pods co-located on the same node to see if these pods are part of the ambient mesh.
For those pods, the CNI plugin configures traffic redirection so that all incoming and outgoing traffic for those pods is redirected to the co-located ztunnel first.
As new pods are deployed or removed on the node, the CNI plugin continues to monitor and update the redirection logic accordingly.</p><h2 id=deploy-your-applications>Deploy Your Applications</h2><p>You'll use the sample <a href=/v1.19/docs/examples/bookinfo/>bookinfo application</a>, which is part of your Istio download from previous steps.
In ambient mode, you deploy applications to your Kubernetes cluster exactly the same way you would without Istio.
This means you can have your applications running in your Kubernetes cluster before you enable ambient mesh, and have them join the mesh without needing to restart or reconfigure your applications.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
$ kubectl apply -f https://raw.githubusercontent.com/linsun/sample-apps/main/sleep/sleep.yaml
$ kubectl apply -f https://raw.githubusercontent.com/linsun/sample-apps/main/sleep/notsleep.yaml
</code></pre><figure style=width:75%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:28.22429906542056%><a data-skipendnotes=true href=/v1.19/blog/2022/get-started-ambient/app-not-in-ambient.png title="Applications not in the ambient mesh with plain text traffic"><img class=element-to-stretch src=/v1.19/blog/2022/get-started-ambient/app-not-in-ambient.png alt="Applications not in the ambient mesh with plain text traffic"></a></div><figcaption>Applications not in the ambient mesh with plain text traffic</figcaption></figure><p>Note: <code>sleep</code> and <code>notsleep</code> are two simple applications that can serve as curl clients.</p><p>Connect <code>productpage</code> to the Istio ingress gateway so you can access the bookinfo app from outside of the cluster:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
</code></pre><p>Test your bookinfo application; it should work with or without the gateway. Note: you can replace <code>istio-ingressgateway.istio-system</code> below with its load balancer IP (or hostname) if it has one:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec deploy/sleep -- curl -s http://istio-ingressgateway.istio-system/productpage | head -n1
$ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | head -n1
$ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | head -n1
</code></pre><h2 id=adding-your-application-to-the-ambient-mesh>Adding your application to the ambient mesh</h2><p>You can enable all pods in a given namespace to be part of the ambient mesh by simply labeling the namespace:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl label namespace default istio.io/dataplane-mode=ambient
</code></pre><p>Congratulations! You have successfully added all pods in the default namespace to the ambient mesh. The best part is that there is no need to restart or redeploy anything!</p><p>Send some test traffic:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec deploy/sleep -- curl -s http://istio-ingressgateway.istio-system/productpage | head -n1
$ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | head -n1
$ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | head -n1
</code></pre><p>You'll immediately gain mTLS communication among the applications in the ambient mesh.</p><figure style=width:75%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:46.748681898066785%><a data-skipendnotes=true href=/v1.19/blog/2022/get-started-ambient/app-in-ambient-secure-overlay.png title="Inbound requests from sleep to `productpage` and from `productpage` to reviews with secure overlay layer"><img class=element-to-stretch src=/v1.19/blog/2022/get-started-ambient/app-in-ambient-secure-overlay.png alt="Inbound requests from sleep to `productpage` and from `productpage` to reviews with secure overlay layer"></a></div><figcaption>Inbound requests from sleep to `productpage` and from `productpage` to reviews with secure overlay layer</figcaption></figure><p>If you are curious about the X.509 certificate behind each workload identity, you can inspect one by decoding a certificate held by ztunnel:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl pc secret ds/ztunnel -n istio-system -o json | jq -r &#39;.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes&#39; | base64 --decode | openssl x509 -noout -text -in /dev/stdin
</code></pre><p>For example, the output shows the certificate for the <code>sleep</code> principal (its identity is the SPIFFE URI in the Subject Alternative Name, <code>spiffe://cluster.local/ns/default/sa/sleep</code>) that is valid for 24 hours, issued by the local Kubernetes cluster (<code>Issuer: O=cluster.local</code>).</p><pre><code class=language-plain data-expandlinks=true data-repo=istio>Certificate:
Data:
Version: 3 (0x2)
Serial Number: 307564724378612391645160879542592778778 (0xe762cfae32a3b8e3e50cb9abad32b21a)
Signature Algorithm: SHA256-RSA
Issuer: O=cluster.local
Validity
Not Before: Aug 29 21:00:14 2022 UTC
Not After : Aug 30 21:02:14 2022 UTC
Subject:
Subject Public Key Info:
Public Key Algorithm: RSA
Public-Key: (2048 bit)
Modulus:
ac:db:1a:77:72:8a:99:28:4a:0c:7e:43:fa:ff:35:
75:aa:88:4b:80:4f:86:ca:69:59:1c:b5:16:7b:71:
dd:74:57:e2:bc:cf:ed:29:7d:7b:fa:a2:c9:06:e6:
d6:41:43:2a:3c:2c:18:8e:e8:17:f6:82:7a:64:5f:
c4:8a:a4:cd:f1:4a:9c:3f:e0:cc:c5:d5:79:49:37:
30:10:1b:97:94:2c:b7:1b:ed:a2:62:d9:3b:cd:3b:
12:c9:b2:6c:3c:2c:ac:54:5b:a7:79:97:fb:55:89:
ca:08:0e:2e:2a:b8:d2:e0:3b:df:b2:21:99:06:1b:
60:0d:e8:9d:91:dc:93:2f:7c:27:af:3e:fc:42:99:
69:03:9c:05:0b:c2:11:25:1f:71:f0:8a:b1:da:4a:
da:11:7c:b4:14:df:6e:75:38:55:29:53:63:f5:56:
15:d9:6f:e6:eb:be:61:e4:ce:4b:2a:f9:cb:a6:7f:
84:b7:4c:e4:39:c1:4b:1b:d4:4c:70:ac:98:95:fe:
3e:ea:5a:2c:6c:12:7d:4e:24:ab:dc:0e:8f:bc:88:
02:f2:66:c9:12:f0:f7:9e:23:c9:e2:4d:87:75:b8:
17:97:3c:96:83:84:3f:d1:02:6d:1c:17:1a:43:ce:
68:e2:f3:d7:dd:9e:a6:7d:d3:12:aa:f5:62:91:d9:
8d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
Server Authentication, Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:93:49:C1:B8:AB:BF:0F:7D:44:69:5A:C3:2A:7A:3C:79:19:BE:6A:B7
X509v3 Subject Alternative Name: critical
URI:spiffe://cluster.local/ns/default/sa/sleep
</code></pre><p>Note: If you don't get any output, it may mean <code>ds/ztunnel</code> has selected a ztunnel pod on a node that doesn't manage any certificates. You can instead specify a ztunnel pod (e.g. <code>istioctl pc secret ztunnel-tcn4m -n istio-system</code>) running on the same node as one of the sample application pods.</p><h2 id=secure-application-access>Secure application access</h2><p>After you have added your application to ambient mesh, you can secure application access using L4 authorization policies.
This lets you control access to and from a service based on client workload identities (as established by mTLS), but not at the L7 level, such as HTTP methods like <code>GET</code> and <code>POST</code>.</p><h3 id=l4-authorization-policies>L4 Authorization Policies</h3><p>Explicitly allow the <code>sleep</code> and <code>istio-ingressgateway</code> service accounts to call the <code>productpage</code> service:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: productpage-viewer
namespace: default
spec:
selector:
matchLabels:
app: productpage
action: ALLOW
rules:
- from:
- source:
principals: [&#34;cluster.local/ns/default/sa/sleep&#34;, &#34;cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account&#34;]
EOF
</code></pre><p>Confirm the above authorization policy is working:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ # this should succeed
$ kubectl exec deploy/sleep -- curl -s http://istio-ingressgateway.istio-system/productpage | head -n1
$ # this should succeed
$ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | head -n1
$ # this should fail with an empty reply
$ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | head -n1
</code></pre><h3 id=layer-7-authorization-policies>Layer 7 Authorization Policies</h3><p>Using the Kubernetes Gateway API, you can deploy a waypoint proxy for the <code>productpage</code> service that uses the <code>bookinfo-productpage</code> service account. Any traffic going to the <code>productpage</code> service will be mediated, enforced and observed by the Layer 7 (L7) proxy.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
name: productpage
annotations:
istio.io/service-account: bookinfo-productpage
spec:
gatewayClassName: istio-mesh
EOF
</code></pre><p>Note the <code>gatewayClassName</code> has to be <code>istio-mesh</code> for the waypoint proxy.</p><p>View the <code>productpage</code> waypoint proxy status; you should see the details of the gateway resource with <code>Ready</code> status:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get gateway productpage -o yaml
...
status:
conditions:
- lastTransitionTime: &#34;2022-09-06T20:24:41Z&#34;
message: Deployed waypoint proxy to &#34;default&#34; namespace for &#34;bookinfo-productpage&#34;
service account
observedGeneration: 1
reason: Ready
status: &#34;True&#34;
type: Ready
</code></pre><p>Update our <code>AuthorizationPolicy</code> to explicitly allow the <code>sleep</code> and <code>istio-ingressgateway</code> service accounts to <code>GET</code> the <code>productpage</code> service, but perform no other operations:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: productpage-viewer
namespace: default
spec:
selector:
matchLabels:
app: productpage
action: ALLOW
rules:
- from:
- source:
principals: [&#34;cluster.local/ns/default/sa/sleep&#34;, &#34;cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account&#34;]
to:
- operation:
methods: [&#34;GET&#34;]
EOF
</code></pre><p>Confirm the above authorization policy is working:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ # this should fail with an RBAC error because it is not a GET operation
$ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ -X DELETE | head -n1
$ # this should fail with an RBAC error because the identity is not allowed
$ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | head -n1
$ # this should continue to work
$ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | head -n1
</code></pre><figure style=width:75%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:57.01298701298702%><a data-skipendnotes=true href=/v1.19/blog/2022/get-started-ambient/app-in-ambient-l7.png title="Inbound requests from sleep to `productpage` and from `productpage` to reviews with secure overlay and L7 processing layers"><img class=element-to-stretch src=/v1.19/blog/2022/get-started-ambient/app-in-ambient-l7.png alt="Inbound requests from sleep to `productpage` and from `productpage` to reviews with secure overlay and L7 processing layers"></a></div><figcaption>Inbound requests from sleep to `productpage` and from `productpage` to reviews with secure overlay and L7 processing layers</figcaption></figure><p>With the <code>productpage</code> waypoint proxy deployed, you'll also automatically get L7 metrics for all requests to the <code>productpage</code> service:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec deploy/bookinfo-productpage-waypoint-proxy -- curl -s http://localhost:15020/stats/prometheus | grep istio_requests_total
</code></pre><p>You'll notice a metric with <code>response_code=403</code> and some metrics with <code>response_code=200</code>, like below:</p><pre><code class=language-plain data-expandlinks=true data-repo=istio>istio_requests_total{
response_code=&#34;403&#34;,
source_workload=&#34;notsleep&#34;,
source_workload_namespace=&#34;default&#34;,
source_principal=&#34;spiffe://cluster.local/ns/default/sa/notsleep&#34;,
destination_workload=&#34;productpage-v1&#34;,
destination_principal=&#34;spiffe://cluster.local/ns/default/sa/bookinfo-productpage&#34;,
connection_security_policy=&#34;mutual_tls&#34;,
...
}
</code></pre><p>The metric shows two <code>403</code> responses when the source workload (<code>notsleep</code>) calls the destination workload (<code>productpage-v1</code>), along with the source and destination principals, over a mutual TLS connection.</p><h2 id=control-traffic>Control Traffic</h2><p>Deploy a waypoint proxy for the <code>reviews</code> service, using the <code>bookinfo-reviews</code> service account, so that any traffic going to the <code>reviews</code> service will be mediated by the waypoint proxy.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
name: reviews
annotations:
istio.io/service-account: bookinfo-reviews
spec:
gatewayClassName: istio-mesh
EOF
</code></pre><p>Apply the <code>reviews</code> virtual service to route 90% of traffic to reviews v1 and 10% to reviews v2.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-90-10.yaml
$ kubectl apply -f samples/bookinfo/networking/destination-rule-reviews.yaml
</code></pre><p>Confirm that roughly 10% of the 100 requests go to <code>reviews-v2</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it deploy/sleep -- sh -c &#39;for i in $(seq 1 100); do curl -s http://istio-ingressgateway.istio-system/productpage | grep reviews-v.-; done&#39;
</code></pre><h2 id=wrapping-up>Wrapping up</h2><p>The existing Istio resources continue to work, regardless of whether you choose to use the sidecar or ambient data plane mode.</p><p>Take a look at the short video to watch Lin run through the Istio ambient mesh demo in 5 minutes:</p><iframe width=560 height=315 src=https://www.youtube.com/embed/wTGF4S4ZmJ0 title="YouTube video player" frameborder=0 allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe><h2 id=whats-next>What&rsquo;s next</h2><p>We are super excited about the new Istio ambient data plane with its simple &ldquo;ambient&rdquo; architecture. Onboarding your applications onto a service mesh with ambient mode is now as easy as labeling a namespace. Your applications will gain instant benefits such as mTLS with cryptographic identity for mesh traffic and L4 observability. If you need to control access or routes, increase resiliency, or gain L7 metrics among your applications in ambient mesh, you can apply waypoint proxies to your applications as needed. We're big fans of paying for only what we need, as it not only saves resources but also saves the operational cost of constantly updating many proxies! We invite you to try the new Istio ambient data plane architecture to experience how simple it is. We look forward to your <a href=https://slack.istio.io>feedback</a> in the Istio community!</p></div><nav class=pagenav><div class=left><a title="Digging into the security implications of the recently announced Istio ambient mesh, a sidecar-less data plane for Istio." href=/v1.19/blog/2022/ambient-security/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.19/img/icons.svg#left-arrow"/></svg>Ambient Mesh Security Deep Dive</a></div><div class=right><a title="A new dataplane mode for Istio without sidecars." 