Install Istio by using the Istio Lifecycle Manager

Streamline the Istio installation process by using Gloo Mesh to install Istio in your workload clusters, as part of the Istio lifecycle management.

With a Gloo Mesh-managed installation, you no longer need to use istioctl to individually install Istio in each workload cluster. Instead, you can supply IstioOperator configurations in IstioLifecycleManager and GatewayLifecycleManager resources to your management cluster. Gloo Mesh translates these resources into Istio control planes, gateways, and related resources in your registered workload clusters for you.

Before you begin

  1. Review the version reference to choose the Solo distribution of Istio that you want to use, and save the version information in the following environment variables.

    • For REPO, use the repo key for the Solo distribution of Istio that you can get by logging in to the Support Center and reviewing the Istio images built by Solo.io support article.
    • For ISTIO_IMAGE, save the version that you want to use with the solo tag, such as 1.20.2-solo. You can optionally append other tags of Solo distributions of Istio as needed.
      Istio 1.20 is supported only as patch version 1.20.1-patch1 and later. Do not use patch versions 1.20.0 and 1.20.1, which contain bugs that impact several Gloo Platform features that rely on Istio ServiceEntries.
    • For REVISION, take the Istio major and minor versions and replace the periods with hyphens, such as 1-20.
      • Note: For testing environments only, you can deploy a revisionless installation. Revisionless installations permit in-place upgrades, which are quicker than the canary-based upgrades that are required for revisioned installations. To omit a revision, skip setting the revision environment variable. Then in subsequent steps, you edit the sample files that you download to remove the revision and gatewayRevision fields. Note that if you deploy multiple Istio installations in the same cluster, only one installation can be revisionless.
    export REPO=<repo-key>
    export ISTIO_IMAGE=1.20.2-solo
    export REVISION=1-20
    
  2. Deploy managed Istio in a multicluster or single-cluster setup.

Throughout this guide, you use example configuration files that have pre-filled values. You can update some of the values, but unexpected behaviors might occur. For example, if you change the default istio-ingressgateway name, you cannot also use Kubernetes horizontal pod autoscaling. For more information, see the Troubleshooting docs.

If your organization restricts elevated Kubernetes RBAC permissions for security reasons, you might need to install the Istio CNI plug-in. The OpenShift steps provide an example. For more information, see the Istio docs.

Manage Istio installations in a multicluster setup

  1. Set the names of your clusters from your infrastructure provider. If your clusters have different names, specify those names instead.

    export REMOTE_CLUSTER1=<cluster1>
    export REMOTE_CLUSTER2=<cluster2>
    ...
    
  2. Save the kubeconfig contexts for your clusters. Run kubectl config get-contexts, look for your cluster in the CLUSTER column, and get the context name in the NAME column. Note: Do not use context names with underscores. The context name is used as a SAN specification in the generated certificate that connects workload clusters to the management cluster, and underscores in SAN are not FQDN compliant. You can rename a context by running kubectl config rename-context "<oldcontext>" <newcontext>.
    export MGMT_CONTEXT=<management-cluster-context>
    export REMOTE_CONTEXT1=<remote-cluster1-context>
    export REMOTE_CONTEXT2=<remote-cluster2-context>
    ...
    
  3. Prepare an IstioLifecycleManager resource to manage istiod control planes.

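    1. Download the example file. For OpenShift clusters, follow the numbered substeps after this command instead, which end by downloading the OpenShift version of the file.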
      curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/gm-managed/gm-istiod.yaml > gm-istiod.yaml
      
      1. Elevate the permissions of the following service accounts that will be created. These permissions allow the Istio sidecars to make use of a user ID that is normally restricted by OpenShift. For more information, see the Istio on OpenShift documentation.
        oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system --context $REMOTE_CONTEXT1
        oc adm policy add-scc-to-group anyuid system:serviceaccounts:gloo-mesh-gateways --context $REMOTE_CONTEXT1
        # Update revision as needed
        oc adm policy add-scc-to-group anyuid system:serviceaccounts:gm-iop-1-20 --context $REMOTE_CONTEXT1
        
        oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system --context $REMOTE_CONTEXT2
        oc adm policy add-scc-to-group anyuid system:serviceaccounts:gloo-mesh-gateways --context $REMOTE_CONTEXT2
        # Update revision as needed
        oc adm policy add-scc-to-group anyuid system:serviceaccounts:gm-iop-1-20 --context $REMOTE_CONTEXT2
        
      2. Create the gloo-mesh-gateways project, and create a NetworkAttachmentDefinition custom resource for the project.
        kubectl create ns gloo-mesh-gateways --context $REMOTE_CONTEXT1
        cat <<EOF | oc --context $REMOTE_CONTEXT1 -n gloo-mesh-gateways create -f -
        apiVersion: "k8s.cni.cncf.io/v1"
        kind: NetworkAttachmentDefinition
        metadata:
          name: istio-cni
        EOF
        
        kubectl create ns gloo-mesh-gateways --context $REMOTE_CONTEXT2
        cat <<EOF | oc --context $REMOTE_CONTEXT2 -n gloo-mesh-gateways create -f -
        apiVersion: "k8s.cni.cncf.io/v1"
        kind: NetworkAttachmentDefinition
        metadata:
          name: istio-cni
        EOF
        
      3. Download the gm-istiod.yaml example file.
        curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/gm-managed/gm-istiod-openshift.yaml > gm-istiod.yaml
        
    2. Update the example file with the environment variables that you previously set. Save the updated file as gm-istiod-values.yaml.
      • For example, you can run a terminal command to substitute values:
        envsubst < gm-istiod.yaml > gm-istiod-values.yaml
        
    3. Verify that the configuration is correct. For example, in spec.installations.clusters, verify that entries are listed for each workload cluster name. You can also further edit the file to provide your own details. For more information, see the API reference.
      open gm-istiod-values.yaml
      

      For testing environments only, you can deploy a revisionless installation by removing the revision field from gm-istiod-values.yaml. Revisionless installations permit in-place upgrades, which are quicker than the canary-based upgrades that are required for revisioned installations. Note that if you deploy multiple Istio installations in the same cluster, only one installation can be revisionless.

    4. Apply the IstioLifecycleManager resource to your management cluster.
      kubectl apply -f gm-istiod-values.yaml --context $MGMT_CONTEXT
      
  4. Prepare a GatewayLifecycleManager custom resource to manage the east-west gateways.

    1. Download the gm-ew-gateway.yaml example file.
      curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/gm-managed/gm-ew-gateway.yaml > gm-ew-gateway.yaml
      
    2. Update the example file with the environment variables that you previously set. Save the updated file as gm-ew-gateway-values.yaml.
      • For example, you can run a terminal command to substitute values:
        envsubst < gm-ew-gateway.yaml > gm-ew-gateway-values.yaml
        
    3. Verify that the configuration is correct. For example, in spec.installations.clusters, verify that entries are listed for each workload cluster name. You can also further edit the file to provide your own details. For more information, see the API reference.
      open gm-ew-gateway-values.yaml
      

      For revisionless installations in testing environments only, remove the gatewayRevision fields.

    4. Apply the GatewayLifecycleManager resource to your management cluster.
      kubectl apply -f gm-ew-gateway-values.yaml --context $MGMT_CONTEXT
      
  5. Optional: If you have a Gloo Gateway license, prepare a GatewayLifecycleManager custom resource to manage the ingress gateways.

    1. Download the gm-ingress-gateway.yaml example file.
      curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/gm-managed/gm-ingress-gateway.yaml > gm-ingress-gateway.yaml
      
    2. Update the example file with the environment variables that you previously set. Save the updated file as gm-ingress-gateway-values.yaml.
      • For example, you can run a terminal command to substitute values:
        envsubst < gm-ingress-gateway.yaml > gm-ingress-gateway-values.yaml
        
    3. Verify that the configuration is correct. For example, in spec.installations.clusters, verify that entries are listed for each workload cluster name. You can also further edit the file to provide your own details. For more information, see the API reference.
      open gm-ingress-gateway-values.yaml
      
      • You can add cloud provider-specific load balancer annotations to the istioOperatorSpec.components.ingressGateways.k8s section. For example, you might add the following AWS annotations to the end of the file:
                ...
                  k8s:
                    service:
                      ...
                    serviceAnnotations:
                      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
                      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
                      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
                      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
                      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:<cert>"
                      service.beta.kubernetes.io/aws-load-balancer-type: external
        
      • For revisionless installations in testing environments only, remove the gatewayRevision fields.
    4. Apply the GatewayLifecycleManager resource to your management cluster.
      kubectl apply -f gm-ingress-gateway-values.yaml --context $MGMT_CONTEXT
      
  6. Verify that the namespaces for your Istio installations are created in each workload cluster.

    kubectl get ns --context $REMOTE_CONTEXT1
    kubectl get ns --context $REMOTE_CONTEXT2
    

    For example, the gm-iop-1-20, gloo-mesh-gateways, and istio-system namespaces are created:

    NAME               STATUS   AGE
    default            Active   56m
    gloo-mesh          Active   36m
    gm-iop-1-20        Active   91s
    gloo-mesh-gateways Active   90s
    istio-system       Active   91s
    kube-node-lease    Active   57m
    kube-public        Active   57m
    kube-system        Active   57m
    
  7. In each namespace, verify that the Istio resources that you specified in your Istio operator configuration are successfully installing. For example, verify that the Istio control plane pods are running.

    kubectl get all -n gm-iop-1-20 --context $REMOTE_CONTEXT1
    

    Example output:

    NAME                                         READY   STATUS    RESTARTS   AGE
    pod/istio-operator-1-20-678fd95cc6-ltbvl     1/1     Running   0          4m12s
    
    NAME                            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
    service/istio-operator-1-20     ClusterIP   10.204.15.247   <none>        8383/TCP   4m12s
    
    NAME                                    READY   UP-TO-DATE   AVAILABLE   AGE
    deployment.apps/istio-operator-1-20     1/1     1            1           4m12s
    
    NAME                                               DESIRED   CURRENT   READY   AGE
    replicaset.apps/istio-operator-1-20-678fd95cc6     1         1         1       4m12s
    
    kubectl get all -n istio-system --context $REMOTE_CONTEXT1
    

    Example output:

    NAME                            READY   STATUS    RESTARTS   AGE
    pod/istiod-1-20-b65676555-g2vmr     1/1     Running   0          8m57s
    
    NAME                    TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)                                 AGE
    service/istiod-1-20     ClusterIP   10.204.6.56   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   8m56s
    
    NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
    deployment.apps/istiod-1-20     1/1     1            1           8m57s
    
    NAME                                      DESIRED   CURRENT   READY   AGE
    replicaset.apps/istiod-1-20-b65676555     1         1         1       8m57s
    
    NAME                                                REFERENCE                     TARGETS   MINPODS   MAXPODS   REPLICAS   AGE
    horizontalpodautoscaler.autoscaling/istiod-1-20     Deployment/istiod-1-20       1%/80%    1         5         1          8m58s
    

    Note that the gateways might take a few minutes to be created.

    kubectl get all -n gloo-mesh-gateways --context $REMOTE_CONTEXT1
    

    Example output:

    NAME                                                READY   STATUS    RESTARTS   AGE
    pod/istio-eastwestgateway-1-20-66f464ff44-qlhfk     1/1     Running   0          2m6s
    pod/istio-ingressgateway-1-20-77d5f76bc8-j6qkp      1/1     Running   0          2m18s
    
    NAME                              TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                                      AGE
    service/istio-eastwestgateway     LoadBalancer   10.204.4.172   34.86.225.164    15021:30889/TCP,15443:32489/TCP              2m5s
    service/istio-ingressgateway      LoadBalancer   10.44.4.140    34.150.235.221   15021:31321/TCP,80:32525/TCP,443:31826/TCP   2m16s
    
    NAME                                           READY   UP-TO-DATE   AVAILABLE   AGE
    deployment.apps/istio-eastwestgateway-1-20     1/1     1            1           2m6s
    deployment.apps/istio-ingressgateway-1-20      1/1     1            1           2m18s
    
    NAME                                                      DESIRED   CURRENT   READY   AGE
    replicaset.apps/istio-eastwestgateway-1-20-66f464ff44     1         1         1       2m6s
    replicaset.apps/istio-ingressgateway-1-20-77d5f76bc8      1         1         1       2m18s
    
    NAME                                                               REFERENCE                                 TARGETS         MINPODS   MAXPODS   REPLICAS   AGE
    horizontalpodautoscaler.autoscaling/istio-eastwestgateway-1-20     Deployment/istio-eastwestgateway-1-20     <unknown>/80%   1         5         0          2m7s
    horizontalpodautoscaler.autoscaling/istio-ingressgateway-1-20      Deployment/istio-ingressgateway-1-20      4%/80%          1         5         1          2m19s
    

  8. Optional for OpenShift: Expose the gateways by using OpenShift routes.

    oc -n gloo-mesh-gateways expose svc istio-eastwestgateway --port=http2 --context $REMOTE_CONTEXT1
    oc -n gloo-mesh-gateways expose svc istio-eastwestgateway --port=http2 --context $REMOTE_CONTEXT2
    
    oc -n gloo-mesh-gateways expose svc istio-ingressgateway --port=http2 --context $REMOTE_CONTEXT1
    oc -n gloo-mesh-gateways expose svc istio-ingressgateway --port=http2 --context $REMOTE_CONTEXT2
    
  9. Now that Istio is up and running, you can create service namespaces for your teams to run app workloads in. For example, you might start out with the Bookinfo sample application.

    1. Label the namespace with the Istio revision so that Istio sidecars are deployed to your app pods.

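      # REMOTE_CONTEXT is not set earlier in this guide; set it to the context of the workload cluster that you are labeling (for example, the value of REMOTE_CONTEXT1)
      export REVISION=$(kubectl get pod -l app=istiod -n istio-system --context $REMOTE_CONTEXT -o jsonpath='{.items[0].metadata.labels.istio\.io/rev}')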
      kubectl label ns <namespace> istio.io/rev=$REVISION --overwrite --context $REMOTE_CONTEXT
      

      Note: If you deployed revisionless installations in testing environments, you can instead label your workload namespaces with kubectl label ns <namespace> istio-injection=enabled --context $REMOTE_CONTEXT.

    2. If you already deployed app pods to the namespace, restart the workloads so that sidecars are injected into the pods. For example, you might roll out a restart to each deployment by using a command similar to the following.

      kubectl rollout restart deployment -n <namespace> <deployment> --context $REMOTE_CONTEXT
      
    3. OpenShift only: Follow these additional steps for each service project. For more information, see the Istio on OpenShift documentation.

      1. Create a NetworkAttachmentDefinition custom resource.
        cat <<EOF | oc --context $REMOTE_CONTEXT -n <project> create -f -
        apiVersion: "k8s.cni.cncf.io/v1"
        kind: NetworkAttachmentDefinition
        metadata:
          name: istio-cni
        EOF
        
      2. Elevate the permissions of the service account to allow the gateway to make use of a user ID that is normally restricted by OpenShift.
        oc adm policy add-scc-to-group anyuid system:serviceaccounts:<project> --context $REMOTE_CONTEXT
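The checks that the steps above ask you to make by eye, as an added example that is not part of the Gloo Mesh documentation: it validates ISTIO_IMAGE, REVISION and the kubeconfig context names against the rules in this guide, and lists template variables that envsubst would silently render as empty strings. The function names, the sample template, and the assumption that a patched build is tagged like 1.20.1-patch1-solo are illustrative.

```shell
#!/bin/sh
# Added example, not from the Gloo Mesh docs: preflight checks for the variables
# that this guide feeds to envsubst and kubectl. POSIX sh; uses grep, tr, sort.

# ISTIO_IMAGE needs the solo tag and must not be 1.20.0 or 1.20.1.
# Assumption: a patched build is tagged like 1.20.1-patch1-solo.
check_istio_image() {
  case $1 in
    *-solo*) ;;
    *) echo "ISTIO_IMAGE '$1': missing solo tag" >&2; return 1 ;;
  esac
  case ${1%%-solo*} in
    1.20.0|1.20.1) echo "ISTIO_IMAGE '$1': unsupported 1.20 patch" >&2; return 1 ;;
  esac
}

# REVISION is the image's major and minor version joined by a hyphen (1-20).
# Revisionless test installs remove the revision fields and skip this check.
check_revision() {
  _rest=${2#*.}
  _want="${2%%.*}-${_rest%%.*}"
  [ "$1" = "$_want" ] && return 0
  echo "REVISION '$1' does not match '$2' (expected $_want)" >&2
  return 1
}

# The context name becomes a certificate SAN, so underscores are rejected.
check_context_name() {
  case $1 in
    ''|*_*) echo "context '$1': empty or contains an underscore" >&2; return 1 ;;
  esac
}

# Print each variable that the template references but that is unset or empty;
# envsubst would replace every one of them with an empty string.
unset_template_vars() {
  grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*\}?' "$1" | tr -d '${}' | sort -u |
  while read -r _name; do
    eval "_val=\${$_name:-}"
    [ -n "$_val" ] || echo "$_name"
  done
}

# Run all checks against the current environment; exit status = failure count.
preflight() {
  _fail=0
  check_istio_image "${ISTIO_IMAGE:-}" || _fail=$((_fail + 1))
  check_revision "${REVISION:-}" "${ISTIO_IMAGE:-}" || _fail=$((_fail + 1))
  for _ctx in "${MGMT_CONTEXT:-}" "${REMOTE_CONTEXT1:-}" "${REMOTE_CONTEXT2:-}"; do
    check_context_name "$_ctx" || _fail=$((_fail + 1))
  done
  _missing=$(unset_template_vars "$1")
  [ -z "$_missing" ] || { echo "unset in $1:" $_missing >&2; _fail=$((_fail + 1)); }
  return "$_fail"
}

# Constructed stand-in for a downloaded template (not the real gm-istiod.yaml).
sample_template() {
  cat <<'EOF'
spec:
  installations:
    - revision: ${REVISION}
      clusters:
        - name: ${REMOTE_CLUSTER1}
      istioOperatorSpec:
        hub: ${REPO}
        tag: ${ISTIO_IMAGE}
EOF
}

# Demo with constructed values that break several of the rules.
(
  _tpl=$(mktemp) && sample_template > "$_tpl"
  ISTIO_IMAGE=1.20.1-solo REVISION=1.20 REMOTE_CLUSTER1=cluster1
  MGMT_CONTEXT=mgmt REMOTE_CONTEXT1=gke_proj_c1 REMOTE_CONTEXT2=cluster2
  unset REPO
  preflight "$_tpl" || echo "preflight failures: $?"
  rm -f "$_tpl"
)
```

Run `preflight gm-istiod.yaml` after exporting the variables and before running envsubst; a zero exit status means that every check passed.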
        

Manage Istio installations in a single-cluster setup

  1. Save your cluster name in an environment variable.

    export CLUSTER_NAME=<cluster_name>
    
  2. Prepare an IstioLifecycleManager resource to manage the istiod control plane.

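    1. Download the example file. For OpenShift clusters, follow the numbered substeps after this command instead, which end by downloading the OpenShift version of the file.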
      curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/gm-managed/single-cluster/gm-istiod.yaml > gm-istiod.yaml
      
      1. Elevate the permissions of the following service accounts that will be created. These permissions allow the gateways to make use of a user ID that is normally restricted by OpenShift. For more information, see the Istio on OpenShift documentation.
        oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
        oc adm policy add-scc-to-group anyuid system:serviceaccounts:gloo-mesh-gateways
        # Update revision as needed
        oc adm policy add-scc-to-group anyuid system:serviceaccounts:gm-iop-1-20
        
      2. Elevate the permissions of the service account in each project where you want to deploy workloads. This permission allows the Istio sidecars to make use of a user ID that is normally restricted by OpenShift.
        oc adm policy add-scc-to-group anyuid system:serviceaccounts:<project>
        
      3. Create the gloo-mesh-gateways project, and create a NetworkAttachmentDefinition custom resource for the project.
        kubectl create ns gloo-mesh-gateways
        cat <<EOF | oc -n gloo-mesh-gateways create -f -
        apiVersion: "k8s.cni.cncf.io/v1"
        kind: NetworkAttachmentDefinition
        metadata:
          name: istio-cni
        EOF
        
      4. Create a NetworkAttachmentDefinition custom resource for each project where you want to deploy workloads.
        cat <<EOF | oc -n <project> create -f -
        apiVersion: "k8s.cni.cncf.io/v1"
        kind: NetworkAttachmentDefinition
        metadata:
          name: istio-cni
        EOF
        
      5. Download the gm-istiod.yaml example file.
        curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/gm-managed/single-cluster/gm-istiod-openshift.yaml > gm-istiod.yaml
        
    2. Update the example file with the environment variables that you previously set, and optionally further edit the file to provide your own details. Save the updated file as gm-istiod-values.yaml. For more information, see the API reference.
      • For example, you can run a terminal command to substitute values:
        envsubst < gm-istiod.yaml > gm-istiod-values.yaml
        open gm-istiod-values.yaml
        

      For testing environments only, you can deploy revisionless installations by removing the revision fields from gm-istiod-values.yaml. Revisionless installations permit in-place upgrades, which are quicker than the canary-based upgrades that are required for revisioned installations. Note that if you deploy multiple Istio installations in the same cluster, only one installation can be revisionless.

    3. Apply the IstioLifecycleManager resource to your cluster.
      kubectl apply -f gm-istiod-values.yaml
      
  3. Optional: If you have a Gloo Gateway license, prepare a GatewayLifecycleManager custom resource to manage the ingress gateways.

    1. Download the gm-ingress-gateway.yaml example file.
      curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/gm-managed/single-cluster/gm-ingress-gateway.yaml > gm-ingress-gateway.yaml
      
    2. Update the example file with the environment variables that you previously set, and optionally further edit the file to provide your own details. Save the updated file as gm-ingress-gateway-values.yaml. For more information, see the API reference.
      • For example, you can run a terminal command to substitute values:
        envsubst < gm-ingress-gateway.yaml > gm-ingress-gateway-values.yaml
        open gm-ingress-gateway-values.yaml
        
      • You can optionally add cloud provider-specific load balancer annotations to the istioOperatorSpec.components.ingressGateways.k8s section. For example, you might add the following AWS annotations to the end of the file:
                ...
                  k8s:
                    service:
                      ...
                    serviceAnnotations:
                      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
                      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
                      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
                      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
                      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:<cert>"
                      service.beta.kubernetes.io/aws-load-balancer-type: external
        

      For revisionless installations in testing environments only, remove the gatewayRevision fields.

    3. Apply the GatewayLifecycleManager resource to your management cluster.
      kubectl apply -f gm-ingress-gateway-values.yaml
      
  4. Verify that the namespaces for your Istio installations are created.

    kubectl get ns
    

    For example, the gm-iop-1-20, gloo-mesh-gateways, and istio-system namespaces are created:

    NAME               STATUS   AGE
    default            Active   56m
    gloo-mesh          Active   36m
    gloo-mesh-config   Active   38m
    gloo-mesh-gateways Active   90s
    gm-iop-1-20        Active   91s
    istio-system       Active   91s
    kube-node-lease    Active   57m
    kube-public        Active   57m
    kube-system        Active   57m
    
  5. In each namespace, verify that the Istio resources that you specified in your Istio operator configuration are successfully installing. For example, verify that the Istio control plane pods are running.

    kubectl get all -n gm-iop-1-20
    

    Example output:

    NAME                                         READY   STATUS    RESTARTS   AGE
    pod/istio-operator-1-20-678fd95cc6-ltbvl     1/1     Running   0          4m12s
    
    NAME                            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
    service/istio-operator-1-20     ClusterIP   10.204.15.247   <none>        8383/TCP   4m12s
    
    NAME                                    READY   UP-TO-DATE   AVAILABLE   AGE
    deployment.apps/istio-operator-1-20     1/1     1            1           4m12s
    
    NAME                                               DESIRED   CURRENT   READY   AGE
    replicaset.apps/istio-operator-1-20-678fd95cc6     1         1         1       4m12s
    
    kubectl get all -n istio-system
    

    Example output:

    NAME                              READY   STATUS    RESTARTS   AGE
    pod/istiod-1-20-b65676555-g2vmr     1/1     Running   0          8m57s
    
    NAME                    TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)                                 AGE
    service/istiod-1-20     ClusterIP   10.204.6.56   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   8m56s
    
    NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
    deployment.apps/istiod-1-20     1/1     1            1           8m57s
    
    NAME                                      DESIRED   CURRENT   READY   AGE
    replicaset.apps/istiod-1-20-b65676555     1         1         1       8m57s
    
    NAME                                                REFERENCE                     TARGETS   MINPODS   MAXPODS   REPLICAS   AGE
    horizontalpodautoscaler.autoscaling/istiod-1-20     Deployment/istiod-1-20       1%/80%    1         5         1          8m58s
    

    Note that the gateways might take a few minutes to be created.

    kubectl get all -n gloo-mesh-gateways
    

    Example output:

    NAME                                                READY   STATUS    RESTARTS   AGE
    pod/istio-ingressgateway-1-20-77d5f76bc8-j6qkp      1/1     Running   0          2m18s
    
    NAME                            TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                                      AGE
    service/istio-ingressgateway    LoadBalancer   10.44.4.140    34.150.235.221   15021:31321/TCP,80:32525/TCP,443:31826/TCP   2m16s
    
    NAME                                           READY   UP-TO-DATE   AVAILABLE   AGE
    deployment.apps/istio-ingressgateway-1-20      1/1     1            1           2m18s
    
    NAME                                                      DESIRED   CURRENT   READY   AGE
    replicaset.apps/istio-ingressgateway-1-20-77d5f76bc8      1         1         1       2m18s
    
    NAME                                                               REFERENCE                                 TARGETS         MINPODS   MAXPODS   REPLICAS   AGE
    horizontalpodautoscaler.autoscaling/istio-ingressgateway-1-20      Deployment/istio-ingressgateway-1-20      4%/80%          1         5         1          2m19s
    

  6. Optional for OpenShift: Expose the ingress gateway by using an OpenShift route.

    oc -n gloo-mesh-gateways expose svc istio-ingressgateway --port=http2
    
  7. Now that Istio is up and running, you can create service namespaces for your teams to run app workloads in. For example, you might start out with the Bookinfo sample application. For any namespaces that you want to deploy apps to, be sure to follow these steps to include your services in the service mesh.

    1. Label the namespace with the Istio revision so that Istio sidecars are deployed to your app pods.

      export REVISION=$(kubectl get pod -l app=istiod -n istio-system -o jsonpath='{.items[0].metadata.labels.istio\.io/rev}')
      kubectl label ns <namespace> istio.io/rev=$REVISION --overwrite
      

      Note: If you deployed revisionless installations in testing environments, you can instead label your workload namespaces with kubectl label ns <namespace> istio-injection=enabled.

    2. If you already deployed app pods to the namespace, restart the workloads so that sidecars are injected into the pods. For example, you might roll out a restart to each deployment by using a command similar to the following.

      kubectl rollout restart deployment -n <namespace> <deployment>
      
    3. OpenShift only: Follow these additional steps for each service project. For more information, see the Istio on OpenShift documentation.

      1. Create a NetworkAttachmentDefinition custom resource.
        cat <<EOF | oc -n <project> create -f -
        apiVersion: "k8s.cni.cncf.io/v1"
        kind: NetworkAttachmentDefinition
        metadata:
          name: istio-cni
        EOF
        
      2. Elevate the permissions of the service account to allow the gateway to make use of a user ID that is normally restricted by OpenShift.
        oc adm policy add-scc-to-group anyuid system:serviceaccounts:<project>
        

Next steps

Now that you have Gloo Mesh Enterprise and Istio installed, you can use Gloo Mesh to manage your Istio service mesh resources. You don't need to directly configure any Istio resources going forward.