From YouTube: Istio Ambient Mesh with Gloo Mesh
Description
The first experimental release of the new sidecar-less ambient mode in Istio is out, and we at Solo are eager to support it with Gloo Mesh and explore the value it offers! Join us to watch Nina demo LIVE some of our future directions of Istio ambient mesh with Gloo mesh and bring your questions!
A
Hello, everybody. Welcome to Hoot episode 39, Istio ambient service mesh with Gloo Mesh. Yeah, we're back with another Hoot episode about ambient mesh. If you remember, about two weeks ago we've done Hoot episodes 36, 37, 38; it's all about ambient service mesh. We talk about common questions people ask about ambient service mesh. We talk about what ambient service mesh means to your wallet. Today I'm so excited to have Nina join me to discuss some of the integration work she has been doing with Istio ambient service mesh with Gloo Mesh. Nina.
B
Sure. So, I'm Nina Polishikova, I'm a software engineer on the Gloo Mesh team, and I've been working on the ambient integration with Gloo Mesh. So I'm going to talk about, like, you know, the difference between sidecar versus sidecar-less and ambient mode, what are some UX improvements, like, Gloo Mesh has done to improve the way you manage your waypoint proxy, and what policies, like, work today and how they, like, work differently in sidecar mode versus, like, sidecar-less. So first, I guess, to get started.
B
So if you apply an L7 policy like fault injection or header manipulation, you'll see that you have a virtual service that gets created and that policy gets applied on the client side. So this sidecar on the product page would be the thing enforcing, like, fault injection. In ambient mode, however, we have a slightly different setup. So, first of all, you have your ztunnel, which is the L4 proxy.
Currently, that will enforce, like, mTLS and, like, authorization policies, but if you want to do any L7 routing or any L7 policies, you need to create a waypoint proxy that will enforce that policy. So you can see, compared to, like, the sidecar mode, where the L7 policy happens on the product page sidecar, now the L7 policy is getting applied on the server side, on the reviews waypoint proxy, which is a pretty big difference on where the policy gets applied.
And the way you create this waypoint proxy in ambient Istio today is by using the Gateway resource. So I have it pulled up here. So basically, using the Kubernetes Gateway API, you define this Gateway, you specify the, you know, namespace that you want it in, and you can optionally create annotations for specifying the service account you want to create the waypoint for. If you don't add this annotation, it'll create waypoint proxies for everything in your namespace. Yeah. So another thing.
B
Really quickly, yeah, sorry. Cool. Yeah, so, like I mentioned, first I think it's important to talk about the sidecar mode versus, like, sidecar-less and ambient. So here I have an example of the product page, reviews and ratings Bookinfo example.
If you had everything in sidecar mode, so the sidecar you see is injected into the pod and you have mTLS between the sidecars, and all the L7 and L4 policies are getting applied on the sidecar. And another interesting thing is any L7 policy you have, so, like, be it, like, fault injection or, like, header manipulation, that virtual service is applied on the product page sidecar, so on the client-side sidecar, versus.
B
This, like, is at the node level, and your waypoint proxy is at the service account level, and any L7 policy you apply is now going to be enforced by this waypoint proxy. So before, like, when we had, like, fault injection being enforced on the sidecar, now it's being enforced by this waypoint proxy here. So this is different, right, because, like, instead of the client-side product page enforcing it, now you have to create this waypoint proxy to enforce your L7 policies and.
A
That's a great point. I feel like this is something, when we first launched Istio ambient service mesh, in the launch blog, that we didn't highlight particularly, but it's an important caveat for our users: that the waypoint proxy has to be there, has to be deployed, has to be running for your layer 7 policy to work, right? It's just not going to work magically as in the sidecar case, where all you need to do is just inject the sidecar, which you always have it injected.
B
Yeah, exactly. So, if you install Istio, like, you'll see the ztunnels come up per node automatically, but in order to create this waypoint proxy you have to manually, like, before you can apply any L7 policies, like Lin said, you have to create this waypoint proxy using the Kubernetes Gateway API, and then this is what I was showing before.
So this is the example where we're creating the waypoint proxy and selecting the annotations for Bookinfo reviews. If you don't specify this annotation here, like, you'll create waypoint proxies for everything in that namespace. And, as you can see, like, it's pretty limited in what you can specify, so other than the annotations and, like, which namespace this Gateway is going to live in, there's very little other configuration you can do.
