Production readiness

Documentation

Setup

When you’re ready to take ambient mesh to production, there are a few things we recommend you should monitor.

Configuration changes for production

Resource allocation & scaling

The ztunnel is a DaemonSet, which runs one per node. While ztunnel scales with the size of the cluster (in terms of pods and services) as well as traffic rates (connections, requests, and throughput), it is designed to have a small footprint and to handle large scale clusters out of the box. Typically, you should not expect to need any configuration changes unless:

The cluster has over 100,000 pods or 20,000 services
An individual node is serving over 20,000 connections, 100,000 requests per second, or 5Gb/s of traffic

Note: these are not limits of ztunnel — which can scale beyond these — and are merely the thresholds at which point we recommend analyzing usage and vertically scaling the CPU/memory reservations to match observed usage.

Upgrading

See the upgrading page for how to safely upgrade Istio when a new version is released.

Considerations for users already familiar with Istio

For people familar with Istio in sidecar mode, there are some considerations when using it in ambient mode.

Layer 7 metrics are only collected for workloads with a waypoint deployed, or when using Gloo Mesh.
Authorization policies with Layer 7 conditions will only work when bound to a waypoint.

Multiple clusters

As of v1.23.2, Istio in ambient mode only supports running in a single Kubernetes cluster.

Multi-cluster support is available in Gloo Mesh, an enterprise distribution of ambient mesh.

VMs

Istio does not yet support adding external (VM) workloads to an ambient mesh.

Support for VM workloads is available in Gloo Mesh, an enterprise distribution of ambient mesh.

Envoy extensibility

Waypoints can be extended with WebAssembly, but the EnvoyFilter extension point is not supported.

Configure waypoint proxies Traffic management