From YouTube: Common Questions for Istio Ambient Mesh
Description
We have been speaking to many users about Istio ambient mesh. Come hear the common questions users ask and also hear answers from Christian, Denis and Lin. Bring your questions!!!
A
Hello, hello, welcome to another Hoot livestream. We are so happy. This is a really special week for the Istio community and also for Solo, so we're doing a Hoot livestream every single day this week. Yesterday we had a livestream with the Google team and some of our Solo members. So today we actually have, well.
A
I feel that lead Christian and Denis, who spoke us with some of the common questions they heard from users and customers about ambient, because we've been talking ambient to our customers for a while.
A
While we work on ambient, on the issue of ambient with the Google team. So I'm really excited to have this conversation with Christian and Denis, just to get their perspective of what are the top questions they've heard and what are the answers they've been given, and obviously we welcome questions from you, the audience, as well. So Christian and Denis, why don't one of you start the introduction of yourself first?
B
Sure. So, I'm Christian Posta, Global Field CTO at Solo. I've been working on Istio since the very beginning and super excited to work with customers and people in the community actually adopting Istio, and some of the challenges that they face, and unblocking them, and then seeing Istio actually being deployed at really large scale for highly critical environments, and, you know, all the benefits that a service mesh brings and the value that it brings to these environments. So yeah, happy to talk about this.
B
You know, like you mentioned, we've been working closely with some of the folks that we would reach out to for that, we thought would bring good questions and good design suggestions and feedback and comments, and so on. So definitely have a few of those that we can share today, but I'll pass it off to Denis for intro.
C
C
Again, you know, sharing some thoughts with you, Lin, and Christian.
A
Okay, great. I guess I have some questions in mind, but I'd like to kind of peek on your brain. What are the most common questions you heard? Give me one at a time. So Denis, I'll start with you.
C
Yeah, I mean, a lot of questions I had when we started to discuss about ambient was like: okay, how is it going to be working? Like, do I need to move from what I do today to this new thing? Like, can they work together? Like, is it like everything should be now ambient when it will be available? You know, I got this question quite often, and I think it's a very interesting one.
B
Yeah, I can second that. I think that's the first, the first impression people hear is: well, what, are sidecars going away? You know, what do I do with my existing deployment? That's after, I was, that's actually the first impression people have is.
B
Actually, this looks really cool and we can see the value that it brings, but then it's the: well, how do I, am I forced to roll this out? Where are sidecars going? And then what does it look like to upgrade and to get into this mode? I think that's kind of the initial frame of impressions, and then from there there's various other questions that they asked. But yeah, what Denis said was pretty a common response, I think.
C
And I think even, like, most of the time after we were discussing about it, people were saying: okay, so that's a new product. No, it's not! Okay, like, wait a minute, let's explain that, right? This is really important, right? Basically, it's just like a new option, right, a new option in Istio, right? You have Istio today, you have only one option: sidecars. Tomorrow, you have two options, right? You can have some application.
C
You can have, like, already something in production and you use sidecars for everything, and you can decide that you'll now have some of the namespaces not using sidecars. Perhaps you will decide that you want to move everything out of sidecar, but perhaps not, and perhaps you will be greenfield, and even with greenfield you will see value of sidecars for some reasons and you will continue to use them.
C
A
Yeah, I think Istio ambient is the only service mesh on the market today that can actually do sidecar to sidecarless interop at the moment. Do you guys agree, or am I.
B
A
C
I think it's true, but it's also important that the way that sidecarless is very different than other solutions do sidecarless, right, because this really introduced, this is really a new concept that is introduced in this ambient mesh, which is there is like this node proxy for L4 and this, you know, layer 7 proxy per service account, right? So it's kind of the best of both worlds, right, and it's really unique, right?
C
It's because, in the mind of people also, when we were speaking like sidecarless, it was: okay, sidecarless equals one proxy per node that does everything. It's not true, right, and it's not what ambient does, right? And I think it's also, you know, a breaking change in the mind of people, and it's really interesting when you start to dive into this.
B
Yeah, which is, yeah, like when we blogged about this back in December, you know, we laid out the various architectures that people could adopt with this type of proxy technology, and, you know, we looked at the sidecar model, discussed the pros and cons. We looked at the shared-node, do-everything proxy model, which, you know, there are some significant drawbacks to that, and so we came.