So it's hard to, like, scale the waypoint proxy up, so you can't have, like, multiple replicas of it. You can't really determine where it's going to land either. So if I had, like, another reviews in, like, node one, you can't guarantee that the waypoint proxy for reviews, if they share a service account, is going to be in node one or node two.
A
Yeah, I do feel the Istio Gateway resource to deploy waypoint proxy is pretty preliminary, like you highlight here, and in that way there's very limited configuration. And I do think this is going to be evolving in upstream, but you still have to kind of create the Gateway resource and deploy it when the options become available, such as the number of replicas, such as, like, placement information that Nina just talked about.
B
Yeah, another, I think, interesting point is, so before, when you had your sidecar, you would scale, because the sidecar was injected to the pod, right, you'd scale the sidecar with the pod, versus now the waypoint proxy is associated with a service account. So it scales separately from the pod, which is also, like, a big difference between the two models.
A
Yeah, which brings a lot of benefits. Actually, these are some of the benefits we just talked about in our previous episode, I believe it's 38, where we talk about what ambient means to your wallet, right? Because if you have 10 replicas, you don't necessarily need 10 replicas of waypoint proxy. If your waypoint proxy, two also a replica, handle the layer 7 proxy, then you save yourself from running 10 replicas of your, of your past, because you didn't have such a choice in the sidecar world.
B
Yeah, exactly. So, like, as you see, like, it's also very, like, invasive, kind of, having a sidecar per pod. So, like, every time, like, after you inject it, you have to restart the pod, versus here it's completely independent of the reviews pod that you have here.
A
Yeah, that's another great point. So that means, if your waypoint proxy has a CVE, which we know there's a lot of CVEs with Envoy, then you actually could potentially update your waypoint proxy without touching any of your services that waypoint proxy is serving, right? Because if your reviews or ratings doesn't have any code change, you don't need to restart the pod. All you need to do is update the waypoint proxy. In the sidecar world, that would not be an option, because they are bundled together, right?
B
Cool. Well, I guess we can move on to, me stop share briefly, to actually seeing everything in action. So I have a.
A
The source versus destination side for policies, right? So you also talk about how it is hard to manage your waypoint proxy, along with the deployment of the service. So what are some of the UX improvements you are looking at to improve for Gloo Mesh? Yeah.
B
Definitely. So one of the big ones is, like I mentioned, the Gateway resource that you have to create manually every time. So the way that Istio handles it is you have a waypoint controller that will look for Gateway resources that get created and create a waypoint proxy based on that, but in the Gloo Mesh world, we kind of know when you need an L7 policy enforced, because a lot of the policies can be reused, like the fault injection can be applied to multiple different, like, routes. And because we know, like, in what cases you're using your L7 policy, we kind of can control when the waypoint proxy gets deployed and, like, provide, like, sane configuration, like, defaults for that deployment.
So one example that is, like, currently limited in ambient for deploying your waypoint proxy is, like, where it actually goes. So there's no way of specifying, like, pod affinity or, like, which node your waypoint proxy will end up on, and, like, this can, you know, result in, like, configurations where, if you go from, you know, product page to reviews, the waypoint proxy could be on a separate node.
B
So you'll, you haven't, you go from product page to the waypoint proxy to, like, reviews, because there's no guarantee that the waypoint proxy will be on the same node as reviews. So that's one big, you know, UI improvement, so, UX improvement that Gloo Mesh provides, is that we kind of handle the entire lifecycle for you, because we know when, like, what L7 policies require waypoint proxies and where.
So, there's kind of two actual, like, we talk mostly about L7 policies on the virtual service, so, like, fault injection, you know, mirroring, stuff like that, and that happens on the server side. But some, like, policies also have to happen on the client side. So anything that is on a destination rule, like, that requires a traffic policy, so failover, like, outlier detection, would still happen on the client side. So you need to create a waypoint, like, client-side waypoint proxy for that, and Gloo Mesh kind of knows which policy you're applying and what kind of waypoints you have to create, based on, like, the APIs that we have in place that, like, separate the policy you're creating from the actual, like, virtual service API. So.
A
That's very cool. Hey, I want to say hi to one of our audience. Thank you so much for joining us. Nina, I want to ask you about, what's the logic to determine whether you deploy a server-side waypoint proxy automatically versus whether you deploy a client-side waypoint proxy? I think you touched on some of the policies. What's a clear guideline from your perspective? Yeah.
