Explore Istio’s Ambient Mode with a quick setup guide for a Kubernetes cluster. Let’s get started!
Prerequisites
Ensure you have a Kubernetes cluster (v1.27–1.30). If you need one, you can use a tool like kind to spin up a local cluster, or use EKS (that's what I am using, with a t3.medium node).
Step 1: Download the Istio CLI
The Istio CLI, istioctl, helps configure Istio. Download it and set up your environment.
curl -L https://istio.io/downloadIstio | sh -
cd istio-1.23.2
export PATH=$PWD/bin:$PATH
Confirm the istioctl installation:
istioctl version
Step 2: Install Istio with Ambient Mode
To enable Ambient Mode, use the ambient profile:
istioctl install --set profile=ambient --skip-confirmation
Verify the installation:
istioctl verify-install
Step 3: Install Kubernetes Gateway API CRDs
Ambient Mode requires the Kubernetes Gateway API CRDs; install them if they are not already present:
kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
Step 4: Deploy the Bookinfo Sample Application
Deploy Istio's Bookinfo app to test traffic routing and Ambient Mode features. The paths below are relative to the istio-1.23.2 directory you changed into in Step 1.
kubectl apply -f ./samples/bookinfo/platform/kube/bookinfo.yaml
kubectl apply -f ./samples/bookinfo/platform/kube/bookinfo-versions.yaml
Step 5: Configure an Ingress Gateway
Expose the Bookinfo app using a gateway. Deploy the gateway and change the service type to ClusterIP.
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/bookinfo/gateway-api/bookinfo-gateway.yaml
kubectl annotate gateway bookinfo-gateway networking.istio.io/service-type=ClusterIP --namespace=default
Use port-forwarding to access the app:
kubectl port-forward svc/bookinfo-gateway-istio 8080:80
Navigate to http://localhost:8080/productpage in your browser.
Step 6: Add Bookinfo to the Service Mesh
Labeling the namespace enrolls every pod in it in ambient mode; ztunnel starts handling their traffic without the pods being restarted.
kubectl label namespace default istio.io/dataplane-mode=ambient
Step 7: Visualize with Kiali, Grafana and Prometheus
Deploy Kiali, Grafana and Prometheus to visualize the Bookinfo app traffic:
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/addons/prometheus.yaml
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/addons/kiali.yaml
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/addons/grafana.yaml
istioctl dashboard kiali
Step 8: Enforce Layer 4 Authorization Policy
Limit access to the productpage service so that only the ingress gateway's identity (its service account) can reach it:
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/bookinfo-gateway-istio
EOF
Let's try accessing the Bookinfo application from a sleep pod:
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/sleep/sleep.yaml
Since the sleep pod uses a different service account, it will not have access to the productpage service. The policy is enforced at Layer 4 by ztunnel, so the connection is closed and curl reports a connection failure rather than an HTTP error:
kubectl exec deploy/sleep -- curl -s "http://productpage:9080/productpage"
Step 9: Layer 7 Authorization with Waypoint Proxy
Deploy a waypoint proxy for the namespace so that Layer 7 (HTTP) policy can be enforced; --enroll-namespace labels the namespace to use the new waypoint.
istioctl waypoint apply --enroll-namespace --wait
Allow GET requests to productpage from the sleep service account. The policy below has the same name as the Layer 4 policy from Step 8, so applying it replaces that policy; it now targets the productpage Service, which is enforced by the waypoint:
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  targetRefs:
  - kind: Service
    group: ""
    name: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    to:
    - operation:
        methods: ["GET"]
EOF
Confirm the new waypoint proxy is enforcing the updated authorization policy:
# This fails with an RBAC error because we're not using a GET operation
kubectl exec deploy/sleep -- curl -s "http://productpage:9080/productpage" -X DELETE
# This fails with an RBAC error because the identity of the reviews-v1 service is not allowed
kubectl exec deploy/reviews-v1 -- curl -s http://productpage:9080/productpage
# This works as we're explicitly allowing GET requests from the sleep pod
kubectl exec deploy/sleep -- curl -s http://productpage:9080/productpage | grep -o "<title>.*</title>"
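As an added check for Steps 8 and 9 (a script written for this guide, not part of the Istio samples), the script below runs the same curl probes from the sleep and reviews-v1 workloads and classifies each result by curl exit code and HTTP status, so the policy outcome is asserted instead of eyeballed. It assumes the workload names and the default namespace from this guide; treating curl exit 56 or 52 as a ztunnel (Layer 4) deny is an assumption about how curl reports a reset connection.

```shell
#!/bin/sh
# Added example (not Istio's own code): verify the Step 8 (L4) and Step 9 (L7)
# policies from this guide. Assumes sleep, reviews-v1 and productpage in "default".
set -e

# Run curl from a workload and print "<curl_exit> <http_code>". Extra arguments
# are passed to curl (e.g. -X DELETE). Never aborts the script on failure.
probe() {
  from="$1"; shift
  code=$(kubectl exec "deploy/$from" -- curl -s -o /dev/null -w '%{http_code}' \
           "$@" http://productpage:9080/productpage) && rc=0 || rc=$?
  echo "$rc ${code:-000}"
}

# Map a "<curl_exit> <http_code>" pair to a verdict. A waypoint (L7) deny is an
# HTTP 403; a ztunnel (L4) deny closes the connection, which curl reports as
# exit 56 (recv failure) or 52 (empty reply) (assumption). Anything else is an error.
classify() {
  rc="$1"; http="$2"
  if   [ "$rc" = 0 ] && [ "$http" = 200 ]; then echo allowed
  elif [ "$rc" = 0 ] && [ "$http" = 403 ]; then echo denied-l7
  elif [ "$rc" = 56 ] || [ "$rc" = 52 ];   then echo denied-l4
  else echo "error(rc=$rc http=$http)"
  fi
}

# expect <verdict> <label> <workload> [curl args...]: prints PASS/FAIL, returns 1 on FAIL.
expect() {
  want="$1"; label="$2"; shift 2
  got=$(classify $(probe "$@"))
  [ "$got" = "$want" ] && echo "PASS: $label ($got)" && return 0
  echo "FAIL: $label: want $want, got $got"; return 1
}

main() {
  status=0
  case "$1" in
    l4)  # after Step 8: only the gateway identity may reach productpage
      expect denied-l4 "sleep blocked by L4 policy" sleep || status=1 ;;
    l7)  # after Step 9: the waypoint allows only GET from the sleep identity
      expect denied-l7 "DELETE from sleep rejected"   sleep -X DELETE || status=1
      expect denied-l7 "reviews-v1 identity rejected" reviews-v1      || status=1
      expect allowed   "GET from sleep allowed"       sleep           || status=1 ;;
    *) echo "usage: $0 l4|l7"; status=2 ;;
  esac
  return $status
}

# Only talk to the cluster when a stage is given: sh check-authz.sh l4  (or l7)
if [ -n "${1:-}" ]; then main "$1"; fi
```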
Step 10: Traffic Splitting
Split traffic between multiple versions of the reviews service.
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: reviews
spec:
  parentRefs:
  - group: ""
    kind: Service
    name: reviews
    port: 9080
  rules:
  - backendRefs:
    - name: reviews-v1
      port: 9080
      weight: 90
    - name: reviews-v2
      port: 9080
      weight: 10
EOF
Test the traffic distribution (roughly 90 of the 100 requests should be served by reviews-v1):
kubectl exec deploy/sleep -- sh -c "for i in $(seq 1 100); do curl -s http://productpage:9080/productpage | grep reviews-v.-; done"
Wrap-Up
With Istio’s Ambient Mode, you have deployed, secured, and visualized a microservice application without modifying the app code. Next, explore advanced Istio features to enhance your microservices further!