Red Hat SummitChapter 4. Updating the Istio CNI
Review the update procedure for the Istio Container Network Interface (CNI). Ensure the CNI plugin remains compatible with the OpenShift Service Mesh control plane during an upgrade.
4.1. About the Istio CNI update process
The Istio Container Network Interface (CNI) update process uses Inplace updates. When the IstioCNI resource changes, the daemonset automatically replaces the existing istio-cni-node pods with the specified version of the CNI plugin.
You can use the following field to manage version updates:
spec.version-
defines the CNI plugin version to install. Specify the value in the format
vX.Y.Z, whereX.Y.Zrepresents the required version. For example, usev1.27.3to install the CNI plugin version1.27.3.
To update the CNI plugin, change the spec.version field with the target version. The IstioCNI resource also includes a values field that exposes configuration options from the istio-cni chart.
In ambient mode, the Istio CNI component manages traffic redirection. During RevisionBased upgrades, the component remains compatible with the control plane’s old version and continues to manage traffic redirection for both the old and the new control planes throughout the migration.
The Istio CNI is compatible with a control plane running the same minor version or one minor version higher.
After you update the Istio control plane, update the Istio CNI component. The OpenShift Service Mesh Operator deploys a new version of the CNI plugin, replacing the existing one. The istio-cni-node DaemonSet pods update using a rolling update strategy, ensuring that traffic redirection rules remain active during the entire update process.
4.1.1. Updating the Istio CNI resource version
You can update the Istio Container Network Interface (CNI) resource version by changing the version in the resource. Then, the Service Mesh Operator deploys a new version of the CNI plugin that replaces the old version of the CNI plugin. The istio-cni-node pods automatically reconnect to the new CNI plugin.
Prerequisites
-
You are logged in to OpenShift Container Platform as a user with the
cluster-adminrole. - You have installed the Red Hat OpenShift Service Mesh Operator and deployed Istio.
-
You have installed the Istio CNI plugin with the required version. In the following example, the
IstioCNIresource nameddefaultis deployed in theistio-cninamespace. -
You have either updated the Istio control plane to the required version (for
Inplacestrategy) or created a new control plane revision (forRevisionBasedstrategy).
Procedure
Change the version in the
Istioresource. For example, to update to Istio1.27.3, set thespec.versionfield to1.27.3by running the following command:oc patch istiocni default -n istio-cni --type='merge' -p '{"spec":{"version":"v1.27.3"}}'$ oc patch istiocni default -n istio-cni --type='merge' -p '{"spec":{"version":"v1.27.3"}}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow Wait for the
IstioCNIDaemonSet to reach theReadystatus after the update by running the following command:oc wait --for=condition=Ready istiocnis/default --timeout=5m
$ oc wait --for=condition=Ready istiocnis/default --timeout=5mCopy to Clipboard Copied! Toggle word wrap Toggle overflow Confirm that the new version of the CNI plugin is ready by running the following command:
oc get istiocni default
$ oc get istiocni defaultCopy to Clipboard Copied! Toggle word wrap Toggle overflow You should see an output similar to the following example:
NAME READY STATUS VERSION AGE default True Healthy v{istio-latest} 7d1hNAME READY STATUS VERSION AGE default True Healthy v{istio-latest} 7d1hCopy to Clipboard Copied! Toggle word wrap Toggle overflow Check the status of the pods by running the following command:
oc get pods -n istio-cni
$ oc get pods -n istio-cniCopy to Clipboard Copied! Toggle word wrap Toggle overflow You should see an output similar to the following example:
NAME READY STATUS RESTARTS AGE istio-cni-node-abc12 1/1 Running 0 3m istio-cni-node-def34 1/1 Running 0 3m istio-cni-node-ghi56 1/1 Running 0 3m
NAME READY STATUS RESTARTS AGE istio-cni-node-abc12 1/1 Running 0 3m istio-cni-node-def34 1/1 Running 0 3m istio-cni-node-ghi56 1/1 Running 0 3mCopy to Clipboard Copied! Toggle word wrap Toggle overflow
When you use the RevisionBased strategy, the Istio CNI component remains compatible with many control plane versions. It continues to manage traffic redirection for both the old and the new control planes throughout the migration. The Istio CNI is compatible with a control plane running the same minor version or one minor version higher.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}