B
We believe with the best, you know, balance, or, you know, the best trade-offs that we could make to get to the goals we had, which was simplify operations, simplify upgrades, CVE patching. You know, those were the main things that we were looking out for.
C
Yeah, and I think we could discuss about these two topics. I think it's really interesting, like the simplification of the operations, right, and we were chatting with Lin just before in another context, right, about this, and I think it's one of the sentences that you read in the Istio announcement blog, that people read very quickly this sentence and don't really see the value, that's what it means behind it, right?
C
C
The pattern we call HBONE, and basically what it says after is that it's basically helping you to be more compatible even with non, you know, TCP protocols and things like that, right, and I think it's a really big value that you don't really necessarily see when you just look at the getting started guide or whatever, right? It's really this ability to, like, MySQL is a good example, and I was just playing with that this morning.
C
A
A
Yeah, that's a really good point. In fact, yesterday on the ambient channel, I believe one of the users was asking about, now with ambient, if I use Prometheus to monitor my traffic, now that the connection for my application pod to Prometheus, right, used to be, if I need to run mutual TLS, I have to run the sidecar on Prometheus and it doesn't work that well.
B
A
People go back to one-way TLS, but now, with ambient being way more transparent, I could potentially run mutual TLS, upgraded connection by ztunnel, from my application pod to Prometheus and kind of solve their mutual TLS challenge today. We actually have some questions from the audience. I want to quickly say hi to our audience. That's awesome! We are so excited you are here. Hey, thank you so much, bonjour, for joining us, and we have a question from Krishna.
A
"Was there an approximate timeline whenever this will be available in a normal Istio 1.16 release?" So that's a great question. I would say, you know, definitely it is the goal of the community to make this part of the Istio 1.16 release. So now we have the experimental branch out there. We would like to have the experimental branch merged back into master. You know, Istio 1.15 just went out, so we're in active development of 1.16.
A
So this is a good time to job changes into Istio release 1.16, and it's our goal to have it as part of Istio 1.16, if that answers your question. And the one thing I want to say is we're not looking at this as part of the default profile. So if you're using the default profile in 1.16 with this lens, it's not going to impact you in any way, but you can start to explore ambient.
A
C
Not please, I would just add something. I think it's pretty important that obviously you have tons of features in Istio, right, and what can take time is to have, like, everything on par, right? So basically we have everything working in this ambient mesh side, right, but the good news is, because we said before, you can mix and match sidecars and not sidecars, right? So imagine you have, at the time it becomes available, let's say in 1.16, right, let's say you read the release.
C
A
A
We're so excited to be part of it, and thank you also for using Solo Academy. So that's credit to be me actually putting out the workshop of ambient out on Solo Academy, along with our Solo Academy team, so now that you can try it just so. Let us know, I'm sure you will pass the test because you'll be getting a lot of badges from us. So good luck, listen.
B
That's an important thing to call out. I think that, you know, we do have a self-paced workshop for ambient mesh right now that you can go try out, right? It's on Solo Academy.
C
C
I don't need to restart my application. I don't need to restart my pod because I don't have sidecars, right? So that's a really important point, and people really got the benefits of that, right, because otherwise, okay, normally you could say it's like stateless services on Kubernetes, I should be able to restart whatever I want whenever I want without talking to applications, right, but it doesn't work like that, right? It's like the platform team always asked to talk with the application team to schedule.
C
A
Yeah, definitely a game changer. Christian, I don't know if you remember, I think it was July, during Solo, we were working with one of our customers on the sequence between the sidecar and the application container at the shutdown time, and then precisely there are challenges regarding to disk service containers, and then you have to kind of look and config that grace timeout, make sure it's sequenced correctly. So getting rid of that sidecar essentially eliminates all the startup and shutdown problems.
B
All of the things that, you know, there were unintended side effects of running the sidecar, and, you know, that causes problems sometimes, a lot of, because some people use, you know, Java libraries that don't implement HTTP, I guess, correctly or whatever, like Denis mentioned, the server-send-first type protocols.
B
I don't know how many people know this, but in Istio today with the sidecar, if you try to make a connection from the client to the kube service or the kube service IP, you know, the cluster IP, then it works and it'll go through the sidecar, mutual TLS, all this stuff. If you try to make a connection from the client to the server's pod IP directly, that does not work, and, you know, the complexity of trying to get that to work.
B
To get things like, you know, sometimes people bring their own applications with their own TLS already, trying to get, you know, Istio to detect whether it's your TLS or its TLS on the same port. You know, all that stuff gets really complex and introduces other side effects. So yeah, that's another part of this model, is that not only do we not have the sidecar, but we've, you know, simplified how the traffic gets transported over this secure transport.
B
That Denis was mentioning, that allows us to support a lot more of these use cases.
C
A
Yeah, so Christian, why don't you highlight for our audience, when you say that doesn't work, I think what you meant is when you go to the pod IP directly, you don't get mutual TLS traffic. It will.
A
Okay, that's great. Yeah, so Christian, why don't we go to you and ask you what's the most common question you heard when you're talking to your customers?
B
So, I would say the initial impressions were what we talked about, but another very common question that we heard was around security, that, you know, the sidecars, there's a feel-goodness, I guess, about the sidecar running in the same pod as the application, and now with ambient, you know, we move.
B
First of all, there's no sidecar and, second of all, there's the, you know, the secure tunnel, secure transport happening with the ztunnel, and that changes the security boundaries. So what is the impact of that? What does that look like? And that's why it was super important to me for sure, and the rest of the team here, that we launch with a security blog that we address head-on.
B
Some of those concerns, some of those questions, and, you know, kind of dispel some of the myths around what people were seeing or saying about what an approach like this could look like.
A
B
You know, the pod, the sidecar, the X.509 certificates, security tokens, all the stuff in there, and then, you know, that can lead to, you know, further movement on the network, potentially. So removing the data plane completely, so that if the application is compromised, the application is compromised, it sucks, but at least you don't give it access to the rest of the service mesh data plane, is a really important, you know, first step in what that security boundary looks like. We've tightened it around the application.
B
Now, on the other hand, you know, the boundary around the ztunnel and the shared components have changed, and so the questions along that line are around: well, so how does the ztunnel work? How does it, you know, request certificates on behalf of the workloads? What happens if that gets compromised? And so on. And so we address a lot of that stuff in the blog. It's not as scary as one might think. Really, the ztunnel, it.
B
It really plays the role of the CNI, right? We're now talking at the level of the CNI, and it would follow the same security boundary that we see with any shared CNI agent or CNI plug-ins, but specifically, we've tried to significantly reduce the attack surface of any of these shared plug-ins, and we think that's a good trade-off.
A
Yeah, Christian, do you want to also mention, like, the ztunnel is only available. Okay, so ztunnel, it's kind of like the sidecar today, right, to be able to request a certificate, send a certificate signing request to the Istio control plane to kind of get the certificate for workload, but you, as a ztunnel, you can't get any random workloads in the Kubernetes cluster, right? You can only get the workload, you can only send CSR requests on behalf of the workload that you actually manage on that particular node.
B
Yeah, yeah, and that's similar to how other shared agents like the kubelet work and so on. So yeah, that blast radius is constrained to the node, but just like some of those other components, kube-proxy, kubelet, CNI agents, now ztunnel, like, these are things that you have to be, have to be guarded significantly. Yeah.
A
Yeah, okay, we got some comments from our audience. Bhajan: really excited, look forward to testing locally. So let us know how it goes. We certainly are as excited as you as well. We also got a question from you: will this new implementation help move towards HTTP/3 support as well?
A
B
Making the transport layer more transparent, I guess, and Envoy is supporting HTTP/3. Actually, we have an amazing write-up by one of our European field engineers, yeah.
B
Share the link about HTTP/3 and its impact. But yeah, the more we're trying to kind of fade away the fact that there's this machinery and, you know, simplify the protocols and/or open up the ability to support more and more protocols, this should significantly help in apps that want to take advantage of HTTP/3.
A
A
Yeah, great, I hope that answers your question. Yeah, thank you for that great question. All right, so we talk about security. We talk about sidecar to talk to pods in ambient without sidecar. We also talk about being able to bring additional applications that may not be very friendly with sidecar today. We talked about MySQL, Prometheus.
C
I think it's really the ability to get the benefits of the mesh quickly. I think this is really one of the things people have told us a lot, right? Like, today they install the mesh and then they start to roll out applications, and they start to roll out one and then two and then three, and then they accelerate, and then they have everything in the mesh and they finally get all the benefits, and they're very happy generally, right? But now they see that, especially people who are not yet in the mesh, right?
C
They see that they are going to be able to get a lot of the benefits directly, right? You know, this encryption and basic metrics and some, you know, authorizations, and then be able to onboard the services probably faster because of the compatibility thing we discussed before, but also they don't even need to wait for onboarding these services really before they get, you know, all the older.
C
B
Yeah, absolutely, because one thing that you can, you can turn the mesh on and off for a particular workload. I turn it on and you say, oh, I don't know, maybe there's something I wanted to, and then turn it off, and the app is undisturbed, unknowing to this. And that is, like, today, I know people, when they're running on board and met workloads into the mesh, there's some significant coordination.
B
You know, and rightfully so, but, you know, this, to be able to label things and have it automatically become part of the mesh without restarting and doing all this stuff, is really a benefit that people are, I know a few people have pointed this out, they're excited about.
C
C
We want this project to be used by anyone, right, and this is the big thing with this new data plane, right, is it should not be just for, ten percent of the Kubernetes users should have a mesh, right? It should be everyone, right, and that's kind of, basically, the main goal of this is just to make it easier for adopting it, so that it's not only by, because right now people use it, they are the most advanced.
C
You know, users, or, I don't know, people also sometimes realize that it will accelerate their, you know, digital transformation, because they will have this foundational platform that will help the developer to move faster. You know, so you get some people who get it and really invest time and energy in it. But now, if it becomes a lot much simpler, then a lot more users will use it, and more users use it and more feedback, and then it becomes even better, right? So I think it's really the idea of this ambient mesh release.
A
Yeah, yeah, that sounds good. Yeah, I'm also excited about that. We got another question from our audience: hi, don't you! I haven't checked the new architecture in detail yet. What happens if one ztunnel agent goes down on some node? That's a wonderful question. That's actually one of the most common questions being asked.
C
Like some of the other critical components you have in your cluster, right, like kube-proxy or people yeah that replaces time or whatever, right, like all these things, like, you have a few of these things like that, that need to run in your nodes to have this node running correctly, right, and if it doesn't, it doesn't impact your full cluster, but definitely impacts the workloads in this node, right? If you have an application that needs availability, generally you have two pods, right, at least two instances of a pod.
B
C
Following the logic of Kubernetes itself, like Christian explained about the surface of attack, right, is kind of the same response for what is the consequence of losing one of these components.
B
B
What you'll see is that, you know, with our, you know, product stack integration with Cilium, with our deep expertise in eBPF, you're going to continue to see the march toward this direction, where this secure transport layer that we call ztunnel is just going to slowly fade away into the CNI, even more to the kernel. So think of it as, you know, this is part of the CNI. What if the CNI agent goes down?
A
Yeah, definitely, I agree with both of you. Yeah, think about it as part of your infrastructure, right? Yeah, what if your kernel goes down? What if your VM goes down, right? It's just part of why you need to design high availability in the first place, that's beyond one node and also potentially beyond different regions and zones.
A
We also have another question. Thank you so much for all these questions. "Also, will the telemetry API behave the same as now, especially for targeting specific workloads?" I can try to take up first pass of that question and you guys feel free to add on. So telemetry is something we are still working on. So as part of the ambient initial launch, we have telemetry support for layer seven.
A
So, as you see in our get started guide, you will get telemetry metrics as part of deploying the waypoint proxy. So you do have to make sure you have the waypoint proxy there to be able to report the metrics on layer
A
Seven. One thing different with ambient, though, is you don't necessarily need on the source to report the telemetry information, so you can just have the server side, on your destination, have the waypoint proxy, and that would emit the same metrics as today. At least it's our goal to emit the same metrics as today, so it would have, like, the principal information, it would have source and target workload, it would have the dimension.
A
So, regarding your question about the telemetry API, yes, absolutely it's our intent to be exactly same as today. So this is one of the design principles of ambient. If you look at all the Istio resources, with ambient we're not changing any for that, right, so the Kubernetes, I'm sorry, the virtual service resource, the destination rules.
