Deploying AKO on Istio

AKO can be deployed in an Istio environment. Currently, strict mTLS is supported in ClusterIP mode. This section explains the steps to deploy AKO on Istio and verify the deployment.
This feature is currently under Tech Preview.

Deploying and Verifying AKO Deployment on Istio

To deploy AKO, follow the steps given below:
  1. Set the flag istioEnabled to True in values.yaml to allow AKO to work in an Istio environment.
  2. Verify that Istio sidecar injection is enabled and working:
    kubectl logs ako-0 -n avi-system -c istio-proxy
  3. Verify that the istio-secret secret is created in the AKO namespace with cert-chain, key and root-cert data populated. These correspond to the workload and CA certificates.
    kubectl describe secret istio-secret -n <AKOnamespace>
  4. Verify that the PKI profile istio-pki-<clustername>-<AKOnamespace> and the sslkeyandcertificate istio-workload-<clustername>-<AKOnamespace> are created on the Controller.

Service Name for AKO

AKO and the Avi Load Balancer Service Engines use a service name based on the AKO service account and AKO namespace, of the form cluster.local/ns/<AKOnamespace>/sa/<AKOServiceAccount>.
For example, cluster.local/ns/avi-system/sa/ako-sa
This service name must be used when updating the auth policy CRD for Istio.
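The following is an added helper, not part of the AKO project, that ties step 3 of the deployment check and the service name above together: it validates a dumped istio-secret (as returned by kubectl get secret ... -o json) for the three expected PEM entries, and derives the principal and Controller object names from the cluster name, namespace and service account. The sample secret JSON is constructed with placeholder PEM bodies, and the cluster name "k8s-cluster" is an assumed value.

```python
import base64
import json

# Constructed sample in the shape of `kubectl get secret istio-secret -n avi-system -o json`.
# The PEM bodies are placeholders, not real certificates or keys.
def _pem(block_type: str) -> str:
    body = f"-----BEGIN {block_type}-----\nPLACEHOLDER\n-----END {block_type}-----\n"
    return base64.b64encode(body.encode()).decode()

SAMPLE_SECRET_JSON = json.dumps({
    "kind": "Secret",
    "metadata": {"name": "istio-secret", "namespace": "avi-system"},
    "data": {
        "cert-chain": _pem("CERTIFICATE"),   # workload certificate chain
        "key": _pem("PRIVATE KEY"),          # workload private key
        "root-cert": _pem("CERTIFICATE"),    # Istio CA root certificate
    },
})

# Expected entries and the PEM block type each must carry.
REQUIRED_KEYS = {"cert-chain": "CERTIFICATE", "key": "PRIVATE KEY", "root-cert": "CERTIFICATE"}

def check_istio_secret(secret_json: str) -> dict:
    """Return {entry: bool}: True when the entry exists, decodes, and contains
    a PEM block of the expected type; False for missing or empty data."""
    data = json.loads(secret_json).get("data") or {}
    result = {}
    for key, block_type in REQUIRED_KEYS.items():
        raw = data.get(key)
        if not raw:
            result[key] = False
            continue
        pem = base64.b64decode(raw).decode(errors="replace")
        # Accept e.g. "PRIVATE KEY", "RSA PRIVATE KEY" and "EC PRIVATE KEY" for the key entry.
        result[key] = "-----BEGIN " in pem and f"{block_type}-----" in pem
    return result

def ako_principal(namespace: str, service_account: str) -> str:
    """Identity AKO and the Service Engines present under Istio mTLS; use it in the auth policy."""
    return f"cluster.local/ns/{namespace}/sa/{service_account}"

def controller_object_names(cluster_name: str, namespace: str) -> dict:
    """Names of the objects AKO creates on the Controller for this cluster and namespace."""
    return {
        "pkiprofile": f"istio-pki-{cluster_name}-{namespace}",
        "sslkeyandcertificate": f"istio-workload-{cluster_name}-{namespace}",
    }

if __name__ == "__main__":
    print(check_istio_secret(SAMPLE_SECRET_JSON))
    print(ako_principal("avi-system", "ako-sa"))
    print(controller_object_names("k8s-cluster", "avi-system"))
```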

Caveat

AKO prioritizes the Istio pkiprofile over any other PKI profile reference added using httprule.
AKO works only with L7.

Troubleshooting

Issue: Sidecar injection for AKO is not working
Workaround: Try enabling injection for the AKO namespace. For example,
    kubectl label namespace avi-system istio-injection=enabled --overwrite

Issue: istio-secret is not created
Workaround: Check that the AKO cluster role has permissions to create or update secrets in the AKO namespace.