Use Layer 7 features

By adding a waypoint proxy to your traffic flow you can enable more of Istio’s features.

Ambient mode supports configuring waypoints using the Kubernetes Gateway API. Configurations that apply to a Gateway API are called policies.

The Istio classic traffic management APIs (virtual service, destination rules etc) remain at Alpha in the ambient data plane mode.

Mixing Istio classic API and Gateway API configuration is not supported, and will lead to undefined behavior.

Traffic routing

With a waypoint proxy deployed, you can use the following API types:

NameFeature StatusAttachment
HTTPRouteBetaparentRefs
TCPRouteAlphaparentRefs
TLSRouteAlphaparentRefs

Refer to the traffic management documentation to see the range of features that can be implemented using these routes.

Security

Without a waypoint installed, you can only use Layer 4 security policies. By adding a waypoint, you gain access to the following policies:

NameFeature StatusAttachment
AuthorizationPolicy (including L7 features)BetatargetRefs
RequestAuthenticationBetatargetRefs

Observability

The full set of Istio traffic metrics are exported by a waypoint proxy.

Extension

As the waypoint proxy is a deployment of Envoy, the extension mechanisms that are available for Envoy in sidecar mode are also available to waypoint proxies.

NameFeature StatusAttachment
WasmPluginAlphatargetRefs
EnvoyFilterAlphatargetRefs

Targeting policies or routing rules

Attach to the entire waypoint proxy

To attach a policy or routing rule to the entire waypoint — so that it applies to all traffic enrolled to use it — set Gateway as the parentRefs or targetRefs value, depending on the type.

For example, to apply an AuthorizationPolicy policy to the waypoint named waypoint for the default namespace:

  1. $ kubectl apply -f - <<EOF
  2. apiVersion: security.istio.io/v1beta1
  3. kind: AuthorizationPolicy
  4. metadata:
  5.   name: viewer
  6.   namespace: default
  7. spec:
  8.   targetRefs:
  9.   - kind: Gateway
  10.     group: gateway.networking.k8s.io
  11.     name: waypoint
  12.   action: ALLOW
  13.   rules:
  14.   - from:
  15.     - source:
  16.         namespaces: ["default", "istio-system"]
  17.     to:
  18.     - operation:
  19.         methods: ["GET"]
  20. EOF

Attach to a specific service

You can also attach a policy or routing rule to a specific service within the waypoint. Set Service as the parentRefs or targetRefs value, as appropriate.

The example below shows how to apply the reviews HTTPRoute to the reviews service in the default namespace:

  1. $ kubectl apply -f - <<EOF
  2. apiVersion: gateway.networking.k8s.io/v1beta1
  3. kind: HTTPRoute
  4. metadata:
  5.   name: reviews
  6. spec:
  7.   parentRefs:
  8.   - group: ""
  9.     kind: Service
  10.     name: reviews
  11.     port: 9080
  12.   rules:
  13.   - backendRefs:
  14.     - name: reviews-v1
  15.       port: 9080
  16.       weight: 90
  17.     - name: reviews-v2
  18.       port: 9080
  19.       weight: 10
  20. EOF