Does anyone know what version of Istio is supported in Google’s managed Istio solution?
It seems that the Istio version depends on the GKE cluster master version. If your cluster is updated to the last version of GKE (1.11.6-gke.6), the Istio version should be: 1.0.3-gke.3.
Please take a look at: https://cloud.google.com/istio/docs/istio-on-gke/installing#supported_gke_cluster_versions.
That's what I could see also when checking the Istio config map:
The GKE Istio add-on 1.0.3-gke.3 has some issues, this is what I got so far:
HPA is broken
NAME                   REFERENCE                         TARGETS         MINPODS   MAXPODS   REPLICAS   AGE
istio-egressgateway    Deployment/istio-egressgateway    <unknown>/80%   1         5         1          7d
istio-ingressgateway   Deployment/istio-ingressgateway   <unknown>/80%   1         5         1          7d
istio-pilot            Deployment/istio-pilot            <unknown>/80%   1         5         1          7d
istio-policy           Deployment/istio-policy           <unknown>/80%   1         5         1          7d
istio-telemetry        Deployment/istio-telemetry        <unknown>/80%   1         5         1          7d
the HPA was unable to compute the replica count: missing request for cpu on container istio-proxy in pod istio-system/istio-ingressgateway-774d77cb7c-slbgv
Istio telemetry is crashing
Stackdriver returned: rpc error: code = InvalidArgument desc = One or more TimeSeries could not be written: The set of resource labels is incomplete. Missing labels: (zone).: timeSeries[65,66]
OpenCensus Stackdriver exporter: failed to upload span: buffer full
Ingress does not preserve client IP
The svc/istio-ingressgateway externalTrafficPolicy: Cluster should be Local, but you can’t alter the LoadBalancer definition since GKE will override it.
Egress is blocked
/home/app $ curl -v google.com
< HTTP/1.1 404 Not Found
< date: Tue, 05 Feb 2019 17:56:02 GMT
< server: envoy
< content-length: 0
Workaround: add service entries for each external address.
It feels that installing manually with helm allows much greater flexibility on not only version choice, but also installation options. I would tend to pass on GKE’s curated version.
I agree. The biggest problem with Google managed Istio is that you can’t upgrade Kubernetes without Istio being upgraded. Last week we had a 2-hour outage because the ingress couldn’t read the certificates that were installed (it took 2 hours before we found the problem). So we’re going to switch to the Helm-installed one; we can also go faster upgrading Istio. This gives the following features I really want:
- Enabling multiple gateways (one for interconnect traffic, one for external traffic)
- SDS (can’t enable this on the Google managed Istio)
- Separate upgrade cycle
(probably more, … but this is already enough)
PSA, should anyone be tempted to install a managed version of Istio: don’t.
Google directly told our company they have no plan on actually supporting Istio in a cluster. Feature has been in beta for years, and will never be out of beta.
You should install Istio manually in your cluster.