manifests/charts/istio-cni/README.md
This chart installs the Istio CNI Plugin. See the CNI installation guide for more information.
helm repo add istio https://istio-release.storage.googleapis.com/charts
helm repo update
See helm repo for command documentation.
To install the chart with the release name istio-cni:
helm install istio-cni istio/cni -n kube-system
Installation in kube-system is recommended to ensure the system-node-critical
priorityClassName can be used. You can install in another namespace only on Kubernetes clusters that allow
'system-node-critical' outside of kube-system.
To view supported configuration options and documentation, run:
helm show values istio/cni
Istio Helm charts have a concept of a profile, which is a bundled collection of value presets.
These can be set with --set profile=<profile>.
For example, the demo profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
Explicitly set values have highest priority, then profile settings, then chart defaults.
As an implementation detail of profiles, the default values for the chart are all nested under defaults.
When configuring the chart, you should not include this.
That is, --set some.field=true should be passed, not --set defaults.some.field=true.
To enable ambient, you can use the ambient profile: --set profile=ambient.
For Calico, you must also modify the settings to allow source spoofing:
kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'
Or add env FELIX_WORKLOADSOURCESPOOFING with value Any in spec.template.spec.containers.env for daemonset calico-node. (This will allow pods with the specified annotation to skip the RPF check.)
On GKE, 'kube-system' is required.
If using helm template, --set cni.cniBinDir=/home/kubernetes/bin is required - with helm install
it is auto-detected.
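Because the Calico setting above lets annotated pods skip the RPF check, it helps to review which pods carry that annotation once `workloadSourceSpoofing` is `Any`. The audit below is an added example, not part of the Istio chart. The annotation name is taken from Calico's documentation rather than this page, and the namespaces, pod names and expected-namespace set are constructed sample values.

```python
import json

# Annotation name per Calico's documentation (not stated on this page).
ANNOTATION = "cni.projectcalico.org/allowedSourcePrefixes"

def spoofing_enabled(felix_config: dict) -> bool:
    """True when Felix honours the annotation (workloadSourceSpoofing: Any)."""
    return felix_config.get("spec", {}).get("workloadSourceSpoofing") == "Any"

def annotated_pods(pod_list: dict) -> list:
    """Return (namespace, name, prefixes) for each pod carrying the annotation."""
    found = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        raw = (meta.get("annotations") or {}).get(ANNOTATION)
        if raw is None:
            continue
        try:
            prefixes = json.loads(raw)
        except json.JSONDecodeError:
            prefixes = [raw]  # keep malformed values visible for review
        found.append((meta.get("namespace"), meta.get("name"), prefixes))
    return found

def audit(felix_config: dict, pod_list: dict, expected_namespaces: set) -> list:
    """Findings: annotated pods outside the namespaces expected to need it."""
    if not spoofing_enabled(felix_config):
        return []  # the annotation has no effect while spoofing is not "Any"
    return [p for p in annotated_pods(pod_list) if p[0] not in expected_namespaces]

# Constructed sample data, shaped like `kubectl get ... -o json` output.
FELIX = {"spec": {"workloadSourceSpoofing": "Any"}}
PODS = {"items": [
    {"metadata": {"namespace": "mesh-system", "name": "node-proxy-abcde",
                  "annotations": {ANNOTATION: '["0.0.0.0/0"]'}}},
    {"metadata": {"namespace": "default", "name": "web-1", "annotations": None}},
    {"metadata": {"namespace": "dev", "name": "debug-shell",
                  "annotations": {ANNOTATION: '["10.0.0.0/8"]'}}},
]}

if __name__ == "__main__":
    # "mesh-system" is a hypothetical namespace expected to need the exemption.
    for ns, name, prefixes in audit(FELIX, PODS, {"mesh-system"}):
        print(f"unexpected spoofing annotation: {ns}/{name} -> {prefixes}")
```

To run it against a live cluster, load the output of `kubectl get felixconfigurations default -o json` and `kubectl get pods -A -o json` in place of the constructed samples.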