Uploaded image for project: 'OpenShift Service Mesh'
  1. OpenShift Service Mesh
  2. OSSM-5362

Install istio-cni in same namespace as the control plane

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Done
    • Icon: Undefined Undefined
    • Sail MVP2
    • None
    • Sail Operator
    • None
    • Sprint 13

      In OSSM 2.x we had to install istio-cni into a different namespace because we didn't want the mesh admin to have access to a privileged ServiceAccount. In OSSM 3.x, the mesh admin is a cluster admin, so there's no need to install istio-cni in any other namespace.

      Upstream installs istio-cni in the same namespace as the control plane.

      If we install istio-cni in the same namespace, then we can use ownerReferences instead of custom labels. This removes the need for adding a finalizer to the Istio resource, which makes the uninstallation of the operator easier to perform, since the Istio resource and CRD can be removed even if the operator is stopped beforehand.

              mluksa@redhat.com Marko Luksa
              mluksa@redhat.com Marko Luksa
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: