Traditional service mesh architectures rely on sidecar proxies — additional containers injected alongside each application pod to intercept and manage network traffic. While effective, this approach introduces resource overhead, operational complexity, and performance penalties from double network hops. In 2026, a new paradigm has emerged: sidecarless service mesh architecture, which eliminates per-pod sidecars by handling traffic management at the node or kernel level.

In this guide, we compare three leading implementations of sidecarless (or sidecar-reduced) service mesh architecture: Istio Ambient Mesh, the node-level mesh from the Istio project; Cilium Service Mesh, the eBPF-native mesh from the CNCF; and Linkerd’s optimized sidecar architecture, which while not fully sidecarless, offers the lightest-weight alternative that challenges the need for ambient architectures.

What Is Sidecarless Service Mesh?

A sidecarless service mesh removes the per-pod proxy container traditionally injected by tools like Envoy. Instead, traffic management is handled by:

  • Node-level proxies (Istio Ambient): A shared ztunnel daemon on each node handles mTLS and L4 routing
  • eBPF programs (Cilium): Kernel-level packet processing handles routing, load balancing, and policy enforcement
  • Lightweight sidecars (Linkerd): Rust-based micro-proxies with minimal resource footprint

The key advantage: reduced per-pod resource overhead — no more 100-200MB of Envoy memory per application pod. At scale, this translates to significant cost savings and simplified operations.

Comparison Overview

FeatureIstio Ambient MeshCilium Service MeshLinkerd
GitHub Stars38,200+24,395+11,395+
ArchitectureNode-level ztunnel + waypointeBPF kernel-levelLightweight Rust sidecar
Sidecar RequiredNoNoYes (micro-proxy)
Protocol SupportHTTP/1, HTTP/2, gRPC, TCPHTTP/1, HTTP/2, gRPC, TCPHTTP/1, HTTP/2, gRPC
mTLS Implementationztunnel (shared per node)eBPF TLS terminationPer-pod micro-proxy
Policy EnforcementWaypoint proxies (L7)eBPF + CiliumNetworkPolicyPer-pod proxy
Performance OverheadLow (shared proxy)Minimal (kernel-level)Low (Rust micro-proxy)
Memory Per Pod0 MB (shared)0 MB (kernel)~15 MB
Kubernetes NativeYes (CRDs, operators)Yes (Cilium operator)Yes (control plane)
Multi-ClusterYes (Istio multi-primary)Yes (ClusterMesh)Yes (multi-cluster)
Last UpdatedMay 2026May 2026May 2026

Istio Ambient Mesh

Istio Ambient Mesh is the newest service mesh architecture from the Istio project. It replaces the traditional sidecar model with a two-layer approach: a shared ztunnel daemon for L4 (mTLS, authorization) and optional waypoint proxies for L7 (HTTP routing, rate limiting).

Architecture

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

┌─────────────────────────────────────────────────┐
│  Kubernetes Node                                 │
│                                                   │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐      │
│  │  App Pod │  │  App Pod │  │  App Pod │      │
│  │ (no proxy)│ (no proxy)│ (no proxy)│      │
│  └────┬─────┘  └────┬─────┘  └────┬─────┘      │
│       │              │              │             │
│       └──────────────┼──────────────┘             │
│                      │                            │
│              ┌───────▼───────┐                    │
│              │    ztunnel    │  ← Shared L4 proxy │
│              │  (per node)   │     handles mTLS   │
│              └───────┬───────┘                    │
│                      │                            │
│              ┌───────▼───────┐                    │
│              │   waypoint    │  ← Optional L7     │
│              │   (per ns)    │     policy/routing  │
│              └───────────────┘                    │
└─────────────────────────────────────────────────┘

Deployment

Istio Ambient Mesh is deployed using the Istio operator with ambient mode enabled:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: ambient-mesh
spec:
  profile: ambient
  components:
    cni:
      enabled: true
    ztunnel:
      enabled: true
  values:
    global:
      proxy:
        resources:
          requests:
            cpu: 100m
            memory: 128Mi

Install via istioctl:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

# Install Istio with ambient profile
istioctl install --set profile=ambient -y

# Enable ambient mode for a namespace
kubectl label namespace default istio.io/dataplane-mode=ambient

# Deploy waypoint proxy for L7 features
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint
  namespace: default
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
EOF

Key Advantages

  • Zero per-pod overhead: Application pods don’t need sidecar containers
  • Gradual migration: Opt-in per namespace, mix ambient and sidecar modes
  • L7 policy on demand: Waypoint proxies only deployed where L7 features are needed
  • HBONE protocol: HTTP-Based Overlay Network Environment for secure overlay

Cilium Service Mesh

Cilium uses eBPF (extended Berkeley Packet Filter) to implement service mesh capabilities directly in the Linux kernel, eliminating the need for any proxy process in the data path.

Architecture

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

┌─────────────────────────────────────────────────┐
│  Kubernetes Node                                 │
│                                                   │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐      │
│  │  App Pod │  │  App Pod │  │  App Pod │      │
│  │ (no proxy)│ (no proxy)│ (no proxy)│      │
│  └────┬─────┘  └────┬─────┘  └────┬─────┘      │
│       │              │              │             │
│       └──────────────┼──────────────┘             │
│                      │                            │
│        ┌─────────────▼─────────────┐              │
│        │   eBPF Programs (kernel)  │              │
│        │  - XDP redirect           │              │
│        │  - Socket-level redirect  │              │
│        │  - mTLS via envoy-gw      │              │
│        └───────────────────────────┘              │
└─────────────────────────────────────────────────┘

Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

# Cilium Helm values for service mesh
cluster:
  name: cluster-1
cni:
  exclusive: true
kubeProxyReplacement: true
l7Proxy: true
authentication:
  enabled: true
  mutual:
    spire:
      enabled: false
  transparent: true
gatewayAPI:
  enabled: true

Install via Helm:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

helm install cilium cilium/cilium \
  --namespace kube-system \
  --set cluster.name=cluster-1 \
  --set kubeProxyReplacement=true \
  --set l7Proxy=true \
  --set authentication.mutual.spire.enabled=false

# Enable service mesh features
kubectl annotate ns default \
  cilium.io/service-mesh=true

# Deploy Gateway API for L7 routing
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: mesh-gateway
spec:
  gatewayClassName: cilium
  listeners:
  - name: http
    port: 80
    protocol: HTTP
EOF

Key Advantages

  • Kernel-level performance: No proxy process, traffic handled by eBPF
  • Unified networking: CNI + service mesh + network policy in one agent
  • ClusterMesh: Native multi-cluster connectivity
  • Hubble observability: Built-in traffic visualization and monitoring

Linkerd

While Linkerd still uses a sidecar model, its Rust-based micro-proxy (linkerd2-proxy) is dramatically lighter than Envoy, making the “sidecar tax” negligible for most workloads.

Architecture

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

┌─────────────────────────────────────────────────┐
│  Kubernetes Pod                                  │
│                                                   │
│  ┌──────────┐  ┌─────────────────┐              │
│  │  App     │  │ linkerd2-proxy  │  ← ~15 MB     │
│  │Container │  │ (Rust micro-proxy)│   memory    │
│  └──────────┘  └─────────────────┘              │
│                      │                            │
│              mTLS + traffic management            │
└─────────────────────────────────────────────────┘

Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

# Install Linkerd control plane
curl -sL https://run.linkerd.io/install | sh
linkerd install | kubectl apply -f -

# Install Linkerd Viz for dashboard
linkerd viz install | kubectl apply -f -

# Mesh a namespace
kubectl get deploy -n default -o yaml \
  | linkerd inject - | kubectl apply -f -

Linkerd also supports the Gateway API for ingress:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: linkerd-gateway
  annotations:
    linkerd.io/inject: enabled
spec:
  gatewayClassName: linkerd
  listeners:
  - name: http
    port: 80
    protocol: HTTP

Why Choose Sidecarless Architecture?

The traditional sidecar model served the industry well for years, but as Kubernetes deployments scale to thousands of pods, the cumulative overhead becomes significant. Here’s why organizations are transitioning:

Resource Efficiency: With 500 pods, an Envoy sidecar consuming 150MB each totals 75GB of memory dedicated solely to mesh infrastructure. Ambient architectures eliminate this entirely — the shared ztunnel or eBPF approach means memory scales with nodes, not pods.

Operational Simplicity: No more pod restarts when sidecar images update. No more init container failures blocking application startup. The decoupling of mesh infrastructure from application pods means deployments are cleaner and faster.

Performance: eBPF-based meshes like Cilium achieve near-native network performance since traffic never leaves the kernel. Istio Ambient’s shared proxy model reduces the double-hop penalty of sidecar architectures.

Security: Fewer moving parts means a smaller attack surface. Sidecarless architectures reduce the number of processes running with elevated privileges and simplify the trust model.

For teams running dense Kubernetes clusters, the transition to sidecarless or sidecar-reduced architectures can reduce infrastructure costs by 15-30% while improving deployment velocity.

If you’re exploring service mesh options for multi-cluster connectivity, see our Kubernetes multi-cluster service connectivity guide. For identity and mTLS fundamentals, our service identity and mTLS guide covers the building blocks.

Choosing the Right Sidecarless Architecture

Istio Ambient Mesh is the best choice when you need the full feature set of Istio (traffic splitting, fault injection, telemetry) but want to eliminate sidecar overhead. The two-layer model lets you deploy L4-only (ztunnel) for basic mTLS or add waypoint proxies where L7 features are needed.

Cilium Service Mesh excels when you want a unified networking stack — CNI, service mesh, and network policy managed by a single eBPF agent. The kernel-level approach delivers the best performance but requires kernel eBPF support (5.10+).

Linkerd remains the simplest option for teams that want a lightweight sidecar with minimal operational overhead. The Rust proxy’s small footprint makes the “sidecar tax” acceptable for many workloads while delivering full mesh capabilities.

FAQ

What is the main difference between Istio Ambient Mesh and traditional Istio?

Traditional Istio injects an Envoy sidecar proxy into every pod, adding ~150MB memory per pod. Istio Ambient Mesh uses a shared ztunnel daemon per node for L4 traffic (mTLS, authorization) and optional waypoint proxies per namespace for L7 features, eliminating per-pod overhead entirely.

Does Cilium Service Mesh require any proxy containers?

No. Cilium implements service mesh features using eBPF programs loaded into the Linux kernel. Traffic is redirected at the socket level without any user-space proxy process. For L7 protocol parsing, Cilium uses a shared proxy (Envoy Gateway) only when needed.

Can I mix sidecar and ambient mode in the same cluster?

Yes, Istio Ambient Mesh supports mixed-mode operation. You can run some namespaces in ambient mode and others with traditional sidecars, allowing gradual migration. Cilium and Linkerd also support mixed deployment models.

What Kubernetes version is required for sidecarless service mesh?

Istio Ambient Mesh requires Kubernetes 1.27+. Cilium Service Mesh requires kernel 5.10+ for full eBPF support and Kubernetes 1.26+. Linkerd supports Kubernetes 1.24+.

How does mTLS work without sidecars?

In Istio Ambient, the ztunnel handles mTLS for all traffic on the node using HBONE (HTTP-Based Overlay Network Environment). In Cilium, eBPF programs intercept socket calls and apply mTLS at the kernel level. Both approaches maintain the same security guarantees as sidecar-based mTLS.

Is sidecarless service mesh production-ready?

Istio Ambient Mesh reached GA status in Istio 1.22 (2024) and is production-ready. Cilium Service Mesh has been production-ready since Cilium 1.14. Linkerd has been production-ready for years with its lightweight sidecar model.

What is the performance difference between ambient and sidecar architectures?

In benchmark tests, Cilium’s eBPF approach adds ~0.1ms latency per hop, while Istio Ambient adds ~0.5ms through the shared ztunnel. Traditional Envoy sidecar adds ~1-2ms per hop due to the double network traversal. The exact numbers depend on workload characteristics and network topology.