Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 2. Installing OpenShift Service Mesh

Installing OpenShift Service Mesh consists of three main tasks: installing the OpenShift Operator, deploying Istio, and customizing the Istio configuration. Then, you can also choose to install the sample bookinfo application to push data through the mesh and explore mesh functionality.

Warning

Before installing OpenShift Service Mesh 3, make sure you are not running OpenShift Service Mesh 3 and OpenShift Service Mesh 2 in the same cluster, because it causes conflicts unless configured correctly. To migrate from OpenShift Service Mesh 2, see Migrating from OpenShift Service Mesh 2.6.

To deploy Istio using the Red Hat OpenShift Service Mesh Operator, you must create an Istio resource. Then, the Operator creates an IstioRevision resource, which represents one revision of the Istio control plane. Based on the IstioRevision resource, the Operator deploys the Istio control plane, which includes the istiod Deployment resource and other resources.

The Red Hat OpenShift Service Mesh Operator may create additional instances of the IstioRevision resource, depending on the update strategy defined in the Istio resource.

2.1.1. About Istio control plane update strategies
Copiar enlace

The update strategy affects how the update process is performed. The spec.updateStrategy field in the Istio resource configuration determines how the OpenShift Service Mesh Operator updates the Istio control plane. When the Operator detects a change in the spec.version field or identifies a new minor release with a configured vX.Y-latest alias, it initiates an upgrade procedure. For each mesh, you select one of two strategies:

  • InPlace
  • RevisionBased

InPlace is the default strategy for updating OpenShift Service Mesh.

2.2. Installing the Service Mesh Operator
Copiar enlace

Warning

For clusters without OpenShift Service Mesh instances, install the Service Mesh Operator. OpenShift Service Mesh operates cluster-wide and needs a scope configuration to prevent conflicts between Istio control planes. For clusters with OpenShift Service Mesh 3 or later, see "Deploying multiple service meshes on a single cluster".

Prerequisites

  • You have deployed a cluster on OpenShift Container Platform 4.14 or later.
  • You are logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.

Procedure

  1. In the OpenShift Container Platform web console, navigate to the Operators OperatorHub page.
  2. Search for the Red Hat OpenShift Service Mesh 3 Operator.
  3. Locate the Service Mesh Operator, and click to select it.
  4. When the prompt that discusses the community operator opens, click Continue.
  5. Click Install.

  6. On the Install Operator page, perform the following steps:

    1. Select All namespaces on the cluster (default) as the Installation Mode. This mode installs the Operator in the default openshift-operators namespace, which enables the Operator to watch and be available to all namespaces in the cluster.
    2. Select Automatic as the Approval Strategy. This ensures that the Operator Lifecycle Manager (OLM) handles the future upgrades to the Operator automatically. If you select the Manual approval strategy, OLM creates an update request. As a cluster administrator, you must then manually approve the OLM update request to update the Operator to the new version.

    3. Select an Update Channel.

      • Choose the stable channel to install the latest stable version of the Red Hat OpenShift Service Mesh 3 Operator. It is the default channel for installing the Operator.
      • To install a specific version of the Red Hat OpenShift Service Mesh 3 Operator, choose the corresponding stable-<version> channel. For example, to install the Red Hat OpenShift Service Mesh Operator version 3.0.x, use the stable-3.0 channel.
  7. Click Install to install the Operator.

Verification

  1. Click Operators Installed Operators to verify that the Service Mesh Operator is installed. Succeeded should show in the Status column.

2.2.1. About Service Mesh custom resource definitions
Copiar enlace

Installing the Red Hat OpenShift Service Mesh Operator also installs custom resource definitions (CRD) that administrators can use to configure Istio for Service Mesh installations. The Operator Lifecycle Manager (OLM) installs two categories of CRDs: Sail Operator CRDs and Istio CRDs.

Sail Operator CRDs define custom resources for installing and maintaining the Istio components required to operate a service mesh. These custom resources belong to the sailoperator.io API group and include the Istio, IstioRevision, IstioCNI, and ZTunnel resource kinds. For more information on how to configure these resources, see the sailoperator.io API reference documentation.

