Handling Policy of Resource Configuration Using IstioOperator
When Istio is installed using Istio Operator, the workloads of the components managed by Istio Operator (istiod, istio-ingressgateway, and istio-egressgateway) may need to be updated, for example, to upgrade the mesh version or to add istio-ingressgateway instances. You can update these workloads on the Workloads page of the CCE console or on the System Component Management page of the ASM console (for Enterprise mesh), or you can directly modify the IstioOperator resource (IOP entry).
Handling Policy
To avoid configuration conflicts and ensure stable running of Istio workloads, you are advised to:
- Define key and non-key running configurations for workloads.
Table 1 Key running configurations of each resource type

| Resource Type | Item | Description |
|---|---|---|
| Deployment | spec.replicas | Number of pods |
| Deployment | spec.strategy | Upgrade policies |
| Deployment | spec.template.nodeSelector | Scheduling policies |
| Deployment | spec.template.affinity | Scheduling policies |
| Deployment | spec.template.tolerations | Scheduling policies |
| Deployment | spec.template.containers.resources | Resource requests and limits |
| DaemonSet | spec.updateStrategy | Upgrade policies |
| DaemonSet | spec.template.nodeSelector | Scheduling policies |
| DaemonSet | spec.template.affinity | Scheduling policies |
| DaemonSet | spec.template.tolerations | Scheduling policies |
| DaemonSet | spec.template.containers.resources | Resource requests and limits |
| StatefulSet | spec.replicas | Number of pods |
| StatefulSet | spec.updateStrategy | Upgrade policies |
| StatefulSet | spec.template.nodeSelector | Scheduling policies |
| StatefulSet | spec.template.affinity | Scheduling policies |
| StatefulSet | spec.template.tolerations | Scheduling policies |
| StatefulSet | spec.template.containers.resources | Resource requests and limits |
| Pod | spec.nodeSelector | Scheduling policies |
| Pod | spec.affinity | Scheduling policies |
| Pod | spec.tolerations | Scheduling policies |
| Pod | spec.containers.resources | Resource requests and limits |

- By default, the Istio Operator does not update key running configurations of workloads in the current cluster. Only non-key running configurations can be updated.
- The annotation key asm.huaweicloud.com/reconcileFromIstioOperatorCR is added to the IstioOperator CRD to describe the configuration validation policy.
  After you configure and enable the policy (asm.huaweicloud.com/reconcileFromIstioOperatorCR: 'true'), the Istio Operator updates workloads according to the configurations defined in the IstioOperator CRD. If this parameter is set to false, the default policy of Istio Operator is used.

The following steps describe how the preceding policies are configured and take effect, using a Basic mesh of v1.8.6 as an example:
- Modify the key running configurations of the istio-egressgateway component at the IOP entry.
  - Log in to the ASM console and click the target mesh to go to its details page.
  - In the navigation pane, choose Mesh Configuration and click the Istio Resource Management tab.
  - In the drop-down lists, select Istio Resources: istiooperators and Namespace: istio-system.
  - Click Edit in the Operation column of the private-data-plane resource and change the number of istio-egressgateway instances from 2 to 3.

    ```yaml
    ...
    spec:
      components:
        egressGateways:
        - enabled: true
          k8s:
            affinity:
              nodeAffinity:
                preferredDuringSchedulingIgnoredDuringExecution:
                - preference:
                    matchExpressions:
                    - key: istio
                      operator: In
                      values:
                      - master
                  weight: 1
              podAntiAffinity:
                requiredDuringSchedulingIgnoredDuringExecution:
                - labelSelector:
                    matchExpressions:
                    - key: app
                      operator: In
                      values:
                      - istio-egressgateway
                  topologyKey: kubernetes.io/hostname
            podAnnotations:
              seccomp.security.alpha.kubernetes.io/pod: runtime/default
            replicaCount: 3
            strategy:
              rollingUpdate:
                maxSurge: 0
          name: istio-egressgateway
    ...
    ```
- Restart the istio-egressgateway workload.
  - Log in to the CCE console and click the target cluster for which the mesh has been enabled to go to the cluster details page.
  - In the navigation pane, choose Resources > Workloads, set Namespace to istio-system, click More > Redeploy in the Operation column of the istio-egressgateway workload, and click Yes in the dialog box displayed.
- Check whether the configurations take effect.

  If the number of instances of the istio-egressgateway workload is still 2, the key running configurations of the workload modified at the IOP entry do not take effect by default.
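
The check in the last step can be scripted. The following Python code is an added example, not ASM or Istio Operator code: it compares the key running configurations set in an IOP against a live Deployment and reports, for each field that differs, whether the operator will apply it. The function names, the constructed sample data, and reading the annotation from metadata.annotations of the IstioOperator resource are assumptions.

```python
ANNOTATION = "asm.huaweicloud.com/reconcileFromIstioOperatorCR"

def _pod(d):
    return d["spec"]["template"]["spec"]

# IOP k8s field -> reader for the matching Table 1 item on a live Deployment
# (pod-level items sit under spec.template.spec in the Kubernetes API).
KEY_FIELDS = {
    "replicaCount": lambda d: d["spec"].get("replicas"),
    "strategy": lambda d: d["spec"].get("strategy"),
    "nodeSelector": lambda d: _pod(d).get("nodeSelector"),
    "affinity": lambda d: _pod(d).get("affinity"),
    "tolerations": lambda d: _pod(d).get("tolerations"),
    "resources": lambda d: _pod(d)["containers"][0].get("resources"),
}

def covers(live, desired):
    """True if every value set in `desired` is present in `live`.
    The API server fills in defaults, so `live` may hold extra keys."""
    if isinstance(desired, dict):
        return isinstance(live, dict) and all(
            k in live and covers(live[k], v) for k, v in desired.items())
    if isinstance(desired, list):
        return (isinstance(live, list) and len(live) == len(desired)
                and all(covers(l, d) for l, d in zip(live, desired)))
    return live == desired

def reconcile_enabled(iop):
    # Assumption: the annotation is read from the IOP's metadata.annotations.
    ann = iop.get("metadata", {}).get("annotations") or {}
    return str(ann.get(ANNOTATION, "false")).lower() == "true"

def unapplied_key_settings(iop, name, deployment):
    """Map each key field of gateway `name` that differs from the live
    Deployment to True (operator applies it) or False (default: ignored)."""
    comps = iop["spec"]["components"]
    gateways = comps.get("egressGateways", []) + comps.get("ingressGateways", [])
    k8s = next(g for g in gateways if g.get("name") == name).get("k8s", {})
    applies = reconcile_enabled(iop)
    return {f: applies for f, read in KEY_FIELDS.items()
            if f in k8s and not covers(read(deployment), k8s[f])}

# Constructed sample data mirroring the walkthrough: IOP edited to 3, workload at 2.
SAMPLE_IOP = {"metadata": {"name": "private-data-plane"}, "spec": {"components": {
    "egressGateways": [{"name": "istio-egressgateway", "enabled": True, "k8s": {
        "replicaCount": 3, "strategy": {"rollingUpdate": {"maxSurge": 0}}}}]}}}
SAMPLE_DEPLOYMENT = {"spec": {"replicas": 2, "strategy": {"type": "RollingUpdate",
    "rollingUpdate": {"maxSurge": 0, "maxUnavailable": "25%"}},
    "template": {"spec": {"containers": [{"name": "istio-proxy"}]}}}}
```

For the sample data, `unapplied_key_settings(SAMPLE_IOP, "istio-egressgateway", SAMPLE_DEPLOYMENT)` returns `{"replicaCount": False}`: the replica change is pending and, without the annotation set to 'true', is not applied.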