Navigation :

Install Istio by using the Istio Lifecycle Manager

Streamline the Istio installation process by using Gloo Mesh to install Istio in your workload clusters, as part of Istio lifecycle management.

With a Gloo Mesh-managed installation, you no longer need to use istioctl to individually install Istio in each workload cluster. Instead, you can supply IstioOperator configurations in a IstioLifecycleManager resource to your management cluster. Gloo Mesh translates this resource into Istio control planes, gateways, and related resources in your registered workload clusters for you.

The Istio Lifecycle Manager is a beta feature, and requires Gloo Mesh Enterprise version 2.1.0 or later.

Before you begin

Set the names of your clusters from your infrastructure provider. If your clusters have different names, specify those names instead.
```
export REMOTE_CLUSTER1=<cluster-1>
export REMOTE_CLUSTER2=<cluster-2>
...
```
Save the kubeconfig contexts for your clusters. Run kubectl config get-contexts, look for your cluster in the CLUSTER column, and get the context name in the NAME column. Note: Do not use context names with underscores. The context name is used as a SAN specification in the generated certificate that connects workload clusters to the management cluster, and underscores in SAN are not FQDN compliant. You can rename a context by running kubectl config rename-context "<oldcontext>" <newcontext>.
```
export MGMT_CONTEXT=<management-cluster-context>
export REMOTE_CONTEXT1=<remote-cluster-1-context>
export REMOTE_CONTEXT2=<remote-cluster-2-context>
...
```
To use a Gloo Mesh hardened image of Istio, you must have a Solo account. Make sure that you can log in to the Support Center. If not, contact your account administrator to get the repo key for the Istio version that you want to install from the Istio images built by Solo.io support article.
Create an IstioLifecycleManager resource in Kubernetes or OpenShift.

Use the lifecycle manager to manage Istio installations in Kubernetes

Prepare Gloo IstioLifecycleManager and GatewayLifecycleManager custom resources to manage your Istio installation.

Save the Istio version information as environment variables.
- For REPO, use a Gloo Istio repo key that you can get by logging in to the Support Center and reviewing the Istio images built by Solo.io support article. For more information, see Get the Gloo Istio version that you want to use.
- For ISTIO_IMAGE, save the version that you downloaded, such as 1.15.3, and append the solo tag, which is required to use many enterprise features. You can optionally append other Gloo Istio tags, as described in About Gloo Istio. If you downloaded a different version than the following, make sure to specify that version instead.
- For REVISION, take the Istio major and minor version numbers and replace the period with a hyphen, such as 1-15.
```
export REPO=<repo-key>
export ISTIO_IMAGE=1.15.3-solo
export REVISION=1-15
```
Prepare an IstioLifecycleManager resource to manage istiod control planes.
1. Download the gm-istiod.yaml example file.
  - Single cluster setup
  - Multicluster setup
```
curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/gm-managed/single-cluster/gm-istiod.yaml > gm-istiod.yaml
```
```
curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/gm-managed/gm-istiod.yaml > gm-istiod.yaml
```
2. Update the example file with the environment variables that you previously set for $REPO, $ISTIO_IMAGE, $REVISION, and either $CLUSTER_NAME for single cluster setups or $REMOTE_CLUSTER1 and $REMOTE_CLUSTER2 for multicluster setups. Save the updated file as gm-istiod-values.yaml.
  - Tip: Instead of updating the file manually, try running a terminal command to substitute values, such as the following command.
```
envsubst < gm-istiod.yaml > gm-istiod-values.yaml
open gm-istiod-values.yaml
```
3. Check the settings in the IstioLifecycleManager resource. You can further edit the file to provide your own details.
  - Clusters: Specify the registered cluster names in the clusters section. For single-cluster setups, you must edit the file to specify only the name of your cluster (value of $CLUSTER_NAME). For each cluster, defaultRevision: true ensures that the Istio operator spec for the control plane installation is applied and active in the cluster.
  - Root namespace: If you do not specify a namespace, the root namespace for the installed Istio resources in workload clusters is set to istio-system. If the istio-system namespace does not already exist, it is created for you.
  - Trust domain: By default, the trustDomain value is automatically set by the installer to the name of each workload cluster. To override the trustDomain for each cluster, you can instead specify the override value in the trustDomain field, and include the value in the list of cluster names. For example, if you specify trustDomain: cluster-1-trust-override in the operator spec, you then specify the cluster name (cluster-1) and the trust domain (cluster-1-trust-override) in the list of cluster names. Additionally, because Gloo requires multiple trust domains for east-west routing, the PILOT_SKIP_VALIDATE_TRUST_DOMAIN field is set to "true" by default.
4. Apply the IstioLifecycleManager resource to your management cluster.
```
kubectl apply -f gm-istiod-values.yaml --context $MGMT_CONTEXT
```
Optional: If you have a multicluster setup, prepare a GatewayLifecycleManager custom resource to manage the east-west gateways.
1. Download the gm-ew-gateway.yaml example file.
```
curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/gm-managed/gm-ew-gateway.yaml > gm-ew-gateway.yaml
```
2. Update the example file with the environment variables that you previously set for $REPO, $ISTIO_IMAGE, $REVISION, $REMOTE_CLUSTER1, and $REMOTE_CLUSTER2. Save the updated file as gm-ew-gateway-values.yaml.
  - Tip: Instead of updating the file manually, try running a terminal command to substitute values, such as the following command.
```
envsubst < gm-ew-gateway.yaml > gm-ew-gateway-values.yaml
open gm-ew-gateway-values.yaml
```
3. Check the settings in the GatewayLifecycleManager resource. You can further edit the file to provide your own details.
  - Clusters: Specify the registered cluster names in the clusters section. For each cluster, activeGateway: true ensures that the Istio operator spec for the gateway is deployed and actively used by the istiod control plane.
  - Gateway namespaces: If you do not specify a namespace for the gateway, the default namespace is set to gloo-mesh-gateways. If the gloo-mesh-gateways namespace does not already exist, it is created in each workload cluster for you.
4. Apply the GatewayLifecycleManager resource to your management cluster.
```
kubectl apply -f gm-ew-gateway-values.yaml --context $MGMT_CONTEXT
```
Optional: If you have a Gloo Gateway license, prepare a GatewayLifecycleManager custom resource to manage the ingress gateways.
1. Download the gm-ingress-gateway.yaml example file.
  - Single cluster setup
  - Multicluster setup
```
curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/gm-managed/single-cluster/gm-ingress-gateway.yaml > gm-ingress-gateway.yaml
```
```
curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/gm-managed/gm-ingress-gateway.yaml > gm-ingress-gateway.yaml
```
2. Update the example file with the environment variables that you previously set for $REPO, $ISTIO_IMAGE, $REVISION, and either $CLUSTER_NAME for single cluster setups or $REMOTE_CLUSTER1 and $REMOTE_CLUSTER2 for multicluster setups. Save the updated file as gm-ingress-gateway-values.yaml.
  - Tip: Instead of updating the file manually, try running a terminal command to substitute values, such as the following command.
```
envsubst < gm-ingress-gateway.yaml > gm-ingress-gateway-values.yaml
open gm-ingress-gateway-values.yaml
```
3. Check the settings in the GatewayLifecycleManager resource. You can further edit the file to provide your own details.
  - Clusters: Specify the registered cluster names in the clusters section. For single-cluster setups, specify only the name of your cluster (value of $CLUSTER_NAME). For each cluster, activeGateway: true ensures that the Istio operator spec for the gateway is deployed and actively used by the istiod control plane.
  - Gateway namespaces: If you do not specify a namespace for the gateway, the default namespace is set to gloo-mesh-gateways. If the gloo-mesh-gateways namespace does not already exist, it is created in each workload cluster for you.
4. Apply the GatewayLifecycleManager resource to your management cluster.
```
kubectl apply -f gm-ingress-gateway-values.yaml --context $MGMT_CONTEXT
```

In each workload cluster, verify that the namespaces for your Istio installations are created.