Istio CRDs are associated with mesh configuration and service management. These CRDs define custom resources in several istio.io API groups, such as networking.istio.io and security.istio.io. The CRDs also include various resource kinds, such as AuthorizationPolicy, DestinationRule, and VirtualService, that administrators use to configure a service mesh.

2.3. About Istio deployment
Copiar enlace

To deploy Istio, you must create two resources: Istio and IstioCNI. The Istio resource deploys and configures the Istio Control Plane. The IstioCNI resource deploys and configures the Istio Container Network Interface (CNI) plugin. You should create these resources in separate projects; therefore, you must create two projects as part of the Istio deployment process.

You can use the OpenShift web console or the OpenShift CLI (oc) to create a project or a resource in your cluster.

Note

In the OpenShift Container Platform, a project is essentially a Kubernetes namespace with additional annotations, such as the range of user IDs that can be used in the project. Typically, the OpenShift Container Platform web console uses the term project, and the CLI uses the term namespace, but the terms are essentially synonymous.

2.3.1. Creating the Istio project using the web console
Copiar enlace

The Service Mesh Operator deploys the Istio control plane to a project that you create. In this example, istio-system is the name of the project.

Prerequisties

  • The Red Hat OpenShift Service Mesh Operator must be installed.
  • You are logged in to the OpenShift Container Platform web console as cluster-admin.

Procedure

  1. In the OpenShift Container Platform web console, click Home Projects.
  2. Click Create Project.
  3. At the prompt, enter a name for the project in the Name field. For example, istio-system. The other fields provide supplementary information to the Istio resource definition and are optional.
  4. Click Create. The Service Mesh Operator deploys Istio to the project you specified.

2.3.2. Creating the Istio resource using the web console
Copiar enlace

Create the Istio resource that will contain the YAML configuration file for your Istio deployment. The Red Hat OpenShift Service Mesh Operator uses information in the YAML file to create an instance of the Istio control plane.

Prerequisties

  • The Service Mesh Operator must be installed.
  • You are logged in to the OpenShift Container Platform web console as cluster-admin.

Procedure

  1. In the OpenShift Container Platform web console, click Operators Installed Operators.
  2. Select istio-system in the Project drop-down menu.
  3. Click the Service Mesh Operator.
  4. Click Istio.
  5. Click Create Istio.
  6. Select the istio-system project from the Namespace drop-down menu.

  7. Click Create. This action deploys the Istio control plane.

    When State: Healthy appears in the Status column, Istio is successfully deployed.

2.3.3. Creating the IstioCNI project using the web console
Copiar enlace

The Service Mesh Operator deploys the Istio CNI plugin to a project that you create. In this example, istio-cni is the name of the project.

Prerequisties

  • The Red Hat OpenShift Service Mesh Operator must be installed.
  • You are logged in to the OpenShift Container Platform web console as cluster-admin.

Procedure

  1. In the OpenShift Container Platform web console, click Home Projects.
  2. Click Create Project.
  3. At the prompt, you must enter a name for the project in the Name field. For example, istio-cni. The other fields provide supplementary information and are optional.
  4. Click Create.

2.3.4. Creating the IstioCNI resource using the web console
Copiar enlace

Create an Istio Container Network Interface (CNI) resource, which contains the configuration file for the Istio CNI plugin. The Service Mesh Operator uses the configuration specified by this resource to deploy the CNI pod.

Prerequisties

  • The Red Hat OpenShift Service Mesh Operator must be installed.
  • You are logged in to the OpenShift Container Platform web console as cluster-admin.

Procedure

  1. In the OpenShift Container Platform web console, click Operators Installed Operators.
  2. Select istio-cni in the Project drop-down menu.
  3. Click the Service Mesh Operator.
  4. Click IstioCNI.
  5. Click Create IstioCNI.
  6. Ensure that the name is default.

  7. Click Create. This action deploys the Istio CNI plugin.

    When State: Healthy appears in the Status column, the Istio CNI plugin is successfully deployed.

2.4. Scoping the Service Mesh with discovery selectors
Copiar enlace

Service Mesh includes workloads that meet the following criteria:

  • The control plane has discovered the workload.
  • The workload has an Envoy proxy sidecar injected.

By default, the control plane discovers workloads in all namespaces across the cluster, with the following results:

  • Each proxy instance receives configuration for all namespaces, including workloads not enrolled in the mesh.
  • Any workload with the appropriate pod or namespace injection label receives a proxy sidecar.

In shared clusters, you might want to limit the scope of Service Mesh to only certain namespaces. This approach is especially useful if multiple service meshes run in the same cluster.

2.4.1. About discovery selectors
Copiar enlace

With discovery selectors, the mesh administrator can control which namespaces the control plane can access. By using a Kubernetes label selector, the administrator sets the criteria for the namespaces visible to the control plane, excluding any namespaces that do not match the specified criteria.

Note

Istiod always opens a watch to OpenShift for all namespaces. However, discovery selectors ignore objects that are not selected very early in its processing, minimizing costs.

The discoverySelectors field accepts an array of Kubernetes selectors, which apply to labels on namespaces. You can configure each selector for different use cases:

  • Custom label names and values. For example, configure all namespaces with the label istio-discovery=enabled.
  • A list of namespace labels by using set-based selectors with OR logic. For instance, configure namespaces with istio-discovery=enabled OR region=us-east1.
  • Inclusion and exclusion of namespaces. For example, configure namespaces with istio-discovery=enabled AND the label app=helloworld.
Note

Discovery selectors are not a security boundary. Istiod continues to have access to all namespaces even when you have configured the discoverySelector field.

2.4.2. Scoping a Service Mesh by using discovery selectors
Copiar enlace

If you know which namespaces to include in the Service Mesh, configure discoverySelectors during or after installation by adding the required selectors to the meshConfig.discoverySelectors section of the Istio resource. For example, configure Istio to discover only namespaces labeled istio-discovery=enabled.

Prerequisites

  • The OpenShift Service Mesh operator is installed.
  • An Istio CNI resource is created.

Procedure

  1. Add a label to the namespace containing the Istio control plane, for example, the istio-system system namespace. 

    $ oc label namespace istio-system istio-discovery=enabled
    Copy to Clipboard Toggle word wrap

  2. Modify the Istio control plane resource to include a discoverySelectors section with the same label. 

    kind: Istio
apiVersion: sailoperator.io/v1
metadata:
  name: default
spec:
  namespace: istio-system
  values:
    meshConfig:
      discoverySelectors:
        - matchLabels:
            istio-discovery: enabled
    Copy to Clipboard Toggle word wrap

  3. Apply the Istio CR: 

    $ oc apply -f istio.yaml
    Copy to Clipboard Toggle word wrap
  4. Ensure that all namespaces that will contain workloads that are to be part of the Service Mesh have both the discoverySelector label and, if needed, the appropriate Istio injection label.
Note

Discovery selectors help restrict the scope of a single Service Mesh and are essential for limiting the control plane scope when you deploy multiple Istio control planes in a single cluster.

Next steps

2.5. About the Bookinfo application
Copiar enlace

Installing the bookinfo example application consists of two main tasks: deploying the application and creating a gateway so the application is accessible outside the cluster.

You can use the bookinfo application to explore service mesh features. Using the bookinfo application, you can easily confirm that requests from a web browser pass through the mesh and reach the application.

The bookinfo application displays information about a book, similar to a single catalog entry of an online book store. The application displays a page that describes the book, lists book details (ISBN, number of pages, and other information), and book reviews.

The bookinfo application is exposed through the mesh, and the mesh configuration determines how the microservices comprising the application are used to serve requests. The review information comes from one of three services: reviews-v1, reviews-v2 or reviews-v3. If you deploy the bookinfo application without defining the reviews virtual service, then the mesh uses a round robin rule to route requests to a service.

By deploying the reviews virtual service, you can specify a different behavior. For example, you can specify that if a user logs into the bookinfo application, then the mesh routes requests to the reviews-v2 service, and the application displays reviews with black stars. If a user does not log into the bookinfo application, then the mesh routes requests to the reviews-v3 service, and the application displays reviews with red stars.

