feat: using components approach to enable ambient-mode and gke specific ambient-gke

madmecodes · madmecodes · commit 56c6835ee504 · 2025-09-30T17:55:39.000+05:30
Signed-off-by: madmecodes &lt;ayushguptadev1@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -746,5 +746,5 @@ pre-commit run
 - **Q:** Why does Kubeflow use Istio CNI instead of standard Istio?
   **A:** Istio CNI provides better security by eliminating the need for privileged init containers, making it more compatible with Pod Security Standards (PSS). It also enables native sidecars support introduced in Kubernetes 1.28, which helps address issues with init containers and application lifecycle management.
 - **Q:** Why does Istio CNI fail on Google Kubernetes Engine (GKE) with "read-only file system" errors?
-  **A:** GKE mounts `/opt/cni/bin` as read-only for security reasons, preventing the Istio CNI installer from writing the CNI binary. Use the GKE-specific overlay: `kubectl apply -k common/istio/istio-install/overlays/gke`. This overlay uses GKE's writable CNI directory at `/home/kubernetes/bin`. For more details, see [Istio CNI Prerequisites](https://istio.io/latest/docs/setup/additional-setup/cni/#prerequisites) and [Platform Prerequisites](https://istio.io/latest/docs/ambient/install/platform-prerequisites/).-`
+  **A:** GKE mounts `/opt/cni/bin` as read-only for security reasons. Use the GKE-specific overlay: `kubectl apply -k common/istio/istio-install/overlays/gke` (or `overlays/ambient-gke` for ambient mode). These overlays use GKE's writable CNI directory at `/home/kubernetes/bin`. For details, see [Istio CNI Prerequisites](https://istio.io/latest/docs/setup/additional-setup/cni/#prerequisites).
 
diff --git a/common/istio/README.md b/common/istio/README.md
@@ -19,6 +19,22 @@ GKE mounts `/opt/cni/bin` as read-only for security reasons, preventing the Isti
 kubectl apply -k istio-install/overlays/gke
 ```
 
+### Ambient Mode (Sidecar-free Service Mesh)
+Istio Ambient Mode eliminates sidecars, reducing resource overhead while maintaining full L4/L7 traffic processing capabilities.
+
+```bash
+# Standard Kubernetes
+kubectl apply -k istio-install/overlays/ambient
+
+# Google Kubernetes Engine (GKE)
+kubectl apply -k istio-install/overlays/ambient-gke
+
+# With OAuth2-Proxy
+kubectl apply -k istio-install/overlays/ambient-oauth2-proxy
+```
+
+**Note:** Ambient mode uses Kustomize components (`components/ambient-mode/`, `components/gke-ambient/`) for composable configuration without duplication.
+
 ### Insecure Istio (CNI-disabled)
 For environments that don't support CNI:
 ```bash
diff --git a/common/istio/istio-install/components/ambient-mode/istiod-ambient-patch.yaml b/common/istio/istio-install/components/ambient-mode/istiod-ambient-patch.yaml
diff --git a/common/istio/istio-install/components/ambient-mode/kustomization.yaml b/common/istio/istio-install/components/ambient-mode/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- ztunnel.yaml
+
+patches:
+- path: istiod-ambient-patch.yaml
+  target:
+    kind: Deployment
+    name: istiod
+    namespace: istio-system
+- target:
+    kind: Namespace
+    name: kubeflow
+  patch: |-
+    - op: add
+      path: /metadata/labels/istio.io~1dataplane-mode
+      value: ambient
diff --git a/common/istio/istio-install/components/ambient-mode/ztunnel.yaml b/common/istio/istio-install/components/ambient-mode/ztunnel.yaml
@@ -12,7 +12,6 @@ metadata:
     app.kubernetes.io/part-of: "istio"
     app.kubernetes.io/version: "1.27.1"
     helm.sh/chart: ztunnel-1.27.1
-
   annotations:
     {}
 ---
@@ -29,7 +28,6 @@ metadata:
     app.kubernetes.io/part-of: "istio"
     app.kubernetes.io/version: "1.27.1"
     helm.sh/chart: ztunnel-1.27.1
-
   annotations:
     {}
 spec:
@@ -53,7 +51,6 @@ spec:
         app.kubernetes.io/part-of: "istio"
         app.kubernetes.io/version: "1.27.1"
         helm.sh/chart: ztunnel-1.27.1
-
       annotations:
         sidecar.istio.io/inject: "false"
         prometheus.io/port: "15020"
diff --git a/common/istio/istio-install/components/gke-ambient/gke-cni-patch.yaml b/common/istio/istio-install/components/gke-ambient/gke-cni-patch.yaml
diff --git a/common/istio/istio-install/components/gke-ambient/gke-ztunnel-patch.yaml b/common/istio/istio-install/components/gke-ambient/gke-ztunnel-patch.yaml
diff --git a/common/istio/istio-install/components/gke-ambient/kustomization.yaml b/common/istio/istio-install/components/gke-ambient/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+- path: gke-cni-patch.yaml
+  target:
+    kind: DaemonSet
+    name: istio-cni-node
+    namespace: kube-system
+- path: gke-ztunnel-patch.yaml
+  target:
+    kind: DaemonSet
+    name: ztunnel
+    namespace: istio-system
diff --git a/common/istio/istio-install/overlays/ambient-gke/kustomization.yaml b/common/istio/istio-install/overlays/ambient-gke/kustomization.yaml
@@ -2,16 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- ../ambient
+- ../../base
 
-patches:
-- path: gke-cni-patch.yaml
-  target:
-    kind: DaemonSet
-    name: istio-cni-node
-    namespace: kube-system
-- path: gke-ztunnel-patch.yaml
-  target:
-    kind: DaemonSet
-    name: ztunnel
-    namespace: istio-system
+components:
+- ../../components/ambient-mode
+- ../../components/gke-ambient
diff --git a/common/istio/istio-install/overlays/ambient/kubeflow-namespace-ambient.yaml b/common/istio/istio-install/overlays/ambient/kubeflow-namespace-ambient.yaml
diff --git a/common/istio/istio-install/overlays/ambient/kustomization.yaml b/common/istio/istio-install/overlays/ambient/kustomization.yaml
@@ -3,18 +3,6 @@ kind: Kustomization
 
 resources:
 - ../../base
-- ztunnel.yaml
 
-patches:
-- path: istiod-ambient-patch.yaml
-  target:
-    kind: Deployment
-    name: istiod
-    namespace: istio-system
-- target:
-    kind: Namespace
-    name: kubeflow
-  patch: |-
-    - op: add
-      path: /metadata/labels/istio.io~1dataplane-mode
-      value: ambient
+components:
+- ../../components/ambient-mode
diff --git a/example/kustomization.yaml b/example/kustomization.yaml
@@ -42,14 +42,12 @@ resources:
 - ../common/istio/istio-install/overlays/oauth2-proxy
 # NOTE: For Google Kubernetes Engine (GKE), use:
 # - ../common/istio/istio-install/overlays/gke
-# NOTE: For Istio Ambient Mode, use one of:
-# - ../common/istio/istio-install/overlays/ambient                    # Basic ambient mode
-# - ../common/istio/istio-install/overlays/ambient-gke               # Ambient mode for GKE
-# - ../common/istio/istio-install/overlays/ambient-oauth2-proxy       # Ambient mode with oauth2-proxy
-# GKE mounts `/opt/cni/bin` as read-only for security reasons, preventing the Istio CNI installer from writing the CNI binary.
-# Use the GKE-specific overlay: `kubectl apply -k common/istio/istio-install/overlays/gke`.
-# This overlay uses GKE's writable CNI directory at `/home/kubernetes/bin`.
-# For more details, see [Istio CNI Prerequisites](https://istio.io/latest/docs/setup/additional-setup/cni/#prerequisites) and [Platform Prerequisites](https://istio.io/latest/docs/ambient/install/platform-prerequisites/)
+# NOTE: For Istio Ambient Mode (sidecar-free), use one of:
+# - ../common/istio/istio-install/overlays/ambient                    # Standard Kubernetes
+# - ../common/istio/istio-install/overlays/ambient-gke               # GKE (uses components: ambient-mode + gke-ambient)
+# - ../common/istio/istio-install/overlays/ambient-oauth2-proxy       # With OAuth2-Proxy
+# GKE mounts `/opt/cni/bin` as read-only. The GKE overlays use `/home/kubernetes/bin`.
+# For details, see [Istio CNI Prerequisites](https://istio.io/latest/docs/setup/additional-setup/cni/#prerequisites)
 # oauth2-proxy
 # NOTE: only uncomment ONE of the following overlays, depending on your cluster type
 - ../common/oauth2-proxy/overlays/m2m-dex-only       # for all clusters
