Install Istio in ambient mode
Use the Solo distribution of Istio to deploy Istio in ambient mode.
Considerations
Before you install Istio in ambient mode, review the following considerations and requirements.
Feature maturity
Ambient is a beta feature. For more information, see Gloo feature maturity.
Single-cluster limitation
Currently, Istio in ambient mode is supported only for single clusters. Ambient mode in a multicluster environment where apps in different clusters can communicate through east-west routing as part of a single service mesh is not supported. However, you can still deploy separate ambient service meshes to multiple, individual workload clusters.
Revision and canary upgrade limitations
Currently, revisions are supported only for the istiod control plane and Istio gateways in ambient installations. Due to an upstream ambient limitation, the ztunnel and Istio CNI pods do not support revisions, and can only be upgraded in-place. For example, if you specify a named revision in the spec.installations.revision field, you can then perform a canary upgrade to switch from the old revision of the Istio control plane and gateways to the new revision. However, ztunnel and Istio CNI pods must be upgraded in-place.
Sidecar and ambient installations
Gloo Mesh Core does not currently support multiple installations of Istio in both sidecar and ambient modes. If you already installed Istio in sidecar mode, uninstall your Istio installation before you install Istio in ambient mode.
Before you begin
Install Gloo Mesh Core by following the single cluster getting started guide or the Helm single cluster setup guide. Do not install Istio as part of your setup.
If you already installed Istio in sidecar mode, uninstall your Istio installation. Gloo Mesh Core does not currently support multiple installations of Istio in both sidecar and ambient modes.
Install Istio in ambient mode
Install the CLI for the Solo distribution of Istio. You can find the CLI version and the repository from which to download that version in the Istio images built by Solo.io support article.
Set environment variables for the Solo distribution of Istio repository and image version that you want to install. You can find these values in the Istio images built by Solo.io support article.
export REPO=<repo-key>
export ISTIO_IMAGE=<image-tag>-solo
Istio 1.20 is supported only as patch version 1.20.1-patch1 and later. Do not use patch versions 1.20.0 and 1.20.1, which contain bugs that impact several Gloo Mesh Core features that rely on Istio ServiceEntries.
Install the Istio operator.
istioctl operator init \
  --hub $REPO \
  --tag $ISTIO_IMAGE
Create the istio-system namespace.
kubectl create ns istio-system
Create an IstioOperator custom resource to set up Istio with the ambient profile.
kubectl apply -f- <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: example-istiocontrolplane
spec:
  hub: $REPO
  tag: $ISTIO_IMAGE
  components:
    cni:
      enabled: true
      namespace: kube-system
  profile: ambient
  values:
    ztunnel:
      meshConfig:
        defaultConfig:
          proxyMetadata:
            ISTIO_META_DNS_CAPTURE: "true"
            ISTIO_META_DNS_AUTO_ALLOCATE: "false"
            DNS_PROXY_ADDR: "0.0.0.0:15053"
  meshConfig:
    defaultConfig:
      proxyMetadata:
        ISTIO_META_DNS_CAPTURE: "true"
        ISTIO_META_DNS_AUTO_ALLOCATE: "false"
        DNS_PROXY_ADDR: "0.0.0.0:15053"
    accessLogFile: /dev/stdout
EOF
Verify that the components of the Istio ambient mesh are successfully installed. Because the ztunnel is deployed as a daemon set, the number of ztunnel pods equals the number of nodes in your cluster. Note that it might take a few seconds for the pods to become available.
kubectl get pods -n istio-system
Example output:
istiod-d765ff7cf-46dbm   1/1   Running   0   2m4s
ztunnel-648wc            1/1   Running   0   2m8s
ztunnel-6rhp5            1/1   Running   0   2m8s
ztunnel-hllxg            1/1   Running   0   2m8s
ztunnel-mg4w7            1/1   Running   0   2m8s
ztunnel-s8j5t            1/1   Running   0   2m8s
ztunnel-xgvnc            1/1   Running   0   2m8s
Verify that the Istio CNI pods are up and running. Because the Istio CNI is deployed as a daemon set, the number of Istio CNI pods equals the number of nodes in your cluster.
kubectl get pods -n kube-system | grep istio-cni
Example output:
istio-cni-node-55kj6   2/2   Running   0   62s
istio-cni-node-5cz2q   2/2   Running   0   62s
istio-cni-node-cp469   2/2   Running   0   62s
istio-cni-node-h2ckw   2/2   Running   0   62s
istio-cni-node-mdsnt   2/2   Running   0   62s
istio-cni-node-s7wb2   2/2   Running   0   62s
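The two verification steps above rely on counting pods by eye. The following script is an added example, not part of the Solo.io documentation: it parses `kubectl get pods` output and fails when the number of fully ready ztunnel or Istio CNI pods differs from the node count. The function names count_ready and check_coverage are hypothetical, and the sample listing is copied from the example output on this page.

```shell
#!/bin/sh
# Added example: check that a daemon set's pods cover every node.

# count_ready PREFIX
# Reads `kubectl get pods` text on stdin and prints how many pods whose name
# starts with PREFIX are Running with every container ready (READY is n/n).
count_ready() {
  awk -v p="$1" '
    index($1, p) == 1 && $3 == "Running" {
      split($2, r, "/")                 # READY column, e.g. 2/2
      if (r[1] == r[2] && r[2] > 0) n++
    }
    END { print n + 0 }'
}

# check_coverage PREFIX NODES
# Succeeds only when the number of ready PREFIX pods equals NODES.
check_coverage() {
  cc_ready=$(count_ready "$1")
  if [ "$cc_ready" -eq "$2" ]; then
    echo "OK: $cc_ready/$2 $1 pods ready"
  else
    echo "FAIL: $cc_ready/$2 $1 pods ready" >&2
    return 1
  fi
}

# Sample listing from this page (header row added; six-node cluster).
SAMPLE_ISTIO_SYSTEM='NAME READY STATUS RESTARTS AGE
istiod-d765ff7cf-46dbm 1/1 Running 0 2m4s
ztunnel-648wc 1/1 Running 0 2m8s
ztunnel-6rhp5 1/1 Running 0 2m8s
ztunnel-hllxg 1/1 Running 0 2m8s
ztunnel-mg4w7 1/1 Running 0 2m8s
ztunnel-s8j5t 1/1 Running 0 2m8s
ztunnel-xgvnc 1/1 Running 0 2m8s'

# Against a live cluster (assumes kubectl access to the cluster):
#   nodes=$(kubectl get nodes --no-headers | wc -l)
#   kubectl get pods -n istio-system | check_coverage ztunnel- "$nodes"
#   kubectl get pods -n kube-system  | check_coverage istio-cni-node- "$nodes"
```

A pod that is Running but not fully ready (for example 1/2) is not counted, so the check also fails while pods are still starting.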