For more information, see Bookinfo Application in the upstream Istio documentation.

2.5.1. Deploying the Bookinfo application
Copiar enlace

Prerequisites

  • You have deployed a cluster on OpenShift Container Platform 4.15 or later.
  • You are logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.
  • You have access to the OpenShift CLI (oc).
  • You have installed the Red Hat OpenShift Service Mesh Operator, created the Istio resource, and the Operator has deployed Istio.
  • You have created IstioCNI resource, and the Operator has deployed the necessary IstioCNI pods.

Procedure

  1. In the OpenShift Container Platform web console, navigate to the Home Projects page.
  2. Click Create Project.

  3. Enter bookinfo in the Project name field.

    The Display name and Description fields provide supplementary information and are not required.

  4. Click Create.

  5. Apply the Istio discovery selector and injection label to the bookinfo namespace by entering the following command: 

    $ oc label namespace bookinfo istio-discovery=enabled istio-injection=enabled
    Copy to Clipboard Toggle word wrap
    Note

    In this example, the name of the Istio resource is default. If the Istio resource name is different, you must set the istio.io/rev label to the name of the Istio resource instead of adding the istio-injection=enabled label.

  6. Apply the bookinfo YAML file to deploy the bookinfo application by entering the following command: 

    oc apply -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/bookinfo/platform/kube/bookinfo.yaml -n bookinfo
    Copy to Clipboard Toggle word wrap

Verification

  1. Verify that the bookinfo service is available by running the following command: 

    $ oc get services -n bookinfo
    Copy to Clipboard Toggle word wrap

    Example output

    NAME          TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
details       ClusterIP   172.30.137.21   <none>        9080/TCP   44s
productpage   ClusterIP   172.30.2.246    <none>        9080/TCP   43s
ratings       ClusterIP   172.30.33.85    <none>        9080/TCP   44s
reviews       ClusterIP   172.30.175.88   <none>        9080/TCP   44s
    Copy to Clipboard Toggle word wrap

  2. Verify that the bookinfo pods are available by running the following command: 

    $ oc get pods -n bookinfo
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                             READY   STATUS    RESTARTS   AGE
details-v1-698d88b-km2jg         2/2     Running   0          66s
productpage-v1-675fc69cf-cvxv9   2/2     Running   0          65s
ratings-v1-6484c4d9bb-tpx7d      2/2     Running   0          65s
reviews-v1-5b5d6494f4-wsrwp      2/2     Running   0          65s
reviews-v2-5b667bcbf8-4lsfd      2/2     Running   0          65s
reviews-v3-5b9bd44f4-44hr6       2/2     Running   0          65s
    Copy to Clipboard Toggle word wrap

    When the Ready columns displays 2/2, the proxy sidecar was successfully injected. Confirm that Running appears in the Status column for each pod.

  3. Verify that the bookinfo application is running by sending a request to the bookinfo page. Run the following command: 

    $ oc exec "$(oc get pod -l app=ratings -n bookinfo -o jsonpath='{.items[0].metadata.name}')" -c ratings -n bookinfo -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"
    Copy to Clipboard Toggle word wrap

2.5.2. About accessing the Bookinfo application using a gateway
Copiar enlace

The Red Hat OpenShift Service Mesh Operator does not deploy gateways. Gateways are not part of the control plane. As a security best-practice, Ingress and Egress gateways should be deployed in a different namespace than the namespace that contains the control plane.

You can deploy gateways using either the Gateway API or the gateway injection method.

Gateway injection uses the same mechanisms as Istio sidecar injection to create a gateway from a Deployment resource that is paired with a Service resource. The Service resource can be made accessible from outside an OpenShift Container Platform cluster.

Prerequisites

  • You are logged in to the OpenShift Container Platform web console as cluster-admin.
  • The Red Hat OpenShift Service Mesh Operator must be installed.
  • The Istio resource must be deployed.

Procedure

  1. Create the istio-ingressgateway deployment and service by running the following command: 

    $ oc apply -n bookinfo -f ingress-gateway.yaml
    Copy to Clipboard Toggle word wrap
    Note

    This example uses a sample ingress-gateway.yaml file that is available in the Istio community repository.

  2. Configure the bookinfo application to use the new gateway. Apply the gateway configuration by running the following command: 

    $ oc apply -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/bookinfo/networking/bookinfo-gateway.yaml -n bookinfo
    Copy to Clipboard Toggle word wrap
    Note

    To configure gateway injection with the bookinfo application, this example uses a sample gateway configuration file that must be applied in the namespace where the application is installed.

  3. Use a route to expose the gateway external to the cluster by running the following command: 

    $ oc expose service istio-ingressgateway -n bookinfo
    Copy to Clipboard Toggle word wrap

  4. Modify the YAML file to automatically scale the pod when ingress traffic increases.

    Example configuration

    apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  labels:
    istio: ingressgateway
    release: istio
  name: ingressgatewayhpa
  namespace: bookinfo
spec:
  maxReplicas: 5
    1 
    
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 80
        type: Utilization
    type: Resource
  minReplicas: 2
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-ingressgateway
    Copy to Clipboard Toggle word wrap

    1
    This example sets the the maximum replicas to 5 and the minimum replicas to 2. It also creates another replica when utilization reaches 80%.

  5. Specify the minimum number of pods that must be running on the node.

    Example configuration

    apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  labels:
    istio: ingressgateway
    release: istio
  name: ingressgatewaypdb
  namespace: bookinfo
spec:
  minAvailable: 1
    1 
    
  selector:
    matchLabels:
      istio: ingressgateway
    Copy to Clipboard Toggle word wrap

    1
    This example ensures one replica is running if a pod gets restarted on a new node.

  6. Obtain the gateway host name and the URL for the product page by running the following command: 

    $ HOST=$(oc get route istio-ingressgateway -n bookinfo -o jsonpath='{.spec.host}')
    Copy to Clipboard Toggle word wrap

  7. Verify that the productpage is accessible from a web browser by running the following command: 

    $ echo productpage URL: http://$HOST/productpage
    Copy to Clipboard Toggle word wrap

2.5.4. Accessing the Bookinfo application by using Gateway API
Copiar enlace

The Kubernetes Gateway API deploys a gateway by creating a Gateway resource. In OpenShift Container Platform 4.15 and later, Red Hat OpenShift Service Mesh implements the Gateway API custom resource definitions (CRDs). However, in OpenShift Container Platform 4.18 and earlier, the CRDs are not installed by default. Hence, in OpenShift Container Platform 4.15 through 4.18, you must manually install the CRDs. Starting with OpenShift Container Platform 4.19, these CRDs are automatically installed and managed, and you can no longer create, update, or delete them.

For details about enabling Gateway API for Ingress in OpenShift Container Platform 4.19 and later, see "Configuring ingress cluster traffic" in the OpenShift Container Platform documentation.

Note

Red Hat provides support for using the Kubernetes Gateway API with Red Hat OpenShift Service Mesh. Red Hat does not provide support for the Kubernetes Gateway API custom resource definitions (CRDs). In this procedure, the use of community Gateway API CRDs is shown for demonstration purposes only.

Prerequisites

  • You are logged in to the OpenShift Container Platform web console as cluster-admin.
  • The Red Hat OpenShift Service Mesh Operator must be installed.
  • The Istio resource must be deployed.

Procedure

  1. Enable the Gateway API CRDs for OpenShift Container Platform 4.18 and earlier, by running the following command: 

    $ oc get crd gateways.gateway.networking.k8s.io &> /dev/null ||  { oc kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.0.0" | oc apply -f -; }
    Copy to Clipboard Toggle word wrap

  2. Create and configure a gateway by using the Gateway and HTTPRoute resources by running the following command: 

    $ oc apply -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/bookinfo/gateway-api/bookinfo-gateway.yaml -n bookinfo
    Copy to Clipboard Toggle word wrap
    Note

    To configure a gateway with the bookinfo application by using the Gateway API, this example uses a sample gateway configuration file that must be applied in the namespace where the application is installed.

  3. Ensure that the Gateway API service is ready, and has an address allocated by running the following command: 

    $ oc wait --for=condition=programmed gtw bookinfo-gateway -n bookinfo
    Copy to Clipboard Toggle word wrap

  4. Retrieve the host by running the following command: 

    $ export INGRESS_HOST=$(oc get gtw bookinfo-gateway -n bookinfo -o jsonpath='{.status.addresses[0].value}')
    Copy to Clipboard Toggle word wrap

  5. Retrieve the port by running the following command: 

    $ export INGRESS_PORT=$(oc get gtw bookinfo-gateway -n bookinfo -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
    Copy to Clipboard Toggle word wrap

  6. Retrieve the gateway URL by running the following command: 

    $ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
    Copy to Clipboard Toggle word wrap

  7. Obtain the gateway host name and the URL of the product page by running the following command: 

    $ echo "http://${GATEWAY_URL}/productpage"
    Copy to Clipboard Toggle word wrap

Verification

  • Verify that the productpage is accessible from a web browser.

2.6. Customizing Istio configuration
Copiar enlace

The values field of the Istio custom resource definition, which was created when the control plane was deployed, can be used to customize Istio configuration using Istio’s Helm configuration values. When you create this resource using the OpenShift Container Platform web console, it is pre-populated with configuration settings to enable Istio to run on OpenShift.

Procedure

  1. Click Operators Installed Operators.
  2. Click Istio in the Provided APIs column.
  3. Click the Istio instance, named default, in the Name column.
  4. Click YAML to view the Istio configuration and make modifications.

For a list of available configuration for the values field, refer to Istio’s artifacthub chart documentation.

2.7. About Istio High Availability
Copiar enlace

Running the Istio control plane in High Availability (HA) mode prevents single points of failure, and ensures continuous mesh operation even if an istiod pod fails. By using HA, if one istiod pod becomes unavailable, another one continues to manage and configure the Istio data plane, preventing service outages or disruptions. HA provides scalability by distributing the control plane workload, enables graceful upgrades, supports disaster recovery operations, and protects against zone-wide mesh outages.

There are two ways for a system administrator to configure HA for the Istio deployment:

  • Defining a static replica count: This approach involves setting a fixed number of istiod pods, providing a consistent level of redundancy.
  • Using autoscaling: This approach dynamically adjusts the number of istiod pods based on resource utilization or custom metrics, providing more efficient resource consumption for fluctuating workloads.

2.7.1. Configuring Istio HA by using autoscaling
Copiar enlace

Configure the Istio control plane in High Availability (HA) mode to prevent a single point of failure, and ensure continuous mesh operation even if one of the istiod pods fails. Autoscaling defines the minimum and maximum number of Istio control plane pods that can operate. OpenShift Container Platform uses these values to scale the number of control planes in operation based on resource utilization, such as CPU or memory, to efficiently respond to the varying number of workloads and overall traffic patterns within the mesh.

Prerequisites

  • You are logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.
  • You have installed the Red Hat OpenShift Service Mesh Operator.
  • You have deployed the Istio resource.

Procedure

  1. In the OpenShift Container Platform web console, click Installed Operators.
  2. Click Red Hat OpenShift Service Mesh 3 Operator.
  3. Click Istio.
  4. Click the name of the Istio installation. For example, default.
  5. Click YAML.

  6. Modify the Istio custom resource (CR) similar to the following example:

    Example configuration

    apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: default
spec:
  namespace: istio-system
  values:
    pilot:
      autoscaleMin: 2
    1 
    
      autoscaleMax: 5
    2 
    
      cpu:
        targetAverageUtilization: 80
    3 
    
      memory:
        targetAverageUtilization: 80
    4
    Copy to Clipboard Toggle word wrap

    1
    Specifies the minimum number of Istio control plane replicas that always run.
    2
    Specifies the maximum number of Istio control plane replicas, allowing for scaling based on load. To support HA, there must be at least two replicas.
    3
    Specifies the target CPU utilization for autoscaling to 80%. If the average CPU usage exceeds this threshold, the Horizontal Pod Autoscaler (HPA) automatically increases the number of replicas.
    4
    Specifies the target memory utilization for autoscaling to 80%. If the average memory usage exceeds this threshold, the HPA automatically increases the number of replicas.

Verification

  • Verify the status of the Istio control pods by running the following command: 

    $ oc get pods -n istio-system -l app=istiod
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                      READY   STATUS    RESTARTS   AGE
istiod-7c7b6564c9-nwhsg   1/1     Running   0          70s
istiod-7c7b6564c9-xkmsl   1/1     Running   0          85s
    Copy to Clipboard Toggle word wrap

    Two istiod pods are running. Two pods, the minimum requirement for an HA Istio control plane, indicates that a basic HA setup is in place.

2.7.1.1. API settings for Service Mesh HA autoscaling mode
Copiar enlace

Use the following istio custom resource definition (CRD) parameters when you configure a service mesh for High Availability (HA) by using autoscaling.

Expand
Table 2.1. HA API parameters
ParameterDescription

autoScaleMin

Defines the minimum number of istiod pods for an istio deployment. Each pod contains one instance of the Istio control plane.

OpenShift only uses this parameter when the Horizontal Pod Autoscaler (HPA) is enabled for the Istio deployment. This is the default behavior.

autoScaleMax

Defines the maximum number of istiod pods for an Istio deployment. Each pod contains one instance of the Istio control plane.

For OpenShift to automatically scale the number of istiod pods based on load, you must set this parameter to a value that is greater than the value that you defined for the autoScaleMin parameter.

You must also configure metrics for autoscaling to work properly. If no metrics are configured, the autoscaler does not scale up or down.

OpenShift only uses this parameter when Horizontal Pod Autoscaler (HPA) is enabled for the Istio deployment. This is the default behavior.

cpu.targetAverageUtilization

Defines the target CPU utilization for the istiod pod. If the average CPU usage exceeds the threshold that this parameter defines, the HPA automatically increases the number of replica pods.

memory.targetAverageUtilization

Defines the target memory utilization for the istiod pod. If the average memory usage exceeds the threshold that this parameter defines, the HPA automatically increases the number of replica pods.

behavior

You can use the behavior field to define additional policies that OpenShift uses to scale Istio resources up or down.

For more information, see Configurable Scaling Behavior.

2.7.2. Configuring Istio HA by using replica count
Copiar enlace

Configure the Istio control plane in High Availability (HA) mode to prevent a single point of failure, and ensure continuous mesh operation even if one of the istiod pods fails. The replica count defines a fixed number of Istio control plane pods that can operate. Use replica count for mesh environments where the control plane workload is relatively stable or predictable, or when you prefer to manually scale the istiod pod.

Prerequisites

  • You are logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.
  • You have installed the Red Hat OpenShift Service Mesh Operator.
  • You have deployed the Istio resource.

Procedure

  1. Obtain the name of the Istio resource by running the following command: 

    $ oc get istio -n istio-sytem
    Copy to Clipboard Toggle word wrap

    Example output

    NAME      REVISIONS   READY   IN USE   ACTIVE REVISION   STATUS    VERSION   AGE
default   1           1       0        default           Healthy   v1.24.6   24m
    Copy to Clipboard Toggle word wrap

    The name of the Istio resource is default.

  2. Update the Istio custom resource (CR) by adding the autoscaleEnabled and replicaCount parameters by running the following command: 

    $ oc patch istio default -n istio-system --type merge -p '
spec:
  values:
    pilot:
      autoscaleEnabled: false
    1 
    
      replicaCount: 2
    2 
    
'
    Copy to Clipboard Toggle word wrap
    1
    Specifies a setting that disables autoscaling and ensures that the number of replicas remains fixed.
    2
    Specifies the number of Istio control plane replicas. To support HA, there must be at least two replicas.

Verification

  1. Verify the status of the Istio control pods by running the following command: 

    $ oc get pods -n istio-system -l app=istiod
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                      READY   STATUS    RESTARTS   AGE
istiod-7c7b6564c9-nwhsg   1/1     Running   0          70s
istiod-7c7b6564c9-xkmsl   1/1     Running   0          85s
    Copy to Clipboard Toggle word wrap

    Two istiod pods are running, which is the minimum requirement for an HA Istio control plane and indicates that a basic HA setup is in place.

Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat