AKO on Istio
Overview
AKO can be deployed in an Istio environment. Currently, strict mTLS is supported in ClusterIP mode. This article explains the steps to deploy AKO on Istio and verify the deployment.
Note: This feature is currently under Tech Preview.
Deploying and Verifying AKO Deployment on Istio
To deploy AKO, follow the steps given below:
- Set the flag istioEnabled to True in values.yaml to allow AKO to work in an Istio environment.
- Verify that Istio sidecar injection is enabled and working:
kubectl logs ako-0 -n avi-system -c istio-proxy
- Verify that the istio-secret secret is created in the AKO namespace with cert-chain, key and root-cert data populated. These correspond to the workload and CA certificates.
kubectl describe secret istio-secret -n <AKOnamespace>
- Verify that the PKI profile istio-pki-<clustername>-<AKOnamespace> and the SSL key and certificate istio-workload-<clustername>-<AKOnamespace> are created on the Controller.
Service Name for AKO
AKO and the NSX Advanced Load Balancer Service Engines use a service name based on the AKO service account and AKO namespace, of the form cluster.local/ns/<AKOnamespace>/sa/<AKOServiceAccount>. For example, cluster.local/ns/avi-system/sa/ako-sa.
This service name should be used when updating the auth policy CRD for Istio.
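The following script is an added example, not part of the AKO documentation or the AKO project code. It turns the verification steps above (istioEnabled in values.yaml, the three entries of istio-secret) and the service name convention into small shell functions that work on captured text, so they can be run without a cluster, and it renders an Istio AuthorizationPolicy that admits the AKO identity. The policy name, the application namespace, the app label and the base64 payloads in the sample inputs are constructed placeholders, and the assumption that the flag appears as a line reading "istioEnabled: true" is mine.

```shell
#!/bin/sh
# Added example (not AKO project code): offline helpers for the Istio
# prerequisite checks. Each function consumes text you capture from
# kubectl or values.yaml, so it is testable without a cluster.

# Does values.yaml enable Istio mode? Assumes a line "istioEnabled: true"
# at any indentation (in AKO's chart it sits under AKOSettings).
values_istio_enabled() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*istioEnabled:[[:space:]]*[Tt]rue[[:space:]]*$'
}

# Given the JSON from
#   kubectl get secret istio-secret -n <AKOnamespace> -o json
# confirm that cert-chain, key and root-cert are present and non-empty
# under .data (an empty or missing entry means the sidecar never delivered
# the workload certificate or the CA bundle to AKO).
istio_secret_ok() {
  json="$1"
  for k in cert-chain key root-cert; do
    printf '%s' "$json" \
      | grep -Eq "\"$k\"[[:space:]]*:[[:space:]]*\"[A-Za-z0-9+/=]+\"" || return 1
  done
  return 0
}

# The SPIFFE-style identity Istio assigns to the AKO workload:
#   cluster.local/ns/<AKOnamespace>/sa/<AKOServiceAccount>
ako_principal() {
  printf 'cluster.local/ns/%s/sa/%s' "$1" "$2"
}

# Render an AuthorizationPolicy allowing traffic from that identity to
# workloads carrying the given app label in an application namespace.
# Policy name, namespace and label are placeholders; adjust for your cluster.
render_ako_authz_policy() {
  ns="$1" sa="$2" app_ns="$3" app_label="$4"
  cat <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-ako-ingress
  namespace: ${app_ns}
spec:
  selector:
    matchLabels:
      app: ${app_label}
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - "$(ako_principal "$ns" "$sa")"
EOF
}

# --- constructed sample inputs (not real cluster output) -------------------
SAMPLE_VALUES='AKOSettings:
  istioEnabled: true'

# The base64 values are placeholders, not real certificates.
SAMPLE_SECRET='{"kind":"Secret","metadata":{"name":"istio-secret","namespace":"avi-system"},
"data":{"cert-chain":"Q0VSVA==","key":"S0VZ","root-cert":"Uk9PVA=="}}'

# Same secret with root-cert missing: the check must reject it.
SAMPLE_SECRET_INCOMPLETE='{"kind":"Secret","data":{"cert-chain":"Q0VSVA==","key":"S0VZ"}}'

values_istio_enabled "$SAMPLE_VALUES" && echo "values.yaml: istioEnabled is true"
istio_secret_ok "$SAMPLE_SECRET" && echo "istio-secret: cert-chain, key, root-cert present"
istio_secret_ok "$SAMPLE_SECRET_INCOMPLETE" || echo "incomplete istio-secret rejected"
render_ako_authz_policy avi-system ako-sa default my-app
```

To use it against a live cluster, feed the functions real output, for example istio_secret_ok "$(kubectl get secret istio-secret -n avi-system -o json)", and apply the rendered policy with kubectl apply -f - after adjusting the placeholders.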
Caveat
- AKO prioritizes the Istio pkiprofile over any other PKI profile reference added using httprule.
Note: AKO works only with L7.
Troubleshooting
- Sidecar injection for AKO is not working
Workaround: Try enabling injection for the AKO namespace. For example:
kubectl label namespace avi-system istio-injection=enabled --overwrite
- istio-secret is not created
Workaround: Check that the AKO cluster role has permissions to create or update secrets in the AKO namespace.
Document Revision History
Date | Change Summary
---|---
September 29, 2022 | Created the article for AKO on Istio