
Before you install Istio in ambient mode, review the following considerations and requirements.

Gloo 2.6 lifecycle manager changes

The Solo Istio Lifecycle Manager helps you manage your Istio installations and upgrades more easily. In Gloo Mesh Core version 2.6 and later, the Istio lifecycle manager feature is changed so that an Istio lifecycle agent now deploys and manages the Istio installations to your clusters, instead of the Gloo agent. Additionally, the Istio lifecycle agent now translates input IstioOperator configuration into Istio Helm chart values to deploy the installations, instead of deploying installations based on the IstioOperator configuration directly.


  • In Gloo Mesh Core version 2.6, ambient mode requires the Solo distribution of Istio version 1.22.3 or later (1.22.3-solo).
  • In Istio 1.22.0-1.22.3, the ISTIO_DELTA_XDS environment variable must be set to false. For more information, see this upstream Istio issue. Note that this issue is resolved in Istio 1.22.4.

Single-cluster limitation

Currently, Istio in ambient mode is supported only for single clusters. Ambient mode in a multicluster environment where apps in different clusters can communicate through east-west routing as part of a single service mesh is not supported. However, you can still use your management cluster to deploy separate ambient service meshes to multiple, individual workload clusters.

Revision and canary upgrade limitations

Currently, revisions are not supported for ambient installations. This limitation is planned to be addressed in a future release. To ensure that you can install and upgrade your ambient service mesh smoothly, do not specify a named revision in the spec.installations.revision field. If necessary, you can explicitly set spec.installations.revision to "".

Because revisions are not supported yet, canary upgrades are also not supported. Instead, you can use the lifecycle manager to perform only in-place upgrades of ambient Istio installations.

Prepare your environment

  1. Install Gloo Mesh Core by following the multicluster getting started guide or the Helm setup guide. Do not install Istio as part of your setup.

  2. Set the names of your clusters from your infrastructure provider. If your clusters have different names, specify those names instead.

      export MGMT_CLUSTER=mgmt
    export REMOTE_CLUSTER=cluster1
  3. Save the kubeconfig contexts for your clusters. Run kubectl config get-contexts, look for your cluster in the CLUSTER column, and get the context name in the NAME column. Note: Do not use context names with underscores. The generated certificate that connects workload clusters to the management cluster uses the context name as a SAN specification, and underscores in SAN are not FQDN compliant. You can rename a context by running kubectl config rename-context "<oldcontext>" <newcontext>.
      export MGMT_CONTEXT=<management-cluster-context>
    export REMOTE_CONTEXT=<remote-cluster-context>
  4. Set environment variables for the Solo distribution of Istio repository and image version that you want to install. You can find these values in the Istio images built by support article.

      export REPO=<repo-key>
    export ISTIO_IMAGE=1.22.3-solo
  5. If other Istio installations already exist in your clusters, you must first uninstall any existing Istio installations. You currently cannot use the lifecycle manager alongside or to takeover unmanaged Istio installations that you install by using Helm, istioctl, or an IstioOperator.

  6. If you use Google Kubernetes Engine (GKE) clusters, create the following ResourceQuota in the istio-system namespace of the workload cluster. For more information about this requirement, see the community Istio documentation.

      kubectl --context $REMOTE_CONTEXT create namespace istio-system
    kubectl --context $REMOTE_CONTEXT -n istio-system apply -f - <<EOF
    apiVersion: v1
    kind: ResourceQuota
      name: gcp-critical-pods
      namespace: istio-system
        pods: 1000
        - operator: In
          scopeName: PriorityClass
          - system-node-critical

Deploy the Istio ambient control plane

  1. Create an IstioLifecycleManager resource in your management cluster to deploy an istiod control plane in ambient mode to the workload cluster.

      kubectl apply --context $MGMT_CONTEXT -f- <<EOF
    kind: IstioLifecycleManager
      name: istiod-control-plane
      namespace: gloo-mesh
        - clusters:
            - name: $REMOTE_CLUSTER
            hub: $REPO
            tag: $ISTIO_IMAGE
            profile: ambient
                namespace: istio-system
                enabled: true
                  L7_ENABLED: true
  2. Verify that the components of the Istio ambient mesh and the Istio CNI pods are successfully installed. Because the ztunnel and the CNI are deployed as daemon sets, the number of ztunnel pods and CNI pods each equal the number of nodes in your cluster. Note that it might take a few seconds for the pods to become available.

      kubectl get pods --context $REMOTE_CONTEXT -A | grep istio

    Example output:

      istio-cni-node-6q26l                    1/1     Running   0          1m43s
    istio-cni-node-7gg8k                    1/1     Running   0          1m43s
    istio-cni-node-lcrcd                    1/1     Running   0          1m43s
    istiod-d765ff7cf-46dbm                  1/1     Running   0          2m4s
    ztunnel-648wc                           1/1     Running   0          2m8s
    ztunnel-6rhp5                           1/1     Running   0          2m8s
    ztunnel-hllxg                           1/1     Running   0          2m8s
  3. To send requests to sample apps from outside your Gloo Mesh Core setup, you can use the following gateway lifecycle manager resource to also deploy an Istio ingress gateway. Note that in an ambient service mesh, gateways do not require an ambient profile.

      kubectl --context $MGMT_CONTEXT -n gloo-mesh apply -f - <<EOF
    kind: GatewayLifecycleManager
      name: istio-ingressgateway
      namespace: gloo-mesh
        - clusters:
            - name: $REMOTE_CLUSTER
            hub: $REPO
            tag: $ISTIO_IMAGE
            profile: empty
              - enabled: true
                      # Port for health checks on path /healthz/ready.
                      # For AWS ELBs, must be listed as the first port
                      - name: status-port
                        port: 15021
                        targetPort: 15021
                      - name: http2
                        port: 80
                        targetPort: 8080
                      - name: https
                        port: 443
                        targetPort: 8443
                      - name: tls
                        port: 15443
                        targetPort: 15443
                      istio: ingressgateway
                    type: LoadBalancer
                  app: istio-ingressgateway
                  istio: ingressgateway
                name: istio-ingressgateway
                namespace: gloo-mesh-gateways
  4. In the workload cluster, verify that the ingress gateway pod has a status of RUNNING and that the load balancer service has an external address.

      kubectl get pods,svc -n gloo-mesh-gateways --context $REMOTE_CONTEXT

    Example output:

      NAME                                    READY   STATUS    RESTARTS   AGE
    istio-ingressgateway-665d46686f-nhh52   1/1     Running   0          106s
    NAME                        TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                                                                      AGE
    istio-ingressgateway        LoadBalancer    <externalip>  15021:32378/TCP,80:30315/TCP,443:32186/TCP,31400:30313/TCP,15443:31632/TCP                                   2m2s


Deploy sample apps and add them to the ambient mesh.