A
The feminine is your network resource and authorization resources, telemetry issues. We expect you to continue to use them, so we don't want to have impact on you on the existing Istio API resources you are using.
C
Buddhist student is not yet there, right, so, like, it's an alpha, right, so it will progressively come, right? Like, the selector you have today in the dynamic API, for example, you target, like, a specific site now and it configures this Envoy there, right? Obviously now the Envoy is, but if it's L4, let's say, then it's like the ztunnel, right, and you will have to configure the ztunnel so that it can, you know, be fine-grained and just apply this policy to this specific.
C
You know, workload, right? But this is, like you said, you know, it is, like, the goal is to make it transparent. Obviously there is some work to be done. It is still an alpha release.
A
Yeah, and I think the telemetry API is actually relatively straightforward. You're absolutely right, we're not there yet, we're still working on layer 4 telemetry. I don't think we have done a lot of testing with the telemetry API, because we've just got the telemetry working and we were super excited. Since you're asking about targeting specific workload.
A
I do want to add, as we were looking at the virtual service resources, which sometimes you can select the source workload, and we haven't quite sorted out how the target of source workload is going to work in ambient, because in ambient the actual work of doing resiliency and traffic shifting is actually the target waypoint proxy, right? So you don't necessarily even have a source sidecar or source workload waypoint proxy, so that particular portion of the virtual service API we'll have to look into, if it does make sense.
A
Okay, great, that's awesome. So anything else that you guys heard commonly?
B
Yeah, I mean, like I said, generally the feedback has been very positive. Especially the people who have been using Istio in production, you know, they immediately recognize the pain points that we're looking to alleviate here, and so the questions, like we covered, were around: well, how does this interop with sidecars?
B
How does this change the security boundaries? We've seen the question about, well, what if the ztunnel component goes down? And then the next common question that I would say we see is: where do the waypoint proxies get deployed? Because right now we kind of show it as, logically, it's a bump on the network somewhere, lives somewhere, doesn't matter, but where do they actually get deployed?
B
And do these extra hops cause performance degradation? And so that certainly comes up.
B
So, let's say the waypoint proxy is being deployed for, as you know, as we've pointed out, it's deployed per service account, so each service account has its own waypoint proxy. We don't try to share layer 7 proxies across multiple identities.
B
That's asking for trouble, and so we separate them out. We keep the same sort of tenancy model that we have with sidecars. Now, as traffic, or as you scale up replicas, let's call it the hello world service, we've deployed a waypoint proxy for hello world and, let's say, the actual number of replicas of hello world is scaling from, let's say, 10 to 100.
B
Now, in the sidecar world, that would be 10 sidecars to 100 sidecars. In this model, that means we can right-size the proxy number of replicas and deployment to whatever the actual traffic is going to, you know, that hello world service. Now, that's probably going to increase if we're scaling up the replicas, but the proxies might be able to handle way more traffic per proxy than what we were seeing in the sidecar deployment. So maybe it's only five replicas of those waypoint proxies.
B
Certainly, you know, on the Solo side, with Gloo Mesh, which we are going to be announcing, you know, pro support for ambient here in the next couple weeks in Gloo Mesh, and that will be one of those capabilities, where and how we manage the life cycle of the waypoint proxies, where they're deployed, because some people might say: all right, let's tune the scheduling so that waypoint proxies try to get closer to the workloads, or the workloads that they represent.
B
Some people might say, and we know we see this already with ingress gateway, might say that, hey, this waypoint proxy is a pretty critical gateway for our applications and we're going to want to pin these to specific nodes and give them certain allocated resources.
B
So we can more deterministically understand what their tail latencies are and so on. So there's going to be various different modes, and maybe mixed modes, of how and where the waypoint proxies get deployed, but ultimately they're pods, and, you know, how you schedule them, and what influence we can bring to scheduling, will be a continued thing that we implement and evolve.
C
Yeah, and I would add it's not only where, it's also when, right? So basically, like, you want to do L7, then you deploy this waypoint proxy, right? With Gloo Mesh, you could, you know, delegate this task, right, so that it's there when it needs to be there, it's where it needs to be, and if I don't need it anymore, it's just not there anymore, right? So this is kind of the user experience we want to give, yeah.
