Platform-Specific Prerequisites
This document covers any platform or environment specific prerequisites for installing Istio in ambient mode.
Platform
Google Kubernetes Engine (GKE)
On GKE, Istio components that use the `system-node-critical` `priorityClassName` can only be installed into namespaces that have a matching ResourceQuota defined. By default in GKE, only `kube-system` has a ResourceQuota defined for the `node-critical` class. `istio-cni` and `ztunnel` both require the `node-critical` class, so on GKE both components must either:

- be installed into `kube-system` (not `istio-system`), or
- be installed into another namespace (such as `istio-system`) in which a ResourceQuota has been manually created, for example:

```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: gcp-critical-pods
  namespace: istio-system
spec:
  hard:
    pods: 1000
  scopeSelector:
    matchExpressions:
    - operator: In
      scopeName: PriorityClass
      values:
      - system-node-critical
```

Without a quota that names the `system-node-critical` scope, the quota admission controller rejects the `istio-cni` and `ztunnel` pods and their DaemonSets never become ready.
Minikube
- If you are using Minikube with the Docker driver, you must append `--set cni.cniNetnsDir="/var/run/docker/netns"` to the `helm install` command so that the `istio-cni` node agent can correctly manage and capture pods on the node.
MicroK8s
- If you are using MicroK8s, you must append `--set values.cni.cniConfDir=/var/snap/microk8s/current/args/cni-network --set values.cni.cniBinDir=/var/snap/microk8s/current/opt/cni/bin` to the `helm install` command, as MicroK8s uses nonstandard locations for CNI configuration and binaries.
CNI
Cilium
Cilium currently defaults to proactively deleting other CNI plugins and their config, and must be configured with the Helm value `cni.exclusive=false` to properly support chaining. See the Cilium documentation for more details.

Due to how Cilium manages node identity and internally allow-lists node-level health probes to pods, applying a default-deny `NetworkPolicy` in a Cilium CNI install underlying Istio in ambient mode will cause `kubelet` health probes (which are by default exempted from NetworkPolicy enforcement by Cilium) to be blocked. In ambient mode the probes arrive at the pod SNAT-ed from the link-local address `169.254.7.127`, so Cilium no longer recognizes them as host traffic and its exemption does not apply. This can be resolved by applying the following `CiliumClusterwideNetworkPolicy`:

```yaml
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "allow-ambient-hostprobes"
spec:
  description: "Allows SNAT-ed kubelet health check probes into ambient pods"
  endpointSelector: {}
  ingress:
  - fromCIDR:
    - "169.254.7.127/32"
```

Please see issue #49277 and the `CiliumClusterwideNetworkPolicy` documentation for more details.
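The GKE ResourceQuota requirement above and the Cilium host-probe allow rule are both "does the cluster already have this object" checks, so the following pre-flight script covers both. It is an added example, not Istio project code: it consumes the JSON printed by `kubectl get resourcequota -n <ns> -o json` and `kubectl get ccnp -o json`, decides whether the `system-node-critical` scope is covered and whether a cluster-wide Cilium policy admits `169.254.7.127/32`, and returns the remaining actions. The sample documents at the bottom, the `preflight` and `quota_manifest` helper names, and the assumption that a quota must name the PriorityClass scope (a quota without a scopeSelector is not counted) are this example's own.

```python
"""Pre-flight checks for two prerequisites on this page: the GKE ResourceQuota
for system-node-critical pods and the Cilium allow rule for SNAT-ed kubelet
probes. Added example, not Istio project code; input is `kubectl ... -o json`
output, with constructed samples at the bottom so it runs offline."""
import json

NODE_CRITICAL = "system-node-critical"
PROBE_SRC = "169.254.7.127/32"  # source CIDR of SNAT-ed kubelet probes (from the CCNP above)


def quota_covers_priority_class(quota_list: dict, priority_class: str = NODE_CRITICAL) -> bool:
    """True if any ResourceQuota in the list has a scopeSelector matching pods of
    `priority_class`. Assumption: a quota without a PriorityClass scope does not
    count, since the admission rule wants a quota that names the scope."""
    for quota in quota_list.get("items", []):
        selector = quota.get("spec", {}).get("scopeSelector") or {}
        for expr in selector.get("matchExpressions", []):
            if expr.get("scopeName") != "PriorityClass":
                continue
            if expr.get("operator") == "Exists":
                return True
            if expr.get("operator") == "In" and priority_class in expr.get("values", []):
                return True
    return False


def quota_manifest(namespace: str, pods: int = 1000) -> dict:
    """ResourceQuota to create when the check fails (same shape as the GKE manifest above)."""
    return {
        "apiVersion": "v1",
        "kind": "ResourceQuota",
        "metadata": {"name": "gcp-critical-pods", "namespace": namespace},
        "spec": {
            "hard": {"pods": str(pods)},
            "scopeSelector": {"matchExpressions": [
                {"operator": "In", "scopeName": "PriorityClass", "values": [NODE_CRITICAL]},
            ]},
        },
    }


def _selects_all_endpoints(spec: dict) -> bool:
    """An endpointSelector of {} (or with no labels/expressions) selects every pod."""
    selector = spec.get("endpointSelector")
    if selector is None:  # node-scoped or malformed policy: not a pod allow rule
        return False
    return not selector.get("matchLabels") and not selector.get("matchExpressions")


def _rule_allows_cidr(rule: dict, cidr: str) -> bool:
    """Ingress rule admits `cidr` via fromCIDR, or via fromCIDRSet with no except list."""
    if cidr in rule.get("fromCIDR", []):
        return True
    return any(entry.get("cidr") == cidr and not entry.get("except")
               for entry in rule.get("fromCIDRSet", []))


def cilium_allows_hostprobes(ccnp_list: dict, probe_src: str = PROBE_SRC) -> bool:
    """True if a CiliumClusterwideNetworkPolicy selecting every endpoint has an ingress
    rule admitting `probe_src`. Both the single `spec` and the `specs` list form are checked."""
    for policy in ccnp_list.get("items", []):
        if policy.get("kind") != "CiliumClusterwideNetworkPolicy":
            continue
        for spec in policy.get("specs") or [policy.get("spec", {})]:
            if not _selects_all_endpoints(spec):
                continue
            if any(_rule_allows_cidr(rule, probe_src) for rule in spec.get("ingress", [])):
                return True
    return False


def preflight(istio_ns_quotas: dict, ccnps: dict, istio_ns: str = "istio-system") -> list:
    """Actions still required before `helm install` of istio-cni and ztunnel."""
    actions = []
    if not quota_covers_priority_class(istio_ns_quotas):
        actions.append(f"create a {NODE_CRITICAL} ResourceQuota in {istio_ns}, "
                       "or install istio-cni and ztunnel into kube-system")
    if not cilium_allows_hostprobes(ccnps):
        actions.append(f"apply a CiliumClusterwideNetworkPolicy allowing ingress from {PROBE_SRC}")
    return actions


# Constructed samples standing in for kubectl output; not captured from a real cluster.
KUBE_SYSTEM_QUOTAS = {"kind": "ResourceQuotaList", "items": [quota_manifest("kube-system")]}
ISTIO_SYSTEM_QUOTAS = {"kind": "ResourceQuotaList", "items": []}
CCNPS = {"kind": "CiliumClusterwideNetworkPolicyList", "items": [{
    "apiVersion": "cilium.io/v2", "kind": "CiliumClusterwideNetworkPolicy",
    "metadata": {"name": "allow-ambient-hostprobes"},
    "spec": {"endpointSelector": {}, "ingress": [{"fromCIDR": [PROBE_SRC]}]},
}]}
NO_CCNPS = {"kind": "CiliumClusterwideNetworkPolicyList", "items": []}

if __name__ == "__main__":
    for action in preflight(ISTIO_SYSTEM_QUOTAS, NO_CCNPS):
        print("TODO:", action)
    print(json.dumps(quota_manifest("istio-system"), indent=2))
```

Pipe real cluster output in by replacing the sample dicts with `json.load()` of the kubectl output; the checks deliberately ignore quotas without a PriorityClass scope and Cilium policies whose `endpointSelector` names specific labels, because neither satisfies the prerequisite described above.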