Module 1: Install OpenShift Service Mesh Ambient Mode

Istio ambient mode is a way to run a service mesh without injecting a sidecar proxy into every pod. The core architectural difference is that traffic processing is split into two distinct layers. This simplifies networking, reduces resource usage, and improves security, while supporting the same service mesh use cases as the sidecar model.

Ambient mode uses a different data plane architecture that splits traffic processing between a per-node Layer 4 (L4) proxy called ztunnel (zero-trust tunnel), which handles mTLS, L4 authorization and telemetry for every captured pod on its node, and an optional Layer 7 (L7) proxy called the waypoint proxy, which is deployed only for workloads that need HTTP-level policy or routing.

Navigate to the subdirectory: 010-ambient-install

Task 1: Configure OVN CNI

Ambient mode needs the OVN-Kubernetes Container Network Interface (CNI) to run in local gateway mode. Enable it by setting the routingViaHost field to true in the gatewayConfig section of the Cluster Network Operator's network configuration:

oc patch networks.operator.openshift.io cluster --type=merge -p '{
  "spec": {
    "defaultNetwork": {
      "ovnKubernetesConfig": {
        "gatewayConfig": {
          "routingViaHost": true
        }
      }
    }
  }
}'

This tells OVN-Kubernetes to route pod traffic leaving the cluster through the node's host networking stack rather than through OVN's distributed gateway router. The Cluster Network Operator applies the change by restarting the ovnkube-node pods on every node, so wait for that rollout in the openshift-ovn-kubernetes namespace to complete before continuing.

Task 2: Install OpenShift Service Mesh Ambient Mode

Create the namespaces istio-system, istio-cni and ztunnel:

oc apply -f 01-ns-create.yaml

Now install the control plane by applying the Istio and IstioCNI resources with the ambient profile. Two settings in the Istio resource matter for scoping: pilot.trustedZtunnelNamespace names the namespace whose ztunnel service account istiod trusts to request workload certificates on behalf of captured pods (it must match the namespace the ZTunnel resource is installed into), and meshConfig.discoverySelectors restricts istiod to namespaces labelled istio-discovery: enabled, so a namespace without that label is invisible to the mesh until you label it:

apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: default
spec:
  namespace: istio-system
  version: v1.27-latest
  values:
    pilot:
      trustedZtunnelNamespace: ztunnel
    profile: ambient
    meshConfig:
      discoverySelectors:
      - matchLabels:
          istio-discovery: enabled

and

apiVersion: sailoperator.io/v1
kind: IstioCNI
metadata:
  name: default
spec:
  version: v1.27-latest
  namespace: istio-cni
  profile: ambient

oc apply -f 02-istio-control-plane.yaml

Next, install the data plane by applying the ZTunnel resource. It deploys the ztunnel DaemonSet, one pod per node, into the ztunnel namespace referenced by trustedZtunnelNamespace above:

apiVersion: sailoperator.io/v1
kind: ZTunnel
metadata:
  name: default
spec:
  namespace: ztunnel
  values:
    ztunnel:
      logLevel: info
      terminationGracePeriodSeconds: 30
  version: v1.27-latest
  profile: ambient

oc apply -f 03-istio-dataplane.yaml

Task 3: Verify the installation

oc get pods -n istio-system
NAME                      READY   STATUS    RESTARTS   AGE
istiod-69b5fc4898-b7x4x   1/1     Running   0          82s

oc get daemonset -n istio-cni
NAME             DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
istio-cni-node   3         3         3       3            3           kubernetes.io/os=linux   110s

oc get daemonset -n ztunnel
NAME      DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
ztunnel   3         3         3       3            3           kubernetes.io/os=linux   2m24s

Congratulations! You have successfully installed Red Hat OpenShift Service Mesh in Ambient Mode.
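The script below is an added example and is not one of the workshop files; it bundles the checks for Tasks 1 to 3 into one pass that fails loudly instead of relying on eyeballing three tables. It assumes the names used in this module (the istio-system, istio-cni and ztunnel namespaces, the istiod Deployment, the istio-cni-node and ztunnel DaemonSets, and the custom resources named default), a logged-in oc session, and the Ready condition that the Sail operator sets on its Istio, IstioCNI and ZTunnel resources. The helper functions run without a cluster; the live checks only run when oc is on the PATH.

```shell
#!/bin/sh
# Added example (not part of the original workshop): post-install checks for the
# ambient installation above. Names assumed: istio-system, istio-cni, ztunnel,
# istiod, istio-cni-node, and CRs named "default".

# pods_ready DESIRED READY
# Healthy when every scheduled pod is ready and at least one is scheduled. A
# DaemonSet with 0 desired pods means the node selector matched nothing, which
# is a failure, not success. Non-numeric input (e.g. an empty oc result) fails.
pods_ready() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" -gt 0 ] 2>/dev/null && [ "$1" -eq "$2" ]
}

# routing_via_host_ok VALUE
# The Task 1 patch is only in effect when the field reads exactly "true".
routing_via_host_ok() {
  [ "$1" = "true" ]
}

# cr_ready STATUS
# Sail operator resources carry a Ready condition; its status must be "True".
cr_ready() {
  [ "$1" = "True" ]
}

check_cluster() {
  rc=0

  # Task 1: local gateway mode must be set on the cluster network config.
  rvh=$(oc get networks.operator.openshift.io cluster \
        -o jsonpath='{.spec.defaultNetwork.ovnKubernetesConfig.gatewayConfig.routingViaHost}')
  routing_via_host_ok "$rvh" || { echo "FAIL: routingViaHost is '${rvh}', expected true"; rc=1; }

  # Task 2/3: control plane. The istiod Deployment must have all replicas ready.
  set -- $(oc get deployment istiod -n istio-system \
           -o jsonpath='{.status.replicas} {.status.readyReplicas}')
  pods_ready "$1" "$2" || { echo "FAIL: istiod ${2:-0}/${1:-0} replicas ready"; rc=1; }

  # Per-node components: istio-cni-node and ztunnel must be ready on every node.
  for pair in istio-cni:istio-cni-node ztunnel:ztunnel; do
    ns=${pair%%:*}; name=${pair#*:}
    set -- $(oc get daemonset "$name" -n "$ns" \
             -o jsonpath='{.status.desiredNumberScheduled} {.status.numberReady}')
    pods_ready "$1" "$2" || { echo "FAIL: daemonset ${ns}/${name} ${2:-0}/${1:-0} ready"; rc=1; }
  done

  # Operator view: the Istio, IstioCNI and ZTunnel resources should report Ready=True.
  for kind in istio istiocni ztunnel; do
    st=$(oc get "$kind" default -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')
    cr_ready "$st" || { echo "FAIL: ${kind}/default Ready=${st:-unknown}"; rc=1; }
  done

  [ "$rc" -eq 0 ] && echo "OK: ambient mesh is installed and ready"
  return "$rc"
}

# Run the live checks only when oc is available; the helpers work stand-alone.
if command -v oc >/dev/null 2>&1; then
  check_cluster || echo "ambient installation is not ready yet"
fi
```

Run it after Task 3; it prints one FAIL line per unmet condition and returns non-zero, which makes it usable as a gate in a pipeline. A DaemonSet with DESIRED 0 is treated as a failure on purpose: ztunnel only protects pods on nodes where it is actually scheduled.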