Sidecarless Istio Ambient Mesh clears cloud interop hurdle

Istio's Ambient Mesh is now compatible with major cloud providers' managed Kubernetes services, available as an Amazon EKS add-on and slated for beta in the next release.

Istio's take on a sidecarless service mesh will soon be headed to beta, and to a cloud provider near you.

Istio Ambient Mesh, first introduced in September 2022, is a variation of the service mesh project that takes a simplified approach to the architecture of its sidecar proxies. In the past, the project, originally created by Google, IBM and Lyft, relied on software components called sidecars. Sidecars were deployed in every Kubernetes pod and used by a central control plane to execute distributed network management functions. This architecture has become associated with containerized microservices applications on Kubernetes, but sidecars can become cumbersome and complex to manage as clusters scale, and they aren't strictly necessary for every application.

Istio Ambient Mesh, which reached alpha status in early 2023, instead offers the option to use a shared proxy that provides Layer 4 features such as mutual TLS and identity management for workloads that don't require application-level Layer 7 routing.

However, when project maintainers went to test the compatibility of Ambient Mesh with managed Kubernetes services from cloud providers, they ran into a problem.

In Kubernetes environments, Istio service mesh must connect with the Container Network Interface (CNI), a framework for dynamically configuring ephemeral container network resources within clusters. Each of the major cloud providers' managed services for Kubernetes -- Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS) and Google Kubernetes Engine (GKE) -- uses a different CNI, as do other cloud-native networking projects such as Calico and Cilium.

Istio Ambient Mesh maintainers discovered in alpha testing that different CNIs handle traffic redirection differently, some in ways that made them incompatible with Ambient Mesh.


"The fundamental problem with redirecting traffic in the host network namespace is that this is precisely the same spot where the cluster's primary CNI implementation must configure traffic routing/networking rules," a blog post by Istio maintainers stated. "This created inevitable conflicts."

To overcome this hurdle, project engineers found a way to handle traffic redirection at the Kubernetes pod level without having to revert to using sidecars.

"This means that every Kubernetes distribution that is CNI compliant should be able to run Istio Ambient Mesh without changes," said Torsten Volk, an analyst at Enterprise Management Associates. "There should be no performance overhead, as they aren't adding any containers or additional software. They are just using the Istio agent to directly inject the routing instructions into the pod network instead of running these same routing instructions at the node level."
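The practical consequence of the pod-level redirection described above is that an ambient-mode workload carries no extra containers, while a sidecar-mode workload still shows an injected proxy. The following audit script is an added example, not code from the article or from the Istio project; it assumes the conventions Istio documents (a sidecar-mode pod contains an `istio-proxy` container and an `istio-init` init container; ambient mode is enabled per namespace with the label `istio.io/dataplane-mode=ambient`) and runs over constructed pod and namespace objects shaped like `kubectl get ... -o json` items. The security-relevant output is the list of pods that are in neither mode, since traffic to and from those gets no mesh-issued identity or mutual TLS.

```python
"""Classify Kubernetes pods as sidecar-mode, ambient-mode or unmeshed.

Added example for this article; it is not code from the Istio project.
Assumptions (Istio conventions as documented): sidecar mode injects an
`istio-proxy` container and an `istio-init` init container into each pod;
ambient mode is switched on per namespace with the label
`istio.io/dataplane-mode=ambient` and adds no containers to the pod.
The sample pods and namespaces below are constructed in the shape of
`kubectl get pods -o json` / `kubectl get ns -o json` items.
"""
from collections import Counter

AMBIENT_LABEL = "istio.io/dataplane-mode"
SIDECAR_CONTAINERS = {"istio-proxy"}
SIDECAR_INIT_CONTAINERS = {"istio-init"}


def pod_mode(pod, namespaces):
    """Return 'sidecar', 'ambient' or 'unmeshed' for one pod object."""
    spec = pod.get("spec", {})
    names = {c["name"] for c in spec.get("containers", [])}
    init_names = {c["name"] for c in spec.get("initContainers", [])}
    # A proxy container inside the pod is the sidecar-mode signature,
    # regardless of how the namespace is labelled.
    if names & SIDECAR_CONTAINERS or init_names & SIDECAR_INIT_CONTAINERS:
        return "sidecar"
    ns = namespaces.get(pod["metadata"]["namespace"], {})
    labels = ns.get("metadata", {}).get("labels", {})
    if labels.get(AMBIENT_LABEL) == "ambient":
        return "ambient"
    return "unmeshed"


def audit(pods, namespaces):
    """Count pods per mode and list the ones outside the mesh entirely."""
    counts = Counter()
    unmeshed = []
    for pod in pods:
        mode = pod_mode(pod, namespaces)
        counts[mode] += 1
        if mode == "unmeshed":
            meta = pod["metadata"]
            unmeshed.append(f'{meta["namespace"]}/{meta["name"]}')
    return dict(counts), unmeshed


# Constructed sample input: one ambient namespace, one sidecar namespace,
# one namespace with no mesh configuration at all.
NAMESPACES = {
    "payments": {"metadata": {"labels": {AMBIENT_LABEL: "ambient"}}},
    "legacy": {"metadata": {"labels": {"istio-injection": "enabled"}}},
    "scratch": {"metadata": {"labels": {}}},
}

PODS = [
    {"metadata": {"name": "api", "namespace": "payments"},
     "spec": {"containers": [{"name": "api"}]}},
    {"metadata": {"name": "orders", "namespace": "legacy"},
     "spec": {"initContainers": [{"name": "istio-init"}],
              "containers": [{"name": "orders"}, {"name": "istio-proxy"}]}},
    {"metadata": {"name": "debug", "namespace": "scratch"},
     "spec": {"containers": [{"name": "shell"}]}},
]

if __name__ == "__main__":
    counts, unmeshed = audit(PODS, NAMESPACES)
    print("pods per mode:", counts)
    print("unmeshed pods:", unmeshed)
```

Against a live cluster the same two functions can be fed the `items` arrays from `kubectl get pods -A -o json` and `kubectl get ns -o json`; the namespace-label check is the only thing that distinguishes an ambient pod from an unmeshed one, which is exactly why the absence of a sidecar container by itself proves nothing about whether a workload is protected.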

Ambient mode comes to Amazon EKS

With this adjustment, as of Istio version 1.21, released March 13, Ambient Mesh "has been tested with GKE, AKS, and EKS and all the CNI implementations they offer, 3rd-party CNIs like Calico and Cilium, and platforms like OpenShift, all with solid results," according to a release blog post. The post also stated that Ambient Mesh is expected to reach beta in the next release of Istio service mesh; releases for the project have typically become available once per quarter.

In the meantime, cloud-native network platform vendor Solo.io added this version of Ambient Mesh to its Amazon EKS add-on this week. AWS also made EKS add-ons, previously delivered separately through the AWS Marketplace, available directly within the EKS management console on March 14.

Ambient Mesh still isn't recommended for production use, but availability of a compatible version directly within the Amazon EKS console marks a major step toward enterprise adoption, said Steven Dickens, an analyst at Futurum Group.

"Now that Solo's done the engineering work, it's just one less thing for an SRE [site reliability engineering] or development team to worry about," he said. "That's what drives adoption."

Figure: Diagram comparing Istio's service mesh ambient mode vs. a sidecar proxy. Istio's Ambient Mesh simplifies the service mesh architecture to funnel most traffic through shared host-level proxies, rather than requiring a separate sidecar for every Kubernetes pod.

Ambient Mesh is the latest bid by the Istio service mesh and the commercial vendors that support it to overcome its early reputation as a highly complex tool to operate. Ambient Mesh also charts a middle path between the completely sidecarless approach -- taken by Cisco's Isovalent and the Cilium project -- and the all-sidecars approach taken by Linkerd; supporters argue this middle path maintains service mesh security while preserving sidecarless simplicity.

Ultimately, it's simplicity that will win out over tech specs, Dickens predicted.

"It's not Isovalent versus Solo or who's got the best technology," he said. "It's more about who's made it less [difficult] to deploy."

Istio has also gained momentum since Google donated it to the Cloud Native Computing Foundation, where it has 8,800 contributors, including 85 maintainers from 15 different companies. In addition to Solo.io, the project is supported by commercial vendor Tetrate.

Dickens said he's hesitant to declare Istio the winner of the early service mesh race, but he noted that it appears to have the lead as Kubernetes and its affiliated distributed application management tools approach enterprise market saturation.

"I've got enough gray in my hair to know not to pick winners," he said. "But I think if we fast-forward 18 months, we'll probably have a better view of that."

Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps.
