- Upgrade using Helm
- Upgrade steps
- Istio CNI upgrade
- Control plane upgrade
- Sidecar upgrade
- See also
- Upgrade steps
Upgrade using Helm
Follow this guide to upgrade the Istio control plane and sidecar proxies of anexisting Istio deployment that was previously installed using Helm. The upgradeprocess may install new binaries and may change configuration and API schemas.The upgrade process may result in service downtime. To minimize downtime,please ensure your Istio control plane components and your applications arehighly available with multiple replicas.
Be sure to check out the upgrade notesfor a concise list of things you should know before upgrading your deployment to Istio 1.4.
Istio does NOT support skip level upgrades. Only upgrades from 1.3 to 1.4are supported. If you are on an older version, please upgrade to 1.3 first.
Upgrade steps
Download the new Istio releaseand change directory to the new release directory.
Istio CNI upgrade
If you have installed or are planning to install Istio CNI,choose one of the following mutually exclusive options to check whetherIstio CNI is already installed and to upgrade it:
You can use Kubernetes’ rolling update mechanism to upgrade the Istio CNI components.This is suitable for cases where kubectl apply
was used to deploy Istio CNI.
- To check whether
istio-cni
is installed, search foristio-cni-node
podsand in which namespace they are running (typically,kube-system
oristio-system
):
$ kubectl get pods -l k8s-app=istio-cni-node --all-namespaces
$ NAMESPACE=$(kubectl get pods -l k8s-app=istio-cni-node --all-namespaces --output='jsonpath={.items[0].metadata.namespace}')
- If
istio-cni
is currently installed in a namespace other thankube-system
(for example,istio-system
), deleteistio-cni
:
$ helm template install/kubernetes/helm/istio-cni --name=istio-cni --namespace=$NAMESPACE | kubectl delete -f -
- Install or upgrade
istio-cni
in thekube-system
namespace:
$ helm template install/kubernetes/helm/istio-cni --name=istio-cni --namespace=kube-system | kubectl apply -f -
If you installed Istio CNI using Helm and Tiller,the preferred upgrade option is to let Helm take care of the upgrade.
- Check whether
istio-cni
is installed, and in which namespace:
$ helm status istio-cni
(Re-)install or upgrade
istio-cni
depending on the status:- If
istio-cni
is not currently installed and you decide to install it:
- If
$ helm install install/kubernetes/helm/istio-cni --name istio-cni --namespace kube-system
- If
istio-cni
is currently installed in a namespace other thankube-system
(for example,istio-system
), delete it:
$ helm delete --purge istio-cni
Then install it again in the kube-system
namespace:
$ helm install install/kubernetes/helm/istio-cni --name istio-cni --namespace kube-system
- If
istio-cni
is currently installed in thekube-system
namespace, upgrade it:
$ helm upgrade istio-cni install/kubernetes/helm/istio-cni --namespace kube-system
Control plane upgrade
Pilot, Galley, Policy, Telemetry and Sidecar injector.Choose one of the following mutually exclusive optionsto update the control plane:
You can use Kubernetes’ rolling update mechanism to upgrade the control plane components.This is suitable for cases where kubectl apply
was used to deploy the Istio components,including configurations generated usinghelm template.
- Use
kubectl apply
to upgrade all of Istio’s CRDs. Wait a few seconds for the KubernetesAPI server to commit the upgraded CRDs:
$ kubectl apply -f install/kubernetes/helm/istio-init/files/
- Wait for all Istio CRDs to be created:
$ kubectl -n istio-system wait --for=condition=complete job --all
- Apply the update templates:
$ helm template install/kubernetes/helm/istio --name istio \
--namespace istio-system | kubectl apply -f -
You must pass the same settings as when you first installed Istio.
The rolling update process will upgrade all deployments and configmaps to the new version.After this process finishes, your Istio control plane should be updated to the new version.Your existing application should continue to work without any change. If there is anycritical issue with the new control plane, you can rollback the changes by applying theyaml files from the old version.
If you installed Istio using Helm and Tiller,the preferred upgrade option is to let Helm take care of the upgrade.
- Upgrade the
istio-init
chart to update all the Istio Custom Resource Definitions (CRDs).
$ helm upgrade --install istio-init install/kubernetes/helm/istio-init --namespace istio-system
- Wait for all Istio CRDs to be created:
$ kubectl -n istio-system wait --for=condition=complete job --all
- Upgrade the
istio
chart:
$ helm upgrade istio install/kubernetes/helm/istio --namespace istio-system
If Istio CNI is installed, enable it by adding the —set istio_cni.enabled=true
setting.
Sidecar upgrade
After the control plane upgrade, the applications already running Istio willstill be using an older sidecar. To upgrade the sidecar, you will need to re-inject it.
If you’re using automatic sidecar injection, you can upgrade the sidecarby doing a rolling update for all the pods, so that the new version of thesidecar will be automatically re-injected.
Your kubectl
version must be >= 1.15 to run the following command. Upgrade if necessary.
$ kubectl rollout restart deployment --namespace default
If you’re using manual injection, you can upgrade the sidecar by executing:
$ kubectl apply -f <(istioctl kube-inject -f $ORIGINAL_DEPLOYMENT_YAML)
If the sidecar was previously injected with some customized inject configurationfiles, you will need to change the version tag in the configuration files to the newversion and re-inject the sidecar as follows:
$ kubectl apply -f <(istioctl kube-inject \
--injectConfigFile inject-config.yaml \
--filename $ORIGINAL_DEPLOYMENT_YAML)
See also
Upgrade Istio using istioctl [Experimental]
Upgrade or downgrade Istio using the istioctl upgrade command.
DNS Certificate Management
Provision and manage DNS certificates in Istio.
Secure Webhook Management
A more secure way to manage Istio webhooks.
Demystifying Istio's Sidecar Injection Model
De-mystify how Istio manages to plugin its data-plane components into an existing deployment.
Customizable Install with Helm
Install and configure Istio for in-depth evaluation or production use.
Customizable Install with Istioctl
Install and customize any Istio configuration profile for in-depth evaluation or production use.