This is the first in my series of articles on Istio ambient mode. In the next few posts I will dive into the key components of ambient mode and how they work, including how ztunnel forwards traffic to the waypoint proxy, how the waypoint proxy handles traffic, and a complete walk-through of the traffic path using the bookinfo example. Since traffic interception is a foundational feature of a service mesh, I have chosen to start with it to give a solid foundation for understanding the rest.
Istio ambient mode is a service mesh implementation that eliminates the need to inject a sidecar into each pod. By configuring transparent traffic interception and redirection inside the pod's network namespace, applications get the features of the service mesh without modification. The following sections analyze the implementation of transparent traffic interception in detail, covering the Istio CNI Node Agent, ztunnel, network namespaces and iptables rules, illustrated with flowcharts and schematics.
Background knowledge
Linux Network Namespaces
A network namespace is a Linux kernel feature that isolates the network environment of different processes. Each network namespace has its own network devices, IP addresses, routing table and iptables rules. Container technologies such as Docker and Kubernetes use network namespaces to give each container (or pod) a separate network stack.
Istio CNI Node Agent
The Istio CNI Node Agent is one of the core components of ambient mode. It detects pods that join the ambient mesh on a Kubernetes node and configures the traffic redirection rules for those pods. Note that the component doing this work is the Istio CNI Node Agent, a long-running daemon that cooperates with ztunnel, rather than the traditional Istio CNI plugin that is invoked by the node's network plugin.
ztunnel
ztunnel is an important component of ambient mode. It runs as a DaemonSet on each node and is responsible for:
- Receiving and processing redirected traffic;
- Implementing Layer 4 policies such as mTLS encryption and access control;
- Communicating with the control plane to obtain configuration and certificates.
HBONE (HTTP-based tunneling protocol)
HBONE (HTTP-Based Overlay Network Encapsulation) is a protocol introduced by Istio to transport arbitrary TCP traffic between mesh proxies: from ztunnel to ztunnel and from ztunnel to a waypoint proxy. It carries each application connection as an HTTP/2 CONNECT stream inside a mutual-TLS connection on port 15008, so many application connections can be multiplexed over one authenticated, encrypted connection between two proxies; the design also leaves room for HTTP/3. The encryption and the peer identity come from mTLS, not from HTTP/2 itself.
Traffic Interception Process Explained
In ambient mode the application pod needs no code changes and no sidecar injection. Traffic interception and redirection happen inside the pod's own network namespace; because nothing in the node's network configuration is changed, this avoids conflicts with the underlying CNI. Below is an overview of the steps involved:
Traffic interception process in Istio ambient mode
Traffic Interception Detailed Steps
- Pod startup and network configuration:
  - When Kubernetes creates a pod, the underlying CNI plugin (e.g. Calico, Cilium) is invoked through the Container Runtime Interface (CRI) to configure the pod's network.
  - At this point the pod's network namespace (netns) exists and has its interfaces and addresses.
- Istio CNI Node Agent configures traffic redirection:
  - The Istio CNI Node Agent detects that a new pod belongs to the ambient mesh (the pod or its namespace carries the label istio.io/dataplane-mode=ambient).
  - It enters the pod's network namespace and installs iptables rules that redirect the pod's traffic instead of letting it leave the pod directly.
  - It passes a file descriptor (FD) for the pod's network namespace to ztunnel.
- ztunnel starts listening sockets in the pod's network namespace:
  - ztunnel receives the network namespace FD, enters that namespace and opens its listening sockets there, so the redirected traffic lands on sockets that live inside the pod's netns rather than on the node.
- Transparent traffic interception and handling:
  - Traffic sent by the application is intercepted by the iptables rules inside the pod and transparently redirected to ztunnel.
  - ztunnel performs policy checks, encryption and other processing and forwards the traffic to the target service (or, where one is configured, to the waypoint proxy).
  - Response traffic is decrypted by ztunnel and returned to the application.
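The step that makes this design work is the namespace FD handover: the node agent never tells ztunnel "the pod's PID is N", it hands over an open file descriptor, and ztunnel enters that namespace only on the thread that creates the listeners. The following script is an added illustration written for this post; it is not Istio or ztunnel source code. It models the handover with a socketpair standing in for the real Unix domain socket and SCM_RIGHTS for the descriptor transfer. The listener ports (15001, 15006, 15008) are the ztunnel in-pod ports as I understand them and are not taken from the text above, and the real node-agent/ztunnel protocol carries more fields than the bare identifier used here.

```python
"""Model of the netns file-descriptor handover from the Istio CNI node agent
to ztunnel. Added illustration for this post, not Istio or ztunnel code.

The node agent opens the pod's namespace file (/proc/<pid>/ns/net), sends the
*open file descriptor* to ztunnel over a Unix domain socket with SCM_RIGHTS,
and ztunnel enters that namespace with setns() on a dedicated thread before
binding its listening sockets, so the sockets live inside the pod's network
namespace where the iptables rules can reach them.
"""
import os
import socket
import threading
from typing import List, Tuple

# Assumed ztunnel in-pod listeners: outbound redirect, inbound plaintext, inbound HBONE.
ZTUNNEL_PORTS = (15001, 15006, 15008)


def send_netns_fd(agent_sock: socket.socket, netns_path: str, pod_uid: str) -> None:
    """Node-agent side: open the namespace file and hand over the descriptor.

    Passing the fd rather than the path means ztunnel does not need to
    resolve /proc/<pid> itself and keeps a valid reference to the namespace
    even if the pod's process table entry disappears.
    """
    fd = os.open(netns_path, os.O_RDONLY)
    try:
        socket.send_fds(agent_sock, [pod_uid.encode()], [fd])
    finally:
        os.close(fd)  # the kernel duplicated it into the receiver's fd table


def recv_netns_fd(ztunnel_sock: socket.socket) -> Tuple[str, int]:
    """ztunnel side: receive the pod identifier and the namespace fd."""
    data, fds, _flags, _addr = socket.recv_fds(ztunnel_sock, 1024, 1)
    if len(fds) != 1:
        raise RuntimeError(f"expected one netns fd, got {len(fds)}")
    return data.decode(), fds[0]


def handover(netns_path: str, pod_uid: str) -> Tuple[str, int]:
    """Run both sides over a socketpair standing in for the real Unix socket."""
    agent, ztunnel = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with agent, ztunnel:
        send_netns_fd(agent, netns_path, pod_uid)
        return recv_netns_fd(ztunnel)


def bind_listeners_in_netns(netns_fd: int, ports=ZTUNNEL_PORTS) -> List[socket.socket]:
    """Enter the namespace on a worker thread and bind the listeners there.

    Requires Linux, CAP_SYS_ADMIN (or root) and Python 3.12+ for os.setns.
    setns() only affects the calling thread, so the main thread stays in the
    host namespace: one ztunnel process can serve many pod namespaces.
    """
    listeners: List[socket.socket] = []
    errors: List[BaseException] = []

    def worker() -> None:
        try:
            os.setns(netns_fd, os.CLONE_NEWNET)
            for port in ports:
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
                s.bind(("0.0.0.0", port))
                s.listen(128)
                listeners.append(s)
        except BaseException as exc:  # surface the failure to the caller
            errors.append(exc)

    t = threading.Thread(target=worker)
    t.start()
    t.join()
    if errors:
        for s in listeners:
            s.close()
        raise errors[0]
    return listeners


if __name__ == "__main__":
    # Unprivileged demo against our own namespace; the bind step needs root.
    uid, fd = handover("/proc/self/ns/net", "demo-pod")
    print(f"received netns fd {fd} for {uid}")
    if hasattr(os, "setns") and os.geteuid() == 0:
        for s in bind_listeners_in_netns(fd):
            print("listening on", s.getsockname())
            s.close()
    os.close(fd)
```

Two things worth noticing when comparing this with a real deployment: the receiving process needs the privilege to call setns() into a foreign network namespace, which is why ztunnel runs with elevated capabilities while the application pods do not, and the per-thread scope of setns() is what lets one process own listeners in many namespaces without ever changing the namespace of its main thread.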
For more details on how Istio CNI handles iptables, see my other blog post, Explanation of iptables rules in Istio ambient mode.
ztunnel log analysis
You can view all ztunnel logs about traffic interception with the following command, which can help you understand how ztunnel works:
kubectl -n istio-system logs -l app=ztunnel | grep -E "inbound|outbound"
You will see output like the examples below. Note that inbound and outbound are relative to ztunnel, not to the application: an inbound entry is a connection ztunnel accepted on behalf of a local pod, and an outbound entry is one it initiated on behalf of a local pod.
Example of inbound traffic
2024-11-16T10:33:01.410751Z info access connection complete src.addr=10.28.2.19:58000 src.workload="bookinfo-gateway-istio-64fc6d75d6-s442s" src.namespace="default" src.identity="spiffe://cluster.local/ns/default/sa/bookinfo-gateway-istio" dst.addr=10.28.2.18:15008 dst.hbone_addr=10.28.2.18:9080 dst.service="productpage.default.svc.cluster.local" dst.workload="productpage-v1-57ffb6658c-tgbjs" dst.namespace="default" dst.identity="spiffe://cluster.local/ns/default/sa/bookinfo-productpage" direction="inbound" bytes_sent=9603 bytes_recv=2052 duration="2110ms"
This entry records inbound traffic from the bookinfo-gateway-istio pod to productpage. dst.addr shows that the connection arrived on port 15008 of ztunnel, i.e. through the HBONE tunnel, while dst.hbone_addr shows the real application target, 10.28.2.18:9080, to which ztunnel delivers the decrypted traffic. Both src.identity and dst.identity are SPIFFE IDs taken from the workload certificates, so the peer was authenticated with mTLS.
Example of outbound traffic
2024-11-16T10:32:59.360677Z info access connection complete src.addr=10.28.2.18:51960 src.workload="productpage-v1-57ffb6658c-tgbjs" src.namespace="default" src.identity="spiffe://cluster.local/ns/default/sa/bookinfo-productpage" dst.addr=10.28.2.14:15008 dst.hbone_addr=34.118.226.6:9080 dst.service="details.default.svc.cluster.local" dst.workload="waypoint-7594b5b786-vgjwz" dst.namespace="default" dst.identity="spiffe://cluster.local/ns/default/sa/waypoint" direction="outbound" bytes_sent=794 bytes_recv=414 duration="40ms"
This entry records outbound traffic from the productpage pod to the details service. Because details is served by a waypoint, ztunnel does not connect to the details pod directly: dst.workload is the waypoint pod and dst.addr is port 15008 on the waypoint, i.e. an HBONE tunnel, while dst.hbone_addr carries the original destination the application connected to (34.118.226.6:9080, the details service address) so that the waypoint can route it.
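Reading these lines by eye works for two connections; for a node's worth of ztunnel output you want the fields parsed. The script below is an added example for this post, not ztunnel code. It parses the key=value tail of "connection complete" lines, resolves the SPIFFE identities to namespace/service-account pairs, and flags hops that did not go over HBONE. The first two sample lines are the ones shown above; the third is a constructed plaintext inbound entry (no src.identity, peer port 9080). The rule "peer port 15008 plus identities on both sides means mTLS" is my own heuristic for this example rather than an official ztunnel field.

```python
"""Parse ztunnel 'connection complete' access-log lines and flag hops that
did not arrive over the HBONE/mTLS tunnel. Added example for this post; it is
not ztunnel code and the non-mTLS heuristic is the author's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# First two lines: the entries shown in this post. Third line: constructed
# plaintext inbound entry (no src.identity, ztunnel peer port is 9080).
LOG_LINES = [
    '2024-11-16T10:33:01.410751Z info access connection complete src.addr=10.28.2.19:58000 src.workload="bookinfo-gateway-istio-64fc6d75d6-s442s" src.namespace="default" src.identity="spiffe://cluster.local/ns/default/sa/bookinfo-gateway-istio" dst.addr=10.28.2.18:15008 dst.hbone_addr=10.28.2.18:9080 dst.service="productpage.default.svc.cluster.local" dst.workload="productpage-v1-57ffb6658c-tgbjs" dst.namespace="default" dst.identity="spiffe://cluster.local/ns/default/sa/bookinfo-productpage" direction="inbound" bytes_sent=9603 bytes_recv=2052 duration="2110ms"',
    '2024-11-16T10:32:59.360677Z info access connection complete src.addr=10.28.2.18:51960 src.workload="productpage-v1-57ffb6658c-tgbjs" src.namespace="default" src.identity="spiffe://cluster.local/ns/default/sa/bookinfo-productpage" dst.addr=10.28.2.14:15008 dst.hbone_addr=34.118.226.6:9080 dst.service="details.default.svc.cluster.local" dst.workload="waypoint-7594b5b786-vgjwz" dst.namespace="default" dst.identity="spiffe://cluster.local/ns/default/sa/waypoint" direction="outbound" bytes_sent=794 bytes_recv=414 duration="40ms"',
    '2024-11-16T10:35:12.000000Z info access connection complete src.addr=10.28.2.40:40222 dst.addr=10.28.2.18:9080 dst.service="productpage.default.svc.cluster.local" dst.workload="productpage-v1-57ffb6658c-tgbjs" dst.namespace="default" dst.identity="spiffe://cluster.local/ns/default/sa/bookinfo-productpage" direction="inbound" bytes_sent=1200 bytes_recv=300 duration="12ms"',
]

HBONE_PORT = 15008
KV_RE = re.compile(r'([\w.]+)=(?:"([^"]*)"|(\S+))')
SPIFFE_RE = re.compile(r"^spiffe://[^/]+/ns/([^/]+)/sa/([^/]+)$")


def parse_fields(line: str) -> Dict[str, str]:
    """Turn the key=value tail of a ztunnel access-log line into a dict."""
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
    if "direction" not in fields or "dst.addr" not in fields:
        raise ValueError("not a ztunnel connection log line")
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def port_of(addr: str) -> int:
    """'10.28.2.18:15008' -> 15008 (rsplit keeps IPv6 '[::1]:15008' working)."""
    return int(addr.rsplit(":", 1)[1])


def spiffe_sa(identity: Optional[str]) -> Optional[str]:
    """spiffe://cluster.local/ns/default/sa/waypoint -> 'default/waypoint'."""
    if identity is None:
        return None
    m = SPIFFE_RE.match(identity)
    if not m:
        raise ValueError(f"unexpected identity format: {identity}")
    return f"{m.group(1)}/{m.group(2)}"


@dataclass
class Hop:
    timestamp: str
    direction: str
    src_workload: Optional[str]
    src_sa: Optional[str]
    dst_workload: Optional[str]
    dst_sa: Optional[str]
    dst_service: Optional[str]
    peer_port: int      # port ztunnel talked to; 15008 means an HBONE tunnel
    app_target: str     # where the application traffic is really going
    bytes_sent: int
    bytes_recv: int
    duration_ms: int

    @property
    def hbone(self) -> bool:
        return self.peer_port == HBONE_PORT

    @property
    def mtls(self) -> bool:
        # Heuristic (author's assumption): HBONE port plus identities on both ends.
        return self.hbone and self.src_sa is not None and self.dst_sa is not None


def summarize(line: str) -> Hop:
    f = parse_fields(line)
    dur = re.fullmatch(r"(\d+)ms", f.get("duration", "0ms"))
    if dur is None:
        raise ValueError(f"unexpected duration: {f.get('duration')}")
    return Hop(
        timestamp=f["timestamp"],
        direction=f["direction"],
        src_workload=f.get("src.workload"),
        src_sa=spiffe_sa(f.get("src.identity")),
        dst_workload=f.get("dst.workload"),
        dst_sa=spiffe_sa(f.get("dst.identity")),
        dst_service=f.get("dst.service"),
        peer_port=port_of(f["dst.addr"]),
        app_target=f.get("dst.hbone_addr", f["dst.addr"]),
        bytes_sent=int(f.get("bytes_sent", 0)),
        bytes_recv=int(f.get("bytes_recv", 0)),
        duration_ms=int(dur.group(1)),
    )


def non_mtls_hops(lines: List[str]) -> List[Hop]:
    """Connections to review: the ztunnel-side peer was not an HBONE/mTLS tunnel."""
    return [h for h in (summarize(l) for l in lines) if not h.mtls]


if __name__ == "__main__":
    for hop in map(summarize, LOG_LINES):
        tag = "mTLS/HBONE" if hop.mtls else "PLAINTEXT?"
        print(f"{hop.direction:8} {hop.src_workload or '?':40} -> {hop.app_target:20} via {hop.dst_workload} [{tag}]")
```

Feed it the output of the kubectl command above (one line per list entry, or read from stdin) and the flagged list gives you the connections that reached a ztunnel without the tunnel: inbound plaintext from a workload outside the mesh, or outbound passthrough to a destination ztunnel has no identity for. Which of those are acceptable is a policy question, but the distinction between dst.addr (the hop ztunnel made) and dst.hbone_addr (the application's real target) is what lets you answer it from the logs.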
Summary
Istio ambient mode enables transparent traffic interception without the need for a sidecar through the collaboration of the Istio CNI Node Agent and ztunnel. Key features include:
- High compatibility: all changes live inside the pod's network namespace, so there is no conflict with the underlying CNI.
- Simplified operations: no sidecar per pod, so less resource consumption, and applications need no changes.
- Security: traffic between mesh proxies is carried over mTLS inside HBONE. Note that this is hop-by-hop between ztunnels and waypoints; the plaintext segment between the application and its local ztunnel never leaves the pod's network namespace.
Stay tuned for a follow-up post in which I will explore more advanced features of Istio ambient mode, including L7 traffic path analysis and how the network topology is built.