
Ambient Mesh is Istio’s sidecar-less operating mode that moves proxy responsibilities away from per-pod sidecars and splits them into two components: ztunnel and Waypoint Proxy. This design reduces per-pod resource overhead and simplifies workload deployments while keeping core service-mesh features like mTLS, authentication, authorization, and logging. Key characteristics:
  • Sidecar-less: no injected Envoy per-pod by default.
  • L4 (transport) handled at the node level by ztunnel.
  • L7 (HTTP) handled optionally by Waypoint proxies in namespaces that need application-layer features.

Core components

| Component | Role | Deployment pattern |
| --- | --- | --- |
| ztunnel | Rust-based agent that intercepts inbound/outbound pod traffic at the node (Layer 4). Handles mTLS (encryption/decryption), authentication, authorization, logging, and L4 policy enforcement. | Deployed as a DaemonSet (one per node). |
| Waypoint Proxy | Envoy-based proxy that performs Layer 7 functions: path/header routing, rewrites, fault injection, aborts, and other HTTP features. | Deployed as a namespace-scoped workload (e.g., Deployment); created only when L7 features are needed. |
Waypoint proxies are optional — if you don’t require Layer 7 functionality, traffic remains at Layer 4 and is handled by ztunnel. Note: ztunnel is Rust-based while Waypoint uses Envoy for L7 features.

What ztunnel and Waypoint do (L4 vs L7)

  • ztunnel (L4): Intercepts TCP/UDP at the node, enforces transport-layer policy, and integrates with the Istio control plane and Kubernetes service model for service discovery and routing decisions.
  • Waypoint (L7): Runs Envoy to provide HTTP-level routing and policies. Use Waypoint when you need L7 capabilities such as URL/path-based routing, header manipulation, or advanced HTTP traffic controls.

Important limitations and guidance

  • Feature parity: Ambient Mesh doesn’t yet provide all the L7 features available in sidecar mode. Some L7 features (for example, certain timeouts, retries, or mirroring behaviors) may not be fully supported via Waypoint.
  • Gateway API & Kubernetes-native resources: For advanced L7 routing, you may need to use Kubernetes-native APIs such as the Gateway API (e.g., HTTPRoute) or Kubernetes gateway resources instead of Istio-specific CRDs. These native APIs express L7 routing differently than sidecar-mode Istio configuration and can be more verbose or have different semantics.
Example HTTPRoute using the Kubernetes Gateway API to split traffic between two backend services:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: hello-http-route
  namespace: hello
spec:
  # Attach the route to the Service itself (group "" = core API group);
  # in ambient mode the namespace's Waypoint proxy enforces it.
  parentRefs:
  - group: ""
    kind: Service
    name: helloworld
    port: 5000
  rules:
  # Weighted split: 5% of requests go to v1, 95% to v2.
  - backendRefs:
    - name: helloworld-v1
      port: 5000
      weight: 5
    - name: helloworld-v2
      port: 5000
      weight: 95
```
This example demonstrates how Layer 7 routing is expressed with native Kubernetes resources rather than Istio sidecar CRDs. When preparing for production or certification, validate whether the required L7 behaviors are supported in Waypoint + Gateway API.

Comparison: Ambient Mesh vs Sidecar mode

| Aspect | Sidecar mode | Ambient mode |
| --- | --- | --- |
| Proxy placement | Envoy sidecar injected beside each pod (per-pod) | ztunnel DaemonSet (per-node) + optional Waypoint (per-namespace) |
| L4 handling | Sidecar Envoy handles L4 on the pod | ztunnel handles L4 at the node |
| L7 handling | Envoy sidecars handle L7 for each pod | Waypoint Envoy handles L7 only when deployed in a namespace |
| Resource overhead | Higher (per-pod proxies) | Lower (fewer total proxies) |
| Feature completeness | Mature, full L7 feature set | Evolving: some L7 features may be limited or require Kubernetes-native APIs |
[Diagram: "Sidecarless". A Kubernetes service mesh across three nodes, each containing namespaces with apps and services; Waypoint proxies and ztunnel instances connect and route traffic between services.]
In the diagram above:
  • ztunnel instances run as a DaemonSet on each node to intercept and enforce L4 traffic for that node’s pods.
  • Waypoint proxies are deployed into namespaces that require L7 processing; these are namespace-scoped workloads running Envoy.

Benefits of Ambient Mesh

  • Reduced number of proxies to manage (no per-pod sidecars by default).
  • Lower compute and memory overhead across the cluster.
  • Simpler workload manifests and fewer injected containers per pod.

Caveats and best practices

  • Check the current Istio/Ambient Mesh documentation for the latest supported features and limitations—feature parity is evolving.
  • When you need advanced L7 behavior, prefer Waypoint combined with Kubernetes Gateway API resources. Test Gateway API routing semantics carefully, as they differ from classic Istio sidecar CRDs.
  • For production, validate mTLS and policy behaviors end-to-end (node-level interception plus namespace-level Waypoint integration).

ICA exam relevance

The Istio Certified Associate (ICA) exam emphasizes installing Ambient Mesh and labeling namespaces to enable ambient mode. For exam preparation, focus on:
  • Installing Ambient Mesh components (including ztunnel DaemonSet).
  • Labeling namespaces to opt workloads into ambient mode.
  • Understanding when to add Waypoint proxies and how L4/L7 responsibilities are split.
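The labeling and Waypoint steps above as manifests, added here as an example and not taken from the course: it assumes Istio was installed with the ambient profile (`istioctl install --set profile=ambient`) and the Gateway API CRDs are present, and the namespace `hello` and service account `client` are placeholder names.

```yaml
# Opt the namespace into ambient mode: ztunnel on each node now handles L4
# (mTLS, L4 policy) for every pod here, with no sidecar injection.
apiVersion: v1
kind: Namespace
metadata:
  name: hello                          # assumed namespace name
  labels:
    istio.io/dataplane-mode: ambient   # enrol all pods in ambient mode
    istio.io/use-waypoint: waypoint    # send Service traffic via the waypoint below
---
# Waypoint proxy: Istio creates an Envoy deployment from this Gateway.
# istioctl waypoint apply -n hello --enroll-namespace generates the same objects.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint
  namespace: hello
  labels:
    istio.io/waypoint-for: service     # proxy traffic addressed to Services here
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008                        # HBONE port ztunnel uses to reach the waypoint
    protocol: HBONE
---
# L7 policy: only GET /hello from the client identity may reach services behind
# the waypoint. Method/path rules are L7, so the policy is bound to the waypoint
# (targetRefs) rather than to pods, where ztunnel can only evaluate L4 attributes.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: helloworld-get-only
  namespace: hello
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: waypoint
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/hello/sa/client"]   # assumed client SA
    to:
    - operation:
        methods: ["GET"]
        paths: ["/hello"]
```

After applying, `istioctl ztunnel-config workloads` lists each pod in `hello` together with the waypoint it is routed through, which is the quickest check that both labels took effect.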
This lesson covered Ambient Mesh architecture, the roles of ztunnel and Waypoint, differences from sidecar mode, limitations, and the ICA exam focus—installing Ambient Mesh and labeling namespaces to opt into ambient mode.
