Loading...

XML

Word

Printable

Type: Story
Resolution: Done
Priority: Normal
Fix Version/s: OSSM 2.5.0
Affects Version/s: OSSM 2.1.3, OSSM 2.2.0
Component/s: Customer Impact, Maistra
Labels:
- close-loop-done

Story Points:
2
Blocked:
False
Blocked Reason:
None
Ready:
False
Affects:

Documentation (Ref Guide, User Guide, etc.)
Documentation Type:

Release Notes
Release Note Text:
Istio CNI v2.5 will not be deployed on nodes with label `maistra.io/exclude-cni: 'true'`. Adding the label to a node will result in removing previously deployed Istio CNI pod.
Release Note Type:
Feature
Git Pull Request:
https://github.com/maistra/istio-operator/pull/1057, https://github.com/istio/istio/pull/42038, https://github.com/maistra/istio-operator/pull/1422

Sprint:
Sprint 60, Sprint 61, Sprint 62

Target Version:

OSSM 2.5.0

SFDC Cases Links:
SFDC Cases Counter:

Update:

We added nodeAffinity to istio-cni chart in upstream Istio and now we have to decide how we can expose this setting for customers. Ideas:
1) We can hardcode nodeAffinity + matchExpression + NotIn label maistra.io/exclude-cni
2) We allow to customize nodeAffinity by exposing it in spec.runtime...cni.nodeAfinity etc.

The second option looks more flexible, however, we deploy one istio-cni daemon set for all SMCPs, so it looks that the second option does not make sense.

Beside that we should plan testing scope.

First refinement:

istio-cni is currently deployed to all OCP nodes by default. This is necessary, as it needs to be present on every OCP node that runs OSSM workloads. Some customers, however, appear to be running OSSM on specific nodes only, and would like to be able to restrict the istio-cni pod to run only on the nodes that are also used to run OSSM workloads.

Acceptance Criteria:

add nodeSelector to istio-cni chart to restrict the DaemonSet, to Nodes that don't have the label maistra.io/exclude-cni
create OSSMDOCS ticket that explains how to opt-out nodes of CNI (by adding the label)

Original description:

Currently the istio-cni-node DaemonSet has kubernetes.io/os=linux set as nodeSelector. Meaning the DaemonSet will run on every OpenShift Container Platform 4 - Node of the OpenShift Container Platform 4 - Cluster.

In certain environments, OpenShift Container Platform 4 - Clusters may be segmented for different customer use-cases (via specific OpenShift Container Platform 4 - Node) where not every use-case will run and require OpenShift Service Mesh. Still, the istio-cni-node pod will run on each OpenShift Container Platform 4 - Node consuming unncessary resources (and thus generating unnecessary costs).

Based on this, it's required that the nodeSelector for the istio-cni-node DaemonSet can be configured by customers to restrict the DaemonSet to OpenShift Container Platform 4 - Node(s) that are part of the OpenShift Service Mesh.

That way resources can be saved as the components of OpenShift Service Mesh will only run where required and where components and projects part of the Mesh are operating.

relates to

OSSM-5713 MTT: Create test case for `maistra.io/exclude-cni=true` label

Closed

Assignee:: Jacek Ewertowski

Reporter:: Simon Reber

Contributors:: Jacek Ewertowski, Matej Kralik

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2022/06/30 8:28 AM

Updated:: 2024/03/20 7:40 AM

Resolved:: 2024/01/16 1:12 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates