OpenShift Service Mesh Ambient Mode

Istio ambient mode introduces a new way to manage service mesh without using traditional sidecar proxies. The biggest change is how it separates network traffic processing into two distinct layers, which is the core architectural difference. This architecture simplifies networking, reduces resource usage, and improves security while supporting the same service mesh use cases.

Ambient mode uses a different data plane architecture that splits traffic processing between a per-node Layer 4 (L4) proxy called Ztunnel (Zero-Trust Tunnel) and an optional Layer 7 (L7) proxy called waypoint proxy.

Ambient Mode also exclusively uses the Kubernetes Gateway API (using Gateway, HTTPRoute, TCPRoute) for its traffic configuration, moving away from Istio’s legacy VirtualService and DestinationRule for L7 routing.

This lab is divided into several modules that guide you through the process of installing, configuring, and using OpenShift Service Mesh in Ambient Mode. Each module focuses on a specific aspect of Ambient Mode, providing hands-on experience and practical knowledge.

Navigate to Install OpenShift Service Mesh Ambient Mode and follow the instructions.

Red Hat OpenShift Observability provides real-time visibility, monitoring, and analysis of various system metrics, logs, and events to help you quickly diagnose and troubleshoot issues before they impact systems or applications.

Navigate to Enable Service Mesh Observability and follow the instructions.

You can integrate Red Hat OpenShift Service Mesh with Red Hat OpenShift distributed tracing data collection to instrument, generate, collect, and export OpenTelemetry traces, metrics, and logs to analyze and understand your software’s performance and behavior.

Important!!

If you want to see traces, you need to enable the Waypoint Proxies (L7) for the services you are observing, because it is not possible to see full distributed traces (with spans for each service hop) with Tempostack (Tempo/Jaeger) when your workloads are using only the L4 Ztunnel.

Navigate to Install the Distributed Tracing Stack and follow the instructions.

This demo application is based on the Kiali Travel Demo Tutorial and will deploy several services grouped into three namespaces.

The Travel Demo application simulates two business domains organized in different namespaces.

Navigate to Install the Kiali Travel demo application and follow the instructions.

Istio’s ambient mode is ideal for new mesh deployments. But it can be combined with sidecars within the same mesh. The sidecar proxy knows to use the HBONE protocol since the destination has been discovered to be an HBONE destination.

But the combination comes with some caveats:

Navigate to Combining ambient and sidecar mode and follow the instructions.

Ambient Mode provides the full suite of Istio traffic management capabilities through a two-tiered architecture that prioritizes efficiency and incremental adoption. The key to traffic management in Ambient Mode is understanding when traffic is handled at Layer 4 (L4) versus when it is escalated to Layer 7 (L7).

Navigate to Traffic Management and follow the instructions.

Istio and OpenShift Service Mesh provides powerful built-in features to implement resilience at the service mesh level, without changing application code. Key features include:

Navigate to Implementing Resilience and follow the instructions.

Istio provides strong, built-in security capabilities at the service mesh level:

With Istio, authentication and authorization become infrastructure concerns rather than application concerns. This module will show how to secure service-to-service communication and APIs in a uniform, declarative, and production-ready way.

Navigate to Authentication and Authorization and follow the instructions.