Back in January I have written a blog post about installing the Istio control plane on AKS in HA mode.
Since the release of Istio 1.5 this month the overall architecture of the Istio control plane has changed.
-> https://istio.io/news/releases/1.5.x/announcing-1.5/#introducing-istiod
With the introduction of Istiod the number of deployed pods get dramatically reduced, when running a high available Istio control plane to at least four pods. Those four pods are two Istiod pods, representing the core of the control plane, and two Istio ingress gateway pods.
Beside that you might have some more pods representing add-on components like Grafana, Prometheus and Kiali.
Instead of using istioctl with --set option, I transferred those settings into a YAML template utilizing the IstioOperator API more easily.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
addonComponents:
grafana:
enabled: true
tracing:
enabled: true
kiali:
enabled: true
prometheus:
enabled: true
components:
ingressGateways:
- enabled: true
k8s:
hpaSpec:
minReplicas: 2
overlays:
- apiVersion: v1
kind: Service
name: istio-ingressgateway
patches:
- path: spec.ports
value:
- name: status-port
port: 15020
targetPort: 15020
- name: http2
port: 80
targetPort: 80
- name: https
port: 443
targetPort: 443
pilot:
enabled: true
k8s:
hpaSpec:
minReplicas: 2
overlays:
- apiVersion: policy/v1beta1
kind: PodDisruptionBudget
name: istiod
patches:
- path: spec.selector.matchLabels
value:
app: istiod
istio: pilot
values:
global:
mtls:
enabled: true
controlPlaneSecurityEnabled: true
proxy:
accessLogFile: "/dev/stdout"
accessLogEncoding: "JSON"
gateways:
istio-ingressgateway:
sds:
enabled: true
sidecarInjectorWebhook:
rewriteAppHTTPProbe: true
As you see in the template, I am setting the HPA minReplicas to 2 and thus ensure having a minimal HA setup for the Istio control plane.
Furthermore, I am using the overlays option to overwrite some specific settings.
Istio ingress gateway – Reduce number of exposed ports
My initial intention here came from a cost perspective regarding the costs of Standard Load Balancer rules in Azure. But it is also a good approach from the security perspective to only expose necessary ports.
In my case port 80, 443 and 15020 for the Envoy proxy health check endpoint.
...
overlays:
- apiVersion: v1
kind: Service
name: istio-ingressgateway
patches:
- path: spec.ports
value:
- name: status-port
port: 15020
targetPort: 15020
- name: http2
port: 80
targetPort: 80
- name: https
port: 443
targetPort: 443
...
Istiod PodDisruptionBudget issue
Same issue as described in my previous blog post, but now just for another component. The PDB for Istiod has three labels for the selector defined.
❯ kubectl describe poddisruptionbudgets.policy istiod
Name: istiod
Namespace: istio-system
Min available: 1
Selector: app=istiod,istio=pilot,release=istio
Status:
Allowed disruptions: 0
Current: 0
Desired: 1
Total: 0
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal NoPods 27s (x4 over 58s) controllermanager No matching pods found
Unfortunately, the Istiod Kubernetes Deployment template has only two of them defined.
When using selector labels, you need a match of all of them not only a partial match. Therefore, I am overwriting the PDB selector labels to only include the ones specified in the Kubernetes Deployment template.
...
overlays:
- apiVersion: policy/v1beta1
kind: PodDisruptionBudget
name: istiod
patches:
- path: spec.selector.matchLabels
value:
app: istiod
istio: pilot
...
This ensures a working PDB for Istiod.
❯ kubectl describe poddisruptionbudgets.policy istiod
Name: istiod
Namespace: istio-system
Min available: 1
Selector: app=istiod,istio=pilot
Status:
Allowed disruptions: 1
Current: 2
Desired: 1
Total: 2
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal NoPods 70s (x6 over 2m41s) controllermanager No matching pods found
Appendix A – IstioOperator API templates
You can find the IstioOperator API template for Istio 1.5 under the following link.
-> https://github.com/neumanndaniel/kubernetes/blob/master/istio/istio-1.5.yaml
I also transferred the istioctl command from my previous blog post targeting Istio 1.4 to an IstioOperator API template.
-> https://github.com/neumanndaniel/kubernetes/blob/master/istio/istio-1.4.yaml