1.
For years, the "Sidecar" model (injecting an Envoy proxy into every single pod) was the only way to get Mesh features. But it came with some complexity:
Resource Bloat: Hundreds of sidecars eating up GBs of RAM.
Operational Friction: Having to restart your entire application just to update the mesh version.
Complexity: Troubleshooting network hops that felt like a "black box."
Enter Istio Ambient Mode. Launched into GA recently, it splits the mesh into two layers: The ztunnel (L4): A lightweight, shared agent that runs on each node. It handles the "Zero Trust" basics (mTLS, identity, and encryption) with almost zero latency. The Waypoint Proxy (L7): An optional, per-namespace proxy that you only spin up if you need "heavy lifting" like header-based routing or rate limiting. The Result: A 70% reduction in memory usage and a massive boost in pod density.
Enter Istio Ambient Mode. Launched into GA recently, it splits the mesh into two layers: The ztunnel (L4): A lightweight, shared agent that runs on each node. It handles the "Zero Trust" basics (mTLS, identity, and encryption) with almost zero latency. The Waypoint Proxy (L7): An optional, per-namespace proxy that you only spin up if you need "heavy lifting" like header-based routing or rate limiting. The Result: A 70% reduction in memory usage and a massive boost in pod density.
2. Istio for the AI Era (Agentgateway)
The biggest news from KubeCon 2026 is Istio’s pivot toward AI-native infrastructure.
Standard service meshes struggle with AI workloads because LLM traffic is unpredictable—long-running inference calls, massive context windows, and complex "Chain-of-Thought" patterns between agents.
Istio has introduced Agentgateway (experimental), a dedicated data plane component designed specifically for:
Inference Routing: Intelligently routing requests based on model availability or "token cost."
Observability for Agents: Seeing exactly how AI agents are talking to each other and your internal databases.
Resiliency: Preventing a single "hallucinating" or looping agent from DDOSing your internal microservices.
3. Multi-Cluster is No Longer a Nightmare
Previously, connecting Istio clusters across different regions or clouds required a PhD in networking. With the Ambient Multicluster Beta (released early 2026), Istio now supports "Zero-Trust" connectivity across clusters without requiring a sidecar on either end.
This allows for Global Failover by default. If your US-East cluster goes down, Istio can automatically route your traffic to US-West, maintaining mTLS and identity headers the entire way.
The Need,Istio's Solution
Zero Trust,Do you need mTLS between every service without writing code? (Use ztunnel)
Compliance,Do you need a cryptographically proven audit log of every request?
AI Scaling,Are you worried about how AI agents will interact with your legacy APIs? (Use Agentgateway)
Note: Going forward, the Kubernetes Gateway API should be the preferred method for configuring ingress and egress in Istio. Istio's Gateway resource continues to be supported, while the Ingress resource should be considered a legacy artifact.
The Bottom Line
In 2026, Istio has finally become what it always promised to be: Transparent. By adopting a "Sidecarless" architecture, it has removed the performance barriers that made developers hate it, while adding the AI-ready features that make architects love it. If you tried Istio three years ago and found it too heavy, it’s time to look again.
Pro-Tip: If you’re starting a new project, don't even look at Sidecars. Go straight to Ambient Mode. Your cloud bill (and your SRE team) will thank you.
colima start brew install kind kind create cluster --name istio-cluster curl -L https://istio.io/downloadIstio | sh - mkdir -p cluster-certs cd cluster-certs make ROOTCA_ORG="Acme LLC." ROOTCA_CN="Acme LLC Root CA" -f ../istio-1.29.2/tools/certs/Makefile.selfsigned.mk root-ca make INTERMEDIATE_ORG="Acme LLC." INTERMEDIATE_CN="Acme LLC Intermediate CA" -f ../istio-1.29.2/tools/certs/Makefile.selfsigned.mk istiocluster-cacerts k create secret generic cacerts -n istio-system --from-file=istiocluster/ca-cert.pem --from-file=istiocluster/ca-key.pem --from-file=istiocluster/root-cert.pem --from-file=istiocluster/cert-chain.pemI had to increase my CPU to 4 and RAM to 8 since I am using colima and defaults are not sufficient. This is what you want to see when you are done with the installation:
colima start --cpu 4 --memory 8
istio-operator.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: control-plane
namespace: istio-system
spec:
profile: minimal
meshConfig:
outboundTrafficPolicy:
mode: REGISTRY_ONLY
trustDomain: acmellc.local
kubectl get pods -n istio-systemshould show your istiod pod as running. Also run:
istioctl versioncommand to see some of the installed controller details. Final step: namespace labeling. Since we used a revisioned installation, we’ll skip the generic istio-injection=enabled label. Instead, apply istio.io/rev=prod to ensure your workloads are injected and managed by the correct control plane revision.
