Add workloads to the mesh

Documentation

Setup

With your ambient mesh installed, you can now go ahead and add your workloads to it. This process is as simple as applying the istio.io/dataplane-mode=ambient label to a namespace or an individual pod. Similarily, to remove worklads from the ambient mesh, you simply remove that label again. Unlike in sidecar-based service mesh architectures, there is no need to restart applications to add or remove them from the ambient mesh.

Label a namespace:

$ kubectl label namespace $NAMESPACE istio.io/dataplane-mode=ambient

Label a pod:

$ kubectl label pod $POD istio.io/dataplane-mode=ambient

After the label is applied, all Layer 4 traffic to and from your ambient mesh workloads is automatically intercepted and secured via mutual TLS (mTLS) by the ztunnel that is co-located on the same node as your workload. No further configuration is required.

Congratulations! You successfully added workloads to your ambient mesh.

Next steps

Let’s explore how you can verify and further secure your applications in the mesh.

Verify mTLS is active Add an L4 authorization policy

Want to use L7 functionality in your mesh, such as advanced traffic routing or Layer 7 authorization policies? Deploy a waypoint proxy and enroll your workloads to use it.

Installation Configure waypoint proxies