The EKS add-on reduces the amount of work for you to install, configure, and update Istio. AWS validates that the add-on works on EKS, so you can be confident in using a secure, stable release. Each Istio version has two modes: Sidecar or Ambient. If you select the Ambient mode, Istio is configured in Ambient mode out of the box, requiring no additional adjustments or changes. Your organization might encourage you to use the add-on to meet internal compliance requirements or account spending obligations. For more information, see the AWS docs.
Due to a lack of support for the Istio CNI and iptables for the Istio proxy, you cannot run Istio (and therefore Gloo Mesh Core) on AWS Fargate. For more information, see the Amazon EKS issue.
Create or use existing EKS clusters. Keep in mind the following points:
The cluster must be able to run Istio, such as meeting the performance, and application requirements.
The cluster must run on a supported Kubernetes version. You can enable each version of the addon on an EKS cluster that supports the corresponding version of Istio.
The cluster name must be alphanumeric with no special characters except a hyphen (-), lowercase, and begin with a letter (not a number).
If you plan to use Gloo Mesh, you typically install Istio in data plane clusters that run your workloads. You don’t need to install Istio in the cluster that you plan to use for the Gloo Mesh management plane.
Install any CLI tools that you might need to work with your cluster, such as the following:
aws cli, the Amazon Web Services command line tool.
Scroll down to the AWS Marketplace add-ons section. In the search box, enter Istio and select Solo.io as the vendor to filter the results for the Solo.io Istio Distribution add-on.
Click the checkbox for the add-on, and then click Next.
If the Status field shows Requires subscription, click the View subscribtion options button and follow the AWS Marketplace prompts to subscribe to the add-on.
When the Status displays Ready to install, select the desired Istio version to install. Note that versions with an extra 0 at the end (for example, 1.23.00 instead of 1.23.0) show that this plugin configures Istio for Ambient mode.
In the Optional configuration settings section, you can customize the add-on by providing a YAML snippet in the bottom window. The JSON schema displayed in the top window lists the settings available for customization. The following example demonstrates how to enable Istio request logging, disable HPA, and manually specify the number of Istiod deployment replicas:
After keeping the default values or adjusting them in the Optional configuration settings section, you can proceed to the next step by clicking Next
Review the add-on details, and then click Create.
From the cluster details page, click the Add-ons tab and verify that the status is Active. If the installation takes more than a few minutes, review the add-on status. Common issues include a lack of compute resources to run Istio, such as no nodes.
Install the EKS add-on by using the eksctl command line tool. For complete EKS add-on instructions, see the AWS docs.
Get the name and region of the cluster that you want to install the add-on in.
eksctl get clusters -A
Set the name and region of the cluster that you want to install the add-on in. Replace <your-cluster-region> and <name-of-your-EKS-cluster> with the values that you got in the previous step.
# Set your cluster region (for example, us-west-2)
export REGION=<your-cluster-region>
# Set the name of your EKS cluster
export CLUSTER=<name-of-your-EKS-cluster>
Install the add-on, replacing the cluster and region with the values that you got in the previous step. For more options, such as specific version of the add-on, run eksctl create addon --help. Note: If you include an extra 0 in the version number (such as v1.22.30-eksbuild.1 instead of v1.22.3-eksbuild.1), Istio is deployed in Ambient mode. Without the extra 0, Istio is deployed in Sidecar mode.
To pass more parameters, you can create a temporary configuration manifest and apply it using eksctl. For example, to enable Istio request logging in Sidecar mode, disable HPA and specify the number of istiod deployment replicas manually:
Check that the status of the addon is ACTIVE with null issues. If the installation takes more than a few minutes, review the add-on status. Common issues include a lack of compute resources to run Istio, such as no nodes.
eksctl get addon --cluster $CLUSTER --region $REGION -oyaml
Install the EKS add-on by using the aws command line tool. For complete AWS command line tool add-on instructions, see the AWS docs.
Get the name and region of the cluster that you want to install the add-on in.
aws eks list-clusters --region $REGION
Set the name and region of the cluster that you want to install the add-on in. Replace <your-cluster-region> and <name-of-your-EKS-cluster> with the values that you got in the previous step.
# Set your cluster region (for example, us-west-2)
export REGION=<your-cluster-region>
# Set the name of your EKS cluster
export CLUSTER=<name-of-your-EKS-cluster>
Install the add-on. Note: If you include an extra 0 in the version number (such as v1.22.30-eksbuild.1 instead of v1.22.3-eksbuild.1), Istio is deployed in Ambient mode. Without the extra 0, Istio is deployed in Sidecar mode.
To pass custom parameters to an AWS EKS add-on, convert your YAML configuration to JSON. Then, pass the JSON in the aws command, such as in the following example to enable Istio request logging in Sidecar mode, disable HPA and specify the number of istiod deployment replicas manually. Note: If the add-on is already installed, use update-addon instead of create-addon in the aws command.)
Check that the status of the addon is ACTIVE with empty [] in Issues section. If the installation takes more than a few minutes, review the add-on status. Common issues include a lack of compute resources to run Istio, such as no nodes.
Install the EKS add-on by using Terraform, such as for a GitOps pipeline.
Get the cluster name, cluster region, and EKS add-on version that you want to install.
Use the following example inside of your Terraform project, or directly by saving the example as main.tf. Replace the region, cluster_name and addon_version with the values that you previously got. The configuration_values subsection is provided as an example. Decide on the values that you want to customize, or remove the section entirely if the default values are sufficient.
provider "aws" {
region = local.region
}
terraform {
required_version = ">= 1.0.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.47"
}
}
}
locals {
region = "<your-cluster-region>" # Replace with your cluster region (for example, us-west-2)
cluster_name = "<name-of-your-EKS-cluster>" # Replace with the name of your EKS cluster
# Replace with your desired add-on version.
# For Sidecar mode, use the standard version format (e.g., v1.22.3-eksbuild.1).
# For Ambient mode, add an extra '0' in the version number (e.g., v1.22.30-eksbuild.1).
addon_version = "v1.22.3-eksbuild.1"
}
resource "aws_eks_addon" "solo-io_istio-distro" {
cluster_name = local.cluster_name
addon_name = "solo-io_istio-distro"
resolve_conflicts_on_update = "OVERWRITE"
addon_version = local.addon_version
configuration_values = jsonencode({
meshConfig : {
accessLogFile : "/dev/stdout"
},
pilot : {
autoscaleEnabled : false,
replicaCount : 2
}
})
}
From the directory of the main.tf file, run the Terraform commands to build the EKS add-on infrastructure.
terraform init
terraform plan
terraform apply -auto-approve
If you applied custom configurations, you can verify them within the related components of your EKS cluster.
For instance, to confirm the meshConfig example mentioned earlier, check the configuration via the ConfigMap with the following command.
If you customized a setting such as the number of replicas in the previous example, verify that your changes are made. For example, the following command verifies that the replicas are now set to 2.
Add-on management: The EKS add-on simplifies installing Istio. When Solo releases a new version of Istio for the EKS add-on, you can upgrade to this version by following the AWS guide.
In the search box, enter solo to filter the results for the Solo.io Istio Distribution add-on.
Click the add-on, and then click Remove.
In the pop-up window, type the add-on name and click Remove. You can keep Istio running in your cluster but disable EKS add-on management by toggling Preserve on cluster.
Note: To keep Istio running in your cluster but turn off EKS add-on management, include the --preserve option.