Upgrade Notes of Istio (from v1.20 to v1.22)
2024年06月14日
This post focuses on the upgrade of Istio, from v1.20.3 to v1.22.1.
Upgrading across more than two minor versions (e.g.,
Find the current version of Istio:
$ istioctl proxy-status
$ ISTIO_VER=1.21.3
$ LOCAL_ARCH=$(uname -m)
$ echo $LOCAL_ARCH
$ curl -kL https://istio.io/downloadIstio | ISTIO_VERSION=${ISTIO_VER} TARGET_ARCH=${LOCAL_ARCH} sh -
$ istioctl x precheck
$ cd istio-${ISTIO_VER}
Modify the file
$ istioctl install --set profile=demo --charts=./manifests/ \
> --set components.cni.enabled=true \
> --set components.cni.namespace=kube-system
$ istioctl proxy-status
If any pod's Istio version is not updated, force it update.
% k delete po -l app=example
$ istioctl proxy-status
Upgrade from Istio 1.21.3 to 1.22.1.
$ ISTIO_VER=1.22.1
$ LOCAL_ARCH=$(uname -m)
$ curl -kL https://istio.io/downloadIstio | ISTIO_VERSION=${ISTIO_VER} TARGET_ARCH=${LOCAL_ARCH} sh -
$ curl -kL https://istio.io/downloadIstioctl | ISTIO_VERSION=${ISTIO_VER} TARGET_ARCH=$(uname -m) sh -
$ sudo cp $HOME/.istioctl/bin/istioctl /usr/local/bin/
$ istioctl x precheck
$ cd istio-${ISTIO_VER}
$ nano manifests/charts/gateways/istio-ingress/values.yaml
$ istioctl install --set profile=demo --charts=./manifests/ \
> --set components.cni.enabled=true \
> --set components.cni.namespace=kube-system
$ istioctl proxy-status
Organizing Cluster Access Using kubeconfig Files
Install with Istioctl
Using the Istioctl Command-line Tool
Background
The post Release Notes of Site Upgrades holds the catalog of the whole upgrade's note.This post focuses on the upgrade of Istio, from v1.20.3 to v1.22.1.
Upgrading across more than two minor versions (e.g.,
1.6.x to 1.9.x) in one step is not officially tested or recommended.Find the current version of Istio:
$ istioctl proxy-status
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION activator-bfb97979b-j***7.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-94f498c7b-b***x 1.20.3
Prerequisites
Download the Istio Release
Go to the Istio release page to download the installation file for your OS, or download and extract the latest release automatically (Linux or macOS):$ ISTIO_VER=1.21.3
$ LOCAL_ARCH=$(uname -m)
$ echo $LOCAL_ARCH
aarch64
$ curl -kL https://istio.io/downloadIstio | ISTIO_VERSION=${ISTIO_VER} TARGET_ARCH=${LOCAL_ARCH} sh -
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 102 100 102 0 0 676 0 --:--:-- --:--:-- --:--:-- 680
100 4899 100 4899 0 0 20374 0 --:--:-- --:--:-- --:--:-- 20374
Downloading istio-1.21.3 from https://github.com/istio/istio/releases/download/1.21.3/istio-1.21.3-linux-arm64.tar.gz ...
Istio 1.21.3 Download Complete!
Istio has been successfully downloaded into the istio-1.21.3 folder on your system.
Next Steps:
See https://istio.io/latest/docs/setup/install/ to add Istio to your Kubernetes cluster.
To configure the istioctl client tool for your workstation,
add the /home/ec2-user/istio-1.21.3/bin directory to your environment path variable with:
export PATH="$PATH:/home/ec2-user/istio-1.21.3/bin"
Begin the Istio pre-installation check by running:
istioctl x precheck
Need more information? Visit https://istio.io/latest/docs/setup/install/
Upgrade Istio to v1.21.3
Upgrade Istio to v1.21.3$ istioctl x precheck
✔ No issues found when checking the cluster. Istio is safe to install or upgrade! To get started, check out https://istio.io/latest/docs/setup/getting-started/
$ cd istio-${ISTIO_VER}
Modify the file
manifests/charts/gateways/istio-ingress/values.yaml:...
#serviceAnnotations: {}
# Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
ipFamilyPolicy: ""
ipFamilies: []
# To generate an internal load balancer:
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
#serviceAnnotations:
# cloud.google.com/load-balancer-type: "internal"
serviceAnnotations:
service.beta.kubernetes.io/aws-load-balancer-type: "external"
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance"
service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
...
$ istioctl install --set profile=demo --charts=./manifests/ \
> --set components.cni.enabled=true \
> --set components.cni.namespace=kube-system
istioctl install --set profile=demo --charts=./manifests/ \ --set components.cni.enabled=true \ --set components.cni.namespace=kube-system
WARNING: Istio is being upgraded from 1.20.3 to 1.21.3.
Running this command will overwrite it; use revisions to upgrade alongside the existing version.
Before upgrading, you may wish to use 'istioctl x precheck' to check for upgrade warnings.
This will install the Istio 1.21.3 "demo" profile (with components: Istio core, Istiod, CNI, Ingress gateways, and Egress gateways) into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ CNI installed
✔ Installation complete Made this installation the default for injection and validation.
$ istioctl proxy-status
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION activator-6db****5c7-klnr8.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-6lsmr 1.20.3 autoscaler-6f5****848-76ph2.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-6lsmr 1.20.3 blog-v1-64d****7f8-hzfb2.blog Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-8m8lp 1.20.3 blog-v2-75b****4c5-zh248.blog Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-6lsmr 1.20.3 controller-677****cdf-tzc5n.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-8m8lp 1.20.3 domainmapping-webhook-566****94d-w4kxm.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-8m8lp 1.20.3 istio-egressgateway-7c6****cd4-rxc9l.istio-system Kubernetes SYNCED SYNCED SYNCED NOT SENT NOT SENT istiod-859****49f-6lsmr 1.21.3 istio-ingressgateway-7b7****f56-5gzct.istio-system Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-6lsmr 1.21.3 istio-ingressgateway-7b7****f56-lc8xc.istio-system Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-6lsmr 1.21.3 istio-ingressgateway-7b7****f56-s4rmb.istio-system Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-bvx69 1.21.3 net-istio-webhook-864****d95-pmk6c.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-8m8lp 1.20.3 pk2hash-test-first-deployment-777****6c9-bg8qc.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-8m8lp 1.20.3 webhook-6d8****64-4m6f4.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-bvx69 1.20.3
If any pod's Istio version is not updated, force it update.
% k delete po -l app=example
$ istioctl proxy-status
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION activator-6db****5c7-7xl25.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-6lsmr 1.21.3 autoscaler-6f5****848-jjwj9.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-6lsmr 1.21.3 blog-v1-64d****7f8-qdvbc.blog Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-bvx69 1.21.3 blog-v2-75b****4c5-94qqz.blog Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-8m8lp 1.21.3 controller-677****cdf-svthn.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-8m8lp 1.21.3 domainmapping-webhook-566****94d-z4mtz.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-8m8lp 1.21.3 istio-egressgateway-7c6****cd4-rxc9l.istio-system Kubernetes SYNCED SYNCED SYNCED NOT SENT NOT SENT istiod-859****49f-6lsmr 1.21.3 istio-ingressgateway-7b7****f56-5gzct.istio-system Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-6lsmr 1.21.3 istio-ingressgateway-7b7****f56-lc8xc.istio-system Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-6lsmr 1.21.3 istio-ingressgateway-7b7****f56-s4rmb.istio-system Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-bvx69 1.21.3 net-istio-webhook-864****d95-zdgll.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-6lsmr 1.21.3 pk2hash-test-first-deployment-777****6c9-mrfmj.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-bvx69 1.21.3 webhook-6d8****64-rlb8l.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-859****49f-8m8lp 1.21.3
Upgrade from Istio 1.21.3 to 1.22.1.
$ ISTIO_VER=1.22.1
$ LOCAL_ARCH=$(uname -m)
$ curl -kL https://istio.io/downloadIstio | ISTIO_VERSION=${ISTIO_VER} TARGET_ARCH=${LOCAL_ARCH} sh -
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 102 100 102 0 0 872 0 --:--:-- --:--:-- --:--:-- 879
100 4899 100 4899 0 0 32846 0 --:--:-- --:--:-- --:--:-- 32846
Downloading istio-1.22.1 from https://github.com/istio/istio/releases/download/1.22.1/istio-1.22.1-linux-arm64.tar.gz ...
Istio 1.22.1 Download Complete!
Istio has been successfully downloaded into the istio-1.22.1 folder on your system.
Next Steps:
See https://istio.io/latest/docs/setup/install/ to add Istio to your Kubernetes cluster.
To configure the istioctl client tool for your workstation,
add the /home/ec2-user/istio-1.22.1/bin directory to your environment path variable with:
export PATH="$PATH:/home/ec2-user/istio-1.22.1/bin"
Begin the Istio pre-installation check by running:
istioctl x precheck
Need more information? Visit https://istio.io/latest/docs/setup/install/
$ curl -kL https://istio.io/downloadIstioctl | ISTIO_VERSION=${ISTIO_VER} TARGET_ARCH=$(uname -m) sh -
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 95 100 95 0 0 1516 0 --:--:-- --:--:-- --:--:-- 1532
100 4636 100 4636 0 0 24349 0 --:--:-- --:--:-- --:--:-- 24349
Downloading istioctl-1.22.1 from https://github.com/istio/istio/releases/download/1.22.1/istioctl-1.22.1-linux-arm64.tar.gz ...
istioctl-1.22.1-linux-arm64.tar.gz download complete!
Add the istioctl to your path with:
export PATH=$HOME/.istioctl/bin:$PATH
Begin the Istio pre-installation check by running:
istioctl x precheck
Need more information? Visit https://istio.io/docs/reference/commands/istioctl/
$ sudo cp $HOME/.istioctl/bin/istioctl /usr/local/bin/
$ istioctl x precheck
✔ No issues found when checking the cluster. Istio is safe to install or upgrade! To get started, check out https://istio.io/latest/docs/setup/getting-started/
$ cd istio-${ISTIO_VER}
$ nano manifests/charts/gateways/istio-ingress/values.yaml
...
#serviceAnnotations: {}
# Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
ipFamilyPolicy: ""
ipFamilies: []
# To generate an internal load balancer:
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
#serviceAnnotations:
# cloud.google.com/load-balancer-type: "internal"
serviceAnnotations:
service.beta.kubernetes.io/aws-load-balancer-type: "external"
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance"
service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
...
$ istioctl install --set profile=demo --charts=./manifests/ \
> --set components.cni.enabled=true \
> --set components.cni.namespace=kube-system
istioctl install --set profile=demo --charts=./manifests/ \ --set components.cni.enabled=true \ --set components.cni.namespace=kube-system
WARNING: Istio is being upgraded from 1.21.3 to 1.22.1.
Running this command will overwrite it; use revisions to upgrade alongside the existing version.
Before upgrading, you may wish to use 'istioctl x precheck' to check for upgrade warnings.
This will install the Istio 1.22.1 "demo" profile (with components: Istio core, Istiod, CNI, Ingress gateways, and Egress gateways) into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ CNI installed
✔ Installation complete Made this installation the default for injection and validation.
$ istioctl proxy-status
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION activator-6db****5c7-bds6d.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-6bc****596-8gl2g 1.22.1 autoscaler-6f5****848-xtc7x.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-6bc****596-8gl2g 1.22.1 blog-v1-64d****7f8-xfjqb.blog Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-6bc****596-8gl2g 1.22.1 blog-v2-75b****4c5-9c8q4.blog Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-6bc****596-g25mn 1.22.1 controller-677****cdf-596q5.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-6bc****596-w829k 1.22.1 domainmapping-webhook-566****94d-64jp5.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-6bc****596-g25mn 1.22.1 istio-egressgateway-848****84d-k49kq.istio-system Kubernetes SYNCED SYNCED SYNCED NOT SENT NOT SENT istiod-6bc****596-8gl2g 1.22.1 istio-ingressgateway-6d5****96b-22pls.istio-system Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-6bc****596-8gl2g 1.22.1 istio-ingressgateway-6d5****96b-b4bx6.istio-system Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-6bc****596-8gl2g 1.22.1 istio-ingressgateway-6d5****96b-z2cgc.istio-system Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-6bc****596-8gl2g 1.22.1 net-istio-webhook-864****d95-hk5tg.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-6bc****596-w829k 1.22.1 pk2hash-test-first-deployment-777****6c9-2qzb9.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-6bc****596-w829k 1.22.1 webhook-6d8****64-5dswg.knative-serving Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-6bc****596-8gl2g 1.22.1
References
Organizing Cluster Access Using kubeconfig Files
Install with Istioctl
Using the Istioctl Command-line Tool