Updated on 2023-07-04 GMT+08:00

Handling Policy of Resource Configuration Using IstioOperator

When Istio is installed using Istio Operator, the workloads of the components it manages (istiod, istio-ingressgateway, and istio-egressgateway) sometimes need updating, for example, to upgrade the mesh version or to add istio-ingressgateway instances. You can update these workloads on the Workloads page of the CCE console, on the System Component Management page of the ASM console (for an Enterprise mesh), or by directly modifying the IstioOperator resource (the IOP entry).

Handling Policy

To avoid configuration conflicts and ensure stable running of Istio workloads, you are advised to:

  • Define key and non-key running configurations for workloads.
    Table 1 Key running configurations of each resource type

    | Resource Type | Item                               | Description                  |
    |---------------|------------------------------------|------------------------------|
    | Deployment    | spec.replicas                      | Number of pods               |
    | Deployment    | spec.strategy                      | Upgrade policies             |
    | Deployment    | spec.template.nodeSelector         | Scheduling policies          |
    | Deployment    | spec.template.affinity             | Scheduling policies          |
    | Deployment    | spec.template.tolerations          | Scheduling policies          |
    | Deployment    | spec.template.containers.resources | Resource requests and limits |
    | DaemonSet     | spec.updateStrategy                | Upgrade policies             |
    | DaemonSet     | spec.template.nodeSelector         | Scheduling policies          |
    | DaemonSet     | spec.template.affinity             | Scheduling policies          |
    | DaemonSet     | spec.template.tolerations          | Scheduling policies          |
    | DaemonSet     | spec.template.containers.resources | Resource requests and limits |
    | StatefulSet   | spec.replicas                      | Number of pods               |
    | StatefulSet   | spec.updateStrategy                | Upgrade policies             |
    | StatefulSet   | spec.template.nodeSelector         | Scheduling policies          |
    | StatefulSet   | spec.template.affinity             | Scheduling policies          |
    | StatefulSet   | spec.template.tolerations          | Scheduling policies          |
    | StatefulSet   | spec.template.containers.resources | Resource requests and limits |
    | Pod           | spec.nodeSelector                  | Scheduling policies          |
    | Pod           | spec.affinity                      | Scheduling policies          |
    | Pod           | spec.tolerations                   | Scheduling policies          |
    | Pod           | spec.containers.resources          | Resource requests and limits |

  • By default, the Istio Operator does not update key running configurations of workloads in the current cluster. Only non-key running configurations can be updated.
  • The annotation key asm.huaweicloud.com/reconcileFromIstioOperatorCR is added to the IstioOperator CRD to describe the configuration validation policy.

    After you configure and enable the policy (asm.huaweicloud.com/reconcileFromIstioOperatorCR: 'true'), the Istio Operator performs updates according to the configurations defined in the IstioOperator CRD. If this parameter is set to false, the default policy of the Istio Operator is used.

The following example shows how the preceding policies are configured and take effect, using a Basic mesh of v1.8.6:

  1. Modify the key running configurations of the istio-egressgateway component at the IOP entry.

    1. Log in to the ASM console and click the target mesh to go to its details page.
    2. In the navigation pane, choose Mesh Configuration and click the Istio Resource Management tab.
    3. In the drop-down lists, select Istio Resources: istiooperators and Namespace: istio-system.
    4. Click Edit in the Operation column of the private-data-plane resource and change the number of istio-egressgateway instances from 2 to 3.
      ...
      spec:
        components:
          egressGateways:
            - enabled: true
              k8s:
                affinity:
                  nodeAffinity:
                    preferredDuringSchedulingIgnoredDuringExecution:
                      - preference:
                          matchExpressions:
                            - key: istio
                              operator: In
                              values:
                                - master
                        weight: 1
                  podAntiAffinity:
                    requiredDuringSchedulingIgnoredDuringExecution:
                      - labelSelector:
                          matchExpressions:
                            - key: app
                              operator: In
                              values:
                                - istio-egressgateway
                        topologyKey: kubernetes.io/hostname
                podAnnotations:
                  seccomp.security.alpha.kubernetes.io/pod: runtime/default
                replicaCount: 3
                strategy:
                  rollingUpdate:
                    maxSurge: 0
              name: istio-egressgateway
      ...

  2. Restart the istio-egressgateway workload.

    1. Log in to the CCE console and click the target cluster for which the mesh has been enabled to go to the cluster details page.
    2. In the navigation pane, choose Resources > Workloads, set Namespace to istio-system, click More > Redeploy in the Operation column of the istio-egressgateway workload, and click Yes in the dialog box displayed.

  3. Check whether the configurations take effect.

    If the number of instances of the istio-egressgateway workload is still 2, the key running configurations of the workload modified at the IOP entry do not take effect by default.
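
The check in step 3 can also be done by comparing the two objects directly. The following Python is an added example, not part of the original page or of ASM tooling: it compares the key running configurations set in an IstioOperator resource with those of the live Deployment and reports whether the reconcile annotation is enabled. The field-to-path mapping, the annotation's location in metadata.annotations, the use of the first container for resources, and the embedded sample objects are assumptions constructed for illustration.

```python
import json

ANNOTATION = "asm.huaweicloud.com/reconcileFromIstioOperatorCR"
# Assumed mapping: IstioOperator k8s field -> path in the live Deployment object.
KEY_FIELDS = {
    "replicaCount": ("spec", "replicas"),
    "strategy": ("spec", "strategy"),
    "nodeSelector": ("spec", "template", "spec", "nodeSelector"),
    "affinity": ("spec", "template", "spec", "affinity"),
    "tolerations": ("spec", "template", "spec", "tolerations"),
    "resources": ("spec", "template", "spec", "containers", 0, "resources"),
}

def dig(obj, path):
    """Walk dict keys / list indexes; return None when any step is missing."""
    for key in path:
        try:
            obj = obj[key]
        except (KeyError, IndexError, TypeError):
            return None
    return obj

def covers(live, want):
    """True when every value set in the IOP is present in the live object
    (extra server-side defaults in the live object are ignored)."""
    if isinstance(want, dict):
        return isinstance(live, dict) and all(covers(live.get(k), v) for k, v in want.items())
    if isinstance(want, list):
        return (isinstance(live, list) and len(live) == len(want)
                and all(covers(a, b) for a, b in zip(live, want)))
    return live == want

def key_config_drift(iop, deployment, component="istio-egressgateway"):
    # Assumption: the annotation is set in metadata.annotations of the IOP resource.
    flag = (dig(iop, ("metadata", "annotations", ANNOTATION)) or "false") == "true"
    gateways = dig(iop, ("spec", "components", "egressGateways")) or []
    k8s = next((g.get("k8s", {}) for g in gateways if g.get("name") == component), {})
    drift = sorted(f for f, p in KEY_FIELDS.items()
                   if f in k8s and not covers(dig(deployment, p), k8s[f]))
    return {"reconcile_enabled": flag, "drift": drift}

# Constructed sample objects (not output from a real cluster).
IOP = json.loads("""{"metadata": {"name": "private-data-plane", "annotations": {}},
 "spec": {"components": {"egressGateways": [{"name": "istio-egressgateway", "enabled": true,
   "k8s": {"replicaCount": 3, "strategy": {"rollingUpdate": {"maxSurge": 0}}}}]}}}""")
DEPLOYMENT = json.loads("""{"spec": {"replicas": 2, "strategy": {"type": "RollingUpdate",
 "rollingUpdate": {"maxSurge": 0, "maxUnavailable": "25%"}}}}""")

if __name__ == "__main__":
    print(key_config_drift(IOP, DEPLOYMENT))
```

On a real cluster, the two inputs would be the JSON forms of the private-data-plane IstioOperator and the istio-egressgateway Deployment in the istio-system namespace, for example as returned by kubectl with -o json.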