Hi Sourabh,
To make sure I understand, you want to modify an existing Istio install’s istio-sidecar-injector
configmap to enable Istio CNI, right? If that’s the case, what needs to be done is to edit the template
and remove the istio-init
entry in the initContainers
section. That will allow you to use auto-sidecar injection OR istioctl as shown in the Istio CNI install guide.
You can see a detailed example of what the istio_cni.enabled=true
helm setting does via:
~/tmp/istio/istio-1.1.1 helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
--set istio_cni.enabled=true > ~/tmp/istio_instalL_cni.yaml
~/tmp/istio/istio-1.1.1 helm template install/kubernetes/helm/istio --name istio --namespace istio-system > ~/tmp/istio_instalL_nocni.yaml
~/tmp/istio/istio-1.1.1 diff ~/tmp/istio_instalL_cni.yaml ~/tmp/istio_instalL_nocni.yaml
658a659,695
> initContainers:
> [[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "NONE" ]]
> - name: istio-init
> image: "docker.io/istio/proxy_init:1.1.1"
> args:
> - "-p"
> - [[ .MeshConfig.ProxyListenPort ]]
> - "-u"
> - 1337
> - "-m"
> - [[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]
> - "-i"
> - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` "*" ]]"
> - "-x"
> - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` "" ]]"
> - "-b"
> - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]"
> - "-d"
> - "[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` "" ) ]]"
> [[ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -]]
> - "-k"
> - "[[ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` ]]"
> [[ end -]]
> imagePullPolicy: IfNotPresent
> resources:
> requests:
> cpu: 10m
> memory: 10Mi
> limits:
> cpu: 100m
> memory: 50Mi
> securityContext:
> capabilities:
> add:
> - NET_ADMIN
> restartPolicy: Always
> [[ end -]]
Hope this helps!
–Tim