Analysis of the Limitations of Istio Ambient Mode

In-depth discussion on the Ambient mode in Istio 1.22, comparison with the traditional Sidecar mode, and its limitations.

Copyright
This is an original article by Jimmy Song. You may repost it, but please credit this source: https://jimmysong.io/en/blog/istio-ambient-mode-limitations/

Istio 1.22 marks the official beta release of Ambient mode, accompanied by a blog titled Say goodbye to your sidecars: Istio’s ambient mode reaches Beta in v1.22, claiming that Layer 4 and Layer 7 features are now production-ready. This milestone was actually announced by the community at KubeCon EU a month earlier. Such exciting promotion seems to suggest that we can completely abandon the Sidecar mode, but is this really the case?

Why Not Hurry to Say Goodbye to Sidecar Mode?

While I am open to new technologies, it may be premature to completely abandon the Sidecar mode. Each mode has its specific application scenarios, advantages, and disadvantages. Below, I will share in detail some of the limitations of the Ambient mode compared to the Sidecar mode, to help everyone better understand the differences between the two.

Key Differences Between Ambient Mode and Sidecar Mode

Traffic Management

The L7 traffic management support in Ambient mode is not yet mature and production-ready. In contrast, Sidecar mode is more stable and reliable in this regard.

Security

In Ambient mode, mTLS is enforced at the namespace level, whereas Sidecar mode gives users more flexibility to choose whether to enable mTLS. This flexibility is particularly important for certain application scenarios.

Observability

For L7 layer telemetry data, it remains questionable whether Ambient mode can provide precise monitoring and tracing for each pod as effectively as Sidecar mode. Sidecar mode has been widely validated in terms of observability and is more mature.

Operations

In terms of deployment, Ambient mode recommends using Helm and only supports the Kubernetes platform, while Sidecar mode also supports VMs and hybrid cloud environments. Additionally, Ambient mode has not yet received official support from major cloud vendors. During upgrades, Ambient mode has a larger blast radius and currently does not support canary releases, recommending blue-green deployments instead. There is still a lack of best practices for migrating from Sidecar mode to Ambient mode or coexisting with both.

Extensibility

Currently, support for Wasm plugins in Ambient mode is still unclear, whereas Sidecar mode already has relatively complete support in this area.

Other Functional Features

While Dual Stack mode is still experimental in Sidecar mode, it has at least some implementation, whereas it remains unclear whether Ambient mode supports this feature.

Conclusion

Although Istio 1.22 brings the exciting Ambient mode, we need to carefully consider these limitations and differences before completely saying goodbye to Sidecar mode. Each mode has its unique advantages and applicable scenarios, and users should make informed choices based on their own needs. I will continue to test and track Ambient mode, so stay tuned to this blog for more in-depth analysis.

Last updated on Dec 3, 2024