Ambient Mesh: Sidestepping the Sidecar
Last fall, Solo.io and Google introduced Istio ambient mesh, a new mode for Istio that leverages a mesh data plane instead of deploying sidecar proxies, without sacrificing key strengths such as zero trust security.
IDC research vice president Brad Casemore told The New Stack that the offering reflects a broader trend in the market. Cilium Service Mesh, he noted, also offers the option of running without sidecars.
“It’s a trend, I think, that’s related to the cost of sidecars, both in the complexity of injecting them and managing them into the mesh, and also the cost of overhead, because they are extra containers running within the service mesh,” he said.
Avoiding sidecars, Casemore said, also reduces the barrier to entry for organizations that lack key expertise.
“As we see more containers and cloud native application architectures proliferating in enterprises, most folks don’t have the very high-skilled, high-price-tag Kubernetes folks in-house, and they’re looking for simple ways to adopt this technology – and when they look at things like sidecars, it often is very intimidating to them,” he said.
Torsten Volk, managing research director at Enterprise Management Associates, said that ambient mesh can free developers to focus on what they do best.
“The concept of the ambient mesh enables DevOps engineers to provide all the individual components required to establish connectivity, security, compliance and reliability directly through a unified API that is attached to each node of each Kubernetes cluster,” he said.
“The core layer of ambient mesh basically delivers zero trust on demand in a very simple manner and in the form of an open source project,” Volk said. “I would expect Kubernetes platform vendors and product vendors from other CNCF [Cloud Native Computing Foundation] categories to incorporate ambient mesh into their solutions, as it could be an easy way toward offering zero trust security for their products.
According to Solo.io vice president and global field CTO Christian Posta, the two key benefits of ambient mesh are ease of application onboarding and of managing upgrades.
“Service mesh is infrastructure-level technology, but since a component of it is tied very, very intimately with the application, it creates that friction that if I want to upgrade a piece of the infrastructure, I also have to coordinate with the application, restart all the applications, change out their proxies,” he said.
Without a sidecar, that friction goes away – and it also makes it far less disruptive to respond to vulnerabilities. “If we have a CVE and we need to patch something, we’ve got to do it quickly, and we’ve got to do it without disruption of the running apps. It’s much easier to do it if the components of the service mesh are running outside of that,” Posta said.
For Solo.io, Posta said, those were the core drivers for the development of the new offering.
“What we are really interested in is, how do we simplify onboarding, which could potentially open up new cases, and keep the mesh running in Day 2 with minimal interference to the running applications?”
Upgrades Without Disruption
Imagine, Posta said, that a vulnerability is found in Envoy.
“Istio uses Envoy Proxy as a sidecar, so if you start to see these CVEs in Envoy, then we’ve got to go upgrade Envoy – and if Envoy is deployed with the applications, you think, ‘All right, I’ve got to go upgrade the applications because I have to change out the proxy,'” he said.
Doing so requires careful planning.
“You have to say, ‘Well, let’s restart this application first, and then we have to wait for that to come up, and then we’re going to restart this application,’ and so on,” Posta said. “There’s coordination that has to happen so you don’t get any unexpected outages, because the proxy’s tied to the app.”
With ambient mesh, Posta said, the process is far easier.
“Since nothing is in the app, whatever steps you have to take to upgrade the service mesh, you don’t have to restart any of the applications,” Posta said. “You don’t have to think about, ‘Well, I’ve got to restart A first, because that would otherwise impact B or C.’ It doesn’t matter to the applications. That orchestration and planning and rolling upgrades, and all this stuff that has to happen that could potentially cause an outage, doesn’t happen anymore.”
You can restart and upgrade the ambient mesh waypoint proxies, Posta said, without the applications even being aware of the change.
“Obviously, we’re not going to take every single waypoint proxy down at once, but we’ll do a rolling upgrade of the waypoint proxy – and again, we’re not coordinating anything with the app developers or with the application,” he said.
A Place for Sidecars
Still, sidecars will likely still have their place, at least for the foreseeable future. For some organizations, Volk said, compliance concerns can encourage their continuing use.
“The fact that sidecars attach the service networking layer to the application instead of to the underlying infrastructure cluster can enable a higher degree of workload separation and therefore be relevant from a compliance perspective,” he said.
More generally, Posta said a sidecar can be useful when you need to focus on settings and capabilities that only apply on the client side.
“The waypoint proxy that we use in ambient, which is assigned per workload type, represents the target workload … but now you don’t have the capabilities representing the client directly,” he said.
As an example, Posta said, Istio’s retry policy allows you to configure the client to retry a request if that client calls a service and the request fails.
“That decision is made on the client side, because the proxy is deployed with the client,” he said.
In ambient mode, on the other hand, the request goes from the client to the waypoint proxy, which implements retries on the client’s behalf.
“So we’re pushing all of the policies – whether, in the sidecar mode, it was on the client side or the service side – we’re pushing all of that to the server side,” Posta said. “But if there are client-side-specific things that we want to tune, we might need to allocate dedicated resources specifically for certain clients.”
Casemore said the wide range of established service mesh deployments, particularly those that require FIPS (Federal Information Processing Standards) compliance, will ensure that sidecars don’t disappear any time soon. “Those environments aren’t going away, but more and more, I think you will see the greater degree of growth in those non-sidecar environments,” he said.