Tetrate Service Bridge, Version: 1.12.x

Enable Ambient Mode

This section describes the processes required to work with clusters, and the workloads within them, that run on or are attached to Istio in ambient mode.

Warning: Before getting started, ensure that you have followed the procedures described in the Installation section and have set up your Management Plane and Control Plane with the correct settings.

Enable Ambient Mode for Workloads

After installing TSB with ambient mode support, you need to explicitly enable ambient mode for your namespaces and workloads.

Enable Ambient Mode for a Namespace

To enable ambient mode for all workloads in a namespace, add the istio.io/dataplane-mode=ambient label:

kubectl label namespace <namespace-name> istio.io/dataplane-mode=ambient

For example, to enable ambient mode for the bookinfo namespace, execute:

kubectl label namespace bookinfo istio.io/dataplane-mode=ambient

Enable Ambient Mode for Specific Workloads

Alternatively, you can enable ambient mode for specific workloads by adding the label to individual pods or deployments:

kubectl label pod <pod-name> istio.io/dataplane-mode=ambient -n <namespace>

Verify Ambient Mode is Active

After enabling ambient mode, verify that your workloads are part of the ambient mesh by running:

kubectl get pods -n <namespace> --show-labels

Verify that ztunnel is handling traffic for your pods:

kubectl logs -l app=ztunnel -n istio-system

Test and validate

Deploy a simple client and server to verify that traffic is automatically encrypted.

Step 1: Deploy the Echo Server

apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo
  namespace: echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: echo
  template:
    metadata:
      labels:
        app: echo
        version: v1
    spec:
      containers:
        - name: echo
          image: gcr.io/istio-release/app:latest
          ports:
            - containerPort: 8000
          env:
            - name: PORT
              value: "8000"
            - name: VERSION
              value: "v1"
---
apiVersion: v1
kind: Service
metadata:
  name: echo
  namespace: echo
spec:
  selector:
    app: echo
  ports:
    - port: 8080
      targetPort: 8000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo-v2
  namespace: echo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echo
      version: v2
  template:
    metadata:
      labels:
        app: echo
        version: v2
    spec:
      containers:
        - name: echo
          image: gcr.io/istio-release/app:latest
          ports:
            - containerPort: 8000
          env:
            - name: PORT
              value: "8000"
            - name: VERSION
              value: "v2"

Step 2: Deploy the ambient HTTP client

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ambient-http-client
  namespace: client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ambient-http-client
  template:
    metadata:
      labels:
        app: ambient-http-client
        version: v1
    spec:
      containers:
        - name: client
          image: curlimages/curl
          command: ["/bin/sleep", "infinity"]

Step 3: Create Namespaces and Enable Ambient Mode

Enable ambient mode for both namespaces:

kubectl label namespace client istio.io/dataplane-mode=ambient
kubectl label namespace echo istio.io/dataplane-mode=ambient

Step 4: Create a TSB Workspace

apiVersion: api.tsb.tetrate.io/v2
kind: Workspace
metadata:
  name: ambient-demo-ws
  organization: <your-organization>
  tenant: <your-tenant>
spec:
  displayName: "Ambient Mode Demo Workspace"
  namespaceSelector:
    names:
      - "*/client"
      - "*/echo"

Apply the workspace configuration using tctl.

tctl apply -f ambient-demo-workspace.yaml

Step 5: Test Connectivity and Logs

Generate some traffic so that the service topology can be rendered in the TSB UI.

for i in {1..10}; do
  kubectl exec deployment/ambient-http-client -n client -- curl -s echo.echo.svc.cluster.local:8080/version
  sleep 1
done

Check the ztunnel logs to see mTLS traffic between namespaces:

kubectl logs -l app=ztunnel -n istio-system | grep -E "(client|echo|mTLS|inbound|outbound)"
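
To go from "matching lines exist" to "every client-to-echo flow was authenticated", the script below audits ztunnel access-log lines and flags any flow that lacks a SPIFFE identity on either side. It is an added example, not part of the TSB documentation; the key=value field names (src.namespace, dst.namespace, src.identity, dst.identity, src.workload, dst.workload, dst.addr) are an assumed log layout that may differ between ztunnel versions, and the sample lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: audit ztunnel access-log lines for flows between two namespaces.
# Assumption: space-separated key=value fields (src.namespace, dst.namespace,
# src.identity, dst.identity, ...) whose values contain no spaces.

# Constructed sample lines, not captured from a real cluster.
sample_logs() {
  cat <<'EOF'
2025-01-01T00:00:01Z info access connection complete src.addr=10.0.1.5:41000 src.workload="ambient-http-client-abc" src.namespace="client" src.identity="spiffe://cluster.local/ns/client/sa/default" dst.addr=10.0.2.7:15008 dst.hbone_addr=10.0.2.7:8000 dst.service="echo.echo.svc.cluster.local" dst.workload="echo-xyz" dst.namespace="echo" dst.identity="spiffe://cluster.local/ns/echo/sa/default" direction="outbound" bytes_sent=90 bytes_recv=210 duration="3ms"
2025-01-01T00:00:02Z info access connection complete src.addr=10.0.1.5:41002 src.workload="ambient-http-client-abc" src.namespace="client" src.identity="spiffe://cluster.local/ns/client/sa/default" dst.addr=10.0.2.8:15008 dst.hbone_addr=10.0.2.8:8000 dst.service="echo.echo.svc.cluster.local" dst.workload="echo-v2-def" dst.namespace="echo" dst.identity="spiffe://cluster.local/ns/echo/sa/default" direction="outbound" bytes_sent=90 bytes_recv=210 duration="2ms"
2025-01-01T00:00:03Z info access connection complete src.addr=10.0.1.5:41004 src.workload="ambient-http-client-abc" src.namespace="client" src.identity="spiffe://cluster.local/ns/client/sa/default" dst.addr=10.0.2.9:8000 dst.workload="echo-old" dst.namespace="echo" direction="outbound" bytes_sent=90 bytes_recv=210 duration="2ms"
2025-01-01T00:00:04Z info xds received response type_url="type.googleapis.com/istio.workload.Address"
EOF
}

# audit_flows SRC_NS DST_NS: reads log lines on stdin, prints a summary line
# followed by every flow that lacks a SPIFFE identity on either side.
# Returns 0 only if at least one flow was seen and all of them had both identities.
audit_flows() {
  awk -v src="$1" -v dst="$2" '
    # Return the value of a key=value field on the current line, quotes stripped.
    function val(key,   i, v) {
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) {
          v = substr($i, length(key) + 2); gsub(/"/, "", v); return v
        }
      return ""
    }
    / access / {
      if (val("src.namespace") != src || val("dst.namespace") != dst) next
      s = val("src.identity"); d = val("dst.identity")
      if (index(s, "spiffe://") == 1 && index(d, "spiffe://") == 1) { mtls++; next }
      plain++
      bad = bad "PLAINTEXT " val("src.workload") " -> " val("dst.workload")
      bad = bad " (" val("dst.addr") ")\n"
    }
    END {
      printf "mtls=%d plaintext=%d\n%s", mtls, plain, bad
      exit ((plain > 0 || mtls == 0) ? 1 : 0)
    }'
}

# Against a cluster: kubectl logs -l app=ztunnel -n istio-system | audit_flows client echo
sample_logs | audit_flows client echo || echo "unauthenticated or missing flows: review the output above"
```

A non-zero return with mtls=0 plaintext=0 means no matching flows were logged at all, which should be treated as "not verified" rather than "encrypted".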

Step 6: View the Topology in the UI

After generating traffic, you can view the service topology in the TSB UI. For detailed steps on navigating the topology view, see the TSB Topology and Metrics guide.

The topology view will show your ambient-enabled services with automatic mTLS encryption as shown below.

[Figure: Ambient topology]

The topology display will include:

  • Service nodes for both ambient-http-client and echo
  • Traffic flow arrows indicating the direction of communication
  • mTLS indicators showing that traffic is automatically encrypted
  • Request metrics and success rates