Installing Istio ambient mode

You can deploy Istio in ambient mode on Alauda Container Platform with Alauda Service Mesh Operator 2.1.1 or later.

Prerequisites

  • The Alauda Container Platform Networking for Multus plugin must be installed, and kube-ovn must be v4.1.5 or later.
  • Alauda Service Mesh Operator 2.1.1 or later is installed.
  • An active ACP CLI (kubectl) session by a cluster administrator with the cluster-admin role.
  • You have istioctl installed locally so that you can use it to run these instructions.

Procedure

Install the Istio Container Network Interface (CNI)

  1. Create the istio-cni namespace and add a label istio-discovery=enabled:

    kubectl create namespace istio-cni
    kubectl label namespace istio-cni istio-discovery=enabled
  2. Create a file named istio-cni.yaml containing the IstioCNI resource:

    apiVersion: sailoperator.io/v1
    kind: IstioCNI
    metadata:
      name: default
    spec:
      namespace: istio-cni
      profile: ambient
      values:
        cni:
          cniConfDir: /etc/cni/multus/net.d
          excludeNamespaces:
            - istio-cni
            - kube-system
          ambient:
            reconcileIptablesOnStartup: true
    1. You must set the profile field to ambient.
    2. Set spec.values.cni.ambient.reconcileIptablesOnStartup to true. The reconcileIptablesOnStartup option enables the IstioCNI agent to detect and repair incompatible iptables rules in already-running ambient pods during CNI agent startup, handling scenarios such as upgrades or rule drift.
  3. Apply the IstioCNI CR:

    kubectl apply -f istio-cni.yaml
  4. Wait for the IstioCNI pods to become ready:

    kubectl wait --for=condition=Ready istiocnis/default --timeout=3m

Install the Istio control plane

  1. Create the istio-system namespace and add a label istio-discovery=enabled:

    kubectl create namespace istio-system
    kubectl label namespace istio-system istio-discovery=enabled
  2. Create a file named istio.yaml containing the Istio resource:

    apiVersion: sailoperator.io/v1
    kind: Istio
    metadata:
      name: default
    spec:
      namespace: istio-system
      profile: ambient
      values:
        pilot:
          trustedZtunnelNamespace: ztunnel
        meshConfig:
          discoverySelectors:
            - matchLabels:
                istio-discovery: enabled
    1. You must set the profile field to ambient.
    2. You must configure .spec.values.pilot.trustedZtunnelNamespace to match the namespace where the ZTunnel resource will be installed.
    3. The discoverySelectors configuration ensures that the control plane only monitors namespaces labeled with istio-discovery=enabled, which helps reduce configuration overhead and enables multiple service meshes to coexist on the same cluster. See Discovery selectors in ambient mode for details.
  3. Apply the Istio custom resource (CR):

    kubectl apply -f istio.yaml
  4. Wait for the Istio control plane to become ready:

    kubectl wait --for=condition=Ready istios/default --timeout=3m

Install the ZTunnel proxy

  1. Create the ztunnel namespace and add a label istio-discovery=enabled:

    kubectl create namespace ztunnel
    kubectl label namespace ztunnel istio-discovery=enabled
    NOTE

    The namespace name for the ZTunnel resource must match the trustedZtunnelNamespace parameter in the Istio configuration.

  2. Create a file named ztunnel.yaml containing the ZTunnel resource:

    apiVersion: sailoperator.io/v1
    kind: ZTunnel
    metadata:
      name: default
    spec:
      namespace: ztunnel
  3. Apply the ZTunnel CR:

    kubectl apply -f ztunnel.yaml
  4. Wait for the ZTunnel pods to become ready:

    kubectl wait --for=condition=Ready ztunnel/default --timeout=3m
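The three resources above only work together if their fields agree: both profiles set to ambient, reconcileIptablesOnStartup enabled, trustedZtunnelNamespace equal to the ZTunnel namespace, and every install namespace carrying the label that discoverySelectors matches on. The following pre-flight check is an added example, not part of the Alauda documentation or the Sail operator; it assumes the manifests have already been parsed (for example with PyYAML's yaml.safe_load) and embeds the page's three manifests as constructed dicts along with a constructed namespace-label map standing in for what kubectl would report.

```python
def _get(doc, *path):
    """Walk nested dict keys; return None if any segment is missing."""
    for key in path:
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def _discovered(labels, selectors):
    """True if some discoverySelector's matchLabels is satisfied (selectors are ORed)."""
    return any(all(labels.get(k) == v for k, v in sel.get("matchLabels", {}).items())
               for sel in selectors)


def validate_ambient_install(istio_cni, istio, ztunnel, namespace_labels):
    """Return a list of findings; an empty list means the three resources agree."""
    findings = []
    for name, doc in (("IstioCNI", istio_cni), ("Istio", istio)):
        if _get(doc, "spec", "profile") != "ambient":
            findings.append(f"{name}: spec.profile must be 'ambient'")
    if _get(istio_cni, "spec", "values", "cni", "ambient", "reconcileIptablesOnStartup") is not True:
        findings.append("IstioCNI: spec.values.cni.ambient.reconcileIptablesOnStartup must be true")
    trusted = _get(istio, "spec", "values", "pilot", "trustedZtunnelNamespace")
    ztunnel_ns = _get(ztunnel, "spec", "namespace")
    if trusted != ztunnel_ns:
        findings.append(f"Istio: trustedZtunnelNamespace {trusted!r} != ZTunnel namespace {ztunnel_ns!r}")
    # istiod only watches namespaces matched by discoverySelectors; each install namespace needs a match.
    selectors = _get(istio, "spec", "values", "meshConfig", "discoverySelectors") or []
    for name, doc in (("IstioCNI", istio_cni), ("Istio", istio), ("ZTunnel", ztunnel)):
        ns = _get(doc, "spec", "namespace")
        if not _discovered(namespace_labels.get(ns, {}), selectors):
            findings.append(f"{name}: namespace {ns!r} is not matched by any discoverySelector")
    return findings


# Constructed inputs: the page's manifests as yaml.safe_load() would parse them, plus stand-in namespace labels.
ISTIO_CNI = {"kind": "IstioCNI", "spec": {"namespace": "istio-cni", "profile": "ambient",
             "values": {"cni": {"cniConfDir": "/etc/cni/multus/net.d",
                                "excludeNamespaces": ["istio-cni", "kube-system"],
                                "ambient": {"reconcileIptablesOnStartup": True}}}}}
ISTIO = {"kind": "Istio", "spec": {"namespace": "istio-system", "profile": "ambient",
         "values": {"pilot": {"trustedZtunnelNamespace": "ztunnel"},
                    "meshConfig": {"discoverySelectors": [{"matchLabels": {"istio-discovery": "enabled"}}]}}}}
ZTUNNEL = {"kind": "ZTunnel", "spec": {"namespace": "ztunnel"}}
NAMESPACE_LABELS = {ns: {"istio-discovery": "enabled"} for ns in ("istio-cni", "istio-system", "ztunnel")}

if __name__ == "__main__":
    for line in validate_ambient_install(ISTIO_CNI, ISTIO, ZTUNNEL, NAMESPACE_LABELS) or ["OK: consistent"]:
        print(line)
```

Run it before `kubectl apply` so a mismatched trustedZtunnelNamespace or a forgotten namespace label is caught as a finding rather than as a ZTunnel that never becomes Ready.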