kubectl get ns --context $REMOTE_CONTEXT1

For example, the gm-iop-1-15, gloo-mesh-gateways, and istio-system namespaces are created:

NAME               STATUS   AGE
default            Active   56m
gloo-mesh          Active   36m
gm-iop-1-15        Active   91s
gloo-mesh-gateways Active   90s
istio-system       Active   91s
kube-node-lease    Active   57m
kube-public        Active   57m
kube-system        Active   57m

In each namespace, verify that the Istio resources that you specified in your Istio operator configuration successfully installed. For example, verify that the Istio control plane pods are running.

Operator namespace:

kubectl get all -n gm-iop-1-15 --context $REMOTE_CONTEXT1

Example output:

NAME                                            READY   STATUS    RESTARTS   AGE
pod/istio-operator-1-15-678fd95cc6-ltbvl   1/1     Running   0          4m12s

NAME                               TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/istio-operator-1-15   ClusterIP   10.204.15.247   <none>        8383/TCP   4m12s

NAME                                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/istio-operator-1-15   1/1     1            1           4m12s

NAME                                                  DESIRED   CURRENT   READY   AGE
replicaset.apps/istio-operator-1-15-678fd95cc6   1         1         1       4m12s

Istiod namespace:

kubectl get all -n istio-system --context $REMOTE_CONTEXT1

Example output:

NAME                                   READY   STATUS    RESTARTS   AGE
pod/istiod-1-15-b65676555-g2vmr   1/1     Running   0          8m57s

NAME                       TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)                                 AGE
service/istiod-1-15   ClusterIP   10.204.6.56   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   8m56s

NAME                               READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/istiod-1-15   1/1     1            1           8m57s

NAME                                         DESIRED   CURRENT   READY   AGE
replicaset.apps/istiod-1-15-b65676555   1         1         1       8m57s

NAME                                                   REFERENCE                     TARGETS   MINPODS   MAXPODS   REPLICAS   AGE
horizontalpodautoscaler.autoscaling/istiod-1-15   Deployment/istiod-1-15   1%/80%    1         5         1          8m58s

Gateway namespace: Your output might vary depending on which gateways you installed. Note that the gateways might take a few minutes to be created.

kubectl get all -n gloo-mesh-gateways --context $REMOTE_CONTEXT1

Example output:

NAME                                                   READY   STATUS    RESTARTS   AGE
pod/istio-eastwestgateway-1-15-66f464ff44-qlhfk   1/1     Running   0          2m6s
pod/istio-ingressgateway-1-15-77d5f76bc8-j6qkp    1/1     Running   0          2m18s

NAME                                      TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                                      AGE
service/istio-eastwestgateway             LoadBalancer   10.204.4.172   34.86.225.164    15021:30889/TCP,15443:32489/TCP              2m5s
service/istio-ingressgateway              LoadBalancer   10.44.4.140    34.150.235.221   15021:31321/TCP,80:32525/TCP,443:31826/TCP   2m16s

NAME                                              READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/istio-eastwestgateway-1-15   1/1     1            1           2m6s
deployment.apps/istio-ingressgateway-1-15    1/1     1            1           2m18s

NAME                                                         DESIRED   CURRENT   READY   AGE
replicaset.apps/istio-eastwestgateway-1-15-66f464ff44   1         1         1       2m6s
replicaset.apps/istio-ingressgateway-1-15-77d5f76bc8    1         1         1       2m18s

NAME                                                                  REFERENCE                                    TARGETS         MINPODS   MAXPODS   REPLICAS   AGE
horizontalpodautoscaler.autoscaling/istio-eastwestgateway-1-15   Deployment/istio-eastwestgateway-1-15   <unknown>/80%   1         5         0          2m7s
horizontalpodautoscaler.autoscaling/istio-ingressgateway-1-15    Deployment/istio-ingressgateway-1-15    4%/80%          1         5         1          2m19s

Use the lifecycle manager to manage Istio installations in OpenShift

Prepare Gloo IstioLifecycleManager and GatewayLifecycleManager custom resources to manage your Istio installation.