B
So I think anything that requires, like, a virtual service will be server-side. So, like, header matching, like, you know, mirror, like, fault injection, header manipulation, those all would happen on the server-side waypoint proxy.
Everything that happens on the traffic policy, destination rule, would require a client-side proxy. So, like, I think a good example is failover. Failover would happen on, is a traffic policy that you define on your destination rule, and that would need a client-side waypoint proxy to be able to, like, correctly enforce it.
A
And that's assuming, that's regardless whether your destination side, they have a waypoint proxy or not? Or that's only when you don't have that waypoint proxy for your destination?
B
You already have, like, a header manipulation policy in place, and you also apply failover, you won't create two duplicate waypoint proxies. We also have dedup logic because we know, like, you only need one to do that. Okay.
A
Perfect. Yeah, thanks so much for that clarification, I appreciate that. Okay, so the other question, before you get to the demo, I want to quickly pick your brain on is, what about the existing key features of Gloo Mesh? So correct me if I'm right, I'm thinking about Gloo Mesh, the key features of Gloo Mesh are workspaces, right? So I, as an owner of my particular service, I got to config, you know, what are my workspaces, what are the isolation.
You know, instead of me worrying about which cluster has which services, I can just deploy abstracted resources based on Gloo Mesh API, and then Gloo Mesh automatically figures out for me the generated Istio resources and where to deploy those Istio resources based on how my services are running. Yes.
B
Yeah, I think first we can start with workspaces. So workspaces provide, like, multi-tenancy, so, like, your application team can have a workspace where it defines its own policies, and a separate application team can have its own policies defined, and you can, you know, import and export policies based on, like, overlap, but for the most part you can enable, like, service isolation within your workspace.
So you have, like, all of your authorization policies and peer authentication policies automatically created for you for your workspace, so Gloo Mesh kind of handles all of that, like, isolation for you, which is a really key feature that we have, and it still works in ambient mode, because the only thing you have to do is, you know, set up your workspace based on the namespaces and clusters you have, and then set up the workspace settings to enable that isolation, and then all of the authorization policies will be created for you still.
Because authorization policies now are either enforced on L4 or L7, depending on, like, if you have the waypoint proxy or not, that still, like, works seamlessly, because if you don't have any waypoint proxies, then everything's still enforced at the L4 level.
B
If you do happen to have a waypoint proxy because, like, you've created a Gloo Mesh policy, then it'll be enforced at the L7 level, and you can see the logs there as well. So in terms of multi-cluster capabilities, there's some limitations that ambient currently has with service entries, which doesn't, like, fully enable all of the multi-cluster support that Gloo Mesh has.
So one key feature that Gloo Mesh has is, like, virtual destinations, where you can define a virtual destination for, like, you know, reviews global across multiple clusters and then route to all the clusters seamlessly. That currently is a limitation of ambient, that it's still, like, an experimental mode, so, like, there's still, like, some development to be done. So the demo I have is to be in a single-cluster environment, but all the policies still work for kube services, and, you know, on a single cluster.
B
That was my, so the ingress gateway features still work as well. So, if you, like, currently there's also limitations on, like, Envoy filters, so a lot of, like, ext auth and, like, rate limiting features don't work east-west, because there's no support for applying, like, an Envoy filter to a waypoint proxy, but everything on the ingress gateway still works.
So you can still have an ambient mesh, but an ingress gateway that will enforce, like, rate limiting, ext auth, like, other policies that you care about, so that functionality is still there.
A
That's great, and I assume all you said about that function is there, that function is not there, it's just a time statement, right? Because ambient's so new, we're constantly working with upstream to improve ambient, right, along with, like, the service entry issue you just mentioned with multi-cluster support. Yeah. All right, I want to say hi to a second attendee. Hi, princeu. Thank you so much for joining us. By the way, we love, Nina and I love to hear from you guys.
B
Right, let's do that. Yep, cool, awesome. Okay. So, let's, also, if you're interested in trying out ambient, I'm gonna pitch, Lin wrote a great blog about how to get started. Oh, thank.
B
Using the regular upstream. So you'll notice that this, you have to manage your Gateway resource. So if you go click to L4 authorization policy, you'll see that when you do the layer 7, you actually have to create a Gateway resource manually, and you'll notice that in my demo, like, I don't create any Gateway resources, just because Gloo Mesh is doing that for me.
But this is still, like, a great guide to try out ambient. So, cool, okay. Well, so I have the Gloo Mesh, I have two clusters: one management cluster, where I have the Gloo Mesh management server installed, and one cluster, cluster one, which is my remote cluster, which has Istio ambient installed, along with the Gloo Mesh agent and Bookinfo. So in this example, I'm gonna have two workspaces.
B
One Bookinfo workspace, which will have, it currently doesn't have any policies, so you'll see that there's no waypoint proxies there. And in my gateway, I just have the virtual gateway and all the ingress gateways defined in a separate workspace, just to clean it up there. And then I also have, on my remote cluster, I have the product page example here, and I have a pod that's, like, constantly curling this every couple of seconds, so I can generate some data to view in the graph.
So here's our little graph of the Bookinfo example. So you can see that we actually have the TCP metrics for a number of bytes sent, and everything's enforced by mTLS, which is what the little icon means here.
So in this example, we're going to have reviews v1, reviews v2 and reviews v3, which all share a service account, and they're going to be on separate nodes. So we, but product page is going to hit reviews v1, which doesn't hit ratings, and reviews v2, which do hit ratings, but then have different star colors. So, like, if you look at the result here, like, based on the star colors are what you're seeing from ratings getting hit. Cool.
B
Okay, let's actually take a look at the cluster. So here I have all my pods up. So one thing you might notice is that there's no sidecars, because we're in ambient mode. So if I look at product page, this one's kind of weird, because I have a curl container here, just to be able to test some stuff.
But everything else is just, there's no sidecar injected here. So another thing you might notice is I have the ztunnel up, so I have three ztunnels, because I have three nodes. So if I look at the nodes in k9s and see what's on each node, I can see that reviews v3 and details are on this node, and they have a ztunnel.
But, okay, and here's, like, the ext auth service that we have, and then here's reviews v1 and reviews v2, and they also have a ztunnel there as well. Cool, okay. So the first thing I'm going to do is apply a route table. So all of Gloo Mesh's APIs still work in ambient mode.
B
So there's no API changes, really, for the routing and traffic policies and, you know, L7 policies that you might want to apply. So in this example, I'm going to apply a route table that has, a simple east-west route table for east-west traffic. So it's not selecting a virtual gateway, it's just, like, doing routing between two pods in the mesh.
So the two routes I have: route one doesn't have any header match, but route two has this header match where, if I specify user and istio custom user, then I'm going to route to v2, which is the destination that has the stars, because it hits ratings, and this one, we'll see that it doesn't have any ratings associated with it. So the first thing I'm going to do is apply the route table, and let's.
Yeah, so I'm applying it to Bookinfo, and the way I have my workspace settings set up is I have, like I mentioned, two different workspaces. The Bookinfo workspace imports gateway. So then this is why we're able to see.
B
Like here, oh, I think it went down, but the gateway settings here just also import and export Bookinfo, so they're both imported and exported, and service isolation is disabled. So, like, you can actually access all the services there. So let's go back and look at the pods we have. So you can see, before, where we didn't have any waypoints, now we have a new Bookinfo reviews waypoint.
So if I curl from product page to, like, reviews without any header, then you can see that I keep getting a response. That's good, but it doesn't have any stars associated with it. So now, if I add the, so I think I have it copied here. So, I don't save it. So if I add the header, I should be hitting now the one with the stars, so you can see that I get the black stars back from that response, and that's consistently happening.
So if we go back and look at what's happening on the waypoint, you can see that we actually got some traffic here. So it's hitting, like, the thing that does the routing goes through the waypoint to determine where, which reviews the service is going to hit. Cool. Okay.
B
So another thing we can do in addition, so that was just a simple route table. Again, like, this is the same API as any sidecar mode that Gloo Mesh supports. The only difference is, like, what happens with this waypoint proxy, like, it gets brought up and it applies the L7, like, routing on the server side, instead of it happening on the sidecar. Cool.
So the next thing I'm going to do is apply a, let's see, an L7 policy. So I have a simple fault injection policy that I'm going to test. So again, this is the same API for resilience policies in Gloo Mesh, there's no difference. We're just going to apply it to route one. So, like, you're going to see that when we curl the, route one was, like, the basic reviews example that we had, so when we curl reviews, we should see now the 418 response instead of the 200 response with the reviews.
So, if I apply this, and then go back to the product page, and then go back to the curl container, and then curl it, I can see I get the 418 response.
