clarify support for VirtualService in waypoints#16670
Open
craigbox wants to merge 8 commits intoistio:masterfrom
Open
clarify support for VirtualService in waypoints#16670craigbox wants to merge 8 commits intoistio:masterfrom
craigbox wants to merge 8 commits intoistio:masterfrom
Conversation
istio-testing
added
the
size/M
dhawton
reviewed
Jul 15, 2025
craigbox
added
the
cherrypick/release-1.26
Stevenjin8
reviewed
Jul 29, 2025
| | [`TLSRoute`](https://gateway-api.sigs.k8s.io/guides/tls) | Alpha | `parentRefs` | | ||
| | [`TCPRoute`](https://gateway-api.sigs.k8s.io/guides/tcp/) | Alpha | `parentRefs` | | ||
|
|
||
| (TLS and TCP routing are stable features in Istio, but support for these objects remains at Alpha because the Gateway API objects are still in the experimental channel.) |
Contributor
There was a problem hiding this comment.
That's tough, so there is no stable way of managing tcp traffic in ambient.
Contributor
There was a problem hiding this comment.
Yep - and it's really because Gateway API is (rightly) hesitant about pushing those APIs forward without implementations that are championing those use-case.
keithmattix
reviewed
Jul 29, 2025
|
|
||
| Gateway API has no ability to address [subsets](/docs/reference/config/networking/destination-rule/#Subset). Instead, you must define additional Services which have a more granular selector than the original. | ||
|
|
||
| The other features of DestinationRule are supported. |
Contributor
There was a problem hiding this comment.
exportTo is also not supported, but I think @Stevenjin8's PR covers that?
Contributor
Author
There was a problem hiding this comment.
Is workloadSelector supported?
If not we could basically say "only trafficPolicy is supported"
Contributor
Author
There was a problem hiding this comment.
istio/istio#51085 isn't clear, so I'm guessing it does work
Contributor
Author
|
https://docs.google.com/document/d/1JjsPzOMJfu_evzgiRp-aJf1KDpa9ImyYrew__y5CTao/edit?tab=t.0#heading=h.8vlgwrna7yow for the broader terminology discussion |
|
I write some feedback about our Istio Ambient migration with Virtual Service: |
istio-testing
added
the
needs-rebase
Contributor
|
PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
dhawton
reviewed
Feb 18, 2026
|
|
||
| Some Istio APIs are deliberately not supported by waypoints in ambient mode. These APIs can still be used with [classic Istio Gateways](/docs/tasks/traffic-management/ingress/ingress-control/) in an ambient mesh. | ||
|
|
||
| ### VirtualService |
Member
There was a problem hiding this comment.
Suggested change
| ### VirtualService | |
| ### `VirtualService` |
|
|
||
| Istio's classic traffic routing API is not supported for configuring waypoint traffic routing, though it works in some circumstances. | ||
|
|
||
| Any use of VirtualService with waypoints is considered Alpha, and may be subject to change in future releases. |
Member
There was a problem hiding this comment.
Suggested change
| Any use of VirtualService with waypoints is considered Alpha, and may be subject to change in future releases. | |
| Any use of `VirtualService` with waypoints is considered Alpha, and may be subject to change in future releases. |
| Any use of VirtualService with waypoints is considered Alpha, and may be subject to change in future releases. | ||
| Istio's maintainers do not intend to remove this support, but will not be progressing it to [any further feature phase](/docs/releases/feature-stages). | ||
|
|
||
| #### Migrating from VirtualService to Gateway API routes |
Member
There was a problem hiding this comment.
Suggested change
| #### Migrating from VirtualService to Gateway API routes | |
| #### Migrating from `VirtualService` to Gateway API routes |
|
|
||
| #### Migrating from VirtualService to Gateway API routes | ||
|
|
||
| [Only a single VirtualService](/docs/reference/config/analysis/ist0109/) can be used for mesh traffic matching a certain hostname. However, multiple Gateway API routes can refer to the same host. |
Member
There was a problem hiding this comment.
Suggested change
| [Only a single VirtualService](/docs/reference/config/analysis/ist0109/) can be used for mesh traffic matching a certain hostname. However, multiple Gateway API routes can refer to the same host. | |
| [Only a single `VirtualService`](/docs/reference/config/analysis/ist0109/) can be used for mesh traffic matching a certain hostname. However, multiple Gateway API routes can refer to the same host. |
|
|
||
| [Only a single VirtualService](/docs/reference/config/analysis/ist0109/) can be used for mesh traffic matching a certain hostname. However, multiple Gateway API routes can refer to the same host. | ||
|
|
||
| This is especially relevant when you are migrating from VirtualService to Gateway API routes. If you create one or more HTTPRoutes which specify a Service that is also in use with a VirtualService, the HTTPRoute/s will apply and the VirtualService will not. |
Member
There was a problem hiding this comment.
Suggested change
| This is especially relevant when you are migrating from VirtualService to Gateway API routes. If you create one or more HTTPRoutes which specify a Service that is also in use with a VirtualService, the HTTPRoute/s will apply and the VirtualService will not. | |
| This is especially relevant when you are migrating from `VirtualService` to Gateway API routes. If you create one or more `HTTPRoute` resources which specify a `Service` that is also in use with a `VirtualService`, the `HTTPRoute` will apply and the `VirtualService` will not. |
|
|
||
| #### DestinationRule subsets | ||
|
|
||
| Gateway API has no ability to address [subsets](/docs/reference/config/networking/destination-rule/#Subset). Instead, you must define additional Services which have a more granular selector than the original. |
Member
There was a problem hiding this comment.
Suggested change
| Gateway API has no ability to address [subsets](/docs/reference/config/networking/destination-rule/#Subset). Instead, you must define additional Services which have a more granular selector than the original. | |
| Gateway API has no ability to address [subsets](/docs/reference/config/networking/destination-rule/#Subset). Instead, you must define additional `Service`s which have a more granular selector than the original. |
|
|
||
| Gateway API has no ability to address [subsets](/docs/reference/config/networking/destination-rule/#Subset). Instead, you must define additional Services which have a more granular selector than the original. | ||
|
|
||
| The other features of DestinationRule are supported. |
Member
There was a problem hiding this comment.
Suggested change
| The other features of DestinationRule are supported. | |
| The other features of `DestinationRule` are supported. |
|
|
||
| #### Classic Istio Gateways | ||
|
|
||
| [Classic Istio Gateways](/docs/reference/config/networking/gateway/) can be used to route traffic into an ambient mesh. These can still be configured with VirtualService (i.e. where the `gateways` field refers to a named ingress gateway), alongside waypoints which are configured with Gateway API routes. |
Member
There was a problem hiding this comment.
Suggested change
| [Classic Istio Gateways](/docs/reference/config/networking/gateway/) can be used to route traffic into an ambient mesh. These can still be configured with VirtualService (i.e. where the `gateways` field refers to a named ingress gateway), alongside waypoints which are configured with Gateway API routes. | |
| [Classic Istio Gateways](/docs/reference/config/networking/gateway/) can be used to route traffic into an ambient mesh. These can still be configured with `VirtualService` (i.e. where the `gateways` field refers to a named ingress gateway), alongside waypoints which are configured with Gateway API routes. |
Comment on lines
+164
to
+166
| ### EnvoyFilter | ||
|
|
||
| EnvoyFilter is Istio's break-glass API for advanced configuration of Envoy proxies. Please note that **EnvoyFilter is not currently supported for any existing Istio version with waypoint proxies**. While it may be possible to use EnvoyFilter with waypoints in limited scenarios, its use is not supported, and is actively discouraged by the maintainers. The alpha API may break in future releases as it evolves. We expect official support will be provided at a later date. |
Member
There was a problem hiding this comment.
Suggested change
| ### EnvoyFilter | |
| EnvoyFilter is Istio's break-glass API for advanced configuration of Envoy proxies. Please note that **EnvoyFilter is not currently supported for any existing Istio version with waypoint proxies**. While it may be possible to use EnvoyFilter with waypoints in limited scenarios, its use is not supported, and is actively discouraged by the maintainers. The alpha API may break in future releases as it evolves. We expect official support will be provided at a later date. | |
| ### `EnvoyFilter` | |
| `EnvoyFilter` is Istio's break-glass API for advanced configuration of Envoy proxies. Please note that EnvoyFilter is not currently supported for any existing Istio version with waypoint proxies. While it may be possible to use `EnvoyFilter` with waypoints in limited scenarios, its use is not supported, and is actively discouraged by the maintainers. The alpha API may break in future releases as it evolves. We expect official support will be provided at a later date. |
| httpbin.foo.svc.cluster.local | ||
| httpbin.org | ||
| HTTPRoute | ||
| HTTPRoutes |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Update the ambient docs to clarify that waypoint support for VirtualService is alpha, why that is, and what that means you have to think about during a migration.