istio.io/archive/v1.19/blog/2022/istioctl-proxy/index.html


<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Configuring istioctl for a remote cluster"><meta name=description content="Using a proxy server to support istioctl commands in a mesh with an external control plane."><meta name=author content="Frank Budinsky (IBM)"><meta name=keywords content="microservices,services,mesh,istioctl,cli,external,remote,multicluster"><meta property="og:title" content="Configuring istioctl for a remote cluster"><meta property="og:type" content="website"><meta property="og:description" content="Using a proxy server to support istioctl commands in a mesh with an external control plane."><meta property="og:url" content="/v1.19/blog/2022/istioctl-proxy/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-social.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1200"><meta property="og:image:height" content="600"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.19 / Configuring istioctl for a remote cluster</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","UA-98480406-2")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.19/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.19/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.19/feed.xml><link rel="shortcut icon" href=/v1.19/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.19/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.19/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.19/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.19/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.19/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.19/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.19/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.19/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.19/favicons/android-192x192.png sizes=192x192><link rel=icon type=image/svg+xml href=/v1.19/favicons/favicon.svg><link rel=icon type=image/png href=/v1.19/favicons/favicon.png><link rel=mask-icon href=/v1.19/favicons/safari-pinned-tab.svg color=#466bb0><link rel=manifest href=/v1.19/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.19/css/all.css><link rel=preconnect href=https://fonts.googleapis.com><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet 
href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.19/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.19",docTitle="Configuring istioctl for a remote cluster",iconFile="/v1.19/img/icons.svg",buttonCopy="Copy to clipboard",buttonPrint="Print",buttonDownload="Download"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script>
<script src=/v1.19/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.19/ aria-label=logotype><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 
00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.19/img/icons.svg#menu-hamburger"/></svg></button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.19/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>About</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.19/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/service-mesh class=main-navigation-links-link>Service mesh</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/solutions class=main-navigation-links-link>Solutions</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/case-studies class=main-navigation-links-link>Case studies</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/ecosystem class=main-navigation-links-link>Ecosystem</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/deployment class=main-navigation-links-link>Deployment</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.19/blog/ class=main-navigation-links-link><span>Blog</span></a></li><li class=main-navigation-links-item><a href=/v1.19/news/ class=main-navigation-links-link><span>News</span></a></li><li class=main-navigation-links-item><a href=/v1.19/get-involved/ class=main-navigation-links-link><span>Get involved</span></a></li><li class=main-navigation-links-item><a href=/v1.19/docs/ class=main-navigation-links-link><span>Documentation</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title='Search this site' aria-label=Search><svg class="icon magnifier"><use 
xlink:href="/v1.19/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.19/docs/setup/getting-started class="btn btn--primary" id=try-istio>Try Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label='Search this site' placeholder=Search>
<button id=search-close title='Cancel search' type=reset aria-label='Cancel search'><svg class="icon menu-close"><use xlink:href="/v1.19/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container><a href=/v1.19/news/releases/1.19.x/announcing-1.19.4/ class=banner data-title="Latest Release-2023-11-13 00:00:00 +0000 UTC" data-period-start=1699833600000 data-period-end=1700438400000 data-max-impressions=3 data-timeout><div class=content><p>Istio 1.19.4 is now available! Click here to learn more</p></div><div class=frame></div></a></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Configuring istioctl for a remote cluster</h1><p>Using a proxy server to support istioctl commands in a mesh with an external control plane.</p></div><p class=post-author>Mar 25, 2022 <span>|</span> By Frank Budinsky - IBM</p><div><p>When using the <code>istioctl</code> CLI on a <span class=term data-title="Remote Cluster" data-body='<p>A remote cluster is a <a href="/docs/reference/glossary/#cluster">cluster</a> that
connects to a <a href="/docs/reference/glossary/#control-plane">control plane</a>
residing outside of the cluster. A remote cluster can connect to a control plane
running in a <a href="/docs/reference/glossary/#primary-cluster">primary cluster</a>
or to an <a href="/docs/reference/glossary/#external-control-plane">external control plane</a>.</p>
'>remote cluster</span> of an
<a href=/v1.19/docs/setup/install/external-controlplane/>external control plane</a> or a <a href=/v1.19/docs/setup/install/multicluster/>multicluster</a>
Istio deployment, some of the commands will not work by default. For example, <code>istioctl proxy-status</code> requires access to
the <code>istiod</code> service to retrieve the status and configuration of the proxies it&rsquo;s managing. If you try running it on a
remote cluster, you&rsquo;ll get an error message like this:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl proxy-status
Error: unable to find any Istiod instances
</code></pre><p>Notice that the error message doesn&rsquo;t just say that it&rsquo;s unable to access the <code>istiod</code> service; it specifically mentions
its inability to find <code>istiod</code> instances. This is because the <code>istioctl proxy-status</code> implementation needs to retrieve
the sync status of not just any single <code>istiod</code> instance, but rather all of them. When there is more than one <code>istiod</code>
instance (replica) running, each instance is only connected to a subset of the service proxies running in the mesh.
The <code>istioctl</code> command needs to return the status for the entire mesh, not just the subset managed by one of the instances.</p><p>In an ordinary Istio installation where the <code>istiod</code> service is running locally on the cluster
(i.e., a <span class=term data-title="Primary Cluster" data-body='<p>A primary cluster is a <a href="/docs/reference/glossary/#cluster">cluster</a> with a
<a href="/docs/reference/glossary/#control-plane">control plane</a>. A single
<a href="/docs/reference/glossary/#service-mesh">mesh</a> can have more than
one primary cluster for HA or to reduce latency. Primary clusters can act as the
control plane for <a href="/docs/reference/glossary/#remote-cluster">remote clusters</a>.</p>
'>primary cluster</span>), the command is implemented by simply finding all of the running
<code>istiod</code> pods, calling each one in turn, and then aggregating the result before returning it to the user.</p><figure style=width:75%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:50.168828057550705%><a data-skipendnotes=true href=/v1.19/blog/2022/istioctl-proxy/istioctl-primary-cluster.svg title="CLI with local access to istiod pods"><img class=element-to-stretch src=/v1.19/blog/2022/istioctl-proxy/istioctl-primary-cluster.svg alt="CLI with local access to istiod pods"></a></div><figcaption>CLI with local access to istiod pods</figcaption></figure><p>When using a remote cluster, on the other hand, this is not possible since the <code>istiod</code> instances are running outside
of the mesh cluster and not accessible to the mesh user. The instances may not even be deployed using pods on a Kubernetes
cluster.</p><p>Fortunately, <code>istioctl</code> provides a configuration option to address this issue.
You can configure <code>istioctl</code> with the address of an external proxy service that will have access to the
<code>istiod</code> instances. Unlike an ordinary load-balancer service, which would delegate incoming requests to one of the
instances, this proxy service must instead delegate to all of the <code>istiod</code> instances, aggregate the responses,
and then return the combined result.</p><p>If the external proxy service is, in fact, running on another Kubernetes cluster, the proxy implementation code
can be very similar to the implementation code that <code>istioctl</code> runs in the primary cluster case, i.e., find all of the
running <code>istiod</code> pods, call each one in turn, and then aggregate the result.</p><figure style=width:75%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:68.64155561599131%><a data-skipendnotes=true href=/v1.19/blog/2022/istioctl-proxy/istioctl-remote-cluster.svg title="CLI without local access to istiod pods"><img class=element-to-stretch src=/v1.19/blog/2022/istioctl-proxy/istioctl-remote-cluster.svg alt="CLI without local access to istiod pods"></a></div><figcaption>CLI without local access to istiod pods</figcaption></figure><p>An Istio Ecosystem project that includes an implementation of such an <code>istioctl</code> proxy server can be found
<a href=https://github.com/istio-ecosystem/istioctl-proxy-sample>here</a>. To try it out, you&rsquo;ll need two clusters, one of which is
configured as a remote cluster using a control plane installed in the other cluster.</p><h2 id=install-istio-with-a-remote-cluster-topology>Install Istio with a remote cluster topology</h2><p>To demonstrate <code>istioctl</code> working on a remote cluster, we&rsquo;ll start by using the
<a href=/v1.19/docs/setup/install/external-controlplane/>external control plane install instructions</a>
to set up a single remote cluster mesh with an external control plane running in a separate external cluster.</p><p>After completing the installation, we should have two environment variables, <code>CTX_REMOTE_CLUSTER</code> and <code>CTX_EXTERNAL_CLUSTER</code>,
containing the context names of the remote (mesh) and external (control plane) clusters, respectively.</p><p>We should also have the <code>helloworld</code> and <code>sleep</code> samples running in the mesh, i.e., on the remote cluster:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get pod -n sample --context=&#34;${CTX_REMOTE_CLUSTER}&#34;
NAME READY STATUS RESTARTS AGE
helloworld-v1-776f57d5f6-tmpkd 2/2 Running 0 10s
sleep-557747455f-v627d 2/2 Running 0 9s
</code></pre><p>Notice that if you try to run <code>istioctl proxy-status</code> in the remote cluster, you will see the error message
described earlier:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl proxy-status --context=&#34;${CTX_REMOTE_CLUSTER}&#34;
Error: unable to find any Istiod instances
</code></pre><h2 id=configure-istioctl-to-use-the-sample-proxy-service>Configure istioctl to use the sample proxy service</h2><p>To configure <code>istioctl</code>, we first need to deploy the proxy service next to the running <code>istiod</code> pods.
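In our installation, we&rsquo;ve deployed the control plane in the <code>external-istiod</code> namespace, so we start the proxy
service on the external cluster using the following command. Note that the manifest is fetched from the <code>main</code> branch
of the sample repository and, as the output shows, creates a secret, a service account, and a role and role binding in the
control plane namespace, so outside of a demonstration you should review it, and ideally apply a copy pinned to a specific
commit, before running it against your cluster:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -n external-istiod --context=&#34;${CTX_EXTERNAL_CLUSTER}&#34; \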
-f https://raw.githubusercontent.com/istio-ecosystem/istioctl-proxy-sample/main/istioctl-proxy.yaml
service/istioctl-proxy created
serviceaccount/istioctl-proxy created
secret/jwt-cert-key-secret created
deployment.apps/istioctl-proxy created
role.rbac.authorization.k8s.io/istioctl-proxy-role created
rolebinding.rbac.authorization.k8s.io/istioctl-proxy-role created
</code></pre><p>You can run the following command to confirm that the <code>istioctl-proxy</code> service is running next to <code>istiod</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get po -n external-istiod --context=&#34;${CTX_EXTERNAL_CLUSTER}&#34;
NAME READY STATUS RESTARTS AGE
istioctl-proxy-664bcc596f-9q8px 1/1 Running 0 15s
istiod-666fb6694d-jklkt 1/1 Running 0 5m31s
</code></pre><p>The proxy service is a gRPC server that is serving on port 9090:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get svc istioctl-proxy -n external-istiod --context=&#34;${CTX_EXTERNAL_CLUSTER}&#34;
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istioctl-proxy ClusterIP 172.21.127.192 &lt;none&gt; 9090/TCP 11m
</code></pre><p>Before we can use it, however, we need to expose it outside of the external cluster.
There are many ways to do that, depending on the deployment environment. In our setup, we have an ingress gateway
running on the external cluster, so we could update it to also expose port 9090, update the associated virtual service
to direct port 9090 requests to the proxy service, and then configure <code>istioctl</code> to use the gateway address for the proxy
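service. This would be a &ldquo;proper&rdquo; approach, provided that access to the exposed port is limited to the intended
<code>istioctl</code> users, since the proxy service reports on every proxy in the mesh.</p><p>However, since this is just a simple demonstration where we have access to both clusters, we will simply <code>port-forward</code>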
the proxy service to <code>localhost</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl port-forward -n external-istiod service/istioctl-proxy 9090:9090 --context=&#34;${CTX_EXTERNAL_CLUSTER}&#34;
</code></pre><p>We now configure <code>istioctl</code> to use <code>localhost:9090</code> to access the proxy by setting the <code>ISTIOCTL_XDS_ADDRESS</code> environment
variable:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export ISTIOCTL_XDS_ADDRESS=localhost:9090
$ export ISTIOCTL_ISTIONAMESPACE=external-istiod
$ export ISTIOCTL_PREFER_EXPERIMENTAL=true
</code></pre><p>Because our control plane is running in the <code>external-istiod</code> namespace, instead of the default <code>istio-system</code>, we also
need to set the <code>ISTIOCTL_ISTIONAMESPACE</code> environment variable.</p><p>Setting <code>ISTIOCTL_PREFER_EXPERIMENTAL</code> is optional. It instructs <code>istioctl</code> to redirect <code>istioctl command</code> calls to
an experimental equivalent, <code>istioctl x command</code>, for any <code>command</code> that has both a stable and experimental implementation.
In our case we need to use <code>istioctl x proxy-status</code>, the version that implements the proxy delegation feature, so without
this setting we would have to invoke the experimental command explicitly.</p><h2 id=run-the-istioctl-proxy-status-command>Run the istioctl proxy-status command</h2><p>Now that we&rsquo;re finished configuring <code>istioctl</code>, we can try it out by running the <code>proxy-status</code> command again:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl proxy-status --context=&#34;${CTX_REMOTE_CLUSTER}&#34;
NAME CDS LDS EDS RDS ISTIOD VERSION
helloworld-v1-776f57d5f6-tmpkd.sample SYNCED SYNCED SYNCED SYNCED &lt;external&gt; 1.12.1
istio-ingressgateway-75bfd5668f-lggn4.external-istiod SYNCED SYNCED SYNCED SYNCED &lt;external&gt; 1.12.1
sleep-557747455f-v627d.sample SYNCED SYNCED SYNCED SYNCED &lt;external&gt; 1.12.1
</code></pre><p>As you can see, this time it correctly displays the sync status of all the services running in the mesh. Notice that the
<code>ISTIOD</code> column shows the generic value <code>&lt;external&gt;</code>, instead of the instance name (e.g., <code>istiod-666fb6694d-jklkt</code>)
that would be displayed if the pod were running locally. In this case, this detail is not available to, or needed by, the
mesh user. It&rsquo;s only available on the external cluster for the mesh operator to see.</p><h2 id=summary>Summary</h2><p>In this article, we used a <a href=https://github.com/istio-ecosystem/istioctl-proxy-sample>sample proxy server</a> to configure <code>istioctl</code> to
work with an <a href=/v1.19/docs/setup/install/external-controlplane/>external control plane installation</a>.
We&rsquo;ve seen how some of the <code>istioctl</code> CLI commands don&rsquo;t work out of the box on a remote cluster managed
by an external control plane. Commands such as <code>istioctl proxy-status</code>, among others, need access to the <code>istiod</code> service
instances managing the mesh, which are unavailable when the control plane is running outside of the mesh cluster.
To address this issue, <code>istioctl</code> was configured to delegate to a proxy server, running alongside the external control
plane, which accesses the <code>istiod</code> instances on its behalf.</p></div><nav class=pagenav><div class=left><a title href=/v1.19/blog/2022/istio-has-applied-to-join-the-cncf/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.19/img/icons.svg#left-arrow"/></svg>Istio has applied to become a CNCF project</a></div><div class=right><a title="The conference will take place at the end of April, and the first 400 participants will receive a conference t-shirt." href=/v1.19/blog/2022/istiocon-register/ class=next-link>Register now for IstioCon 2022!<svg class="icon right-arrow"><use xlink:href="/v1.19/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title='GitHub is where development takes place on Istio code' href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.19/img/icons.svg#github"/></svg></a><a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.19/img/icons.svg#drive"/></svg></a><a class=channel title='Interactively discuss issues with the Istio community on Slack' href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.19/img/icons.svg#slack"/></svg></a><a class=channel title='Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio' href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.19/img/icons.svg#stackoverflow"/></svg></a><a class=channel title='Follow us on Twitter to get the latest news' href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon twitter"><use 
xlink:href="/v1.19/img/icons.svg#twitter"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.19/ aria-label=logotype><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 
01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 lang=en id=switch-lang-en class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.19/img/icons.svg#tick"/></svg>English</a>
<a tabindex=-1 lang=zh id=switch-lang-zh class=footer-languages-item>中文</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://www.linuxfoundation.org/legal/terms>Terms and Conditions</a> |
<a class=footer-policies-link href=https://www.linuxfoundation.org/legal/privacy-policy>Privacy policy</a> |
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.19/content/en/blog/2022/istioctl-proxy/index.md>Edit this Page on GitHub</a></li></ul><div class=footer-base><span class=footer-base-copyright>&copy; 2023 the Istio Authors.</span>
<span class=footer-base-version>Version
Archive
1.19.4</span><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://istio.io/blog/2022/istioctl-proxy/"),!1'>current release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://preliminary.istio.io/blog/2022/istioctl-proxy/"),!1'>next release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link href=https://istio.io/archive>older releases</a></li></ul></div></div></footer><script src=https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js defer></script><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title='Back to top' tabindex=-1><svg class="icon top"><use xlink:href="/v1.19/img/icons.svg#top"/></svg></button></div></body></html>