skills/istio-ambient-mode/SKILL.md
Guide for installing, deploying, debugging, and cleaning up Istio's ambient mode mesh. Use when working with Istio ambient mode, ztunnel proxies, ambient mesh traffic redirection, istio-cni, HBONE encryption, Bookinfo sample application deployment, or istioctl commands for ambient profile setup and teardown.
Istio's ambient mode provides transparent mTLS encryption and routing for application traffic using ztunnel node proxies — without sidecars. Traffic is intercepted inside pod network namespaces via cooperation between istio-cni and ztunnel.
curl -L https://istio.io/downloadIstio | sh -
cd istio-*
export PATH=$PWD/bin:$PATH
istioctl install --set profile=ambient --skip-confirmation
Expected output:
✔ Istio core installed
✔ Istiod installed
✔ CNI installed
✔ Ztunnel installed
✔ Installation complete
Install the Gateway API CRDs before applying the Bookinfo gateway below: the Gateway and HTTPRoute resources it creates cannot be admitted without them, so no ingress gateway would be deployed.
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
kubectl apply -f samples/bookinfo/platform/kube/bookinfo-versions.yaml
kubectl get pods # Verify all pods are Running
kubectl apply -f samples/bookinfo/gateway-api/bookinfo-gateway.yaml
kubectl annotate gateway bookinfo-gateway networking.istio.io/service-type=ClusterIP --namespace=default
kubectl get gateway # Wait for PROGRAMMED=True
kubectl port-forward svc/bookinfo-gateway-istio 8080:80
# Open http://localhost:8080/productpage
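The deployment steps above never enroll the namespace in the ambient data plane, yet the teardown section removes the `istio.io/dataplane-mode` label, so that enrollment must have happened. The following is an added example (not from the skill page or from Istio's own tooling): it applies Istio's documented enrollment label and then checks, from the text output of `istioctl ztunnel-config workloads` (under `istioctl x` on older releases), that every workload in the namespace is being captured. A pod that still reports `TCP` is not redirected through ztunnel and gets no mTLS. The workload listings are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the skill page or of Istio's own tooling.
# Enrolls a namespace in the ambient data plane (the label the teardown section
# later removes) and verifies capture from `istioctl ztunnel-config workloads`.

# Enrollment: istio-cni reacts to this label and installs the in-pod redirection rules.
enroll_namespace() {
  kubectl label namespace "$1" istio.io/dataplane-mode=ambient --overwrite
}

# check_hbone WORKLOADS_TEXT NAMESPACE
# Returns 0 when the namespace has at least one workload and all of them report HBONE.
# PROTOCOL is taken as the last field so the two-word "POD NAME" header does not
# shift the column index.
check_hbone() {
  printf '%s\n' "$1" | awk -v ns="$2" '
    NR == 1 { next }                                 # header row
    $1 == ns { seen++; if ($NF != "HBONE") bad++ }
    END { if (seen && !bad) exit 0; exit 1 }'
}

# Constructed sample in the shape of `istioctl ztunnel-config workloads` output.
SAMPLE_OK='NAMESPACE     POD NAME                         ADDRESS      NODE         WAYPOINT PROTOCOL
default       productpage-v1-6f8c9c7b9d-x2kq7  10.244.1.10  kind-worker  None     HBONE
default       reviews-v1-7d4b8c6c5f-p9m3z      10.244.1.11  kind-worker  None     HBONE
istio-system  istiod-7b9d8c6c5f-k4l2m          10.244.0.5   kind-worker  None     TCP'

# Constructed sample of the same namespace before one pod was captured.
SAMPLE_PARTIAL='NAMESPACE     POD NAME                         ADDRESS      NODE         WAYPOINT PROTOCOL
default       productpage-v1-6f8c9c7b9d-x2kq7  10.244.1.10  kind-worker  None     HBONE
default       reviews-v1-7d4b8c6c5f-p9m3z      10.244.1.11  kind-worker  None     TCP'

# Against a live cluster (not run here):
#   enroll_namespace default
#   check_hbone "$(istioctl ztunnel-config workloads)" default && echo "default fully captured"
if check_hbone "$SAMPLE_OK" default; then
  echo "sample: all default workloads captured (HBONE)"
fi
check_hbone "$SAMPLE_PARTIAL" default || echo "sample: a default workload is still plaintext TCP" >&2
```

The check deliberately fails on an empty namespace as well as on a TCP workload: an empty result usually means the wrong namespace or that ztunnel has not yet received the workloads from istiod, and neither should pass as "captured".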
istio-cni node agent: Responds to CNI events (pod creation/deletion) and watches the Kubernetes API for ambient label changes. Installs a chained CNI plugin and sets up iptables redirection rules inside pod network namespaces.

istio-cni informs ztunnel over a Unix domain socket, passing a file descriptor for the pod's network namespace. ztunnel uses that descriptor to enter the namespace and open its listeners there, which is why the ports below appear inside the pod rather than on the node.

| Direction | ztunnel port | Purpose |
|-----------|--------------|---------|
| Inbound plaintext (dst != 15008) | 15006 | Redirected to ztunnel plaintext listener |
| Inbound HBONE (dst == 15008) | 15008 | Redirected to ztunnel HBONE listener |
| Outbound TCP | 15001 | Redirected to ztunnel for egress, sent via HBONE encapsulation |
Run bash scripts/debug-ambient.sh to perform all three checks below, or run them manually:
kubectl logs ds/ztunnel -n istio-system | grep inpod
Look for:
inpod_enabled: true
pod ... received netns, starting proxy
kubectl debug $(kubectl get pod -l app=<APP_LABEL> -n <NAMESPACE> -o jsonpath='{.items[0].metadata.name}') \
-it -n <NAMESPACE> --image nicolaka/netshoot -- ss -ntlp
Expect ports 15001, 15006, and 15008 in LISTEN state.
kubectl debug $(kubectl get pod -l app=<APP_LABEL> -n <NAMESPACE> -o jsonpath='{.items[0].metadata.name}') \
-it --image gcr.io/istio-release/base --profile=netadmin -n <NAMESPACE> -- iptables-save
Expect ISTIO_PRERT and ISTIO_OUTPUT chains in mangle and nat tables with TPROXY/REDIRECT rules.
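The three checks above as functions over captured output, so they can be run against saved text as well as a live pod. This is an added example and is not the skill's own scripts/debug-ambient.sh; the ztunnel log lines, `ss -ntlp` output and `iptables-save` output below are constructed and abbreviated samples shaped like the real output.

```shell
#!/bin/sh
# Added example, not the skill's scripts/debug-ambient.sh. Each function takes the
# text of one command's output and returns 0 (healthy) or 1 (problem found).

# Check 1: ztunnel runs in in-pod mode and has received this node's pod netns from istio-cni.
# $1 = text of `kubectl logs ds/ztunnel -n istio-system`
check_ztunnel_inpod() {
  printf '%s\n' "$1" | grep -q 'inpod_enabled: true' || return 1
  printf '%s\n' "$1" | grep -q 'received netns, starting proxy'
}

# Check 2: ztunnel's three listeners exist inside the pod's network namespace.
# $1 = text of `ss -ntlp` from a debug container in the pod; column 4 is Local Address:Port.
check_listeners() {
  for port in 15001 15006 15008; do
    printf '%s\n' "$1" | awk -v p="$port" '
      $1 == "LISTEN" && $4 ~ (":" p "$") { found = 1 }
      END { if (found) exit 0; exit 1 }' || return 1
  done
}

# Check 3: in-pod redirection rules are present: ISTIO_PRERT and ISTIO_OUTPUT chains in
# both the mangle and nat tables, with at least one TPROXY and one REDIRECT target.
# $1 = text of `iptables-save` run with --profile=netadmin in the pod.
check_iptables() {
  printf '%s\n' "$1" | awk '
    /^\*/             { table = substr($0, 2) }        # *mangle, *nat, ...
    /^:ISTIO_PRERT /  { chain[table ":PRERT"] = 1 }
    /^:ISTIO_OUTPUT / { chain[table ":OUTPUT"] = 1 }
    /-j TPROXY/       { tproxy = 1 }
    /-j REDIRECT/     { redirect = 1 }
    END {
      if (chain["mangle:PRERT"] && chain["mangle:OUTPUT"] &&
          chain["nat:PRERT"] && chain["nat:OUTPUT"] && tproxy && redirect) exit 0
      exit 1
    }'
}

run_checks() {
  check_ztunnel_inpod "$1" && check_listeners "$2" && check_iptables "$3"
}

# Constructed samples (abbreviated), shaped like the real outputs.
SAMPLE_ZTUNNEL_LOG='2024-05-01T10:00:00.000000Z info ztunnel running with config: Config { inpod_enabled: true }
2024-05-01T10:00:05.000000Z info inpod::statemanager pod WorkloadUid("9f1c-constructed") received netns, starting proxy'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:15001      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:15006      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:15008      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:9080       0.0.0.0:*'

# Same pod with the HBONE and plaintext inbound listeners missing.
SAMPLE_SS_MISSING='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:15001      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:9080       0.0.0.0:*'

SAMPLE_IPTABLES='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ISTIO_OUTPUT - [0:0]
:ISTIO_PRERT - [0:0]
-A PREROUTING -j ISTIO_PRERT
-A OUTPUT -j ISTIO_OUTPUT
-A ISTIO_PRERT -p tcp -m tcp --dport 15008 -j TPROXY --on-port 15008 --on-ip 127.0.0.1
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:ISTIO_OUTPUT - [0:0]
:ISTIO_PRERT - [0:0]
-A OUTPUT -j ISTIO_OUTPUT
-A ISTIO_OUTPUT -p tcp -j REDIRECT --to-ports 15001
COMMIT'

# Against a live pod: save the outputs of the three commands above (the kubectl debug
# ones need -it) and pass them in the same order, e.g.
#   run_checks "$(kubectl logs ds/ztunnel -n istio-system)" "$(cat ss.txt)" "$(cat iptables.txt)"
if run_checks "$SAMPLE_ZTUNNEL_LOG" "$SAMPLE_SS" "$SAMPLE_IPTABLES"; then
  echo "sample pod: in-pod redirection looks healthy"
fi
run_checks "$SAMPLE_ZTUNNEL_LOG" "$SAMPLE_SS_MISSING" "$SAMPLE_IPTABLES" || echo "sample pod: a ztunnel listener is missing" >&2
```

Running the checks in this order mirrors the causal chain: if ztunnel never received the netns there will be no listeners, and if the listeners exist but the iptables rules are absent, traffic will bypass ztunnel in plaintext even though the proxy is ready.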
Order matters: remove workloads from the ambient data plane before uninstalling Istio. Pods that are still enrolled keep their in-pod iptables redirection, and once ztunnel is gone that redirection points at listeners that no longer exist, so the pods lose connectivity.
# 1. Remove waypoint proxies
kubectl label namespace default istio.io/use-waypoint-
istioctl waypoint delete --all
# 2. Remove namespace from ambient data plane
kubectl label namespace default istio.io/dataplane-mode-
# 3. Remove sample application
kubectl delete httproute reviews
kubectl delete authorizationpolicy productpage-viewer
kubectl delete -f samples/curl/curl.yaml
kubectl delete -f samples/bookinfo/platform/kube/bookinfo.yaml
kubectl delete -f samples/bookinfo/platform/kube/bookinfo-versions.yaml
kubectl delete -f samples/bookinfo/gateway-api/bookinfo-gateway.yaml
# 4. Uninstall Istio
istioctl uninstall -y --purge
kubectl delete namespace istio-system
# 5. Remove Gateway API CRDs (if installed)
bash scripts/debug-ambient.sh <APP_LABEL> <NAMESPACE>: checks ztunnel logs, listening sockets, and iptables rules for a pod.