istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.4/blog/2019/introducing-istio-operator/index.html

101 lines
35 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Introducing the Istio Operator"><meta name=description content="Introduction to Istio's new operator-based installation and control plane management feature."><meta name=author content="Martin Ostrowski (Google), Frank Budinsky (IBM)"><meta name=keywords content=microservices,services,mesh,install,configuration,istioctl,operator><meta property=og:title content="Introducing the Istio Operator"><meta property=og:type content=website><meta property=og:description content="Introduction to Istio's new operator-based installation and control plane management feature."><meta property=og:url content=/v1.4/blog/2019/introducing-istio-operator/><meta property=og:image content=/v1.4/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.4 / Introducing the Istio Operator</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.4/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.4/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.4/feed.xml><link rel="shortcut icon" href=/v1.4/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.4/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.4/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.4/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.4/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.4/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.4/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.4/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.4/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.4/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.4/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.4/css/all.css><script src=/v1.4/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.4";const docTitle="Introducing the Istio Operator";const iconFile="\/v1.4/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.4/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.4/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2"/><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.4</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#hamburger"/></svg></div><div id=header-links><a title="Learn how to deploy, use, and operate Istio." href=/v1.4/docs/>Docs</a>
<a class=current title="Posts about using Istio." href=/v1.4/blog/2020/>Blog<i class=dot data-prefix=/blog></i></a>
<a title="Timely news about the Istio project." href=/v1.4/news/>News<i class=dot data-prefix=/news></i></a>
<a title="Frequently Asked Questions about Istio." href=/v1.4/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.4/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/blog\/2019\/introducing-istio-operator\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/blog\/2019\/introducing-istio-operator\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://istio.io/archive>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.4/search>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#cancel-x"/></svg></button></form></nav></header><div class=banner-container></div><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card0 title="Blog posts for 2020." aria-controls=card0-body><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#blog"/></svg>2020 Posts</button><div class=body aria-labelledby=card0 role=region id=card0-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card0><li role=none><a role=treeitem title="A vision statement and roadmap for Istio in 2020 (March 3, 2020)" href=/v1.4/blog/2020/tradewinds-2020/>Istio in 2020 - Following the Trade Winds</a></li><li role=none><a role=treeitem title="Automating Istio configuration for Istio deployments (clusters) that work as a single mesh (January 5, 2020)" href=/v1.4/blog/2020/multi-cluster-mesh-automation/>Multicluster Istio configuration and service discovery using Admiral</a></li></ul></div></div><div class=card><button class="header dynamic" id=card1 title="Blog posts for 2019." aria-controls=card1-body><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#blog"/></svg>2019 Posts</button><div class="body default" aria-labelledby=card1 role=region id=card1-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card1><li role=none><a role=treeitem title="A more secure way to manage Istio webhooks (November 14, 2019)" href=/v1.4/blog/2019/webhook/>Secure Webhook Management</a></li><li role=none><a role=treeitem title="Provision and manage DNS certificates in Istio (November 14, 2019)" href=/v1.4/blog/2019/dns-cert/>DNS Certificate Management</a></li><li role=none><a role=treeitem title="Analyze your Istio configuration to detect potential issues and get general insights (November 14, 2019)" href=/v1.4/blog/2019/introducing-istioctl-analyze/>Introducing istioctl analyze</a></li><li role=none><span role=treeitem class=current title="Introduction to Istio's new operator-based installation and control plane management feature (November 14, 2019)">Introducing the Istio Operator</span></li><li role=none><a role=treeitem title="Getting programmatic access to Istio resources (November 14, 2019)" href=/v1.4/blog/2019/announcing-istio-client-go/>Announcing Istio client-go</a></li><li role=none><a role=treeitem title="Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy (November 14, 2019)" href=/v1.4/blog/2019/v1beta1-authorization-policy/>Introducing the Istio v1beta1 Authorization Policy</a></li><li role=none><a role=treeitem title="Configure Istio ingress gateway to act as a proxy for external services (October 15, 2019)" href=/v1.4/blog/2019/proxy/>Istio as a Proxy for External Services</a></li><li role=none><a role=treeitem title="Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation (October 2, 2019)" href=/v1.4/blog/2019/isolated-clusters/>Multi-Mesh Deployments for Isolation and Boundary Protection</a></li><li role=none><a role=treeitem title="How can you use Istio to monitor blocked and passthrough external traffic (September 28, 2019)" href=/v1.4/blog/2019/monitoring-external-service-traffic/>Monitoring Blocked and Passthrough External Service Traffic</a></li><li role=none><a role=treeitem title="Demonstrates a Mixer out-of-process adapter which implements the Knative scale-from-zero logic (September 18, 2019)" href=/v1.4/blog/2019/knative-activator-adapter/>Mixer Adapter for Knative</a></li><li role=none><a role=treeitem title="Using Istio to secure multi-cloud Kubernetes applications with zero code changes (September 18, 2019)" href=/v1.4/blog/2019/app-identity-and-access-adapter/>App Identity and Access Adapter</a></li><li role=none><a role=treeitem title="Taking advantage of Kubernetes trustworthy JWTs to issue certificates for workload instances more securely (September 10, 2019)" href=/v1.4/blog/2019/trustworthy-jwt-sds/>Change in Secret Discovery Service in Istio 1.3</a></li><li role=none><a role=treeitem title="The design principles behind Istio's APIs and how those APIs are evolving (August 5, 2019)" href=/v1.4/blog/2019/evolving-istios-apis/>The Evolution of Istio&#39;s APIs</a></li><li role=none><a role=treeitem title="Comparison of alternative solutions to control egress traffic including performance considerations (July 22, 2019)" href=/v1.4/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control of Egress Traffic in Istio, part 3</a></li><li role=none><a role=treeitem title="Use Istio Egress Traffic Control to prevent attacks involving egress traffic (July 10, 2019)" href=/v1.4/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></li><li role=none><a role=treeitem title="Tools and guidance for evaluating Istio's data plane performance (July 9, 2019)" href=/v1.4/blog/2019/performance-best-practices/>Best Practices: Benchmarking Service Mesh Performance</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of Istio self-signed root certificate (June 7, 2019)" href=/v1.4/blog/2019/root-transition/>Extending Istio Self-Signed Root Certificate Lifetime</a></li><li role=none><a role=treeitem title="Attacks involving egress traffic and requirements for egress traffic control (May 22, 2019)" href=/v1.4/blog/2019/egress-traffic-control-in-istio-part-1/>Secure Control of Egress Traffic in Istio, part 1</a></li><li role=none><a role=treeitem title="An overview of Istio 1.1 performance (March 19, 2019)" href=/v1.4/blog/2019/istio1.1_perf/>Architecting Istio 1.1 for Performance</a></li><li role=none><a role=treeitem title="Configuring Istio route rules in a multicluster service mesh (February 7, 2019)" href=/v1.4/blog/2019/multicluster-version-routing/>Version Routing in a Multicluster Service Mesh</a></li><li role=none><a role=treeitem title="Announces the new Istio blog policy (February 5, 2019)" href=/v1.4/blog/2019/sail-the-blog/>Sail the Blog!</a></li><li role=none><a role=treeitem title="De-mystify how Istio manages to plugin its data-plane components into an existing deployment (January 31, 2019)" href=/v1.4/blog/2019/data-plane-setup/>Demystifying Istio&#39;s Sidecar Injection Model</a></li><li role=none><a role=treeitem title="Verifies the performance impact of adding an egress gateway (January 31, 2019)" href=/v1.4/blog/2019/egress-performance/>Egress Gateway Performance Investigation</a></li><li role=none><a role=treeitem title="Addressing application startup ordering and startup latency using AppSwitch (January 14, 2019)" href=/v1.4/blog/2019/appswitch/>Sidestepping Dependency Ordering with AppSwitch</a></li><li role=none><a role=treeitem title="Istio has a new discussion board (January 10, 2019)" href=/v1.4/blog/2019/announcing-discuss.istio.io/>Announcing discuss.istio.io</a></li><li role=none><a role=treeitem title="Describes how to deploy a custom ingress gateway using cert-manager manually (January 10, 2019)" href=/v1.4/blog/2019/custom-ingress-gateway/>Deploy a Custom Ingress Gateway Using Cert-Manager</a></li></ul></div></div><div class=card><button class="header dynamic" id=card2 title="Blog posts for 2018." aria-controls=card2-body><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#blog"/></svg>2018 Posts</button><div class=body aria-labelledby=card2 role=region id=card2-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card2><li role=none><a role=treeitem title="How to use Istio for traffic management without deploying sidecar proxies (November 21, 2018)" href=/v1.4/blog/2018/incremental-traffic-management/>Incremental Istio Part 1, Traffic Management</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example (November 16, 2018)" href=/v1.4/blog/2018/egress-mongo/>Consuming External MongoDB Services</a></li><li role=none><a role=treeitem title="Istio hosting an all day Twitch stream to celebrate the 1.0 release (August 3, 2018)" href=/v1.4/blog/2018/istio-twitch-stream/>All Day Istio Twitch Stream</a></li><li role=none><a role=treeitem title="How HP is building its next-generation footwear personalization platform on Istio (July 31, 2018)" href=/v1.4/blog/2018/hp/>Istio a Game Changer for HP&#39;s FitStation Platform</a></li><li role=none><a role=treeitem title="Automatic application onboarding and latency optimizations using AppSwitch (July 30, 2018)" href=/v1.4/blog/2018/delayering-istio/>Delayering Istio with AppSwitch</a></li><li role=none><a role=treeitem title="Describe Istio's authorization feature and how to use it in various use cases (July 20, 2018)" href=/v1.4/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></li><li role=none><a role=treeitem title="How to export Istio Access Logs to different sinks like BigQuery, GCS, Pub/Sub through Stackdriver (July 9, 2018)" href=/v1.4/blog/2018/export-logs-through-stackdriver/>Exporting Logs to BigQuery, GCS, Pub/Sub through Stackdriver</a></li><li role=none><a role=treeitem title="Describes how to configure Istio for monitoring and access policies of HTTP egress traffic (June 22, 2018)" href=/v1.4/blog/2018/egress-monitoring-access-control/>Monitoring and Access Policies for HTTP Egress Traffic</a></li><li role=none><a role=treeitem title="Introduction, motivation and design principles for the Istio v1alpha3 routing API (April 25, 2018)" href=/v1.4/blog/2018/v1alpha3-routing/>Introducing the Istio v1alpha3 routing API</a></li><li role=none><a role=treeitem title="Describes how to configure Istio ingress with a network load balancer on AWS (April 20, 2018)" href=/v1.4/blog/2018/aws-nlb/>Configuring Istio Ingress with AWS NLB</a></li><li role=none><a role=treeitem title="Using Kubernetes namespaces and RBAC to create an Istio soft multi-tenancy environment (April 19, 2018)" href=/v1.4/blog/2018/soft-multitenancy/>Istio Soft Multi-Tenancy Support</a></li><li role=none><a role=treeitem title="An introduction to safer, lower-risk deployments and release to production (February 8, 2018)" href=/v1.4/blog/2018/traffic-mirroring/>Traffic Mirroring with Istio for Testing in Production</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example (February 6, 2018)" href=/v1.4/blog/2018/egress-tcp/>Consuming External TCP Services</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example (January 31, 2018)" href=/v1.4/blog/2018/egress-https/>Consuming External Web Services</a></li></ul></div></div><div class=card><button class="header dynamic" id=card3 title="Blog posts for 2017." aria-controls=card3-body><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#blog"/></svg>2017 Posts</button><div class=body aria-labelledby=card3 role=region id=card3-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card3><li role=none><a role=treeitem title="Improving availability and reducing latency (December 7, 2017)" href=/v1.4/blog/2017/mixer-spof-myth/>Mixer and the SPOF Myth</a></li><li role=none><a role=treeitem title="Provides an overview of Mixer's plug-in architecture (November 3, 2017)" href=/v1.4/blog/2017/adapter-model/>Mixer Adapter Model</a></li><li role=none><a role=treeitem title="How Kubernetes Network Policy relates to Istio policy (August 10, 2017)" href=/v1.4/blog/2017/0.1-using-network-policy/>Using Network Policy with Istio</a></li><li role=none><a role=treeitem title="Using Istio to create autoscaled canary deployments (June 14, 2017)" href=/v1.4/blog/2017/0.1-canary/>Canary Deployments using Istio</a></li><li role=none><a role=treeitem title="Istio Authentication 0.1 announcement (May 25, 2017)" href=/v1.4/blog/2017/0.1-auth/>Using Istio to Improve End-to-End Security</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.4/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.4/blog/ title="Posts about using Istio.">Blog</a></li><li><a href=/v1.4/blog/2019/ title="Blog posts for 2019.">2019 Posts</a></li><li>Introducing the Istio Operator</li></ol></nav><article aria-labelledby=title><div class=title-area><div style=width:100%><h1 id=title>Introducing the Istio Operator</h1><p class=byline><span>By</span>
<span class=attribution>Martin Ostrowski (Google), Frank Budinsky (IBM)</span><span> | </span><span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#calendar"/></svg><span>&nbsp;</span>November 14, 2019</span><span> | </span><span title="963 words"><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#clock"/></svg><span>&nbsp;</span>5 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="The Operator API"><a href=#the-operator-api>The Operator API</a><li role=none aria-label="Installing with istioctl"><a href=#installing-with-hahahugoshortcode-s5-hbhb>Installing with istioctl</a><li role=none aria-label="Istio Controller (alpha)"><a href=#istio-controller-alpha>Istio Controller (alpha)</a><li role=none aria-label="Migration from Helm"><a href=#migration-from-helm>Migration from Helm</a><li role=none aria-label=Implementation><a href=#implementation>Implementation</a><li role=none aria-label=Summary><a href=#summary>Summary</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>Kubernetes <a href=https://kubernetes.io/docs/concepts/extend-kubernetes/operator/>operators</a> provide
a pattern for encoding human operational knowledge in software and are a popular way to simplify
the administration of software infrastructure components. Istio is a natural candidate for an automated
operator as it is challenging to administer.</p><p>Up until now, <a href=https://github.com/helm/helm>Helm</a> has been the primary tool to install and upgrade Istio.
Istio 1.4 introduces a new method of <a href=/v1.4/docs/setup/install/istioctl/>installation using istioctl</a>.
This new installation method builds on the strengths of Helm with the addition of the
following:</p><ul><li>Users only need to install one tool: <code>istioctl</code></li><li>All API fields are validated</li><li>Small customizations not in the API don&rsquo;t require chart or API changes</li><li>Version specific upgrade hooks can be easily and robustly implemented</li></ul><p>The <a href=/v1.4/docs/setup/install/helm/>Helm installation</a> method is in the process of deprecation. Upgrading from Istio
1.4 with a version not initially installed with Helm will also be replaced by a new
<a href=/v1.4/docs/setup/upgrade/istioctl-upgrade/>istioctl upgrade feature</a>.</p><p>The new <code>istioctl</code> installation commands use a
<a href=https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/>custom resource</a>
to configure the installation. The custom resource is part of a new Istio operator
implementation intended to simplify the common administrative tasks of installation, upgrade,
and complex configuration changes for Istio. Validation and checking for installation and upgrade
is tightly integrated with the tools to prevent common errors and simplify troubleshooting.</p><h2 id=the-operator-api>The Operator API</h2><p>Every operator implementation requires a
<a href=https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions>custom resource definition (CRD)</a>
to define its custom resource, that is, its API. Istio&rsquo;s operator API is defined by the
<a href=/v1.4/docs/reference/config/istio.operator.v1alpha12.pb/><code>IstioControlPlane</code> CRD</a>,
which is generated from an
<a href=https://github.com/istio/operator/blob/release-1.4/pkg/apis/istio/v1alpha2/istiocontrolplane_types.proto><code>IstioControlPlane</code> proto</a>.
The API supports all of Istio&rsquo;s current <a href=/v1.4/docs/setup/additional-setup/config-profiles/>configuration profiles</a>
using a single field to select the profile. For example, the following <code>IstioControlPlane</code> resource
configures Istio using the <code>demo</code> profile:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
metadata:
namespace: istio-operator
name: example-istiocontrolplane
spec:
profile: demo
</code></pre><p>You can then customize the configuration with additional settings. For example, to disable telemetry:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
metadata:
namespace: istio-operator
name: example-istiocontrolplane
spec:
profile: demo
telemetry:
enabled: false
</code></pre><h2 id=installing-with-hahahugoshortcode-s5-hbhb>Installing with istioctl</h2><p>The recommended way to use the Istio operator API is through a new set of <code>istioctl</code> commands.
For example, to install Istio into a cluster:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl manifest apply -f &lt;your-istiocontrolplane-customresource&gt;
</code></pre><p>Make changes to the installation configuration by editing the configuration file and executing
<code>istioctl manifest apply</code> again.</p><p>To upgrade to a new version of Istio:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl x upgrade -f &lt;your-istiocontrolplane-config-changes&gt;
</code></pre><p>In addition to specifying the complete configuration in an <code>IstioControlPlane</code> resource,
the <code>istioctl</code> commands can also be passed individual settings using a <code>--set</code> flag:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl manifest apply --set telemetry.enabled=false
</code></pre><p>There are also a number of other <code>istioctl</code> commands that, for example, help you list, display,
and compare configuration profiles and manifests.</p><p>Refer to the Istio <a href=/v1.4/docs/setup/install/istioctl>install instructions</a> for more details.</p><h2 id=istio-controller-alpha>Istio Controller (alpha)</h2><p>Operator implementations use a Kubernetes controller to continuously monitor their custom resource
and apply the corresponding configuration changes. The Istio controller monitors an <code>IstioControlPlane</code>
resource and reacts to changes by updating the Istio installation configuration in the corresponding cluster.</p><p>In the 1.4 release, the Istio controller is in the alpha phase of development and not fully
integrated with <code>istioctl</code>. It is, however,
<a href=/v1.4/docs/setup/install/standalone-operator/>available for experimentation</a> using <code>kubectl</code> commands.
For example, to install the controller and a default version of Istio into your cluster,
run the following command:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f https://&lt;repo URL&gt;/operator.yaml
$ kubectl apply -f https://&lt;repo URL&gt;/default-cr.yaml
</code></pre><p>You can then make changes to the Istio installation configuration:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl edit istiocontrolplane example-istiocontrolplane -n istio-system
</code></pre><p>As soon as the resource is updated, the controller will detect the changes and respond by updating
the Istio installation correspondingly.</p><p>Both the operator controller and <code>istioctl</code> commands share the same implementation. The significant
difference is the execution context. In the <code>istioctl</code> case, the operation runs in the admin users
command execution and security context. In the controller case, a pod in the cluster runs the code
in its security context. In both cases, configuration is validated against a schema and the same correctness
checks are performed.</p><h2 id=migration-from-helm>Migration from Helm</h2><p>To help ease the transition from previous configurations using Helm,
<code>istioctl</code> and the controller support pass-through access for the full Helm installation API.</p><p>You can pass Helm configuration options using <code>istioctl --set</code> by prepending the string <code>values.</code> to the option name.
For example, instead of this Helm command:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ helm template ... --set global.mtls.enabled=true
</code></pre><p>You can use this <code>istioctl</code> command:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl manifest generate ... --set values.global.mtls.enabled=true
</code></pre><p>You can also set Helm configuration values in an <code>IstioControlPlane</code> custom resource.
See <a href=/v1.4/docs/setup/install/istioctl/#customize-istio-settings-using-the-helm-api>Customize Istio settings using Helm</a>
for details.</p><p>Another feature to help with the transition from Helm is the alpha
<a href=/v1.4/docs/reference/commands/istioctl/#istioctl-manifest-migrate>istioctl manifest migrate</a> command.
