Tetrate Service BridgeVersion: nextTetrate support of Istio clusters running in Ambient mode
Ambient mode support requires Istio 1.24+.
In addition to TSB's support of Istio with sidecar proxies, clusters running Istio in Ambient mode are also supported starting TSB 1.12.1.
With TSB, users can configure security, traffic management, high-availability and observability just like TSB's support for Istio with sidecar proxies.
TSB installs and manages a private Istio distribution in Kubernetes clusters, so that users do not need to manage the configuration and lifecycle of Istio.
Users configure their traffic management policies using TSB's Bridged-mode APIs. These provide a richer abstraction on top of the low-level Istio APIs, and are multi-cluster, error-resistant, simpler to use and generate efficient, optimized Istio and Envoy configurations.
With care and wherever applicable, expert users can additionally partition the generated configuration and inject specific Istio configuration using Tetrate's Direct-mode APIs, giving precise, fine-grained configuration where necessary.
TSB maintains configuration for each cluster dynamically, in response to user configuration (Bridged and Direct APIs) and to the state of each cluster under control of TSB. This allows TSB to manage very complex, dynamic scenarios such as cross-cluster traffic, high availability, and multi-cloud service discovery.
TSB uses a private Istio distribution, and that brings the benefits of having support for features that still do not have support in upstream Istio - for example, TSB supports routing and traffic management of multi-cluster deployments.
What is Ambient mode?
Istio's ambient mode promises a reduced resource overhead in some use cases compared to the traditional sidecar deployment mode, which may result in lower costs and improved performance for some users by eliminating the need for a dedicated proxy container within each pod, while still providing service mesh capabilities like traffic management and security.
Ambient mode treats Node level traffic (at Layer 4 - designated as zTunnel) and Proxy level traffic (at Layer 7 - designated as Waypoint) as separate components, with the Waypoints associated only to a subset of services that specifically need Layer 7 capabilities support and thereby consuming fewer resources.
Most customers will be running a mesh with both the traditional, sidecar enabled Istio and ambient mode.
Feature Support
TSB Features are supported in ambient mode. Any feature that requires Layer 7 capabilities needs to have a waypoint configured for the associated service.
| Area | Description | Support |
|---|---|---|
| Control Plane Installation/Cluster Onboarding | ||
| helm | ✓ | |
| tctl | ✓ | |
| Isolation Boundaries | ✓ | |
| Configuration Hierarchy | ||
| Organization/Tenant/Workspace Settings | ✓ | |
| Configuration Profiles | ✓ (Beta) | |
| Segmentation | ✓ (Beta) | |
| Configuration | ||
| Traffic | ✓ (Bridge API support is Beta) | |
| Gateway | ✓ | |
| Security | ✓ | |
| Istio Internal | x | |
| Multi-cluster routing and failover for HTTP traffic | ✓ | |
| Observability | ||
| Metrics | ✓ | |
| Topology | ✓ | |
| Traces | ✓ (With workload instrumentation) | |
| Logs | ✓ (Only zTunnel and Waypoint logs) | |
| Extensions | ||
| WASM | ✓ (With Waypoint configured) | |
| WAF | ✓ (With Waypoint configured) | |
| Troubleshooting | ||
| Proxy Tools | ✓ (Only Waypoint proxies) | |
| TSB Component Status | ✓ (Beta) |