Istio Operator Install
Instead of manually installing, upgrading, and uninstalling Istio in a production environment, you can let the Istio operator manage the installation for you.
This relieves you of the burden of managing different istioctl versions.
Simply update the operator custom resource (CR) and the operator controller will apply the corresponding configuration changes for you.
The same IstioOperator API is used to install Istio with the operator as when using the istioctl install instructions.
In both cases, configuration is validated against a schema and the same correctness checks are performed.
Prerequisites
Perform any necessary platform-specific setup.
Check the Requirements for Pods and Services.
Install the istioctl command.
Deploy the Istio operator:
$ istioctl operator init
This command runs the operator by creating the following resources in the istio-operator namespace:
- The operator custom resource definition
- The operator controller deployment
- A service to access operator metrics
- Necessary Istio operator RBAC rules
You can configure which namespace the operator controller is installed in, the namespace(s) the operator watches, the installed Istio image sources and versions, and more. For example, you can pass one or more namespaces to watch using the --watchedNamespaces flag:
$ istioctl operator init --watchedNamespaces=istio-namespace1,istio-namespace2
See the istioctl operator init command reference for details.
Install
To install the Istio demo configuration profile using the operator, run the following command:
$ kubectl create ns istio-system
$ kubectl apply -f - <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: example-istiocontrolplane
spec:
  profile: demo
EOF
The controller will detect the IstioOperator resource and then install the Istio components corresponding to the specified (demo) configuration.
You can confirm the Istio control plane services have been deployed with the following commands:
$ kubectl get svc -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-egressgateway ClusterIP 10.103.243.113 <none> 80/TCP,443/TCP,15443/TCP 17s
istio-ingressgateway LoadBalancer 10.101.204.227 <pending> 15020:31077/TCP,80:30689/TCP,443:32419/TCP,31400:31411/TCP,15443:30176/TCP 17s
istiod ClusterIP 10.96.237.249 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP,53/UDP,853/TCP 30s 13s
$ kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
istio-egressgateway-5444c68db8-9h6dz 1/1 Running 0 87s
istio-ingressgateway-5c68cb968-x7qv9 1/1 Running 0 87s
istiod-598984548d-wjq9j 1/1 Running 0 99s
Update
Now, with the controller running, you can change the Istio configuration by editing or replacing the IstioOperator resource. The controller will detect the change and respond by updating the Istio installation correspondingly.
For example, you can switch the installation to the default profile with the following command:
$ kubectl apply -f - <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: example-istiocontrolplane
spec:
  profile: default
EOF
You can also enable or disable components and modify resource settings.
For example, to enable the istio-egressgateway component and increase pilot memory requests:
$ kubectl apply -f - <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: example-istiocontrolplane
spec:
  profile: default
  components:
    pilot:
      k8s:
        resources:
          requests:
            memory: 3072Mi
    egressGateways:
    - name: istio-egressgateway
      enabled: true
EOF
You can observe the changes that the controller makes in the cluster in response to IstioOperator CR updates by checking the operator controller logs:
$ kubectl logs -f -n istio-operator $(kubectl get pods -n istio-operator -lname=istio-operator -o jsonpath='{.items[0].metadata.name}')
Refer to the IstioOperator API for the complete set of configuration settings.
Canary Upgrade
You can use the operator to do a canary upgrade of an Istio control plane. The process is similar to the canary upgrade with istioctl.
For example, to upgrade the revision of Istio installed in the previous section, first verify that the IstioOperator CR named example-istiocontrolplane exists in your cluster:
$ kubectl get iop --all-namespaces
NAMESPACE NAME REVISION STATUS AGE
istio-system example-istiocontrolplane HEALTHY 11m
Then run the following command to install the new revision of the Istio control plane based on the in-cluster IstioOperator CR:
$ istioctl operator init --revision 1-7-0
After running the command, you will have two control plane deployments and services running side-by-side:
$ kubectl get pods -n istio-system -l app=istiod
NAME READY STATUS RESTARTS AGE
istiod-5f4f9dd5fc-4xc8p 1/1 Running 0 10m
istiod-1-7-0-55887f699c-t8bh8 1/1 Running 0 8m13s
$ kubectl -n istio-system get svc -l app=istiod
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istiod ClusterIP 10.87.7.69 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP,853/TCP 10m
istiod-1-7-0 ClusterIP 10.87.4.92 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP,853/TCP 7m55s
Uninstall
If you used the operator to perform a canary upgrade of the control plane, you can uninstall the old control plane and keep the new one by running the following command:
$ istioctl operator remove --revision <revision>
Otherwise, delete the in-cluster IstioOperator CR, which will uninstall all revisions of Istio that may be running:
$ kubectl delete istiooperators.install.istio.io -n istio-system example-istiocontrolplane
Wait until Istio is uninstalled - this may take some time. Delete the Istio operator:
$ istioctl operator remove
Or:
$ kubectl delete ns istio-operator --grace-period=0 --force
Note that deleting the operator before Istio is fully removed may result in leftover Istio resources. To clean up anything not removed by the operator:
$ istioctl manifest generate | kubectl delete -f -
$ kubectl delete ns istio-system --grace-period=0 --force
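The ordering constraint from the note above (remove the operator only after Istio itself is gone), as an added shell sketch that is not part of the Istio documentation. It assumes "uninstalled" means the IstioOperator CR and all app=istiod pods are absent from istio-system; the function names, POLL_SECONDS and MAX_POLLS are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the Istio docs. Resource names come from this page;
# POLL_SECONDS, MAX_POLLS and both function names are assumptions.
IOP_NS="${IOP_NS:-istio-system}"
IOP_NAME="${IOP_NAME:-example-istiocontrolplane}"
POLL_SECONDS="${POLL_SECONDS:-5}"
MAX_POLLS="${MAX_POLLS:-60}"

# Exit 0 only when the CR and every istiod pod are gone (assumed meaning of
# "uninstalled"). Exit 2 if the API call itself fails, so an unreachable
# cluster is never mistaken for a clean one.
istio_is_gone() {
  local cr pods
  cr=$(kubectl get istiooperators.install.istio.io -n "$IOP_NS" "$IOP_NAME" \
    --ignore-not-found -o name) || return 2
  pods=$(kubectl get pods -n "$IOP_NS" -l app=istiod -o name) || return 2
  [ -z "$cr" ] && [ -z "$pods" ]
}

# Delete the CR, poll until Istio is gone, and only then remove the operator.
# On timeout the operator is left running so it can finish the cleanup.
teardown_istio() {
  local polls=0
  kubectl delete istiooperators.install.istio.io -n "$IOP_NS" "$IOP_NAME" \
    --ignore-not-found --wait=false || return 1
  until istio_is_gone; do
    polls=$((polls + 1))
    if [ "$polls" -ge "$MAX_POLLS" ]; then
      echo "Istio still present after $polls polls; operator not removed" >&2
      return 1
    fi
    sleep "$POLL_SECONDS"
  done
  istioctl operator remove
}
```

Source the file and run teardown_istio; a non-zero exit means the operator was deliberately left in place and the uninstall should be inspected before retrying.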