B
Yeah, so I think the next thing is the custom deployment. So this is one improvement that Gloo Mesh has over the regular Kubernetes Gateway, is we can actually have a deployment override that we specify. So I have two examples for that. One is just incrementing the replica set, a number of replicas. So I'm going to, currently I only have one waypoint proxy, but if I apply this ambient lifecycle manager, I can increase.
B
Namespace, yeah, so it's per, everything regarding, relating to the waypoint proxy is per service account, so this would have to select the service account in the workspace.
B
Unless you have this, like, imported. But currently, like, it's not, like, per namespace, because it's, like, specifically, like, selecting a service account that is tied to the waypoint proxy. It's not selecting everything in a namespace.
B
Yeah, so let's, we'll apply that.
Cool. And then, if we go back to our pods, we can see we created another one here. So now we have two waypoint proxies.
This is also, like I mentioned, useful for the pod affinity, for example. So, right now, if I look at the nodes I have, you'll notice that both waypoint proxies are being deployed in one node, and that's because the default we're using is, because we know that the waypoint proxy is for reviews, we're using the oldest deployment to determine which node to add the waypoints by default.
B
So if I go back, so we're seeing it's terminating.
So, and in this example, I also only have one of them, instead of having two replicas, just to show the difference. And then, if I go back to the nodes, you can see that now it's on this node, where reviews v2 is. So.
A
Very cool. So basically, I have ambient waypoint proxy lifecycle management, where I can provide further customization, and why not just talk about the replica number there, I guess it could be mostly everything that you would override the Kubernetes YAMLs. Yeah.
A
Yeah, very nice. Yeah, I guess the other thing is, I guess it will be a good practice to kind of, if you have a particular ambient lifecycle configuration you want to use, it's good to have that deployed before you deploy layer 7 policy, right? So when your layer 7 policy is there, you would have the right waypoint proxy automatically provisioned by Gloo Mesh. Yes.
B
Exactly. Yeah, the order doesn't matter, so, like, you can have this in place before you create the L7 policy or after, but when, so, like, if we delete the route table, for example, then the waypoint proxy should get cleaned up. So if we go back, you'll see that it's getting cleaned up, because there's nothing, the fault injection that we have is tied to a route. So there's no route table anymore, so there's no L7 policy to enforce.
A
Okay, so the only saving, if you do deploy the lifecycle management first, is to save your waypoint proxy from, I guess, redeployed, right, when you later attach lifecycle management, maybe it's different. So it's going to be, like, it's probably just do a restart or actually scale out more. Yeah, exactly. Yeah, okay, cool, very nice. Yeah, that's a great simplification, because I do know some of the feedback we heard from the Istio community was about the lifecycle management, you know, how user would be, it seems pretty primitive just to manage it through the Gateway resources. Yeah.
B
Yeah, and this provides, like, you know, flexibility of, like, how many you want, like, where you want it deployed, what image you want to use. So all of that is pretty nice. And also, like, one thing I've noticed is that in the, so the waypoint controller is, if you are looking at the Istio code to see, like, what actually controls how the waypoint proxy gets created, it's this file here called the waypoint controller, and, like, the last couple updates to it have been all, like, just improvements on, like, making the image policy configurable. So I can imagine there's going to be a lot more improvements there on, like, how to actually control, like, where the waypoint gets deployed and stuff like that.
A
Yeah, it definitely makes ambient adoption a lot easier, particularly when users need layer 7 processing. Yeah.
And I think you didn't demo this, but I think you talked about this earlier, that you also have logic to determine whether, I guess, whether the source and the target is part of the ambient, so that you can leverage that information to determine where you would place the waypoint proxy, either on the source or destination side.
B
Yeah, there's also, that reminds me, one thing I didn't point out is that the namespace I have, so Bookinfo has the Istio data plane mode.
B
Here, and that's what we're using to determine that, like, yes, reviews needs a waypoint. If it didn't have this label, then Gloo Mesh would assume you're, like, in sidecar mode for that, like, because you can have hybrid modes where not everything in your mesh is in ambient mode. So in that case, like, you would have a sidecar that would be enforcing the policy.
A
That's very cool. So basically you check if the pods are in ambient, and then you check source and destination, and the label at the namespace level tells Gloo Mesh, and then you use that information to determine whether you place waypoint proxy on the destination or on the source side. Yeah.
B
And that's based on the type of policy you're applying. So I think I've pulled up somewhere supported policies. So Gloo Mesh supports a bunch of different policies, and all of these have different, so some of them are tied to, like, the virtual service that Istio has, and some are tied to, like, the traffic policies. So, like, failover and outlier detection are applied to the destination, so they would be applied on the client side, but everything that's applied on the route that is, you know, supported in ambient is applied on the server-side proxy.