Save the Istio version information as environment variables.
- For REPO, use a Gloo Istio repo key that you can get by logging in to the Support Center and reviewing the Istio images built by Solo.io support article. For more information, see Get the Gloo Istio version that you want to use.
- For ISTIO_IMAGE, save the version that you downloaded, such as 1.15.3, and append the solo tag, which is required to use many enterprise features. You can optionally append other Gloo Istio tags, as described in About Gloo Istio. If you downloaded a different version than the following, make sure to specify that version instead.
- For REVISION, take the Istio major and minor version numbers and replace the period with a hyphen, such as 1-15.
```
export REPO=<repo-key>
export ISTIO_IMAGE=1.15.3-solo
export REVISION=1-15
```

Elevate the permissions of the istio-system and istio-operator service accounts that will be created. These permissions allow the Istio sidecars to make use of a user ID that is normally restricted by OpenShift.

oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system --context $REMOTE_CONTEXT1
oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system --context $REMOTE_CONTEXT2
oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-operator --context $REMOTE_CONTEXT1
oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-operator --context $REMOTE_CONTEXT2

Prepare an IstioLifecycleManager resource to manage istiod control planes.
1. Download the gm-istiod.yaml example file.
  - Single cluster setup
  - Multicluster setup
```
curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/gm-managed/single-cluster/gm-istiod-openshift.yaml > gm-istiod.yaml
```
```
curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/gm-managed/gm-istiod-openshift.yaml > gm-istiod.yaml
```
2. Update the example file with the environment variables that you previously set for $REPO, $ISTIO_IMAGE, $REVISION, and either $CLUSTER_NAME for single cluster setups or $REMOTE_CLUSTER1 and $REMOTE_CLUSTER2 for multicluster setups. Save the updated file as gm-istiod-values.yaml.
  - Tip: Instead of updating the file manually, try running a terminal command to substitute values, such as the following command.
```
envsubst < gm-istiod.yaml > gm-istiod-values.yaml
open gm-istiod-values.yaml
```
3. Check the settings in the IstioLifecycleManager resource. You can further edit the file to provide your own details.
  - Clusters: Specify the registered cluster names in the clusters section. For each cluster, defaultRevision: true ensures that the Istio operator spec for the control plane installation is applied and active in the cluster.
  - Root namespace: If you do not specify a namespace, the root namespace for the installed Istio resources in workload clusters is set to istio-system. If the istio-system namespace does not already exist, it is created for you.
  - Trust domain: By default, the trustDomain value is automatically set by the installer to the name of each workload cluster. To override the trustDomain for each cluster, you can instead specify the override value in the trustDomain field, and include the value in the list of cluster names. For example, if you specify trustDomain: cluster-1-trust-override in the operator spec, you then specify the cluster name (cluster-1) and the trust domain (cluster-1-trust-override) in the list of cluster names. Additionally, because Gloo requires multiple trust domains for east-west routing, the PILOT_SKIP_VALIDATE_TRUST_DOMAIN field is set to "true" by default.
4. Apply the IstioLifecycleManager resource to your management cluster.
```
kubectl apply -f gm-istiod-values.yaml --context $MGMT_CONTEXT
```
Optional: If you have a multicluster setup, prepare a GatewayLifecycleManager custom resource to manage the east-west gateways.
1. Download the gm-ew-gateway.yaml example file.
```
curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/gm-managed/gm-ew-gateway.yaml > gm-ew-gateway.yaml
```
2. Update the example file with the environment variables that you previously set for $REPO, $ISTIO_IMAGE, $REVISION, $REMOTE_CLUSTER1, and $REMOTE_CLUSTER2. Save the updated file as gm-ew-gateway-values.yaml.
  - Tip: Instead of updating the file manually, try running a terminal command to substitute values, such as the following command.
```
envsubst < gm-ew-gateway.yaml > gm-ew-gateway-values.yaml
open gm-ew-gateway-values.yaml
```
3. Check the settings in the GatewayLifecycleManager resource. You can further edit the file to provide your own details.
  - Clusters: Specify the registered cluster names in the clusters section. For each cluster, activeGateway: true ensures that the Istio operator spec for the gateway is deployed and actively used by the istiod control plane.
  - Gateway namespaces: If you do not specify a namespace for the gateway, the default namespace is set to gloo-mesh-gateways. If the gloo-mesh-gateways namespace does not already exist, it is created in each workload cluster for you.
4. Apply the GatewayLifecycleManager resource to your management cluster.
```
kubectl apply -f gm-ew-gateway-values.yaml --context $MGMT_CONTEXT
```
Optional: If you have a Gloo Gateway license, prepare a GatewayLifecycleManager custom resource to manage the ingress gateways.
1. Download the gm-ingress-gateway.yaml example file.
  - Single cluster setup
  - Multicluster setup
```
curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/gm-managed/single-cluster/gm-ingress-gateway.yaml > gm-ingress-gateway.yaml
```
```
curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/gm-managed/gm-ingress-gateway.yaml > gm-ingress-gateway.yaml
```
2. Update the example file with the environment variables that you previously set for $REPO, $ISTIO_IMAGE, $REVISION, and either $CLUSTER_NAME for single cluster setups or $REMOTE_CLUSTER1 and $REMOTE_CLUSTER2 for multicluster setups. Save the updated file as gm-ingress-gateway-values.yaml.
  - Tip: Instead of updating the file manually, try running a terminal command to substitute values, such as the following command.
```
envsubst < gm-ingress-gateway.yaml > gm-ingress-gateway-values.yaml
open gm-ingress-gateway-values.yaml
```
3. Check the settings in the GatewayLifecycleManager resource. You can further edit the file to provide your own details.
  - Clusters: Specify the registered cluster names in the clusters section. For single-cluster setups, specify only the name of your cluster (value of $CLUSTER_NAME). For each cluster, activeGateway: true ensures that the Istio operator spec for the gateway is deployed and actively used by the istiod control plane.
  - Gateway namespaces: If you do not specify a namespace for the gateway, the default namespace is set to gloo-mesh-gateways. If the gloo-mesh-gateways namespace does not already exist, it is created in each workload cluster for you.
4. Apply the GatewayLifecycleManager resource to your management cluster.
```
kubectl apply -f gm-ingress-gateway-values.yaml --context $MGMT_CONTEXT
```

In each workload cluster, verify that the projects for your Istio installations are created.

oc get projects --context $REMOTE_CONTEXT1
oc get projects --context $REMOTE_CONTEXT2

For example, the gm-iop-1-15, gloo-mesh-gateways, and istio-system projects are created:

NAME               STATUS   AGE
default            Active   56m
gloo-mesh          Active   36m
gm-iop-1-15   Active   91s
gloo-mesh-gateways Active   90s
istio-system       Active   91s
kube-node-lease    Active   57m
kube-public        Active   57m
kube-system        Active   57m

In each project, verify that the Istio resources that you specified in your Istio operator configuration are successfully installing. For example, verify that the Istio control plane pods are running.

Operator revision project:

oc get all -n gm-iop-1-15 --context $REMOTE_CONTEXT1

Example output:

NAME                                            READY   STATUS    RESTARTS   AGE
pod/istio-operator-1-15-678fd95cc6-ltbvl   1/1     Running   0          4m12s

NAME                               TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/istio-operator-1-15   ClusterIP   10.204.15.247   <none>        8383/TCP   4m12s

NAME                                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/istio-operator-1-15   1/1     1            1           4m12s

NAME                                                  DESIRED   CURRENT   READY   AGE
replicaset.apps/istio-operator-1-15-678fd95cc6   1         1         1       4m12s

Istiod project:

oc get all -n istio-system --context $REMOTE_CONTEXT1

Example output:

NAME                                   READY   STATUS    RESTARTS   AGE
pod/istiod-1-15-b65676555-g2vmr   1/1     Running   0          8m57s

NAME                       TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)                                 AGE
service/istiod-1-15   ClusterIP   10.204.6.56   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   8m56s

NAME                               READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/istiod-1-15   1/1     1            1           8m57s

NAME                                         DESIRED   CURRENT   READY   AGE
replicaset.apps/istiod-1-15-b65676555   1         1         1       8m57s

NAME                                                   REFERENCE                     TARGETS   MINPODS   MAXPODS   REPLICAS   AGE
horizontalpodautoscaler.autoscaling/istiod-1-15   Deployment/istiod-1-15   1%/80%    1         5         1          8m58s

Gateway project: Note that the gateways might take a few minutes to be created.

oc get all -n gloo-mesh-gateways --context $REMOTE_CONTEXT1

Example output:

NAME                                                   READY   STATUS    RESTARTS   AGE
pod/istio-eastwestgateway-1-15-66f464ff44-qlhfk   1/1     Running   0          2m6s
pod/istio-ingressgateway-1-15-77d5f76bc8-j6qkp    1/1     Running   0          2m18s

NAME                                      TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                                      AGE
service/istio-eastwestgateway             LoadBalancer   10.204.4.172   34.86.225.164    15021:30889/TCP,15443:32489/TCP              2m5s
service/istio-ingressgateway              LoadBalancer   10.44.4.140    34.150.235.221   15021:31321/TCP,80:32525/TCP,443:31826/TCP   2m16s

NAME                                              READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/istio-eastwestgateway-1-15   1/1     1            1           2m6s
deployment.apps/istio-ingressgateway-1-15    1/1     1            1           2m18s

NAME                                                         DESIRED   CURRENT   READY   AGE
replicaset.apps/istio-eastwestgateway-1-15-66f464ff44   1         1         1       2m6s
replicaset.apps/istio-ingressgateway-1-15-77d5f76bc8    1         1         1       2m18s

NAME                                                                  REFERENCE                                    TARGETS         MINPODS   MAXPODS   REPLICAS   AGE
horizontalpodautoscaler.autoscaling/istio-eastwestgateway-1-15   Deployment/istio-eastwestgateway-1-15   <unknown>/80%   1         5         0          2m7s
horizontalpodautoscaler.autoscaling/istio-ingressgateway-1-15    Deployment/istio-ingressgateway-1-15    4%/80%          1         5         1          2m19s

In each workload cluster, create a NetworkAttachmentDefinition custom resource for each project where you want to deploy workloads.

cat <<EOF | oc --context $REMOTE_CONTEXT1 -n <project> create -f -
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: istio-cni
EOF

cat <<EOF | oc --context $REMOTE_CONTEXT2 -n <project> create -f -
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: istio-cni
EOF

Elevate the permissions of the service account in each project where you want to deploy workloads. This permission allows the Istio sidecars to make use of a user ID that is normally restricted by OpenShift.
```
oc adm policy add-scc-to-group anyuid system:serviceaccounts:<project> --context $REMOTE_CONTEXT1
oc adm policy add-scc-to-group anyuid system:serviceaccounts:<project> --context $REMOTE_CONTEXT2
```

Deploy workloads

Now that Istio is up and running, you can create service namespaces for your teams to run app workloads in. For example, you might start out with the Bookinfo sample application. Those steps guide you through creating workspaces for your workloads, deploying Bookinfo across workload clusters, and using ingress and east-west gateways to shift traffic across clusters.

For any service namespace, be sure to label the namespace with the revision so that Istio sidecars are deployed to your app pods: kubectl label ns <namespace> istio.io/rev=$REVISION.

Next steps

Now that you have Gloo Mesh Enterprise and Istio installed, you can use Gloo Mesh to manage your Istio service mesh resources. You don't need to directly configure any Istio resources going forward.

When it's time to upgrade Istio, you can use Gloo Mesh to upgrade Gloo Mesh-managed Istio installations.
Review how Gloo Mesh custom resources are automatically translated into Istio resources.
Configure workspaces to create boundaries for your teams’ resources.
Try out the Policies for steps to secure, observe, and control network traffic.