Migrating Istio Sidecar to Ambient Mesh
Upgrading from Sidecar to Ambient Mesh
Istio ambient mode introduces a sidecar-less architecture: lightweight L4 proxies called ztunnels run as a DaemonSet on each node, and an optional per-namespace L7 proxy (a waypoint) handles traffic that needs L7 policy.
Ambient Mesh Canary Installation
Testing the Ambient Mesh installation in a canary setup before a full migration.
Istiod installation
Install Kubernetes Gateway API CRDs if not already installed:
kubectl apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml
Set profile to ambient and revision to canary during Istio installation:
helm install istiod-canary istio/istiod --namespace istio-system --set profile=ambient --set revision=canary
Check if the canary control plane is running:
❯ k get po
NAME READY STATUS RESTARTS AGE
istio-ingressgateway-7bb74ff5cf-kjflm 1/1 Running 8 (57d ago) 95d
istiod-c6fdbdd88-b2kn9 1/1 Running 0 29d
istiod-canary-69968bcb8d-jm7w4 1/1 Running 0 20s
jaeger-66c8485cdf-ddmtv 1/1 Running 2 (57d ago) 76d
kiali-5fcbc4bc4-kvqt4 1/1 Running 2 (57d ago) 78d
otel-opentelemetry-collector-6588b8c54d-d788l 1/1 Running 7 (57d ago) 76d
CNI Node installation
❯ helm install istio-cni istio/cni -n istio-system --set profile=ambient --set revision=canary
The istio-cni-node DaemonSet should now be created and ready on all nodes:
❯ k get ds
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
istio-cni-node 5 5 5 5 5 kubernetes.io/os=linux 26s
ztunnel installation
ztunnels are lightweight proxies that run as a DaemonSet on each node to handle L4 traffic:
helm install ztunnel istio/ztunnel -n istio-system --set revision=canary
Testing the Ambient Mesh
Create a test namespace and label it for ambient mode:
kubectl create namespace test-ambient
kubectl label namespace test-ambient istio.io/dataplane-mode=ambient
Verify that no sidecar is injected into pods created in this namespace.
Promote Canary to Stable
❯ istioctl tag list
TAG REVISION NAMESPACES
prod-canary canary
default default
❯ istioctl tag remove default
❯ istioctl tag set default --revision canary
Then uninstall the old (default-revision) istiod. Afterwards only the canary control plane, the CNI node agents and the ztunnels remain:
❯ k get po
NAME READY STATUS RESTARTS AGE
istio-cni-node-8zjz8 1/1 Running 0 2d6h
istio-cni-node-dwm8c 1/1 Running 0 2d6h
istio-cni-node-h5zbn 1/1 Running 0 2d6h
istio-cni-node-jftj6 1/1 Running 0 2d6h
istio-cni-node-m86zd 1/1 Running 0 2d6h
istio-ingressgateway-68848647bf-5mgjt 1/1 Running 0 2d4h
istiod-canary-69968bcb8d-jm7w4 1/1 Running 0 2d6h
jaeger-66c8485cdf-ddmtv 1/1 Running 2 (59d ago) 78d
kiali-5fcbc4bc4-kvqt4 1/1 Running 2 (59d ago) 80d
otel-opentelemetry-collector-6588b8c54d-d788l 1/1 Running 7 (59d ago) 78d
ztunnel-94vpt 1/1 Running 0 2d6h
ztunnel-blxkt 1/1 Running 0 2d6h
ztunnel-jtsfv 1/1 Running 0 2d6h
ztunnel-nmhvw 1/1 Running 0 2d6h
ztunnel-rvmsd 1/1 Running 0 2d6h
Generate Waypoints
Generate the per-namespace Envoy proxy (waypoint) used for L7 traffic management:
❯ istioctl waypoint generate --for service -n default
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  labels:
    istio.io/waypoint-for: service
  name: waypoint
  namespace: default
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
Apply the generated waypoint configuration:
❯ istioctl waypoint apply -n default
Verify that the waypoint gateway pod is running, then label the namespace to use it:
❯ k get po -n default
NAME READY STATUS RESTARTS AGE
waypoint-7b5cb97456-kzsdd 1/1 Running 0 22s
❯ k label ns default istio.io/use-waypoint=waypoint
Restart the Pods
kubectl label namespace default istio.io/dataplane-mode=ambient
kubectl label namespace default istio-injection- --overwrite
Restart the workloads so that the existing pods are recreated, then verify that they run without a sidecar and that CPU/memory utilization has improved.
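The two verification steps above (no sidecar in the test namespace, and no sidecar left after relabeling) can be automated. The script below is an added example, not part of the original post or of Istio's tooling; it assumes the JSON output of `kubectl get ns -o json` and `kubectl get pods -A -o json` as input and flags namespaces that carry conflicting labels or still run an `istio-proxy` container after being switched to ambient mode.

```python
"""Audit namespaces for an incomplete sidecar-to-ambient migration.

Hypothetical helper: takes the JSON produced by `kubectl get ns -o json`
and `kubectl get pods -A -o json` and reports migration leftovers.
"""
import json

SIDECAR = "istio-proxy"  # container name the sidecar injector adds


def audit_migration(ns_json: str, pods_json: str) -> dict:
    """Return {namespace: [findings]} for namespaces labelled for ambient."""
    namespaces = json.loads(ns_json)["items"]
    pods = json.loads(pods_json)["items"]
    findings = {}
    for ns in namespaces:
        name = ns["metadata"]["name"]
        labels = ns["metadata"].get("labels") or {}
        ambient = labels.get("istio.io/dataplane-mode") == "ambient"
        injected = labels.get("istio-injection") == "enabled"
        issues = []
        # Both labels set: the istio-injection label was not removed.
        if ambient and injected:
            issues.append("istio-injection=enabled still set alongside dataplane-mode=ambient")
        if ambient:
            # Pods created before the switch keep their sidecar until restarted.
            for pod in pods:
                if pod["metadata"]["namespace"] != name:
                    continue
                names = [c["name"] for c in pod["spec"].get("containers", [])]
                if SIDECAR in names:
                    issues.append(f"pod {pod['metadata']['name']} still runs {SIDECAR}; restart needed")
        if issues:
            findings[name] = issues
    return findings


# Constructed sample input (not real cluster output).
SAMPLE_NS = json.dumps({"items": [
    {"metadata": {"name": "default", "labels": {"istio.io/dataplane-mode": "ambient", "istio-injection": "enabled"}}},
    {"metadata": {"name": "test-ambient", "labels": {"istio.io/dataplane-mode": "ambient"}}},
    {"metadata": {"name": "istio-system"}},
]})
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "web-1", "namespace": "default"},
     "spec": {"containers": [{"name": "web"}, {"name": "istio-proxy"}]}},
    {"metadata": {"name": "app-1", "namespace": "test-ambient"},
     "spec": {"containers": [{"name": "app"}]}},
]})

if __name__ == "__main__":
    for ns, issues in audit_migration(SAMPLE_NS, SAMPLE_PODS).items():
        print(ns, *issues, sep="\n  ")
```

With live data, pipe the two kubectl outputs into `audit_migration`; an empty result means every ambient namespace is clean.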