{"id":18833997,"url":"https://github.com/jetstack/fleetops-gke-ambient","last_synced_at":"2026-01-27T14:05:16.950Z","repository":{"id":254264972,"uuid":"841928821","full_name":"jetstack/fleetops-gke-ambient","owner":"jetstack","description":null,"archived":false,"fork":false,"pushed_at":"2024-09-10T14:04:04.000Z","size":24669,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2024-12-30T07:27:16.507Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Makefile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jetstack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-13T10:26:14.000Z","updated_at":"2024-08-22T13:48:13.000Z","dependencies_parsed_at":"2024-08-22T12:12:59.531Z","dependency_job_id":"1d172303-7e0a-44d8-a188-baec64fc2cbf","html_url":"https://github.com/jetstack/fleetops-gke-ambient","commit_stats":null,"previous_names":["jetstack/fleetops-gke-ambient"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Ffleetops-gke-ambient","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Ffleetops-gke-ambient/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Ffleetops-gke-ambient/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Ffleetops-gke-ambient/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners
/jetstack","download_url":"https://codeload.github.com/jetstack/fleetops-gke-ambient/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239768930,"owners_count":19693764,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T02:06:05.149Z","updated_at":"2026-01-26T02:30:21.474Z","avatar_url":"https://github.com/jetstack.png","language":"Makefile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Istio Ambient on GKE\n\n\n## Deploy cluster\n\n```sh\nmake cluster\n```\n\n## Install Istio with ambient mode\n\nBy default in GKE, only kube-system has a defined ResourceQuota for the node-critical class. 
istio-cni and ztunnel both require the node-critical class; see the [docs](https://istio.io/latest/docs/ambient/install/platform-prerequisites/#google-kubernetes-engine-gke).\n\nCreate a ResourceQuota in the istio-system namespace:\n\n```sh\nkubectl create namespace istio-system\ncat \u003c\u003cEOF | kubectl apply -f -\napiVersion: v1\nkind: ResourceQuota\nmetadata:\n  name: gcp-critical-pods\n  namespace: istio-system\nspec:\n  hard:\n    pods: 1000\n  scopeSelector:\n    matchExpressions:\n    - operator: In\n      scopeName: PriorityClass\n      values:\n      - system-node-critical\nEOF\n```\n\nInstall the Kubernetes Gateway API CRDs:\n\n```sh\nmake ambient\n```\n\n## Deploy app\n\nDeploy the Bank of Anthos app in 2 different namespaces, one for ambient mode and the other for sidecar mode:\n\n```sh\ngit clone https://github.com/GoogleCloudPlatform/bank-of-anthos.git\n# Namespace bank-of-ambient\nmake app-ambient\n# Namespace bank-of-sidecar\nmake app-sidecar\n```\n\n## Viewing your mesh dashboard\n\n(Optional) Google Monitoring app metrics dashboard:\n\n```sh\ngcloud monitoring dashboards create --config-from-file=dashboard.json\n```\n\nDeploy Kiali, Prometheus and Grafana:\n\n```sh\nkubectl apply -f addons\n```\n\nAccess dashboards:\n\n```sh\nistioctl dashboard kiali\n```\n\n```sh\nistioctl dashboard grafana\n```\n\nAdd the [grafana dashboard](./ambient-performance-analysis.json)\n\n## Adding application to the mesh\n\nAdd the same application to the mesh using sidecars in a different namespace:\n\n```sh\nkubectl label namespace bank-of-sidecar istio-injection=enabled\n```\n\nRestart pods:\n\n```sh\nkubectl -n bank-of-sidecar rollout restart deploy\n```\n\nAdd your application to ambient\n_Note that you can apply this label to a namespace or to a single specific pod_\n\n```sh\nkubectl label namespace bank-of-ambient istio.io/dataplane-mode=ambient\n```\n\nDeploy Gateway and VirtualService to access the frontend through the IngressGateway:\n\n```sh\nkubectl apply 
-f frontend-ingress.yaml -n bank-of-ambient\n```\n\nCheck logs of Ztunnel\n\nFirst install [stern](https://github.com/stern/stern) on your workstation.\n\n```sh\nstern ztunnel -n istio-system\n```\n\nDebug Ztunnel:\n\n```sh\nistioctl x ztunnel-config workloads\n```\n\n## Mesh in action\n\nSend traffic:\n\n```sh\nexport GATEWAY_HOST_EXT=$(kubectl get service/istio-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}' -n istio-ingress)\ncurl http://$GATEWAY_HOST_EXT\n```\n\nAccess Kiali and see the graph\n\n```sh\nistioctl dashboard kiali\n```\n\nDeploy the simple sleep service. This will be used to curl our frontend\n\n```sh\nkubectl apply -f istio-1.22.3/samples/sleep/sleep.yaml -n bank-of-ambient\n```\n\nCreate an authorization policy to only allow calls from istio-ingress and the sleep service:\n\n```sh\nkubectl apply -f authorization-policy.yaml\n```\n\nCompare resource consumption. Access the Grafana dashboard\n\n```sh\nistioctl dashboard grafana\n```\n\n## Waypoint proxies\n\nInstall Kubernetes Gateway API CRDs. 
Waypoint proxies use Gateway APIs and act as Gateways.\n\n```sh\nkubectl get crd gateways.gateway.networking.k8s.io \u0026\u003e /dev/null || \\\n  { kubectl kustomize \"github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v1.1.0\" | kubectl apply -f -; }\n```\n\nEnable waypoint proxy\n\n```sh\nistioctl x waypoint apply --enroll-namespace -n bank-of-ambient --wait\n```\n\nValidate that a Pod and a Gateway are created for the waypoint proxy\n\n```sh\nkubectl get pods -n bank-of-ambient\nkubectl get gtw -n bank-of-ambient\n```\n\nAuthorization policy\n\n```sh\nkubectl apply -f L7-policy.yaml\n```\n\nVerify the new waypoint proxy is enforcing the authorization policy:\n\n```sh\nexport SLEEP_POD=$(kubectl get pods -n bank-of-ambient -l app=sleep -o 'jsonpath={.items[0].metadata.name}')\nkubectl exec -it $SLEEP_POD -n bank-of-ambient -- curl frontend -X DELETE\n```\n\n## Performance testing\n\nWe will use [Fortio](https://fortio.org/), which is a load testing tool developed by Istio.\n\n```sh\nkubectl apply -f fortio.yaml\n```\n\nLaunch Fortio web interface to configure and perform latency tests:\n\n```sh\nkubectl port-forward svc/fortio 8080:8080\n```\n\nISTIO_INGRESS=34.147.178.37\nbank of sidecar IP: 34.105.185.155","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Ffleetops-gke-ambient","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjetstack%2Ffleetops-gke-ambient","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Ffleetops-gke-ambient/lists"}