Add apps to an ambient mesh

You can add all pods in a namespace to an ambient mesh by labeling the namespace.

  1. Label the bookinfo namespace to onboard Bookinfo to the ambient mesh.

    kubectl label namespace bookinfo istio.io/dataplane-mode=ambient
  2. Verify that the label was applied. After you label the namespace, all incoming and outgoing traffic of the pods is automatically redirected to the ztunnel that is co-located on the same node as the pod. If the pods are on different nodes, the ztunnel forwards the traffic to the ztunnel that is located on the other node. The communication between ztunnels is secured via mutual TLS (mTLS). However, because the pods are deployed without an Istio sidecar, the traffic between a pod and its local ztunnel is sent in plain text. For more information, see the Architecture overview.

    kubectl describe namespace bookinfo
  3. Send a request to the ratings app again.

    kubectl -n bookinfo debug -i pods/$(kubectl get pod -n bookinfo -l app=productpage -o jsonpath='{.items[0].metadata.name}') --image=curlimages/curl -- curl -v http://ratings:9080/ratings/1
  4. Get the logs of the ztunnel that is co-located with the ratings app.

    1. Get the name of the node that the ratings app is deployed to.

      kubectl get pods -n bookinfo -o wide | grep ratings
    2. List the ztunnels in your cluster and note the name of the ztunnel that is deployed to the same node as the ratings app.

      kubectl get pods -n istio-system -o wide | grep ztunnel
    3. Get the logs of the ztunnel and make sure that you see an inbound log message for the request that the product page app sent to ratings.

      kubectl logs <ztunnel-pod-name> -n istio-system

      Example output:

      2023-08-02T19:21:10.842039Z  INFO inbound{id=258fba6255ba9a04e6352f576d930b31 peer_ip= peer_id=spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage}: ztunnel::proxy::inbound: got CONNECT request to
    4. Log in to the ztunnel pod to view Istio Layer 4 metrics that were emitted by the ztunnel, such as istio_tcp_sent_bytes_total or istio_tcp_connections_closed_total. These metrics are forwarded to the built-in Prometheus server and are used by the Gloo UI to visualize traffic between workloads in the ambient mesh.

      kubectl exec -n istio-system <ztunnel-pod-name> -- curl http://localhost:15020/stats/prometheus | grep istio_tcp

      Example output:

      istio_tcp_sent_bytes_total{reporter="destination",source_workload="productpage-v1",source_canonical_service="productpage",source_canonical_revision="v1",source_workload_namespace="bookinfo",source_principal="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage",source_app="productpage",source_version="v1",source_cluster="gloo-mesh-docs-ambient-mgt",destination_service="unknown",destination_service_namespace="unknown",destination_service_name="unknown",destination_workload="ratings-v1",destination_canonical_service="ratings",destination_canonical_revision="v1",destination_workload_namespace="bookinfo",destination_principal="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-ratings",destination_app="ratings",destination_version="v1",destination_cluster="gloo-mesh-docs-ambient-mgt",request_protocol="tcp",response_flags="-",connection_security_policy="mutual_tls",response_code="",grpc_response_status=""} 398
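As an added check (example code written for this page, not part of Gloo Mesh or Istio), the following Python parses ztunnel istio_tcp_* metric lines like the one above and reports any workload-to-workload connection whose connection_security_policy is not mutual_tls, or whose mTLS peer principal is outside the expected SPIFFE trust domain. The metric text is a constructed sample with the label set shortened to what the check needs; in practice you would feed it the output of the kubectl exec command from the previous step.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the ztunnel /stats/prometheus format shown above.
# The second line is a deliberately constructed plaintext ("none") connection
# so that the check has something to flag; it is not real cluster output.
SAMPLE_METRICS = """\
# HELP istio_tcp_sent_bytes_total Total bytes sent
# TYPE istio_tcp_sent_bytes_total counter
istio_tcp_sent_bytes_total{reporter="destination",source_workload="productpage-v1",source_principal="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage",destination_workload="ratings-v1",destination_principal="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-ratings",connection_security_policy="mutual_tls"} 398
istio_tcp_sent_bytes_total{reporter="destination",source_workload="unknown",source_principal="",destination_workload="ratings-v1",destination_principal="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-ratings",connection_security_policy="none"} 120
istio_tcp_connections_closed_total{reporter="destination",source_workload="productpage-v1",source_principal="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage",destination_workload="ratings-v1",destination_principal="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-ratings",connection_security_policy="mutual_tls"} 1
"""

# Prometheus text-exposition label pair: name="value" (value may contain escaped quotes).
LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_metric(line: str) -> Tuple[str, Dict[str, str], float]:
    """Split one labelled sample line into (metric name, labels, value)."""
    name, rest = line.split("{", 1)
    labels_text, value = rest.rsplit("}", 1)
    labels = {k: v for k, v in LABEL_RE.findall(labels_text)}
    return name, labels, float(value)


def parse_istio_tcp(text: str) -> List[Tuple[str, Dict[str, str], float]]:
    """Keep only the labelled istio_tcp_* samples; skip HELP/TYPE and other families."""
    return [parse_metric(l) for l in text.splitlines()
            if l.startswith("istio_tcp_") and "{" in l]


def non_mtls_connections(text: str, trust_domain: str = "cluster.local") -> List[str]:
    """Return one finding per istio_tcp_* sample that is not mTLS within trust_domain."""
    findings = set()
    for name, labels, _ in parse_istio_tcp(text):
        src = labels.get("source_workload", "unknown")
        dst = labels.get("destination_workload", "unknown")
        policy = labels.get("connection_security_policy", "")
        peer = labels.get("source_principal", "")
        if policy != "mutual_tls":
            findings.add(f"{name}: {src} -> {dst} has connection_security_policy={policy!r}")
        elif not peer.startswith(f"spiffe://{trust_domain}/"):
            findings.add(f"{name}: {src} -> {dst} mTLS peer {peer!r} outside trust domain")
    return sorted(findings)


if __name__ == "__main__":
    for finding in non_mtls_connections(SAMPLE_METRICS):
        print(finding)
```

An empty result means every istio_tcp_* sample the ztunnel reported was an mTLS connection with a peer identity in the expected trust domain.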


Apply an L4 access policy