Install Istio with the Istio CNI plugin

    By default Istio injects an , istio-init, in pods deployed inthe mesh. The istio-init container sets up the pod network trafficredirection to/from the Istio sidecar proxy. This requires the user orservice-account deploying pods to the mesh to have sufficient Kubernetes RBACpermissions to deploy NET_ADMIN containers.Requiring Istio users to have elevated Kubernetes RBAC permissions isproblematic for some organizations’ security compliance. The Istio CNI pluginis a replacement for the istio-init container that performs the samenetworking functionality but without requiring Istio users to enable elevatedKubernetes RBAC permissions.

    The Istio CNI plugin performs the Istio mesh pod traffic redirection in the Kubernetes pod lifecycle’s networksetup phase, thereby removing the for users deploying pods into the Istio mesh. The Istio CNI pluginreplaces the functionality provided by the istio-init container.

    • Install Kubernetes with the ServiceAccount admission controller enabled.

      • The Kubernetes documentation highly recommends this for all Kubernetes installationswhere ServiceAccounts are utilized.

    • Determine the Kubernetes environment’s CNI plugin —cni-bin-dir and —cni-conf-dir settings.Refer to for any non-default settings required.

    • Install Istio CNI and Istio using istioctl.Refer to the Istio install instructions and pass —set cni.enabled=true option.Pass —set values.cni.cniBinDir=… and/or —set values.cni.cniConfDir=… options when installing istio-cni if non-default,as determined in the previous step.

    The following table shows all the options that the istio-cni configuration supports:

    These options are accessed through values.cni.<option-name> in istioctl manifest commands, either as a —set flag,or the corresponding path in a custom overlay file.

    Excluding specific Kubernetes namespaces

    This example uses Istioctl to perform the following tasks:

    • Install the Istio CNI plugin.
    • Configure its log level.
    • Ignore the pods in the following namespaces:
      • istio-system
      • foo_ns
      • bar_ns

    Refer to the Customizable Install with Istioctl for complete instructions.

    Use the following command to render and apply Istio CNI components and override the default configuration of thelogLevel and excludeNamespaces parameters for istio-cni:

    Hosted Kubernetes settings

    The Istio CNI solution is not ubiquitous. Some platforms, especially hosted Kubernetes environments, do not enable theCNI plugin in the kubelet configuration.The istio-cni plugin is expected to work with any hosted Kubernetes leveraging CNI plugins.The following table shows the required settings for many common Kubernetes environments.

    For existing clusters, this redeploys all nodes.

    The use of the Istio CNI plugin requires Kubernetes pods to be deployed with a sidecar injection methodthat uses the istio-sidecar-injector configmap created from the installation with the—set cni.enabled=true option. Refer to Istio sidecar injectionfor details about Istio sidecar injection methods.

    The following sidecar injection methods are supported for use with the Istio CNI plugin:

    • Manual sidecar injection with the istio-sidecar-injector configmap

      • using the configmap directly:
    • istioctl kube-inject using a file created from the configmap:

    The Istio CNI plugin handles Kubernetes pod create and delete events and does the following:

    • Identify Istio user application pods with Istio sidecars requiring traffic redirection
    • Perform pod network namespace configuration to redirect traffic to/from the Istio sidecar

    Identifying pods requiring traffic redirection

    The Istio CNI plugin identifies pods requiring traffic redirection to/from theaccompanying Istio proxy sidecar by checking that the pod meets all of the following conditions:

    • The pod is NOT in a Kubernetes namespace in the configured exclude_namespaces list.
    • The pod has a container named istio-proxy.
    • The pod has more than 1 container.
    • The pod has no annotation with key sidecar.istio.io/inject OR the value of the annotation is true.

    Traffic redirection parameters

    To redirect traffic in the application pod’s network namespace to/from the Istio proxy sidecar, the IstioCNI plugin configures the namespace’s iptables. The following table describes the parameters to theredirect functionality. To override the default values for the parameters, set the correspondingapplication pod annotation key.

    The Istio CNI plugin runs in the container runtime process space.Due to this, the kubelet process writes the plugin’s log entries into its log.

    Compatibility with application init containers

    The Istio CNI plugin may cause networking connectivity problems for any application initContainers. When using Istio CNI, kubeletstarts an injected pod with the following steps:

    • The Istio CNI plugin sets up traffic redirection to the Istio sidecar proxy within the pod.
    • All init containers execute and complete successfully.
    • The Istio sidecar proxy starts in the pod along with the pod’s other containers.Init containers execute before the sidecar proxy starts, which can result in traffic loss during their execution.Avoid this traffic loss with one or both of the following settings:
    • Set the traffic.sidecar.istio.io/excludeOutboundIPRanges annotation to disable redirecting traffic to anyCIDRs the init containers communicate with.

    Compatibility with other CNI plugins

    The Istio CNI plugin maintains compatibility with the same set of CNI plugins as the current NET_ADMIN container.

    The Istio CNI plugin should not interfere with the operations of the base CNI plugin that configures the pod’snetworking setup, although not all CNI plugins have been validated.

    Install and configure Istio for in-depth evaluation or production use.

    Helm Changes

    Details the Helm chart installation options differences between Istio 1.1 and Istio 1.2.

    Details the Helm chart installation options differences between Istio 1.0 and Istio 1.1.

    Helm Changes

    Details the Helm chart installation options differences between Istio 1.2 and Istio 1.3.

    Describes the options available when installing Istio using Helm charts.

    Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI.