-
How to Migrate from Istio Ingress Gateway to Kubernetes Gateway API
Why? Before the last Istio upgrade I did with Sail Operator, there was Istio 1.19 running in my Kubernetes lab. And the Istio Ingress Gateway has worked very well for years, after I migrated from Kubernetes Ingress Controller. Now with Istio 1.23, Kubernetes Gateway API became an option alongside Istio Ingress Gateway. What…
-
How to Install the Sail Operator for Kubernetes
I was a late adopter of the Istio Operator but didn’t expect that it would be gone so soon. I didn’t want to go back to managing Istio using istioctl or Helm templates, so I was in a rush to pick a successor for Istio Operator. After reading a few articles, looks like I’m gonna…
-
How to Allow and Respect Differences in ArgoCD
I’ve been using ArgoCD as my GitOps toolkit for my Kubernetes home lab for many years, with nothing major to complain about. I wanted to test canary deployment with Argo Rollouts, which supports Istio. However, Argo Rollouts is not really GitOps friendly – it modifies the weight of routes without committing to the git repository, to gradually…
-
How to Upgrade Istio the Git-Ops Way
Istio 1.17 has been running really well in my Garage Kubernetes lab, but I thought it’s time to give it an upgrade. It was installed and configured using the istioctl utility last time when I bootstrapped the cluster. Since I’ve automated a lot of Kubernetes resources using ArgoCD, I would like to upgrade Istio the git-ops…
-
How to Enable Compression in Istio Ingress Gateway
TL;DR: here’s a code snippet to turn on gzip compression for Istio’s ingress gateway, using an Envoy filter. Tested with Istio 1.16 and Kubernetes 1.26. To test it with curl: 🙂
-
How to Use the Sidecar Resource to Optimise Memory Footprint of Istio Sidecar
In a populous GKE cluster, I saw the memory utilisation getting very high. After some investigation, to my surprise, a great deal of memory was consumed by tiny Istio sidecars. And they are getting bloated round the clock. The Istio sidecar essentially is an Envoy proxy configured by the Istio controller – istiod. It’s usually light-weight,…
-
How to Regulate Egress Access in Kubernetes with Istio
Usually I don’t mind giving pods unlimited egress access, i.e. the pods I deployed can access the whole internet if they need to. However, when the pods take input from users it’s a whole different story. For example, running some sandbox applications such as an online Python learning environment, the workload can be abused…
-
A Canary Upgrade of Istio 1.9 to 1.11
Prerequisites: full Admin access to a Kubernetes cluster, which has an older version of Istio installed. A while ago I decided to try Istio in my garage Kubernetes lab, and replaced ingress-nginx with istio-ingressgateway. At the time I installed Istio 1.9.4; the latest release is already 1.11.4. To avoid being left in the deprecated…