Add Istio ambient mesh support

[docandrew]

Overview

I would like the ability as a UDS Core user to opt into Istio's ambient mode (no sidecar) when deploying UDS Core. Ambient mode is still being developed, but appears to be gaining traction and promises resource and security advantages over the existing sidecar mesh model:

https://istio.io/latest/blog/2022/introducing-ambient-mesh/
https://istio.io/latest/blog/2022/ambient-security/
https://istio.io/latest/docs/ambient/architecture/traffic-redirection/

Describe the solution you'd like

• A deployment variable to allow opting in to Istio's ambient mode, using --set.
• Alternatively, a UDS Core "flavor" which uses ambient mode by default.

Describe alternatives you've considered

• Istio is usable today w/ the existing sidecar mode, though in large-scale deployments like ours, we reserve signficant resources for the sidecar container, multiplied by hundreds (!) of pods.

Additional context

• The ztunnel agent might be necessary as a separate container image within. There's a container available in IronBank for ztunnel but I need to do more research to determine how the ztunnel agent is intended to be deployed.
• ztunnel has FIPS mode support: https://github.com/istio/ztunnel?tab=readme-ov-file#boring-fips

Tasks

Beta Give feedback

1. Add ztunnel/cni components to Istio #1033
   +0
2. Make least-privilege exemptions for ztunnel and install-cni pods #1027
   +0
3. Investigation/design for network traffic restrictions in ambient mode #1028
   +0
   
4. Identify path forward for Authservice/Authservice protected applications with Istio Ambient #1029
   +0
5. Update OSCAL/Validations to handle ambient mesh/workloads for Istio #1026
   +0
6. Identify path forward for Keycloak with Istio Ambient #1031
   +0