Navigating the Service Mesh Architecture Debate: Sidecar vs. Sidecarless

Explore the evolving debate between sidecar and sidecarless service mesh architectures with insights from top industry experts on performance, security, and complexity.

Service meshes have become an integral part of modern cloud-native application architectures, helping teams manage microservices communications, enhance security, and optimize performance. However, as technology evolves, intense debates over the best practices for service mesh architecture have surfaced, particularly around the choice between sidecar and sidecarless models. The core of this debate revolves around finding the best balance between performance, resource utilization, security, and operational complexity. Recently, Cilium introduced a sidecarless architecture using eBPF technology, while Istio launched the Ambient model, blending traditional sidecar benefits with sidecarless advantages. Meanwhile, Linkerd remains committed to the sidecar architecture and maintains a conservative stance towards emerging sidecarless approaches. This article delves into the main viewpoints and controversies surrounding these service mesh architectures and analyzes the strengths and challenges of each approach.

The Sidecar vs. Sidecarless Service Mesh Debate

The debate over sidecar versus sidecarless service mesh architectures has intensified following the introduction of Cilium and the evolution of major service mesh technologies, especially after 2021:

  1. Launch of Cilium Service Mesh (December 2021): Cilium introduced a sidecarless service mesh architecture via eBPF technology, sparking discussions about the traditional sidecar model. This marked the rise of sidecarless architectures.

  2. Reactions from Linkerd and Istio (December 2021 to Early 2022): Linkerd’s founder William Morgan and his team expressed concerns about Cilium’s sidecarless approach, fearing it could introduce security and performance issues. This discussion gradually evolved into a broader debate between sidecar and sidecarless architectures.

  3. Istio’s Ambient Mesh Concept (May 2022): Istio proposed the Ambient Mesh, attempting to combine the advantages of sidecars and host-level proxies, further intensifying the debate among different stakeholders regarding service mesh architectures. At this point, the industry’s perspectives on different service mesh architectures began to diverge.

  4. Publication of Expert Opinions (December 2021 to 2023): Several industry experts such as Thomas Graf and William Morgan expressed their views on sidecar versus sidecarless architectures in various forums, leading to a more systematic debate. These opinions have been widely discussed at multiple conferences and in articles, fostering a deeper understanding of service mesh architectures.

Perspectives from Different Stakeholders

Below is a summarized table of the public viewpoints from various service mesh providers and users.

| Person | Position/Company | Viewpoint |
| --- | --- | --- |
| Andrey Rybka | Bloomberg | Prefers Istio for its maturity, especially with support from major companies like Google. |
| Ara Pulido | Datadog Developer Relations Specialist | Believes eBPF tools like Cilium solve Kubernetes networking expansion issues and can fully replace kube-proxy, simplifying operations and enhancing performance. |
| Dale Ragan | SAP Concur Technologies Chief Software Engineer | Thinks eBPF offers better security, applicable across entire clusters and services; uses Cilium to replace Flannel as the container network interface (CNI) plugin in their production environment. |
| Dan Wendlandt | Isovalent CEO | Considers eBPF and service meshes complementary, with eBPF serving as a foundation that efficiently manages data ingress and egress for service mesh proxies like Envoy. |
| David Ortiz | Constant Contact Chief Software Engineer | Highly interested in Istio’s Ambient Mesh for its significant simplification of Istio’s operational processes, especially during upgrades. Plans to adopt it soon. |
| Filip Nikolic | PostFinance | Finds that eBPF-based sidecarless service meshes offer higher network performance and efficiency, with evolving security practices. |
| Greg Otto | Comcast Cloud Services Executive | Interested in evaluating Istio Ambient Mesh upon maturity; seeks to separately extend and serve L7 and L4 functions, believing that reducing unnecessary L7 filtering can decrease security exposure and vulnerability risks. |
| John Mitchell | Independent Digital Transformation Consultant | Believes eBPF is currently hyped but genuinely has the potential to provide advanced network security features for Kubernetes without altering application code. |
| Kasper Nissen | Lunar Chief Platform Architect | Supports the sidecar architecture for its simplicity and compatibility with other container technologies; notes that resource consumption increased modestly post-full service mesh deployment. |
| Louis Ryan | Solo.io CTO | Highlights the benefits of Istio’s Ambient Mesh introduced in version 1.23, including reduced use of sidecars, simplified architecture, and enhanced performance and flexibility. |
| Thomas Graf | Isovalent CTO | Advocates for a sidecarless service mesh using eBPF and Cilium to optimize mTLS authentication and eliminate sidecars, thereby boosting performance and security. |
| William Morgan | Linkerd Founder and CEO of Buoyant | Strongly criticizes the sidecarless eBPF approach, maintaining that sidecars provide better security isolation and performance predictability. |

Table: Public Opinions on Service Mesh Technology Choices

Personal Insight

Having witnessed and participated in numerous discussions and implementations regarding service mesh architecture choices, I believe that choosing a service mesh should not be based solely on a technical feature comparison; it should also consider the team’s specific needs, compatibility with the existing tech stack, and future scalability.

In the debate between sidecar and sidecarless models, I see merits in both. While the sidecar model may increase resource consumption and management complexity in some scenarios, it provides finer-grained traffic control and security policy enforcement, which is invaluable in highly regulated enterprise environments. Conversely, the sidecarless model, especially when implemented via eBPF technology, brings unprecedented performance optimizations and resource efficiency to the service mesh, making it crucial for building efficient large-scale service meshes.

Thus, my advice to enterprises when choosing a service mesh architecture is to start from their business needs and consider security, performance, costs, and the team’s operational capability to select the most suitable service mesh solution.

Conclusion

This article summarized the current mainstream views on three popular service mesh projects:

  1. Linkerd: Emphasizes the security isolation and performance stability of the sidecar model, and criticizes the sidecarless eBPF approach as increasing complexity and security risks.
  2. Istio: Introduced Ambient Mesh, partially adopting a sidecarless method to reduce complexity and enhance performance while retaining some features of the traditional sidecar architecture, an approach that combines preservation with innovation.
  3. Cilium: Advocates for optimizing network performance and security with a sidecarless model using eBPF, simplifying operations while maintaining support for various protocols, pushing service mesh functionalities into the Linux kernel.

The diverse viewpoints reflect the different preferences and concerns regarding service mesh architecture design, and enterprises should choose the most suitable service mesh solution based on their needs and technical background.

Updated on May 20, 2025