我的书签
添加书签
移除书签Istio Operator Install
The same is used to install Istio with the operator as when using the istioctl install instructions. In both cases, configuration is validated against a schema and the same correctness checks are performed.
Using an operator does have a security implication. With the istioctl install command, the operation will run in the admin user’s security context, whereas with an operator, an in-cluster pod will run the operation in its security context. To avoid a vulnerability, ensure that the operator deployment is sufficiently secured.
Perform any necessary .
Check the Requirements for Pods and Services.
Install the .
Deploy the Istio operator:
This command runs the operator by creating the following resources in the
istio-operatornamespace:- The operator custom resource definition
- The operator controller deployment
- A service to access operator metrics
- Necessary Istio operator RBAC rules
You can configure which namespace the operator controller is installed in, the namespace(s) the operator watches, the installed Istio image sources and versions, and more. For example, you can pass one or more namespaces to watch using the
--watchedNamespacesflag:$ istioctl operator init --watchedNamespaces=istio-namespace1,istio-namespace2
See the
istioctl operator initcommand reference for details.You can alternatively deploy the operator using Helm:
$ helm install istio-operator manifests/charts/istio-operator \--set operatorNamespace=istio-operator \--set watchedNamespaces="istio-namespace1\,istio-namespace2"
Prior to Istio 1.9.0, installations using the Helm charts required hub and tag arguments:
--set global.hub="docker.io/istio"and--set global.tag="1.8.2". As of Istio 1.9.0 these are no longer required.Note that you need to to run the above command.
Install
$ kubectl apply -f - <<EOFapiVersion: install.istio.io/v1alpha1kind: IstioOperatormetadata:namespace: istio-systemname: example-istiocontrolplanespec:profile: demoEOF
The controller will detect the IstioOperator resource and then install the Istio components corresponding to the specified (demo) configuration.
If you used --watchedNamespaces when you initialized the Istio operator, apply the IstioOperator resource in one of the watched namespaces, instead of in istio-system.
The Istio control plane (istiod) will be installed in the istio-system namespace by default. To install it in a different location, specify the namespace using the values.global.istioNamespace field as follows:
apiVersion: install.istio.io/v1alpha1kind: IstioOperator...spec:values:global:istioNamespace: istio-namespace1
The Istio operator controller begins the process of installing Istio within 90 seconds of the creation of the IstioOperator resource. The Istio installation completes within 120 seconds.
You can confirm the Istio control plane services have been deployed with the following commands:
$ kubectl get svc -n istio-systemNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGEistio-ingressgateway LoadBalancer 10.101.204.227 <pending> 15020:31077/TCP,80:30689/TCP,443:32419/TCP,31400:31411/TCP,15443:30176/TCP 17sistiod ClusterIP 10.96.237.249 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP,53/UDP,853/TCP 30s 13s
$ kubectl get pods -n istio-systemNAME READY STATUS RESTARTS AGEistio-egressgateway-5444c68db8-9h6dz 1/1 Running 0 87sistio-ingressgateway-5c68cb968-x7qv9 1/1 Running 0 87sistiod-598984548d-wjq9j 1/1 Running 0 99s
Now, with the controller running, you can change the Istio configuration by editing or replacing the IstioOperator resource. The controller will detect the change and respond by updating the Istio installation correspondingly.
For example, you can switch the installation to the default profile with the following command:
You can also enable or disable components and modify resource settings. For example, to enable the istio-egressgateway component and increase pilot memory requests:
$ kubectl apply -f - <<EOFapiVersion: install.istio.io/v1alpha1kind: IstioOperatormetadata:namespace: istio-systemname: example-istiocontrolplanespec:profile: defaultcomponents:pilot:k8s:resources:requests:memory: 3072MiegressGateways:- name: istio-egressgatewayenabled: trueEOF
You can observe the changes that the controller makes in the cluster in response to IstioOperator CR updates by checking the operator controller logs:
Refer to the IstioOperator API for the complete set of configuration settings.
In-place Upgrade
Download and extract the istioctl corresponding to the version of Istio you wish to upgrade to. Reinstall the operator at the target Istio version:
$ <extracted-dir>/bin/istioctl operator init
You should see that the istio-operator pod has restarted and its version has changed to the target version:
$ kubectl get pods --namespace istio-operator \-o=jsonpath='{range .items[*]}{.metadata.name}{":\t"}{range .spec.containers[*]}{.image}{", "}{end}{"\n"}{end}'
$ kubectl get pods --namespace istio-system \-o=jsonpath='{range .items[*]}{"\n"}{.metadata.name}{":\t"}{range .spec.containers[*]}{.image}{", "}{end}{"\n"}{end}'
The process for canary upgrade is similar to the .
For example, to upgrade the revision of Istio installed in the previous section, first verify that the CR named example-istiocontrolplane exists in your cluster:
$ kubectl get iop --all-namespacesNAMESPACE NAME REVISION STATUS AGEistio-system example-istiocontrolplane HEALTHY 11m
Download and extract the istioctl corresponding to the version of Istio you wish to upgrade to. Then, run the following command to install the new target revision of the Istio control plane based on the in-cluster IstioOperator CR (here, we assume the target revision is 1.8.1):
You can alternatively use Helm to deploy another operator with a different revision setting:
$ helm install istio-operator manifests/charts/istio-operator \--set operatorNamespace=istio-operator \--set watchedNamespaces=istio-system \--set revision=1-9-0
Prior to Istio 1.9.0, installations using the Helm charts required hub and tag arguments: --set global.hub="docker.io/istio" and --set global.tag="1.8.2". As of Istio 1.9.0 these are no longer required.
Note that you need to download the Istio release to run the above command.
Make a copy of the example-istiocontrolplane CR and save it in a file named example-istiocontrolplane-1-8-1.yaml. Change the name to example-istiocontrolplane-1-8-1 and add revision: 1-8-1 to the CR. Your updated IstioOperator CR should look something like this:
$ cat example-istiocontrolplane-1-8-1.yamlapiVersion: install.istio.io/v1alpha1kind: IstioOperatormetadata:namespace: istio-systemname: example-istiocontrolplane-1-8-1spec:revision: 1-8-1profile: demo
Apply the updated IstioOperator CR to the cluster. After that, you will have two control plane deployments and services running side-by-side:
$ kubectl get pod -n istio-system -l app=istiodNAME READY STATUS RESTARTS AGEistiod-1-8-1-597475f4f6-bgtcz 1/1 Running 0 64sistiod-6ffcc65b96-bxzv5 1/1 Running 0 2m11s
$ kubectl get svc -n istio-system -l app=istiodNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGEistiod ClusterIP 10.104.129.150 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP,853/TCP 2m35sistiod-1-8-1 ClusterIP 10.111.17.49 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 88s
To complete the upgrade, label the workload namespaces with istio.io/rev=1-8-1 and restart the workloads, as explained in the documentation.
Uninstall
If you used the operator to perform a canary upgrade of the control plane, you can uninstall the old control plane and keep the new one by deleting the old in-cluster IstioOperator CR, which will uninstall the old revision of Istio:
$ kubectl delete istiooperators.install.istio.io -n istio-system example-istiocontrolplane
Wait until Istio is uninstalled - this may take some time.
Then you can remove the Istio operator for the old revision by running the following command:
$ istioctl operator remove --revision <revision>
Note that deleting the operator before the IstioOperator CR and corresponding Istio revision are fully removed may result in leftover Istio resources. To clean up anything not removed by the operator:
