Istio-operator changes nodePort on ingress-gateway even though there is no change on manifest


we are running our automation over cluster setup regularly from actual status of the branch.

Even though there is no change in configuration (manifest), istio operator changes nodePort on ingress gateway (service of type LoadBalancer) which causes URL downs alerts on defined VS - because underlaying load balancer needs to cope with changed port.

We are using istio 1.7.7.

Similar problem was reported here:

and here:

Do you know why the nodePort is being changed?
Do you know about any workaround?

Best regards

Hi, apparently this is a known issue and is fixed by using server-side apply … but only on k8s 1.18+ … which version are you using ? ( i am not on that that’s why i got the issue )

The workaround i put in place is to specify the NodePort myself, that way the port does not change ever again


we are using k8s version 1.19.

It turned out that we didn’t use istio-operator but we used istioctl ("/bin/istioctl install -f").
I’m sorry for confusion.
We did some tests using istio-operator (istioctl operator init) and we didn’t see any nodePort changes.
We will continue testing. It looks promising with istio-operator.

Best regards

We are facing this issue with the operator too. if you haven’t seen this issue yet, means pod hasn’t got restarted yet. It may happen anytime when the pod gets restarted. When the operator comes up with a new pod, it will try to apply the service manifest(including all other components from operator spec) again and this triggers nodeport changes.

k8s version: 1.18
istio: 1.8.4