Istio
Upgrade Istio Manifests
Istio ships with an installer called istioctl, which is a deployment /
debugging / configuration management tool for Istio all in one package.
In this section, we explain how to upgrade our istio kustomize packages
by leveraging istioctl. Assuming the new version is X.Y.Z and the
old version is X1.Y1.Z1:
- Make a copy of the old istio manifests tree, which will become the kustomization for the new Istio version:

  ```sh
  export MANIFESTS_SRC=<path/to/manifests/repo>
  export ISTIO_OLD=$MANIFESTS_SRC/common/istio-X1-Y1
  export ISTIO_NEW=$MANIFESTS_SRC/common/istio-X-Y
  cp -a $ISTIO_OLD $ISTIO_NEW
  ```

- Download istioctl for version X.Y.Z:

  ```sh
  $ ISTIO_VERSION="X.Y.Z"
  $ wget "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz"
  $ tar xvfz istio-${ISTIO_VERSION}-linux-amd64.tar.gz
  # sudo mv istio-${ISTIO_VERSION}/bin/istioctl /usr/local/bin/istioctl
  ```

- Generate manifests and add them to their respective packages. We will generate manifests using istioctl, the profile.yaml file from upstream and the profile-overlay.yaml file that contains our desired changes:

  ```sh
  export PATH="$MANIFESTS_SRC/scripts:$PATH"
  cd $ISTIO_NEW
  istioctl manifest generate --cluster-specific -f profile.yaml -f profile-overlay.yaml > dump.yaml
  ./split-istio-packages -f dump.yaml
  mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base
  mv $ISTIO_NEW/install.yaml $ISTIO_NEW/istio-install/base
  mv $ISTIO_NEW/cluster-local-gateway.yaml $ISTIO_NEW/cluster-local-gateway/base
  rm dump.yaml
  ```
NOTE
split-istio-packages is a python script in the same folder as this file. The ruamel.yaml version used is 0.16.12. --cluster-specific is a flag that determines whether the current K8s cluster context will be used to dynamically detect default settings. Ensure you have a target cluster ready before running the above commands. We target Kubernetes 1.32+ for compatibility. The --cluster-specific flag helps ensure generated resources are compatible with your cluster version and configuration.
Changes to Istio's upstream manifests
Changes to the upstream IstioOperator profile
Changes to Istio's upstream profile default are the following:
- Add a cluster-local-gateway component for Kserve. Knative-local-gateway is now obsolete, see https://github.com/kubeflow/manifests/pull/2355/commits/adc00b804404ea08685a044ae595be0bed9adb59.
- Disable the EgressGateway component. We do not use it and it adds unnecessary complexity.
These changes are captured in the profile-overlay.yaml file.
Changes to the upstream manifests using kustomize
The Istio kustomizations make the following changes:
- Remove PodDisruptionBudget from istio-install and cluster-local-gateway kustomizations. See:
- Add Istio AuthorizationPolicy to allow all requests to the Istio Ingressgateway and the Istio cluster-local gateway.
- Add Istio AuthorizationPolicy in Istio's root namespace, so that sidecars deny traffic by default (explicit deny-by-default authorization model).
- Add Gateway CRs for the Istio Ingressgateway and the Istio cluster-local gateway, as istioctl stopped generating them in later versions.
- Add the istio-system namespace object to istio-namespace, as istioctl stopped generating it in later versions.
- Configure TCP KeepAlives.
- Disable tracing as it causes DNS breakdown. See: https://github.com/istio/istio/issues/29898
- Set ENABLE_DEBUG_ON_HTTP=false according to https://istio.io/latest/docs/ops/best-practices/security/#control-plane
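As an added illustration of the two AuthorizationPolicy changes listed above (example manifests written for this README, not the repository's own kustomize files), the deny-by-default root-namespace policy and the allow-all policies for the two gateways can be expressed like this. It assumes istio-system is the Istio root namespace (the istioctl default), the upstream `istio: ingressgateway` workload label for the ingress gateway, and an `istio: cluster-local-gateway` label for the cluster-local gateway, which is an assumption.

```yaml
# Root-namespace policy: an empty spec matches every workload in the mesh
# and grants nothing, so any request that no other policy explicitly allows
# is rejected by the sidecar (explicit deny-by-default).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: global-deny-all
  namespace: istio-system   # assumed Istio root namespace
spec: {}
---
# Gateway exception: a single empty rule matches all requests, so traffic
# entering through the ingress gateway is allowed; downstream sidecars still
# enforce their own (deny-by-default) policies.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: istio-ingressgateway-allow-all
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway   # upstream default label for the ingress gateway
  rules:
  - {}
---
# Same exception for the cluster-local gateway used by KServe.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: cluster-local-gateway-allow-all
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: cluster-local-gateway   # assumed label of the cluster-local gateway pods
  rules:
  - {}
```

The selector-less policy in the root namespace is what makes the model deny-by-default; without it, a workload with no matching AuthorizationPolicy would accept all requests.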