This command can be used to automatically convert a Helm <code>values.yaml</code> file to a corresponding
<code>IstioControlPlane</code> configuration.</p><h2 id=implementation>Implementation</h2><p>Several frameworks have been created to help implement operators by generating stubs for some or all of
the components. The Istio operator was created with the help of a combination of
<a href=https://github.com/kubernetes-sigs/kubebuilder>kubebuilder</a> and
<a href=https://github.com/operator-framework>operator framework</a>. Istio&rsquo;s installation now uses a proto to
describe the API such that runtime validation can be executed against a schema.</p><p>More information about the implementation can be found in the README and ARCHITECTURE documents
in the <a href=https://github.com/istio/operator>Istio operator repository</a>.</p><h2 id=summary>Summary</h2><p>Starting in Istio 1.4, Helm installation is being replaced by new <code>istioctl</code> commands using
a new operator custom resource definition, <code>IstioControlPlane</code>, for the configuration API.
An alpha controller is also available for early experimentation with the operator.</p><p>The new <code>istioctl</code> commands and operator controller both validate configuration schemas and perform a range of
checks for installation change or upgrade. These checks are tightly integrated with the tools to prevent
common errors and simplify troubleshooting.</p><p>The Istio maintainers expect that this new approach will improve the user experience during Istio
installation and upgrade, better stabilize the installation API, and help users better manage and
monitor their Istio installations.</p><p>We welcome your feedback about the new installation approach at <a href=https://discuss.istio.io/>discuss.istio.io</a>.</p><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/blog/2019/introducing-istioctl-analyze/>Introducing istioctl analyze</a></p><p class=desc>Analyze your Istio configuration to detect potential issues and get general insights.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/blog/2020/tradewinds-2020/>Istio in 2020 - Following the Trade Winds</a></p><p class=desc>A vision statement and roadmap for Istio in 2020.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/blog/2020/multi-cluster-mesh-automation/>Multicluster Istio configuration and service discovery using Admiral</a></p><p class=desc>Automating Istio configuration for Istio deployments (clusters) that work as a single mesh.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/docs/setup/install/istioctl/>Customizable Install with Istioctl</a></p><p class=desc>Install and customize any Istio configuration profile for in-depth evaluation or production use.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/docs/ops/diagnostic-tools/istioctl-analyze/>Diagnose your Configuration with Istioctl Analyze</a></p><p class=desc>Shows you how to use istioctl analyze to identify potential issues with your configuration.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/docs/setup/getting-started/>Getting Started</a></p><p class=desc>Download, install, and learn how to evaluate and try Istios basic features quickly.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="Analyze your Istio configuration to detect potential issues and get general insights." href=/v1.4/blog/2019/introducing-istioctl-analyze/><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#left-arrow"/></svg>Introducing istioctl analyze</a></div><div class=right><a title="Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy." href=/v1.4/blog/2019/v1beta1-authorization-policy/>Introducing the Istio v1beta1 Authorization Policy<svg class="icon"><use xlink:href="/v1.4/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=feedback><div id=feedback-initial>Was this information useful?<br><button class="btn feedback" onclick="sendFeedback('en',1)">Yes</button>
<button class="btn feedback" onclick="sendFeedback('en',0)">No</button></div><div id=feedback-comment>Do you have any suggestions for improvement?<br><br><input id=feedback-textbox type=text placeholder="Help us improve..." data-lang=en></div><div id=feedback-thankyou>Thanks for your feedback!</div></div><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label="The Operator API"><a href=#the-operator-api>The Operator API</a><li role=none aria-label="Installing with istioctl"><a href=#installing-with-hahahugoshortcode-s5-hbhb>Installing with istioctl</a><li role=none aria-label="Istio Controller (alpha)"><a href=#istio-controller-alpha>Istio Controller (alpha)</a><li role=none aria-label="Migration from Helm"><a href=#migration-from-helm>Migration from Helm</a><li role=none aria-label=Implementation><a href=#implementation>Implementation</a><li role=none aria-label=Summary><a href=#summary>Summary</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.4.6 now" href=/v1.4/docs/setup/getting-started/#download aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#slack"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.4.6<br>&copy; 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on March 5, 2020</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#github"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink