Switch to Istio CNI by default #3135

Open: wants to merge 3 commits into master

Conversation

madmecodes (Contributor)

This PR changes the default Istio installation to use Istio CNI instead of standard Istio.
Key benefits include:

  • Eliminates the need for privileged Istio init containers
  • Improves compatibility with Pod Security Standards (PSS)
  • Enables native sidecars support for better init container network access

Changes include:

  • Updated example/kustomization.yaml to use Istio CNI paths
  • Updated README.md to reflect new installation paths
  • Added note about Ray operator being configured for Istio CNI compatibility

This change is part of the broader Rootless Kubeflow initiative #2528
and follows up on previous work #3061.

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign juliusvonkohout for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@madmecodes (Contributor Author)

@juliusvonkohout For the GCP hostPath check,

am I supposed to spin up the cluster in GCP/GKE and check the paths? Will that cost me?

@juliusvonkohout (Member)

> @juliusvonkohout For the GCP hostPath check,
>
> am I supposed to spin up the cluster in GCP/GKE and check the paths? Will that cost me?

I know the paths and that it is correct for GCP. The question is how we can enable both CNI directories at the same time, since the default ones are correct for Azure, Kind and others.

juliusvonkohout linked an issue May 17, 2025 that may be closed by this pull request

@juliusvonkohout (Member)

See #3061 (comment). We need to support both paths at the same time somehow.

@madmecodes (Contributor Author)

> See #3061 (comment). We need to support both paths at the same time somehow.

Okay, looking into this.

@madmecodes (Contributor Author)

Why This Multi-Path Approach Would Work

The patch adds both the standard path (/opt/cni/bin) and the GCP-specific path (/home/kubernetes/bin) as separate volume mounts in the Istio CNI DaemonSet.

  1. The CNI installer in the container will attempt to install the CNI binary to both paths.
  2. Regardless of whether the node is running on standard Kubernetes or GCP/GKE, one of the paths will exist and be the correct one.
  3. If a path doesn't exist, mounting a non-existent hostPath simply results in an empty directory, which causes no harm.

@juliusvonkohout what do you think, can this be a potential approach?
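The DaemonSet patch described above, written out as a kustomize strategic-merge patch. This is an added illustration, not the diff from this PR. It assumes the upstream Istio CNI DaemonSet is named `istio-cni-node` in `istio-system` with an `install-cni` container and an existing `cni-bin-dir` volume, and that the installer also copies its binaries into a second mount at `/host/secondary-bin-dir`; the volume name `cni-bin-dir-gke` is made up here.

```yaml
# Kustomize strategic-merge patch: mount both candidate CNI bin dirs.
# Assumptions (not taken from the PR): DaemonSet istio-cni-node in
# istio-system, container install-cni, existing volume cni-bin-dir
# mounted at /host/opt/cni/bin, and the installer writing binaries
# into /host/secondary-bin-dir as well. Volume name cni-bin-dir-gke is invented.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: istio-cni-node
  namespace: istio-system
spec:
  template:
    spec:
      containers:
        - name: install-cni
          volumeMounts:
            # Standard path (Kind, Azure and most distributions).
            - name: cni-bin-dir
              mountPath: /host/opt/cni/bin
            # GKE path; on nodes without it the mount is just an empty directory.
            - name: cni-bin-dir-gke
              mountPath: /host/secondary-bin-dir
      volumes:
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-bin-dir-gke
          hostPath:
            path: /home/kubernetes/bin
```

Reference the file from the overlay's kustomization.yaml under `patches:` with a `path:` entry; after rollout, `ls` of the mounted directory on a node of each type shows which hostPath the installer actually populated.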

@juliusvonkohout (Member)

> Why This Multi-Path Approach Would Work
>
> The patch adds both the standard path (/opt/cni/bin) and the GCP-specific path (/home/kubernetes/bin) as separate volume mounts in the Istio CNI DaemonSet.
>
> 1. The CNI installer in the container will attempt to install the CNI binary to both paths.
>
> 2. Regardless of whether the node is running on standard Kubernetes or GCP/GKE, one of the paths will exist and be the correct one.
>
> 3. If a path doesn't exist, mounting a non-existent hostPath simply results in an empty directory, which causes no harm.
>
> @juliusvonkohout what do you think, can this be a potential approach?

Yes, could work. Do you mind testing it on GCP? I think there is a small free 4GB node available by default if you have a gmail address. You just need to install Istio, so it should be enough. I can then later also test on some GCP clusters.

@juliusvonkohout (Member)

Do you mind fixing python3: can't open file '/home/runner/work/manifests/manifests/tests/gh-actions/test_pipeline.py': [Errno 2] No such file or directory in https://github.com/kubeflow/manifests/actions/runs/15084697684/job/42405783624?pr=3135 in a separate PR? I think the file has just been renamed since we have v1 and v2 kfp tests. CC @kunal-511 to help

@kunal-511 (Contributor)

@madmecodes The test_pipeline.py has been changed to test_pipeline_v2.py in #3129

@madmecodes (Contributor Author) commented May 19, 2025

> @madmecodes The test_pipeline.py has been changed to test_pipeline_v2.py in #3129

This is updated in #3136.

… instead of standard Istio.

Signed-off-by: madmecodes <ayushguptadev1@gmail.com>
Signed-off-by: madmecodes <ayushguptadev1@gmail.com>
madmecodes force-pushed the istio-cni-default branch from 35a911b to 83ac6c9 on May 20, 2025 10:23
Signed-off-by: madmecodes <ayushguptadev1@gmail.com>
Successfully merging this pull request may close these issues: Istio CNI by default

3 participants