A
So what we're doing in Gloo Mesh is to kind of automate that for you, so the moment you have your policy, layer 7 policy, deployed, we know to stand up that waypoint proxy automatically to kind of take care of that "when" for you, like Denis was mentioning. And the other thing I guess I would add is tomorrow.
A
I know I haven't got this scheduled yet, but we're planning to run a Hoot livestream, particularly dive into how ambient service mesh means for your wallet, right? So for those of you running Istio in production, you're probably paying for CPU and memory for the node, for your Kubernetes cluster, for your VMs, so we're going to dive into how ambient is really going to help you cut the cost, and our initial results actually show significant savings. So we're going to share more detail on that tomorrow.
A
C
I mean, we have not implemented it yet or tested yet in this alpha release, but that will not change anything, basically. This will be just like it is today, right? You have this, and this is what people love with Istio, right? You have this gateway, you can have a dedicated, even, east-west gateway, and that's the only component you need to reach out to the, you know, remote clusters, that gives you a lot of flexibility.
C
B
One thing I'll point out where ambient actually brings an area of improvement over the current multi-cluster implementation is around when traffic makes it from, let's just say, cluster one to cluster two, right? In Istio, if it's a mutual TLS connection, it's going through the east-west gateway when it gets to cluster two, and when it gets to the east-west gateway, we're basically matching on SNI and doing some routing based on SNI to the workloads that live in cluster two, and that's only at layer four that we're, because we don't.
B
We don't terminate the TLS connection at the east-west gateway. So once that connection makes it all the way to the second cluster and eventually to one of the workloads, then that connection persists as long as, you know, it's around and the application is sending requests in cluster one.
B
Let's say it's sending five requests per second and then it increases it to, let's say, 100 requests per second. Those requests going over that one connection don't get load balanced across all of the available workloads in cluster two, because it's just going over that one connection. Now, it can open up more connections, it can sever the connection, reconnect, and then maybe you'll get some load balancing.
B
But with the waypoint proxies now at our disposal, we can terminate the connection on the second cluster on behalf of the workloads that we might be targeting or talking to in the second cluster, and now the waypoint proxy, which is a layer seven component, can then distribute the load evenly in that second cluster. And so, like Denis said, this is not implemented yet, but, you know, we're continuing to build this out.
B
We have the components there, and I certainly see an area where we can see quite a bit of improvement in the multi-cluster story, or particularly around load balancing.
C
Yeah, you could even potentially have non-mesh services being able to talk to a mesh service in cluster 2, based on some implementation details that are in ambient. So you could get some more flexibility based on the fact that a lot of things are now happening in the server side and not the client side.
A
A
A
We have another question, hey, another question: "What about the integrations with external components, OPA for external authz? Does it mean that OPA will also run per node?" Wow, that's a great question.
C
No, I think it perhaps gives us the opportunity to clarify something as well, which is the gateway, because generally this question comes for the gateway, not one hundred percent of the time, but most of the time it's like ext auth is a gateway thing, right? It's quite rare that people have service-to-service communication with an additional hop to ext auth. It exists, but it's definitely not like a common thing, right?
C
So one thing to clarify is that the gateway is working exactly the same way with ambient, so 100 percent of the features that work today in the gateway are working with ambient mesh, right? So you can do rate limiting and ext auth, and, you know, everything you do today with the gateway is unchanged, right? The gateway.
C
Reach out to these, either, you know, ztunnel or waypoint proxies, right, but you don't lose any capabilities of the gateway when you deploy Istio in ambient mode. I think it's a really key thing to.
B
And for east-west traffic, like you were saying, although not super common, but, but potentially, I mean, people do run it for ext auth in the east-west direction as well. That doesn't really change as much, because we just run that on the waypoints now, and that doesn't mean one OPA per node. You can have, it doesn't matter, you can have OPA run wherever, wherever it runs, but then some waypoint proxies that will be enforcing layer 7 external, external auth type, type things.
C
This L7 per service account: when you will start to do some custom things like we discussed here, but even it could be like, on, like, some Envoy filters that you load that process, that process requests or whatever, right, if you make a mistake or if you do something that has an impact, right, on the performance or reliability or whatever, it's going to just impact yourself, right, your, your own proxy, right? It's not going to impact the other people, right? You don't have this noisy neighborhood problem, right? And I think it's.
