[15:25:54] I checked some kubecon 2023 videos about istio's future and this came up:
[15:25:57] https://istio.io/latest/blog/2022/introducing-ambient-mesh/
[15:26:09] "Ambient mesh uses a shared agent, running on each node in the Kubernetes cluster. This agent is a zero-trust tunnel (or ztunnel), and its primary responsibility is to securely connect and authenticate elements within the mesh."
[15:26:30] "After ambient mesh is enabled and a secure overlay is created, a namespace can be configured to utilize L7 features. This allows a namespace to implement the full set of Istio capabilities, including the Virtual Service API, L7 telemetry, and L7 authorization policies."
[15:27:11] <_joe_> so basically it's a proper network tunnel instead of the pile of iptables horror?
[15:27:17] so IIUC they call this "sidecarless" istio, and basically they are splitting the functionality into two layers (stunnel up to l4, and some envoy proxies on l7)
[15:28:16] _joe_ this is the part that I am not sure about, since the ztunnel is on the k8s node and I guess there is some horror to configure to manage the pods' traffic
[15:30:46] <_joe_> elukey: uhh I really don't like it
[15:32:43] more info about the ztunnel - https://istio.io/latest/blog/2023/rust-based-ztunnel/
[15:36:16] in https://www.solo.io/blog/understanding-istio-ambient-ztunnel-and-secure-overlay/ I see
[15:36:21] "Today, the Istio-CNI uses IPtables Rules to direct traffic into a tunnel, The IPTables rules for traffic redirection for ztunnels has a similar effect that a sidecar does in a pod."
[15:36:51] so yeah the pods need to have some config to use their local ztunnel
[15:46:29] <_joe_> I hoped it would be a single rule
[15:46:32] <_joe_> but not, ofc