k label namespace default istio.io/rev=prod
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##################################################################################################
# httpbin service
##################################################################################################
apiVersion: v1
kind: ServiceAccount
metadata:
name: httpbin
---
apiVersion: v1
kind: Service
metadata:
name: httpbin
labels:
app: httpbin
service: httpbin
spec:
ports:
- name: http
port: 8000
targetPort: 8080
selector:
app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: httpbin
spec:
replicas: 1
selector:
matchLabels:
app: httpbin
version: v1
template:
metadata:
labels:
app: httpbin
version: v1
spec:
serviceAccountName: httpbin
containers:
- image: docker.io/mccutchen/go-httpbin:v2.15.0
imagePullPolicy: IfNotPresent
name: httpbin
ports:
- containerPort: 8080
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/httpbin/httpbin.yaml
istioctl proxy-config secret deployment/httpbin -o json | jq -r '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 --decode > chain.pem openssl x509 -noout -text -in chain.pemThe issuer field reflects our custom intermediate CA names. Furthermore, the SPIFFE ID successfully implements the acmellc.local trust domain from our IstioOperator setup, overriding the default cluster.local value.
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
2C:98:60:35:D6:03:DD:EE:60:4F:DD:46:58:DE:DB:3B:B9:DB:E1:1A
X509v3 Subject Alternative Name: critical
URI:spiffe://acmellc.local/ns/default/sa/httpbin
While our installation currently uses the minimal profile to deploy the control plane, a standard setup requires at least one ingress gateway to manage incoming traffic. To add this, we will deploy a separate IstioOperator using the empty profile. This profile acts as a clean slate, ensuring only the specific gateway components we define are installed, without re-deploying any additional control plane overhead.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: global-ingress
namespace: istio-system
spec:
profile: empty
revision: prod # Important: Must match your control plane revision
components:
ingressGateways:
- name: global-ingress
enabled: true
namespace: istio-system
label:
istio: ingressgateway # Standard practice
ingress: global # Your custom label
istioctl install -y -f global-ingress.yaml --revision prod
k get pods -n istio-system
global-ingress-b474c4545-2mbqv 1/1 Running 0 7m49s istiod-prod-7b5bd87ccc-gnf5z 1/1 Running 1 (137m ago) 14h
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: my-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "example.com"
The Istio Gateway serves as the entry point configuration for the mesh. It instructs the underlying Envoy proxy on which ports, protocols, and hosts to monitor, enabling the secure exposure of HTTP and HTTPS services via standard or mutual TLS.
This configuration instructs the ingress controller—identified by its labels in the selector—to listen for HTTP requests on port 80 directed toward example.com
As long as the host names in Gateway and VirtualService match, and the VirtualService refers to the Gateway, the traffic will flow to the destination based on the rules in the VirtualService.
k apply -f istio-gateway.yaml -n istio-system
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: traffic-rules
namespace: istio-system
spec:
hosts:
- "example.com"
gateways:
- my-gateway
http:
- route:
- destination: # You MUST have this level
host: my-service
subset: v1 # Optional
port:
number: 80 # Note that port is an object with 'number'
k apply -f virtual-service.yaml
k get vs -n istio-systemTo get available CRDs for virtual services:
kubectl get crd virtualservices.networking.istio.io -o jsonpath='{.spec.versions[*].name}'
To check validation issues on the namespace:
istioctl anaylze -n istio-systemTo uninstall everything we have built:
istioctl uninstall