DEV Community

Uri Peled

Zero-Trust Security in K8s Made Simple: Istio Ambient Mesh, No Sidecar Needed

Service meshes have become a critical tool for managing the complexity and security of microservices architectures. However, the sidecar-based model, while powerful, has often introduced notable operational and resource overheads.

Enter Ambient Mesh: Istio's sidecar-free data plane mode, GA since Istio 1.24, which simplifies service mesh adoption and reduces resource demands. It provides Istio's zero-trust building blocks (workload identity, mTLS and authorization policy) without the complexity of sidecar proxies.

The Sidecar Challenge

Sidecar proxies are essential in traditional service mesh architectures, providing traffic management, security, and observability features alongside each service. However, they also bring substantial trade-offs, especially in large clusters where every pod carries its own sidecar. This model often leads to high memory and CPU usage and increased operational complexity: sidecar injection requires pod restarts, and every sidecar has to be upgraded along with the mesh. For many teams, these drawbacks hinder scalability and adoption. Ambient Mesh addresses these pain points by decoupling traffic control and security from individual application pods.

istioctl install --set profile=ambient --skip-confirmation

        |\
        | \
        |  \
        |   \
      /||    \
     / ||     \
    /  ||      \
   /   ||       \
  /    ||        \
 /     ||         \
/______||__________\
____________________
  \__       _____/
     \_____/

✔ Istio core installed ⛵️
✔ Istiod installed 🧠
✔ CNI installed 🪢
✔ Ztunnel installed 🔒
✔ Installation complete
The ambient profile has been installed successfully, enjoy Istio without sidecars!

How Ambient Mesh Works

Ambient Mesh runs a ztunnel (zero-trust tunnel) on each node instead of injecting a sidecar proxy into every pod. The ztunnel obtains a workload identity certificate for each service account running on its node, terminates mTLS on the pods' behalf, and tunnels traffic to the destination node's ztunnel over HBONE (an HTTP-based overlay carried over mTLS on port 15008). The result is a secure Layer 4 overlay: mTLS encryption, identity-based L4 authorization and basic TCP routing, at a fraction of the cost of one proxy per pod. Because ztunnel handles only Layer 4 traffic, it stays small, resource-efficient and straightforward to operate.

For teams needing Layer 7 functionality, such as HTTP routing, retries, method- or path-based authorization and request-level telemetry, waypoint proxies (Envoy instances deployed per namespace or per service) can be added selectively to handle these tasks. This division of responsibilities between ztunnels and waypoint proxies offers fine-grained control, allowing teams to adopt a zero-trust foundation and layer on additional features only where needed.


Label a namespace with istio.io/dataplane-mode=ambient and every pod in it gets mTLS to its peers, 
without restarting or redeploying any of the applications.

Istio's model for redirecting traffic within pods:

The core design principle of Istio's in-pod traffic redirection model in ambient mode is that the ztunnel proxy captures traffic inside the Linux network namespace of the workload pod, rather than at the node level. This is made possible by the collaboration between the istio-cni node agent, which installs the redirection rules when a pod is added to the mesh, and the ztunnel node proxy. A significant advantage of this model is that ambient mode works with any Kubernetes CNI plugin, without disrupting Kubernetes networking features.

mTLS status between the services

Key Benefits of Ambient Mesh

  1. Resource Efficiency: one ztunnel per node replaces one Envoy sidecar per pod, so the per-pod proxy overhead disappears; published benchmarks report CPU and memory savings of over 90% in many cases, freeing resources across the Kubernetes cluster.
  2. Simplified Operations: Ambient Mesh streamlines mesh deployment by removing the need for sidecar injection, enabling users to add applications to the mesh without downtime or container restarts.
  3. Flexible Security and Traffic Management: Organizations can begin with lightweight Layer 4 security through ztunnels, adding waypoint proxies only for services that require advanced Layer 7 traffic management, aligning with zero-trust principles and scalability needs.

Ideal Use Cases

Ambient Mesh is particularly suited to organizations aiming to implement a zero-trust architecture with minimal resource and operational overhead. It’s also a perfect fit for teams looking to incrementally scale mesh adoption, starting with security and expanding to more complex traffic management only when required.

In Mesh: a pod that is included in the ambient data plane, 
and has traffic intercepted at the Layer 4 level by ztunnel. 
In this mode, L4 policies can be enforced for pod traffic. 
This mode can be enabled by setting the
"istio.io/dataplane-mode=ambient" label. 

Dataplane example for Layer 4 traffic
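To make the Layer 4 data plane concrete, both for the ztunnel/waypoint split described under How Ambient Mesh Works and for the in-mesh label defined just above, here is an added example (not code from the original post or from the Istio project) that enrols a namespace in ambient mode and layers the policies ztunnel enforces on top: the namespace label, a STRICT PeerAuthentication, a default-deny AuthorizationPolicy, and a port-scoped, identity-based ALLOW rule. The namespace `payments`, the `ledger` and `checkout` workloads, their service accounts and port 8443 are assumptions for illustration.

```yaml
# Added example, not from the original post or the Istio project.
# Names (payments, ledger, checkout, port 8443) are hypothetical.
---
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # "In mesh": istio-cni redirects each pod's traffic to the node's
    # ztunnel; no sidecar injection and no pod restart is needed.
    istio.io/dataplane-mode: ambient
---
# Refuse plaintext: only mTLS (HBONE) connections reach these pods,
# so a pod outside the mesh cannot talk to them at all.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: strict-mtls
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# Default deny for the whole namespace: an ALLOW policy with no rules
# matches nothing, so every connection is rejected unless another
# ALLOW policy explicitly matches it.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# L4 rule enforced by ztunnel: only the checkout service account may
# open TCP connections to ledger pods, and only on port 8443. Identity
# is the SPIFFE principal from the peer certificate, not a source IP.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/payments/sa/checkout"]
    to:
    - operation:
        ports: ["8443"]
```

Apply the manifests with kubectl apply -f and confirm that the pods in the namespace still show their original container count (no sidecar was injected); on Istio 1.23 or newer, istioctl ztunnel-config workloads lists the pods with the HBONE protocol once they are in mesh. Keep ztunnel-enforced policies to ports and principals: fields such as methods or paths are Layer 7, which ztunnel cannot evaluate, so those rules belong on a waypoint (for example one created with istioctl waypoint apply -n payments --enroll-namespace).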

Conclusion

Istio's Ambient Mesh mode offers a streamlined approach to service mesh architecture, removing the complexity of sidecar proxies while maintaining robust security and observability. For teams previously deterred by sidecar management, Ambient Mesh provides a compelling path forward, with reduced resource costs and an adaptable model that grows with application needs. As the feature matures, Ambient Mesh is poised to become an essential tool for Kubernetes users managing large, secure, and efficient clusters.

For more details, check out the official Istio documentation on Ambient Mesh
