As the cost and operational complexity of sidecar-based service meshes persist, we're excited to see another option for a service mesh without sidecars emerge: Istio ambient mode. Ambient mode introduces a layered architecture that separates concerns between two key components: the per-node L4 proxy (ztunnel) and the per-namespace L7 proxy (the waypoint proxy). ztunnel transports L3 and L4 traffic efficiently and securely: it powers the ambient data plane by fetching the mTLS certificates for the workload identities on its node, tunnels traffic between nodes over mTLS, enforces identity- and port-based (L4) authorization policy, and handles redirection of traffic to and from ambient-enabled workloads. The waypoint proxy, an optional ambient mode component, enables richer Istio features such as traffic management, L7 security policy and observability; because it is per namespace (or per service) rather than per pod, it is only in the path of workloads that are explicitly enrolled to it. We've had good experience with ambient mode in small-scale clusters and look forward to gaining more large-scale insights and best practices as adoption grows.
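The split described above determines where a given security policy is actually enforced. The following manifests are an added example, not taken from the Radar text or from the Istio project; the namespace `default`, the workloads `httpbin` and `redis`, the service account `sleep`, the ports and the paths are all assumptions, and the `targetRefs` form of AuthorizationPolicy assumes an Istio release that supports it (1.22 or later). Enrolling the namespace puts every pod behind its node's ztunnel; only the `httpbin` Service is additionally routed through the waypoint, so the L4 policy on `redis` is enforced by ztunnel alone while the HTTP method/path policy is bound to the waypoint, which is the only component that can parse L7.

```yaml
# Added example, not from the Radar text. Namespace, app labels,
# service account and ports are assumptions.
#
# 1. Enroll the namespace in ambient mode. ztunnel on each node now
#    captures traffic for every pod here; no sidecar injection is needed.
apiVersion: v1
kind: Namespace
metadata:
  name: default
  labels:
    istio.io/dataplane-mode: ambient
---
# 2. Per-namespace L7 proxy (waypoint), declared as a Gateway API Gateway.
#    This is what `istioctl waypoint apply` generates.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint
  namespace: default
  labels:
    istio.io/waypoint-for: service
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
---
# 3. Route only the httpbin Service through the waypoint. Workloads
#    without this label (e.g. redis below) never traverse an L7 proxy.
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  namespace: default
  labels:
    istio.io/use-waypoint: waypoint
spec:
  selector:
    app: httpbin
  ports:
  - name: http
    port: 8000
    targetPort: 8080
---
# 4a. L4 policy: only peer identity and port, so ztunnel enforces it at
#     the destination node with no L7 proxy in the path. The principal is
#     the SPIFFE identity derived from the caller's service account.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: redis-clients
  namespace: default
spec:
  selector:
    matchLabels:
      app: redis
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/sleep"]
    to:
    - operation:
        ports: ["6379"]
---
# 4b. L7 policy: restricting HTTP method and path requires the waypoint,
#     so the policy is bound to the Gateway via targetRefs rather than to
#     the pods. It applies to every service enrolled to this waypoint.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: httpbin-readonly
  namespace: default
spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: waypoint
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/sleep"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/get", "/headers"]
```

Two checks worth making after applying something like this: confirm with `kubectl get gateway -n default` that the waypoint has been programmed (its `PROGRAMMED` column should read `True`) before relying on the L7 rules, and do not write method or path conditions into a policy that selects pods directly. ztunnel cannot evaluate HTTP attributes, and Istio's ambient documentation states that it fails closed in that case, denying the matching traffic rather than ignoring the L7 condition; verify that behaviour on the release you run rather than assuming it.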
A service mesh is usually implemented as a reverse proxy process deployed alongside each service instance, the "sidecar". Although these sidecars are lightweight processes, every new service instance means one more sidecar, so the overall cost and operational complexity of adopting a service mesh grow with it. With the development of eBPF, however, we've seen a pattern known as the sidecarless service mesh emerge, which safely pushes mesh functionality down into the operating system kernel, so that services on the same node can communicate transparently through sockets without an additional proxy. You can try this pattern with Cilium Service Mesh and simplify the deployment model from "one proxy per service" to "one proxy per node". We're very interested in the capabilities of eBPF and consider this evolution of the service mesh important and worth assessing.
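In the Cilium model described above, a single policy object decides which part of the datapath handles a flow: the L3/L4 part of a rule is enforced in eBPF on every node, and only a rule that names L7 attributes causes the matching flow to be redirected to the node-local Envoy proxy, still without a per-pod sidecar. The manifest below is an added example, not code from the Radar or from the Cilium project; the pod labels `app: frontend` and `app: backend`, the port and the paths are assumptions, and it presumes Cilium is installed with its L7 proxy enabled.

```yaml
# Added example, not from the Radar text. Pod labels, port and paths
# are assumptions.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-api-access
  namespace: default
spec:
  # Identity-based selection: Cilium maps the label set to a numeric
  # security identity, so the L3/L4 decision is a lookup in an eBPF map
  # on the node rather than a per-packet rule in a per-pod proxy.
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      # The presence of an http rule is what makes the eBPF datapath
      # redirect this flow to the node-local Envoy for parsing. Requests
      # from frontend that match none of these entries are rejected at
      # L7; traffic from any other identity never reaches the proxy,
      # it is dropped in the kernel.
      rules:
        http:
        - method: "GET"
          path: "/api/.*"
        - method: "POST"
          path: "/api/orders"
```

Because the redirect happens in the datapath rather than at the socket of each pod, the application sees nothing but a plain TCP connection. Two caveats follow from that: the HTTP rules only apply to plaintext HTTP, so a backend that terminates TLS itself presents opaque TCP to the node proxy unless Cilium's TLS interception is configured, and a policy with no `rules` block stays entirely in eBPF, which is the cheaper path when identity and port are all you need to express. `hubble observe --namespace default --verdict DROPPED` shows kernel-level drops and `hubble observe --namespace default --type l7` shows the decisions taken by the node proxy, which is a quick way to confirm which layer a given denial came from.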