C
It's also one of the reasons why we have this L7 per service account. There are other security reasons that are more complex to explain in a few minutes, but the, this one is very easy to explain and understand, right? It's like, when I start to apply these policies that can have a negative impact if we would share this proxy, because they are, they are done in the waypoint that is my waypoint, like the waypoint of my account, right, I'm not going to impact the other ones.
A
Yeah, okay, great, Christian, I think we answered your question. So basically, it's going to work a similar way as today, except that maybe, instead of a sidecar, it's a waypoint proxy for east-west traffic. The good thing is, if you are already using OPA today, you know that code has been well tested, and, you know, it's just going to work very similarly in ambient. Awesome. I think that's all the questions from the audience. I really appreciate how interactive you guys are. So we'll have another Hoot tomorrow, so keep the questions coming now.
A
I want to take a minute to thank our speakers and also ask both of you: are there any parting thoughts you want to share with the audience? Maybe just in one minute, if you can, before we wrap up. So yeah, Christian, you go next, yeah.
B
Let me go real quick. So I, I think, you know, we're excited about this. This approach brings a lot of benefits. It is experimental or alpha in, in the community right now. However, you know, at Solo we are working with, with design partners, with early adopters, customers and so on to very quickly harden this. You know, this is in, like we've said, Istio's been out for, this has been six years, six years or something, yeah.
B
So there's a lot of experience that we already can bring to the table. Solo works very, very close with, with our customers, and the feedback loop is extremely tight, and, and we can turn things around very quickly, so we, we look forward to hardening this.
B
If you're looking for guidance and you, you want to be part of that, that, that design group, then please reach out to us. But yeah, otherwise, we're very, very excited. Please, in, in the open source community, please, you know, start using it and giving a, give, give us feedback. It's extremely valuable. We want to, we want to move this along quickly.
C
Yeah, I would say that, you know, like with any technology, I've been lucky with, like, Kubernetes to start when it was at the beginning, and with, you know, Istio quite some time ago. I, I feel it's always easy to learn things that are new because they are not, you know, having all these different options yet, right? Okay, in that case, you have the same control plane, so you already have a lot of options, but at least the data plane is still quite simple, right?
C
So I really encourage people to learn it now, because that's a lot easier to learn now and then to incrementally, you know, learn the new things, right? And, and then, yeah, there's this Solo Academy workshop. It's free, just go there and you will have a first-hand experience on it, and it will become very clear. I mean, whatever we discussed now should be very clear after you, you go through them.
B
Is there a way to leave links for, for that?
C
Yeah, I mean, when you go to the Solo Academy, basically, you'll see these hands-on, you know, you have two sections: one is hands-on workshop and one is on-demand course. So you just need to click on the on-demand course and you'll see you have already six of them. I think we have the ambient mesh, but also, I mean, you'll see, take the opportunity to see what else we have, right? We have, like, the Istio getting started course, we have, like, the, you know.
C
The, the, the one where we provide is about how to go to production. We have, like, an eBPF workshop, Cilium workshop, Envoy workshop, right? So a lot of other things, right?
A
Yeah, I'm in here right now. Cool, thanks for the instruction. Yeah, it's pretty straightforward, so it's entirely free! You know, it's something, we offer an environment for you, so you can follow the step-by-step guide to run ambient yourself with the environment we provide, and we also have a badge program. So we would love to hear from you. I'm sure you will pass the test if you've gone through the lab. We would love to hear from you on social media whether this workshop is helpful for you.
C
And feel free to contribute, right? Like, it's now, it's, you know, in the Istio community. It's really like, we started this project with Google, but it's really now, we want everyone to participate, to give feedback, to contribute. You know, so don't be shy and, and really contribute as much as you can. It can be just like getting, you know, creating issues about what you would like to see there. It could be, you know, doing a.
A
Yeah, definitely love everybody's contribution, feedback. You know, any type of contribution is definitely welcome. With that, I'd like to wrap up this live stream. Thank you, everyone, for joining us. Really appreciate all the great questions you guys asked, and thank you, Denis and Christian, to share your thoughts on ambient and what you heard from our customers. So next.