KubeCon + CloudNativeCon + Open Source Summit + AI_dev China 2024

Istio Ambient separates the L4/L7 functions found in the traditional sidecar model and introduces the ztunnel component, which implement the L4 network load balancing and secure zero-trust. However, as ztunnel is deployed at the node level with DaemonSet, any malfunction or anomaly in ztunnel may impact the traffic of all mesh-related pods under that node. Furthermore, performance tests of Ambient Mesh have not delivered the anticipated outcomes; ztunnel often becomes a performance bottleneck. These factors make it challenging to apply Ambient Mesh in production environments. it appears that we require a more optimized and practical implementation solution. This session will share: 1. An introduction to the architecture of Istio Ambient Mesh, along with current known issues with the existing implement. 2. using eBPF to implement zero-trust and L4 network traffic capabilities, enhancing the stability of the Mesh network, and significantly improving overall performance.

Istio Ambient将传统的边车模型中发现的L4/L7功能分离，并引入了ztunnel组件，实现了L4网络负载均衡和安全的零信任。然而，由于ztunnel部署在节点级别的DaemonSet上，ztunnel中的任何故障或异常可能会影响该节点下所有与网格相关的Pod的流量。此外，Ambient Mesh的性能测试并未达到预期的结果；ztunnel经常成为性能瓶颈。这些因素使得在生产环境中应用Ambient Mesh变得具有挑战性。看起来我们需要一个更优化和实用的实现解决方案。 本次会话将分享： 1. Istio Ambient Mesh架构的介绍，以及现有实现中已知的问题。 2. 使用eBPF实现零信任和L4网络流量功能，增强Mesh网络的稳定性，并显著提高整体性能。