The Istio CNI update process

The Istio Container Network Interface (CNI) update process uses in-place updates. When the IstioCNI resource changes, the DaemonSet automatically replaces the existing istio-cni-node pods with the specified version of the CNI plugin.

You can use the following field to manage version updates:

  • spec.version

    defines the CNI plugin version to install. Specify the value in the format vX.Y.Z, where X.Y.Z represents the desired version. For example, use v1.28.6 to install the CNI plugin version 1.28.6.

To update the CNI plugin, modify the spec.version field with the target version. The IstioCNI resource also includes a values field that exposes configuration options from the istio-cni chart.

When the mesh operates in ambient mode, the Istio CNI component is responsible for traffic redirection. If you upgrade by using the RevisionBased strategy, the same CNI component stays compatible with the previous control plane version and keeps redirecting traffic for both the existing and the newly deployed control planes for the duration of the migration.

NOTE

The Istio CNI supports a control plane that runs either the same minor version or a minor version that is one release ahead.

Once you finish upgrading the Istio control plane, proceed to upgrade the Istio CNI component. The Alauda Service Mesh v2 Operator rolls out the new CNI plugin version to replace the previous deployment. Pods in the istio-cni-node DaemonSet are then refreshed through a rolling update, which keeps traffic redirection rules in effect for the entire upgrade window.

Updating the Istio CNI resource version

You can update the Istio CNI resource version by changing the version in the resource. Then, the Service Mesh v2 Operator deploys a new version of the CNI plugin that replaces the old version of the CNI plugin. The istio-cni-node pods automatically reconnect to the new CNI plugin.

Prerequisites

  • You are logged in to the Alauda Container Platform web console as cluster-admin.
  • You have installed the Alauda Service Mesh v2 Operator, and deployed Istio.
  • You have installed the Istio CNI plugin with the desired version. In this example, the IstioCNI resource named default is deployed in the istio-cni namespace.
  • Depending on the chosen update strategy, you have already prepared the control plane: for the InPlace strategy, the Istio control plane has been upgraded to the target version; for the RevisionBased strategy, a new control plane revision has been created.

Procedure

  1. Change the version in the IstioCNI resource. For example, to update to Istio 1.28.6, set the spec.version field to v1.28.6 by running the following command:

    kubectl patch istiocni default --type='merge' -p '{"spec":{"version":"v1.28.6"}}'

  2. After the patch is applied, wait until the IstioCNI resource reports the Ready condition by running the following command:

    kubectl wait --for=condition=Ready istiocnis/default --timeout=5m

  3. Confirm that the new version of the CNI plugin is ready by running the following command:

    kubectl get istiocni default

    Example Output

    NAME      NAMESPACE   PROFILE   READY   STATUS    VERSION   AGE
    default   istio-cni             True    Healthy   v1.28.6   30m

  4. Inspect the resulting CNI pods by running the following command:

    kubectl get pods -n istio-cni

    Example Output

    NAME                   READY   STATUS    RESTARTS   AGE
    istio-cni-node-225z6   1/1     Running   0          2m
    istio-cni-node-97j9k   1/1     Running   0          2m
    istio-cni-node-c4fw6   1/1     Running   0          2m

    NOTE

    If you adopt the RevisionBased strategy, the Istio CNI component can interoperate with several control plane versions at once. The component keeps handling traffic redirection for both the previous and the newly deployed control planes during the migration. Compatibility holds when the control plane runs at the same minor version as the CNI or at most one minor version above.
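The version-skew rule from the NOTE above can be checked before spec.version is patched. The following script is an added example, not part of the product documentation; the function names and the sample versions other than v1.28.6 are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the skew rule stated in the NOTE above.
# The control plane must run the same minor version as the CNI plugin, or
# exactly one minor version ahead.

# Print "MAJOR MINOR" for a version in the page's vX.Y.Z format; fail otherwise.
major_minor() {
    printf '%s\n' "$1" |
        grep -Eq '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$' || return 1
    v=${1#v}; rest=${v#*.}
    printf '%s %s\n' "${v%%.*}" "${rest%%.*}"
}

# cni_supports_cp CNI_VERSION CONTROL_PLANE_VERSION
# Returns 0 if supported, 1 if outside the supported skew, 2 on malformed input.
cni_supports_cp() {
    cni_mm=$(major_minor "$1") || { echo "invalid CNI version: $1" >&2; return 2; }
    cp_mm=$(major_minor "$2") || { echo "invalid control plane version: $2" >&2; return 2; }
    # A different major version is not covered by the rule, so treat it as unsupported.
    [ "${cni_mm% *}" -eq "${cp_mm% *}" ] || return 1
    skew=$(( ${cp_mm#* } - ${cni_mm#* } ))
    [ "$skew" -eq 0 ] || [ "$skew" -eq 1 ]
}

# check_cni_target TARGET_CNI_VERSION CP_VERSION...
# Checks the target against every control plane version still running (with the
# RevisionBased strategy there can be more than one). Non-zero if any one fails.
check_cni_target() {
    target=$1; shift; rc=0
    for cpv in "$@"; do
        if cni_supports_cp "$target" "$cpv"; then
            echo "ok:   CNI $target supports control plane $cpv"
        else
            echo "FAIL: CNI $target does not support control plane $cpv"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample values. On a cluster, the current CNI version can be read with
#   kubectl get istiocni default -o jsonpath='{.spec.version}'
check_cni_target v1.28.6 v1.28.6 || true
check_cni_target v1.28.6 v1.27.3 v1.28.6 || true   # old revision is one minor behind
```

In the second sample call, the control plane revision at v1.27.3 falls outside the supported range for a v1.28.6 CNI plugin, so the check reports a failure for it.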