---
title: Platform-Specific Prerequisites
description: Platform-specific prerequisites for installing Istio in ambient mode.
weight: 4
owner: istio/wg-environments-maintainers
test: no
---
This document covers any platform or environment specific prerequisites for installing Istio in ambient mode.
## Platform
### Google Kubernetes Engine (GKE)

- On GKE, Istio components with the `system-node-critical` `priorityClassName` can only be installed in namespaces that have a ResourceQuota defined. By default in GKE, only `kube-system` has a defined ResourceQuota for the `node-critical` class. `istio-cni` and `ztunnel` both require the `node-critical` class, and so in GKE, both components must either:
    - Be installed into `kube-system` (not `istio-system`)
    - Be installed into another namespace (such as `istio-system`) in which a ResourceQuota has been manually created, for example:

    {{< text syntax=yaml snip_id=none >}}
    apiVersion: v1
    kind: ResourceQuota
    metadata:
      name: gcp-critical-pods
      namespace: istio-system
    spec:
      hard:
        pods: 1000
      scopeSelector:
        matchExpressions:
        - operator: In
          scopeName: PriorityClass
          values:
          - system-node-critical
    {{< /text >}}
### Minikube

- If you are using Minikube with the Docker driver, you must append `--set cni.cniNetnsDir="/var/run/docker/netns"` to the `helm install` command so that the `istio-cni` node agent can correctly manage and capture pods on the node.
### MicroK8s

- If you are using MicroK8s, you must append `--set values.cni.cniConfDir=/var/snap/microk8s/current/args/cni-network --set values.cni.cniBinDir=/var/snap/microk8s/current/opt/cni/bin` to the `helm install` command, as MicroK8s uses nonstandard locations for CNI configuration and binaries.
### K3D

- If you are using k3d with the default flannel CNI, you must append `--set values.cni.cniConfDir=/var/lib/rancher/k3s/agent/etc/cni/net.d --set values.cni.cniBinDir=/bin/` to your `istioctl install` or `helm install` command to install Istio with the `ambient` profile.
- Create a cluster and disable `Traefik` so it doesn't conflict with Istio's ingress gateways:

    {{< text bash >}}
    $ k3d cluster create --api-port 6550 -p '9080:80@loadbalancer' -p '9443:443@loadbalancer' --agents 2 --k3s-arg '--disable=traefik@server:*'
    {{< /text >}}

- Install Istio with the `ambient` profile using `istioctl`:

    {{< text bash >}}
    $ istioctl install --set profile=ambient --skip-confirmation --set values.cni.cniConfDir=/var/lib/rancher/k3s/agent/etc/cni/net.d --set values.cni.cniBinDir=/bin
    {{< /text >}}
### K3S

- If you are using K3S and one of its bundled CNIs, you must append `--set values.cni.cniConfDir=/var/lib/rancher/k3s/agent/etc/cni/net.d --set values.cni.cniBinDir=/var/lib/rancher/k3s/data/current/bin/` to your `istioctl install` or `helm install` command to install Istio ambient, as K3S uses nonstandard locations for CNI configuration and binaries. These nonstandard locations may be overridden as well according to K3S documentation. If you are using K3S with a custom, non-bundled CNI, you must use the correct paths for those CNIs, e.g. `/etc/cni/net.d`; see the K3S docs for details.
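A small preflight helper that maps the platform names above to the `--set` flags listed on this page and refuses to emit them when the CNI directories are not present on the node, so a typo in the paths fails before `helm install` rather than after. This is an added example, not part of the Istio documentation; the optional second argument (a root prefix, assumed here for testing against a different tree) is not an Istio or Helm parameter.

```shell
#!/bin/sh
# ambient_cni_flags PLATFORM [ROOT]
#   Prints the Helm/istioctl --set flags for the given platform
#   (minikube, microk8s, k3d, k3s) after checking that the CNI
#   config and binary directories exist under ROOT (default "/").
ambient_cni_flags() {
    platform="$1"
    root="${2:-/}"
    case "$platform" in
        minikube)
            # Docker driver: only the netns dir differs; nothing to check on the host.
            echo '--set cni.cniNetnsDir=/var/run/docker/netns'
            return 0 ;;
        microk8s)
            conf=/var/snap/microk8s/current/args/cni-network
            bin=/var/snap/microk8s/current/opt/cni/bin ;;
        k3d)
            conf=/var/lib/rancher/k3s/agent/etc/cni/net.d
            bin=/bin ;;
        k3s)
            conf=/var/lib/rancher/k3s/agent/etc/cni/net.d
            bin=/var/lib/rancher/k3s/data/current/bin ;;
        *)
            echo "unknown platform: $platform" >&2
            return 2 ;;
    esac
    # Refuse to emit flags for paths that do not exist on this node.
    for d in "$conf" "$bin"; do
        if [ ! -d "${root%/}$d" ]; then
            echo "missing directory: ${root%/}$d" >&2
            return 1
        fi
    done
    echo "--set values.cni.cniConfDir=$conf --set values.cni.cniBinDir=$bin"
}
```

Typical use: `helm install istio-cni istio/cni -n istio-system $(ambient_cni_flags k3s)`, which aborts with a non-zero status and a message on stderr if the expected directories are missing.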
## CNI
### Cilium

- Cilium currently defaults to proactively deleting other CNI plugins and their config, and must be configured with `cni.exclusive = false` to properly support chaining. See the Cilium documentation for more details.
- Due to how Cilium manages node identity and internally allow-lists node-level health probes to pods, applying a default-DENY `NetworkPolicy` in a Cilium CNI install underlying Istio in ambient mode will cause `kubelet` health probes (which are by default exempted from NetworkPolicy enforcement by Cilium) to be blocked. This can be resolved by applying the following `CiliumClusterWideNetworkPolicy`:

    {{< text syntax=yaml snip_id=none >}}
    apiVersion: "cilium.io/v2"
    kind: CiliumClusterwideNetworkPolicy
    metadata:
      name: "allow-ambient-hostprobes"
    spec:
      description: "Allows SNAT-ed kubelet health check probes into ambient pods"
      endpointSelector: {}
      ingress:
      - fromCIDR:
        - "169.254.7.127/32"
    {{< /text >}}

    Please see issue #49277 and CiliumClusterWideNetworkPolicy for more details.