Ambient Mesh by Istio Community
, is essentially to separate the L4 and L7 functions in the sidecar proxy (Envoy), so that some users who only need security functions can use Istio with the least resistance (low resource consumption, operation and maintenance costs). This article will introduce you to Ambient Mesh, why you need it, and its current limitations.
Why launch Ambient Mesh?
Istio uses the data plane in sidecar mode at the beginning of its launch, injecting a sidecar proxy into each pod or VM of the mesh, so that users can
The earliest data plane mode supported by Istio is sidecar, which is currently the data plane mode selected by most service meshes; the proxyless mode was introduced later, which is also a mode to simplify the Istio data plane.
Benefits of Using Ambient Mode
This data plane model simplifies the operation and maintenance of the data plane, expands application compatibility and reduces infrastructure costs.
Users can choose to integrate Ambient Mesh into the mesh data plane of their infrastructure, forgoing sidecar proxies, while maintaining Istio’s core capabilities of zero-trust security, telemetry, and traffic management. The mode is currently in preview, and the Istio community is ready to push it to production ready in the coming months.
The news of Ambient Mesh may seem a bit sudden to the community, but in fact, the sidecar model consumes too much resources and the voice of simplifying the service mesh has existed in the community for a long time. Google has been looking for HBONE ( HTTP-Based Overlay Network Environment) solutions, as well as various sidecar deployment modes proposed by the community
, proxyless mode
etc. are to solve this problem.
Ambient Mode Architecture
Views on Ambient Mode
In this article, I will talk about a few views on ambient mode:
- About the naming of Ambient Mesh : I think it would be better to call it Ambient Mode . Some beginners who are exposed to Istio may think that it is a brand new service mesh that is different from Istio; in addition, the Chinese translation of this mode, if it is directly translated as ” “Ambient grid” seems to be difficult to understand. I also thought of other words, such as “periphery”, “atmosphere”, “surrounding”, “surrounding”, “scenario”, etc. There is no Chinese word that can accurately express the meaning of this ambient. Meaning, because the ambient mode is not intrusive to the application pod compared to the sidecar mode, let’s call it the peripheral mode for the time being.
- The essence of Ambient Mode : its
- The significance of Ambient Mode : Because it is compatible with sidecar mode, users can obtain L4 functions such as mTLS and limited observability and TPC routing after adopting Ambient Mode, and then it is more convenient to transition to sidecar mode to obtain full L7 functions. This provides users with more model choices for adopting Istio and optimizes the Istio adoption path.
- Disadvantages of Ambient Mode : Proxyless, sidecar, and ambient modes make Istio more and more complicated, and it is more difficult for users to understand; in order to support multiple data plane deployment modes, the implementation of the control plane will be more complicated.
- Relationship with other service meshes : some service meshes have changed from the original per-proxy per-node mode to sidecar mode, such as Linkerd; some have implemented service meshes from CNI, such as Cilium using per-proxy per-node mode; Today, Istio has added ambient mode to the sidecar mode, which is currently the only service mesh that supports both deployment modes, providing users with a variety of choices.
- Security issues : Although the Istio service mesh ambient mode security details
It is explained that the design purpose of ambient mode is to separate the application from the data plane, so that the component of the security overlay (ztunnel) is at the bottom of the grid similar to CNI. Considering the limited L4 attack surface of ztunnel, the security risk of this mode is Acceptable; however, ztunnel is deployed as a DaemonSet on each node and needs to process and distribute certificates for all pods scheduled to that node to establish mTLS connections, once a ztunnel is compromised, its blast radius is indeed larger than a sidecar , the security detailed blog said that the CVE problem of Envoy will affect all sidecars, and upgrading sidecars will also bring a lot of operating costs, so after weighing the choice of ambient mode, the security problem once again caused confusion to users, but the right to choose in the end Still in the user himself.
Limitations of Ambient Mode
The current ambient mode code is located in the experimental-ambient
branch of the Istio codebase
, according to Matt Klein and Louis Ryan
, ztunnel and Waypoint proxy are implemented with Envoy, of which ztunnel is a simplified Envoy, which is only responsible for L4 functions and continues to use the xDS protocol to control. But ambient mode still has many limitations
,E.g:
-
EnvoyFilter
is not supported; - Direct requests to the Pod IP instead of the service will not work in some cases;
- Services in Ambient mode cannot be accessed through
LoadBalancer
andNodePort
, but you can deploy an ingress gateway (ambient mode is not enabled) to access services from the outside;
However, the code of ztunnel and waypoint proxy has not been seen in the experimental-ambient
branch, and we do not know more details.
More
That’s what I think about ambient mode, which is still experimental, but by no means a toy, and is believed to have been tested in some scenarios. The author will also continue to track the latest progress of this mode, please stay tuned. Also welcome more friends who follow Istio to join the cloud native community Istio discussion group
, discuss it with community leaders, or share your thoughts in the comments below this article.
This article is reprinted from https://jimmysong.io/blog/what-is-ambient-mesh/
This site is for inclusion only, and the copyright belongs to the original author.