Use Charmed Istio with Canonical Kubernetes

Canonical Kubernetes uses Cilium as its CNI provider out of the box. Cilium is an eBPF-based CNI provider that also performs traffic redirection at the kernel level for efficiency. This traffic redirection can conflict with Istio's workflow, as explained here.

For Istio and Cilium to work together, some changes are required to the defaults with which Charmed Istio and Canonical Kubernetes are deployed.

Configuring Canonical Kubernetes

Note

Canonical Kubernetes currently has no documented way to configure Cilium. However, the configuration can be changed using one of the methods recommended by Cilium.

Note

This documentation only covers the configuration changes required from the default state of Canonical Kubernetes. If a custom Cilium configuration is used, please refer to this Cilium documentation for compatibility with Istio.

The following requirements must be met for Canonical Kubernetes to work with Charmed Istio:

  • socketLB.hostNamespaceOnly: true (Helm) or bpf-lb-sock-hostns-only: "true" (Cilium CLI)

Configuring Charmed Istio

For Charmed Istio to work together with Cilium (given Cilium has the recommended configuration), the platform configuration of the istio-k8s charm must be unset. This can, for example, be done using:

juju config istio-k8s platform=""

Once Charmed Istio and Canonical Kubernetes are configured as recommended, the service-mesh capabilities of Istio should function normally.
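
A preflight check for the two settings above, as an added example that is not part of the original page or of the charm's own tooling. It assumes Cilium's settings are stored in the cilium-config ConfigMap in the kube-system namespace; the function names and the --live flag are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): preflight check for the two
# settings described above. Assumption: Cilium's settings are stored in the
# "cilium-config" ConfigMap in the "kube-system" namespace.
CILIUM_NS="${CILIUM_NS:-kube-system}"
CILIUM_CM="${CILIUM_CM:-cilium-config}"

# Strip whitespace and lowercase so " True " and "true" compare equal.
normalise() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr '[:upper:]' '[:lower:]'
}

# Passes only when bpf-lb-sock-hostns-only is explicitly "true";
# a missing key (empty value) fails.
check_hostns_only() {
    [ "$(normalise "$1")" = "true" ]
}

# Passes only when the istio-k8s "platform" option is empty (unset).
check_platform_unset() {
    [ -z "$(normalise "$1")" ]
}

# Print a verdict per setting; the return code is the number of failures.
evaluate() {
    failures=0
    if check_hostns_only "$1"; then
        echo "OK   bpf-lb-sock-hostns-only is true"
    else
        echo "FAIL bpf-lb-sock-hostns-only is '$1', expected 'true'"
        failures=$((failures + 1))
    fi
    if check_platform_unset "$2"; then
        echo "OK   istio-k8s platform is unset"
    else
        echo "FAIL istio-k8s platform is '$2', expected empty"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Query the live cluster and Juju model only when run with --live.
if [ "${1:-}" = "--live" ]; then
    hostns=$(kubectl -n "$CILIUM_NS" get configmap "$CILIUM_CM" \
        -o jsonpath='{.data.bpf-lb-sock-hostns-only}')
    platform=$(juju config istio-k8s platform)
    evaluate "$hostns" "$platform"
fi
```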