Enable Ambient Mode
This section describes how to work with clusters, and the workloads within them, that run on or are attached to Istio in ambient mode.
Before getting started, ensure that you have followed the procedures described in the Installation section and have set up your Management Plane and Control Plane with the correct settings.
Enable Ambient Mode for Workloads
After installing TSB with ambient mode support, you need to explicitly enable ambient mode for your namespaces and workloads.
Enable Ambient Mode for a Namespace
To enable ambient mode for all workloads in a namespace, add the istio.io/dataplane-mode=ambient label:
kubectl label namespace <namespace-name> istio.io/dataplane-mode=ambient
For example, to enable ambient mode for the bookinfo namespace, execute:
kubectl label namespace bookinfo istio.io/dataplane-mode=ambient
Enable Ambient Mode for Specific Workloads
Alternatively, you can enable ambient mode for specific workloads by adding the label to individual pods or deployments:
kubectl label pod <pod-name> istio.io/dataplane-mode=ambient -n <namespace>
Verify Ambient Mode is Active
After enabling ambient mode, verify that your workloads are part of the ambient mesh by listing them with their labels:
kubectl get pods -n <namespace> --show-labels
Verify that ztunnel is handling traffic for your pods:
kubectl logs -l app=ztunnel -n istio-system
Test and validate
Deploy a simple client and server to verify that traffic between them is automatically encrypted.
Step 1: Deploy the Echo Server
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo
  namespace: echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: echo
  template:
    metadata:
      labels:
        app: echo
        version: v1
    spec:
      containers:
        - name: echo
          image: gcr.io/istio-release/app:latest
          ports:
            - containerPort: 8000
          env:
            - name: PORT
              value: "8000"
            - name: VERSION
              value: "v1"
---
apiVersion: v1
kind: Service
metadata:
  name: echo
  namespace: echo
spec:
  selector:
    app: echo
  ports:
    - port: 8080
      targetPort: 8000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo-v2
  namespace: echo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echo
      version: v2
  template:
    metadata:
      labels:
        app: echo
        version: v2
    spec:
      containers:
        - name: echo
          image: gcr.io/istio-release/app:latest
          ports:
            - containerPort: 8000
          env:
            - name: PORT
              value: "8000"
            - name: VERSION
              value: "v2"
Step 2: Deploy the ambient HTTP client
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ambient-http-client
  namespace: client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ambient-http-client
  template:
    metadata:
      labels:
        app: ambient-http-client
        version: v1
    spec:
      containers:
        - name: client
          image: curlimages/curl
          command: ["/bin/sleep", "infinity"]
Step 3: Create Namespaces and Enable Ambient Mode
Enable ambient mode for both namespaces (the client and echo namespaces must already exist, since the label is applied to the namespace object):
kubectl label namespace client istio.io/dataplane-mode=ambient
kubectl label namespace echo istio.io/dataplane-mode=ambient
Step 4: Create a TSB Workspace
apiVersion: api.tsb.tetrate.io/v2
kind: Workspace
metadata:
  name: ambient-demo-ws
  organization: <your-organization>
  tenant: <your-tenant>
spec:
  displayName: "Ambient Mode Demo Workspace"
  namespaceSelector:
    names:
      - "*/client"
      - "*/echo"
Apply the workspace configuration using tctl:
tctl apply -f ambient-demo-workspace.yaml
Step 5: Test Connectivity and Logs
Generate some traffic from the client to the echo service so that the service topology can be rendered in the TSB UI:
for i in {1..10}; do
  kubectl exec deployment/ambient-http-client -n client -- curl -s echo.echo.svc.cluster.local:8080/version
  sleep 1
done
Check the ztunnel logs to see mTLS traffic between the two namespaces:
kubectl logs -l app=ztunnel -n istio-system | grep -E "(client|echo|mTLS|inbound|outbound)"
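To turn the grep above into a repeatable check, the following added Python example (not part of the TSB documentation or of the ztunnel project) parses access-log lines in ztunnel's key="value" shape and reports which connections into the echo namespace carried a SPIFFE identity on both ends (mTLS over HBONE) and which did not. The sample log lines, the workload names and the exact set of fields are constructed assumptions; feed it the real output of the kubectl logs command to check a cluster.

```python
import re

# Constructed sample lines in the key="value" shape of ztunnel access logs
# (assumption: real lines carry more fields; only the ones read below matter).
# Line 3 models a workload outside the mesh reaching echo without an identity.
SAMPLE_LOGS = """\
info access connection complete src.addr=10.0.1.5:41822 src.workload="ambient-http-client-7d9f" src.namespace="client" src.identity="spiffe://cluster.local/ns/client/sa/default" dst.addr=10.0.2.9:15008 dst.hbone_addr=10.0.2.9:8000 dst.service="echo.echo.svc.cluster.local" dst.workload="echo-6b4c" dst.namespace="echo" dst.identity="spiffe://cluster.local/ns/echo/sa/default" direction="outbound" bytes_sent=88 bytes_recv=1024 duration="4ms"
info access connection complete src.addr=10.0.1.5:41822 src.workload="ambient-http-client-7d9f" src.namespace="client" src.identity="spiffe://cluster.local/ns/client/sa/default" dst.addr=10.0.2.9:8000 dst.service="echo.echo.svc.cluster.local" dst.workload="echo-6b4c" dst.namespace="echo" dst.identity="spiffe://cluster.local/ns/echo/sa/default" direction="inbound" bytes_sent=1024 bytes_recv=88 duration="3ms"
info access connection complete src.addr=10.0.3.2:50110 src.workload="legacy-job-xk2" src.namespace="batch" dst.addr=10.0.2.9:8000 dst.service="echo.echo.svc.cluster.local" dst.workload="echo-6b4c" dst.namespace="echo" dst.identity="spiffe://cluster.local/ns/echo/sa/default" direction="inbound" bytes_sent=512 bytes_recv=60 duration="2ms"
"""

# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_line(line):
    """Return {key: value} for one access-log line, with quotes stripped."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(line)}


def is_mtls(rec):
    """mTLS: ztunnel authenticated a SPIFFE identity for BOTH peers.
    Outbound mTLS connections additionally target the HBONE port 15008."""
    return (rec.get("src.identity", "").startswith("spiffe://")
            and rec.get("dst.identity", "").startswith("spiffe://"))


def audit(log_text, dst_ns="echo"):
    """Count mTLS connections into dst_ns and list the ones without mTLS.
    Returns {"mtls": int, "plaintext": [(src_ns, src_workload, direction), ...]}."""
    mtls, plaintext = 0, []
    for line in log_text.splitlines():
        if "access connection complete" not in line:  # skip non-access lines
            continue
        rec = parse_line(line)
        if rec.get("dst.namespace") != dst_ns:
            continue
        if is_mtls(rec):
            mtls += 1
        else:
            plaintext.append((rec.get("src.namespace", "?"),
                              rec.get("src.workload", "?"),
                              rec.get("direction", "?")))
    return {"mtls": mtls, "plaintext": plaintext}


if __name__ == "__main__":
    result = audit(SAMPLE_LOGS)
    print(f"mTLS connections into echo: {result['mtls']}")
    for src_ns, wl, direction in result["plaintext"]:
        print(f"NOT mTLS: {direction} from {src_ns}/{wl}")
```

Any entry under plaintext is a connection ztunnel completed without a peer identity, which is what you want to see empty once both namespaces carry the ambient label.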
Step 6: View the Topology in the UI
After generating traffic, you can view the service topology in the TSB UI. For detailed steps on navigating the topology view, see the TSB Topology and Metrics guide.
The topology view shows your ambient-enabled services with automatic mTLS encryption.
The topology display will include:
- Service nodes for both ambient-http-client and echo
- Traffic flow arrows indicating the direction of communication
- mTLS indicators showing that traffic is automatically encrypted
- Request metrics and success rates