Sail Operator 1.0.0 released: manage Istio with an operator
Dive into the basics of the Sail Operator and check out an example to see how easy it is to use it to manage Istio.
The Sail Operator is a community project launched by Red Hat to build a modern operator for Istio. It was first announced in August 2024, and we are pleased to announce that the Sail Operator is now GA with a clear mission: to simplify and streamline Istio management in your cluster.
Simplified deployment & management
The Sail Operator is engineered to cut down the complexity of installing and running Istio. It automates manual tasks, ensuring a consistent, reliable, and uncomplicated experience from initial installation to ongoing maintenance and upgrades of Istio versions in your cluster. The Sail Operator APIs are built around Istio’s Helm chart APIs, which means that all the Istio configurations are available through the Sail Operator CRD’s values.
We encourage users to go through our documentation to learn more about this new way to manage your Istio environment.
The main resources that are part of the Sail Operator are:
- Istio: manages an Istio control plane.
- IstioRevision: represents a revision of the control plane.
- IstioRevisionTag: represents a stable revision tag, which functions as an alias for an Istio control plane revision.
- IstioCNI: manages Istio’s CNI node agent.
- ZTunnel: manages the ambient mode ztunnel DaemonSet (Alpha feature).
Main features and support
- Each component of the Istio control plane is managed independently by the Sail Operator through dedicated Kubernetes Custom Resources (CRs). The Sail Operator provides separate CRDs for components such as Istio, IstioCNI, and ZTunnel, allowing you to configure, manage, and upgrade them individually. Additionally, there are CRDs for IstioRevision and IstioRevisionTag to manage Istio control plane revisions.
- Support for multiple Istio versions. Currently the 1.0.0 version supports: 1.24.3, 1.24.2, 1.24.1, 1.23.5, 1.23.4, 1.23.3, 1.23.0.
- Two update strategies are supported: InPlace and RevisionBased. Check our documentation for more information about the update types supported.
- Support for multicluster Istio deployment models: multi-primary, primary-remote, external control plane. More information and examples in our documentation.
- Ambient mode support is Alpha: check our specific documentation.
- Addons are managed separately from the Sail Operator. They can be easily integrated with the Sail Operator; check this section of the documentation for examples and more information.
Why now?
As cloud native architectures continue to evolve, we feel a robust and user-friendly operator for Istio is more essential than ever. The Sail Operator offers developers and operations teams a consistent, secure, and efficient solution that feels familiar to those used to working with operators. Its GA release signals a mature solution, ready to support even the most demanding production environments.
Try it out
Would you like to try out Sail Operator? This example will show you how to safely do an update of your Istio control plane by using the revision-based upgrade strategy. This means you will have two Istio control planes running at the same time, allowing you to migrate workloads easily, minimizing the risk of traffic disruptions.
Prerequisites:
- Running cluster
- Helm
- Kubectl
- Istioctl
Install the Sail Operator using Helm
$ helm repo add sail-operator https://istio-ecosystem.github.io/sail-operator
$ helm repo update
$ kubectl create namespace sail-operator
$ helm install sail-operator sail-operator/sail-operator --version 1.0.0 -n sail-operator
The operator is now installed in your cluster:
NAME: sail-operator
LAST DEPLOYED: Tue Mar 18 12:00:46 2025
NAMESPACE: sail-operator
STATUS: deployed
REVISION: 1
TEST SUITE: None
Check the operator pod is running:
$ kubectl get pods -n sail-operator
NAME READY STATUS RESTARTS AGE
sail-operator-56bf994f49-j67ft 1/1 Running 0 87s
Create Istio and IstioRevisionTag resources
Create an Istio resource with the version v1.24.2 and an IstioRevisionTag:
$ kubectl create ns istio-system
$ cat <<EOF | kubectl apply -f-
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: default
spec:
  namespace: istio-system
  updateStrategy:
    type: RevisionBased
    inactiveRevisionDeletionGracePeriodSeconds: 30
  version: v1.24.2
---
apiVersion: sailoperator.io/v1
kind: IstioRevisionTag
metadata:
  name: default
spec:
  targetRef:
    kind: Istio
    name: default
EOF
Note that the IstioRevisionTag has a target reference to the Istio resource with the name default.
Check the state of the resources created:
- istiod pods are running
  $ kubectl get pods -n istio-system
  NAME READY STATUS RESTARTS AGE
  istiod-default-v1-24-2-bd8458c4-jl8zm 1/1 Running 0 3m45s
- Istio resource created
  $ kubectl get istio
  NAME REVISIONS READY IN USE ACTIVE REVISION STATUS VERSION AGE
  default 1 1 1 default-v1-24-2 Healthy v1.24.2 4m27s
- IstioRevisionTag resource created
  $ kubectl get istiorevisiontag
  NAME STATUS IN USE REVISION AGE
  default NotReferencedByAnything False default-v1-24-2 4m43s
Note that the IstioRevisionTag status is NotReferencedByAnything. This is because there are currently no resources using the revision default-v1-24-2.
Deploy sample application
Create a namespace and label it to enable Istio injection:
$ kubectl create namespace sample
$ kubectl label namespace sample istio-injection=enabled
After labeling the namespace you will see that the IstioRevisionTag resource status will change to ‘In Use: True’, because there is now a resource using the revision default-v1-24-2:
$ kubectl get istiorevisiontag
NAME STATUS IN USE REVISION AGE
default Healthy True default-v1-24-2 6m24s
Deploy the sample application:
$ kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.25/samples/sleep/sleep.yaml -n sample
Confirm the proxy version of the sample app matches the control plane version:
$ istioctl proxy-status
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
sleep-5fcd8fd6c8-q4c9x.sample Kubernetes SYNCED (78s) SYNCED (78s) SYNCED (78s) SYNCED (78s) IGNORED istiod-default-v1-24-2-bd8458c4-jl8zm 1.24.2
Upgrade the Istio control plane to version 1.24.3
Update the Istio resource with the new version:
$ kubectl patch istio default -n istio-system --type='merge' -p '{"spec":{"version":"v1.24.3"}}'
Check the Istio resource. You will see that there are two revisions and they are both ‘ready’:
$ kubectl get istio
NAME REVISIONS READY IN USE ACTIVE REVISION STATUS VERSION AGE
default 2 2 2 default-v1-24-3 Healthy v1.24.3 10m
The IstioRevisionTag now references the new revision:
$ kubectl get istiorevisiontag
NAME STATUS IN USE REVISION AGE
default Healthy True default-v1-24-3 11m
There are two IstioRevisions, one for each Istio version:
$ kubectl get istiorevision
NAME TYPE READY STATUS IN USE VERSION AGE
default-v1-24-2 True Healthy True v1.24.2 11m
default-v1-24-3 True Healthy True v1.24.3 92s
The Sail Operator automatically detects whether a given Istio control plane is being used and writes this information in the “In Use” status condition that you see above. Right now, all IstioRevisions and our IstioRevisionTag are considered “In Use”:
- The old revision default-v1-24-2 is considered in use because it is referenced by the sample application’s sidecar.
- The new revision default-v1-24-3 is considered in use because it is referenced by the tag.
- The tag is considered in use because it is referenced by the sample namespace.
Confirm there are two control plane pods running, one for each revision:
$ kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
istiod-default-v1-24-2-bd8458c4-jl8zm 1/1 Running 0 16m
istiod-default-v1-24-3-68df97dfbb-v7ndm 1/1 Running 0 6m32s
Confirm the proxy sidecar version remains the same:
$ istioctl proxy-status
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
sleep-5fcd8fd6c8-q4c9x.sample Kubernetes SYNCED (6m40s) SYNCED (6m40s) SYNCED (6m40s) SYNCED (6m40s) IGNORED istiod-default-v1-24-2-bd8458c4-jl8zm 1.24.2
Restart the sample pod:
$ kubectl rollout restart deployment -n sample
Confirm the proxy sidecar version is updated:
$ istioctl proxy-status
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
sleep-6f87fcf556-k9nh9.sample Kubernetes SYNCED (29s) SYNCED (29s) SYNCED (29s) SYNCED (29s) IGNORED istiod-default-v1-24-3-68df97dfbb-v7ndm 1.24.3
When an IstioRevision is no longer in use and is not the active revision of an Istio resource (for example, when it is not the version that is set in the spec.version field), the Sail Operator will delete it after a grace period, which defaults to 30 seconds. Confirm the deletion of the old control plane and IstioRevision:
- The old control plane pod is deleted
  $ kubectl get pods -n istio-system
  NAME READY STATUS RESTARTS AGE
  istiod-default-v1-24-3-68df97dfbb-v7ndm 1/1 Running 0 10m
- The old IstioRevision is deleted
  $ kubectl get istiorevision
  NAME TYPE READY STATUS IN USE VERSION AGE
  default-v1-24-3 True Healthy True v1.24.3 13m
- The Istio resource now only has one revision
  $ kubectl get istio
  NAME REVISIONS READY IN USE ACTIVE REVISION STATUS VERSION AGE
  default 1 1 1 default-v1-24-3 Healthy v1.24.3 24m
Congratulations! You have successfully updated your Istio control plane using the revision-based upgrade strategy.
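The check below is an added example, not part of the original post or the Sail Operator project: it reads istioctl proxy-status output in the column layout shown above and lists sidecars still attached to a proxy version other than the target, which is what keeps an old IstioRevision in use. The function names and the second sample pod are constructed for illustration.

```shell
#!/bin/sh
# Added example: find sidecars that were not moved to the new revision.

# Constructed sample of `istioctl proxy-status` output. The first data row is
# the one shown on this page; the second pod is made up for the example.
sample_proxy_status() {
cat <<'EOF'
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
sleep-5fcd8fd6c8-q4c9x.sample Kubernetes SYNCED (6m40s) SYNCED (6m40s) SYNCED (6m40s) SYNCED (6m40s) IGNORED istiod-default-v1-24-2-bd8458c4-jl8zm 1.24.2
web-7c9d5b6f4d-abcde.shop Kubernetes SYNCED (29s) SYNCED (29s) SYNCED (29s) SYNCED (29s) IGNORED istiod-default-v1-24-3-68df97dfbb-v7ndm 1.24.3
EOF
}

# stale_proxies TARGET_VERSION   (proxy-status output on stdin)
# Prints "proxy istiod version" for every proxy not on TARGET_VERSION.
# The sync columns contain spaces ("SYNCED (78s)"), so counting fields from
# the left is unreliable; VERSION is read as the last field and ISTIOD as the
# one before it (assumes the layout shown on this page).
stale_proxies() {
  target=${1#v}                          # accept v1.24.3 or 1.24.3
  awk -v target="$target" '
    NR == 1 && $1 == "NAME" { next }     # skip the header row
    NF < 3 { next }                      # skip blank or malformed lines
    { ver = $NF; sub(/^v/, "", ver) }
    ver != target { print $1, $(NF-1), ver }
  '
}

# upgrade_complete TARGET_VERSION   (proxy-status output on stdin)
# Succeeds only when no proxy is left on another version.
upgrade_complete() {
  [ -z "$(stale_proxies "$1")" ]
}

# Stand-alone run on the constructed sample: reports the sleep pod on 1.24.2.
sample_proxy_status | stale_proxies v1.24.3
```

Against a live cluster, pipe istioctl proxy-status into upgrade_complete with the target version after restarting workloads; any proxy it reports still needs a rollout restart before the old revision can be removed.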
Conclusion
The Sail Operator automates manual tasks, ensuring a consistent, reliable, and uncomplicated experience from initial installation to ongoing maintenance and upgrades of Istio in your cluster. The Sail Operator is an istio-ecosystem project, and we encourage you to try it out and provide feedback to help us improve it. You can check our contribution guide for more information about how to contribute to the project.