istio.io/istio@v0.0.0-20240520182934-d79c90f27776/manifests/charts/istio-cni/README.md

# Istio CNI Helm Chart

This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/)
for more information.

## Setup Repo Info

```console
helm repo add istio https://istio-release.storage.googleapis.com/charts
helm repo update
```

_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._

## Installing the Chart

To install the chart with the release name `istio-cni`:

```console
helm install istio-cni istio/cni -n kube-system
```

Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
`priorityClassName` can be used. You can install in other namespaces only on K8S clusters that allow
`system-node-critical` outside of `kube-system`.

## Configuration

To view supported configuration options and documentation, run:

```console
helm show values istio/cni
```

### Profiles

Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
These can be set with `--set profile=<profile>`.
For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.

For consistency, the same profiles are used across each chart, even if they do not impact a given chart.

Explicitly set values have highest priority, then profile settings, then chart defaults.

As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
When configuring the chart, you should not include this.
That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.

### Ambient

To enable ambient, you can use the ambient profile: `--set profile=ambient`.

#### Calico

For Calico, you must also modify the settings to allow source spoofing:

- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This allows pods with the specified annotation to skip the RPF check.)

### GKE notes

On GKE, `kube-system` is required.

If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required; with `helm install`
it is auto-detected.
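
The Calico setting above relaxes the reverse-path check for annotated pods, so it is worth auditing where it is enabled and which pods carry the exemption. The following is an added example, not part of this chart or of Calico: it reads objects shaped like `kubectl get ... -o json` output and covers both the operator and the manifest path. The sample objects are constructed, and the annotation name `cni.projectcalico.org/allowedSourcePrefixes` is Calico's; this README does not name it.

```python
import json

# Calico pod annotation listing allowed source prefixes (not named in this README).
ANNOTATION = "cni.projectcalico.org/allowedSourcePrefixes"

def felix_setting(felix):
    """Operator install: FelixConfiguration spec.workloadSourceSpoofing, or None."""
    return felix.get("spec", {}).get("workloadSourceSpoofing")

def daemonset_setting(ds):
    """Manifest install: FELIX_WORKLOADSOURCESPOOFING env on calico-node, or None."""
    for container in ds["spec"]["template"]["spec"]["containers"]:
        for env in container.get("env", []):
            if env.get("name") == "FELIX_WORKLOADSOURCESPOOFING":
                return env.get("value")
    return None

def spoofing_allowed(felix=None, ds=None):
    """True if either configuration path sets the value to Any."""
    values = (felix_setting(felix or {}), daemonset_setting(ds) if ds else None)
    return any(v is not None and v.lower() == "any" for v in values)

def exempt_pods(pod_list):
    """(namespace, name, prefixes) for every pod carrying the annotation."""
    found = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        raw = (meta.get("annotations") or {}).get(ANNOTATION)
        if raw is None:
            continue
        try:
            prefixes = json.loads(raw)
        except ValueError:
            prefixes = [raw]  # keep malformed values visible to the reviewer
        found.append((meta.get("namespace"), meta["name"], prefixes))
    return found

# Constructed samples, shaped like `kubectl get <kind> -o json` output.
FELIX = {"kind": "FelixConfiguration", "spec": {"workloadSourceSpoofing": "Any"}}
DAEMONSET = {"spec": {"template": {"spec": {"containers": [{"name": "calico-node",
    "env": [{"name": "FELIX_WORKLOADSOURCESPOOFING", "value": "Any"}]}]}}}}
PODS = {"items": [
    {"metadata": {"namespace": "mesh", "name": "node-proxy-abcde",
                  "annotations": {ANNOTATION: '["0.0.0.0/0"]'}}},
    {"metadata": {"namespace": "default", "name": "web-1"}}]}

if __name__ == "__main__":
    print("source spoofing allowed:", spoofing_allowed(FELIX, DAEMONSET))
    for ns, name, prefixes in exempt_pods(PODS):
        print(f"exempt pod {ns}/{name}: {prefixes}")
```

Against a live cluster, feed it the parsed output of `kubectl get felixconfigurations default -o json`, the `calico-node` daemonset, and `kubectl get pods -A -o json`.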