CONTENTS

You've successfully subscribed to The DevOps Bootcamp 🚀
Great! Next, complete checkout for full access to The DevOps Bootcamp 🚀
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info is updated.
Billing info update failed.

Lab 4/4 🔬Istio Ambiant Mesh

Yiadh TLIJANI
Yiadh TLIJANI

Ambient interoperability with sidecars

All the Pods don't need to use the new Ambient mode.

You can have some Pods using sidecars while others are using Ambient.

Let's create a new namespace called httpbin:

kubectl create namespace httpbin

To use sidecars in this namespace, you need to label it accordingly:

kubectl label namespace httpbin istio-injection=enabled

Then, you can deploy the httpbin application:

kubectl apply -n httpbin -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80

EOF

Finally, we can send a request from the sleep Pod (ambient mode) to the httpbin Pod (sidecar):

kubectl exec deploy/sleep -- curl http://httpbin.httpbin.svc.cluster.local:8000/get

You should get something like this:

{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Host": "httpbin.httpbin.svc.cluster.local:8000",
    "User-Agent": "curl/7.69.1",
    "X-B3-Sampled": "0",
    "X-B3-Spanid": "6077510bb5518fe9",
    "X-B3-Traceid": "000e61ea1432b6bb6077510bb5518fe9",
    "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/httpbin/sa/httpbin;Hash=38cd6dbe6ad7695f7d76ed110e6acdc90e842397b7c968e0ecee3e67f96634e1;Subject=\"\";URI=spiffe://cluster.local/ns/default/sa/sleep"
  },
  "origin": "127.0.0.1",
  "url": "https://httpbin.httpbin.svc.cluster.local:8000/get"
}

You can see that the httpbin application has received the request with the X-Forwarded-Client-Cert indicating that the request was sent by a Pod with the identity corresponding to the sleep service account.

LabsKubernetesNetworkingSecurityService Mesh
Yiadh TLIJANI

Yiadh TLIJANI

Founder of The DevOps Bootcamp | Senior DevSecOps Engineer | Certified Kubernetes Developer, Administrator and Security Specialist

You might also like

Lab 3/4 🔬Istio Ambiant Mesh

Lab 3/4 🔬Istio Ambiant Mesh
Members Public

L7 authorization policiesL4 policies are useful but may not be sufficient for your needs. For example, you’ll be able to send any request to the web-api service from the sleep pod while you may only want to allow requests with the GET method. In order to have any L7

Yiadh TLIJANI
Yiadh TLIJANI
Labs
Lab 2/3 🔬Istio Ambiant Mesh

Lab 2/3 🔬Istio Ambiant Mesh
Members Public

Add services to AmbientAdding services to Ambient is very simple. You just need to add the istio.io/dataplane-mode=ambient label to your namespace to have all the corresponding pods managed by Ambient. kubectl label namespace default istio.io/dataplane-mode=ambientNow, take a look at the logs of the Istio

Yiadh TLIJANI
Yiadh TLIJANI
Labs