Use Layer 7 features

By adding a waypoint proxy to your traffic flow you can enable more of Istio’s features.

Ambient mode supports configuring waypoints using the Kubernetes Gateway API. Configurations that apply to a Gateway API resource are called policies.

Traffic routing

With a waypoint proxy deployed, you can use the following API types:

| Name | Feature Status | Attachment |
| --- | --- | --- |
| HTTPRoute | Beta | parentRefs |
| TCPRoute | Alpha | parentRefs |
| TLSRoute | Alpha | parentRefs |

Refer to the traffic management documentation to see the range of features that can be implemented using these routes.

Security

Without a waypoint installed, you can only use Layer 4 security policies. By adding a waypoint, you gain access to the following policies:

| Name | Feature Status | Attachment |
| --- | --- | --- |
| AuthorizationPolicy (including L7 features) | Beta | targetRefs |
| RequestAuthentication | Beta | targetRefs |

Observability

The full set of Istio traffic metrics is exported by a waypoint proxy.

Extension

As the waypoint proxy is a deployment of Envoy, the extension mechanisms that are available for Envoy in sidecar mode are also available to waypoint proxies.

| Name | Feature Status | Attachment |
| --- | --- | --- |
| WasmPlugin | Alpha | targetRefs |
| EnvoyFilter | Alpha | targetRefs |

Read more on how to extend waypoints with Wasm plugins here.

Targeting policies or routing rules

Attach to the entire waypoint proxy

To attach a policy or routing rule to the entire waypoint — so that it applies to all traffic enrolled to use it — set Gateway as the parentRefs or targetRefs value, depending on the type.

For example, to apply an AuthorizationPolicy policy to the waypoint named waypoint for the default namespace:

$ kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: viewer
  namespace: default
spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: waypoint
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["default", "istio-system"]
    to:
    - operation:
        methods: ["GET"]
EOF
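
As an added example (not part of the Istio documentation), the Python lint below flags AuthorizationPolicy objects that match on HTTP-level operation fields but have no targetRefs pointing at a Gateway or Service, since the Security section above states that only Layer 4 policies work without a waypoint. The manifests are constructed samples in Kubernetes JSON form; `viewer` mirrors the policy above, while `get-only-selector` and `l4-only` are hypothetical.

```python
# Attachment field for each kind, from the tables on this page.
ATTACHMENT = {
    "HTTPRoute": "parentRefs", "TCPRoute": "parentRefs", "TLSRoute": "parentRefs",
    "AuthorizationPolicy": "targetRefs", "RequestAuthentication": "targetRefs",
    "WasmPlugin": "targetRefs", "EnvoyFilter": "targetRefs",
}
# AuthorizationPolicy operation fields that require HTTP parsing (Layer 7).
L7_OPERATION_FIELDS = {"methods", "notMethods", "paths", "notPaths", "hosts", "notHosts"}

def waypoint_refs(obj):
    """Return the Gateway or Service references in the kind's attachment field."""
    field = ATTACHMENT.get(obj.get("kind"), "")
    refs = obj.get("spec", {}).get(field) or []
    return [r for r in refs if r.get("kind") in ("Gateway", "Service")]

def uses_l7(policy):
    """True if any rule in the policy matches on an HTTP-level operation field."""
    return any(
        L7_OPERATION_FIELDS & set(to.get("operation", {}))
        for rule in policy.get("spec", {}).get("rules", [])
        for to in rule.get("to", [])
    )

def lint(objects):
    """Return (name, reason) for each L7 AuthorizationPolicy with no waypoint attachment."""
    return [
        (o["metadata"]["name"], "L7 rule but no targetRefs to a Gateway or Service")
        for o in objects
        if o.get("kind") == "AuthorizationPolicy" and uses_l7(o) and not waypoint_refs(o)
    ]

# Constructed sample input: `viewer` mirrors the policy on this page; the rest is hypothetical.
SAMPLE = [
    {"kind": "AuthorizationPolicy", "metadata": {"name": "viewer"}, "spec": {
        "targetRefs": [{"kind": "Gateway", "group": "gateway.networking.k8s.io",
                        "name": "waypoint"}],
        "rules": [{"to": [{"operation": {"methods": ["GET"]}}]}]}},
    {"kind": "AuthorizationPolicy", "metadata": {"name": "get-only-selector"}, "spec": {
        "selector": {"matchLabels": {"app": "reviews"}},
        "rules": [{"to": [{"operation": {"methods": ["GET"]}}]}]}},
    {"kind": "AuthorizationPolicy", "metadata": {"name": "l4-only"}, "spec": {
        "selector": {"matchLabels": {"app": "reviews"}},
        "rules": [{"from": [{"source": {"namespaces": ["default"]}}]}]}},
]

if __name__ == "__main__":
    for name, reason in lint(SAMPLE):
        print(f"{name}: {reason}")
```

The check covers operation fields only; it does not inspect `when` conditions or source fields.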

Attach to a specific service

You can also attach a policy or routing rule to a specific service within the waypoint. Set Service as the parentRefs or targetRefs value, as appropriate.

The example below shows how to apply the reviews HTTPRoute to the reviews service in the default namespace:

$ kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: reviews
spec:
  parentRefs:
  - group: ""
    kind: Service
    name: reviews
    port: 9080
  rules:
  - backendRefs:
    - name: reviews-v1
      port: 9080
      weight: 90
    - name: reviews-v2
      port: 9080
      weight: 10
EOF