So, like, fault injection, retry, timeouts, they're all route selectors, so you'd need, like, a waypoint proxy that is on the server side to enforce it.
A
I know, just making sure we're on the same page. I think the apply-to, that concept, whether it's on the route and destination, matches to the labels you were showing earlier, right? Because I think earlier you showed a fault injection policy where you showed on a particular route, for which you had a label for that route. So that's what that apply-to maps to. Yeah.
B
Exactly. So, if I, it's a fault injection, I also have a header manipulation example. Both of these are applied to routes, and this is just in the Gloo Mesh API for, like, specifying that you need a route table to apply this policy to, and in ambient mode this also means that it's going to be applied on the server side, because, like, you need the server-side route table to be able to enforce it.
Versus, like, outlier detection or failover, they're both eventually translated into destination rules, and the traffic policy is on the destination rule, so those are both applied to destination, and that's what we mean by, like, outlier detection being applied to destination, is, like, when you define the outlier detection CR, like, you're gonna be applying it to a specific destination.
A
Okay, got it. Yeah, I guess the route configuration tends to be a little bit more flexible, because you could have multiple routes to a given destination. Yeah, yeah, yeah. Okay, very cool. I actually really like the fact that you can just, you know, apply a label and then be able to apply a particular policy on this particular destination or route. Yeah, yeah.
A
You showed us 418, yeah, yeah.
B
I think, let's see if I, it might be, so ingress policies still work. I think I have to restart the ingress gateway, because there's an HBONE issue on the, so I can try applying an ingress policy, but let me restart the gateway first.
Yes, yeah, so this is gateway. I think because we're sending traffic consistently, there's a bug where, after a certain while, like, there's an issue with the ingress gateway being able to connect to pods in the mesh, but after restarting it, it should be fine. Oh, let's see.
B
If I go, so, I think I also have to bring the route table back, but basically the limit policy, we have a rate limit server in the pod on the remote cluster. So where is it on? So, if I apply, like, an ingress rate limit policy, everything still works, because the policy is getting enforced at the ingress level, if it's, like, north-south.
But currently, like, waypoint proxy, like, Envoy filters don't work, so you won't be able to get east-west rate limiting, but, like, policies applied to the ingress gateway, like rate limiting and ext auth, should work. I'm seeing that it's still, let's see if we can restart it again, but it might be a little tricky to show, just because I've been sending so much traffic. Yeah, yeah, no, I think it's.
B
Yeah, I might be able to kill. Let's see, wait, there's it, yeah.
A
Yeah, folks, if you guys have any questions, we would love to hear from you, or anything particularly that will be interesting.
See you, anything else that you want to discuss? I think we hit all the major points.
A
All right, I don't see any further questions. Nina, I think we've kind of talked quite a lot today. So we talk about, let's do a quick recap on what we talk about. We talk about, in ambient, when comparing sidecar to ambient, a lot of policies are enforced on the destination side with ambient, right? And then we talk about the key features of Gloo Mesh, and we discuss these features we expect to continue to work in Gloo Mesh with ambient, such as multi-cluster down the road, such as workspace with multi-tenancy, which is already in place.
And on top of the existing features, we talk about how Gloo Mesh automatically manages waypoint proxy for you and how you can potentially customize your waypoint proxy deployments through, like, YAML override with the lifecycle manager.
A
We talk about the UI, the layer 4 telemetry, right, with some metrics, mTLS icon, that's all provided with just ztunnel without waypoint proxy. And then we talk about applying some of the layer 7 policy, and then you showed how these layer 7 policies in action with just the destination side, would have waypoint proxy.
A
Okay, great. Well, I guess I want to thank you, Nina. Thank you so much for joining me on the Hoot. I feel like I got educated quite a lot on Gloo Mesh and ambient integration too. So thank you for preparing the wonderful demo live to everybody. And folks, if you guys find this interesting, what other topics you would like to see, we're trying to roll out quite a lot of topics about ambient, because at Solo we're very excited about ambient.
We're also excited about some of the eBPF work we're going to do at Solo, so we plan to have more education sessions around Istio, around ambient, around eBPF. So definitely reach out to us, either on the Hoot GitHub, or just comment in this YouTube video and we'll get back to you. Thank you so much for joining us today. Thank you, Nina. Bye, everybody.