Add apps to the ambient mesh
Deploy the Bookinfo sample app without sidecars to try out ambient.
Deploy Bookinfo
Deploy Bookinfo, the Istio sample app.
Create the
bookinfonamespace.kubectl create ns bookinfoDeploy the Bookinfo app.
# deploy bookinfo application components for all versions kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.20.6/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app' # deploy all bookinfo service accounts kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.20.6/samples/bookinfo/platform/kube/bookinfo.yaml -l 'account'Verify that the Bookinfo app is deployed successfully.
kubectl get pods -n bookinfo kubectl get svc -n bookinfoVerify that you can access the ratings app from the product page app.
kubectl -n bookinfo debug -i pods/$(kubectl get pod -l app=productpage -A -o jsonpath='{.items[0].metadata.name}') --image=curlimages/curl -- curl -v http://ratings:9080/ratings/1Example output:
... Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < Content-type: application/json < Date: Thu, 08 Sep 2022 18:56:59 GMT < Connection: keep-alive < Transfer-Encoding: chunked < * Connection #0 to host ratings left intact {"id":1,"ratings":{"Reviewer1":5,"Reviewer2":4}}
Add Bookinfo to the ambient mesh
Add the Bookinfo services to the ambient mesh, and verify that traffic is routed through the ztunnels in your cluster.
Label the
bookinfonamespace to onboard Bookinfo to the ambient mesh. You can add all pods in a namespace to an ambient mesh by labeling the namespace.kubectl label namespace bookinfo istio.io/dataplane-mode=ambientVerify that the label was applied. After you label the namespace, all ingoing and outgoing traffic to the pods is automatically redirected to the ztunnel that is co-located on the same node as the pod. If pods exist on different nodes, the ztunnel forwards the traffic to the ztunnel that is located on the other node. The communication between ztunnels is secured via mutual TLS (mTLS). However, because the pods are deployed without an Istio sidecar, the traffic from the pod to the ztunnel and vice versa is sent via plain text. For more information, see the component overview.
kubectl describe namespace bookinfoSend a request to the ratings app again.
kubectl -n bookinfo debug -i pods/$(kubectl get pod -l app=productpage -A -o jsonpath='{.items[0].metadata.name}') --image=curlimages/curl -- curl -v http://ratings:9080/ratings/1Get the logs of the ztunnel that is co-located with the ratings app.
Get the name of the node that the ratings app is deployed to.
kubectl get pods -n bookinfo -o wide | grep ratingsList the ztunnels in your cluster and note the name of the ztunnel that is deployed to the same node as the ratings app.
kubectl get pods -n istio-system -o wide | grep ztunnelGet the logs of the ztunnel pod that runs on the same node as the ratings app. Make sure that you see an
inboundlog message for the request that the product page app sent to ratings.kubectl logs <ztunnel-pod-name> -n istio-systemExample output:
2023-08-02T19:21:10.842039Z INFO inbound{id=258fba6255ba9a04e6352f576d930b31 peer_ip=10.44.2.12 peer_id=spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage}: ztunnel::proxy::inbound: got CONNECT request to 10.44.1.13:9080Log in to the ztunnel pod to view Istio Layer 4 metrics that were emitted by the ztunnel, such as
istio_tcp_sent_bytes_totaloristio_tcp_connections_closed_total. These metrics are forwarded to the built-in Prometheus server and are used by the Gloo UI to visualize traffic between workloads in the ambient mesh.kubectl exec -n istio-system <ztunnel_pod_name> -- curl http://localhost:15020/stats/prometheus | grep istio_tcpExample output:
istio_tcp_sent_bytes_total{reporter="destination",source_workload="productpage-v1",source_canonical_service="productpage",source_canonical_revision="v1",source_workload_namespace="bookinfo",source_principal="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage",source_app="productpage",source_version="v1",source_cluster="gloo-mesh-docs-ambient-mgt",destination_service="unknown",destination_service_namespace="unknown",destination_service_name="unknown",destination_workload="ratings-v1",destination_canonical_service="ratings",destination_canonical_revision="v1",destination_workload_namespace="bookinfo",destination_principal="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-ratings",destination_app="ratings",destination_version="v1",destination_cluster="gloo-mesh-docs-ambient-mgt",request_protocol="tcp",response_flags="-",connection_security_policy="mutual_tls",response_code="",grpc_response_status=""} 398
- If you plan to use L7 traffic policies, be sure to apply the CRDs for the Kubernetes Gateway API in your cluster, which are required to create waypoint proxies.
kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || (kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.6.1" | kubectl apply -f -)
You now have a functioning ambient service mesh in your cluster, and Gloo Mesh Core is running in ambient mode! To start applying policies and configure traffic routing, see the next steps.
Next
- Launch the Gloo UI to review the Istio insights that were captured for your ambient setup. Gloo Mesh Core comes with an insights engine that automatically analyzes your Istio and Cilium setups for health issues. Then, Gloo shares these issues along with recommendations to harden your Istio and Cilium setups. The insights give you a checklist to address issues that might otherwise be hard to detect across your environment. For more information, see Insights.
- Check out the Istio docs to:
- Check out Gloo Mesh Enterprise in ambient mode for additional ambient features, such as automated waypoint proxy creation and management, Layer 4 and 7 policy translation, and more.