istio-cni

Helm chart
# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar`, just set `--set foo=bar`.

# Digest-pinned reference for the install-cni image (the `@sha256:` suffix means the pull cannot drift
# even if the `1.30` tag is re-pointed). NOTE(review): this sits at the top level, i.e. the user-facing
# layer described above, while `image: install-cni` below is the internal default; it looks like a
# distribution-level override of that default — confirm in the chart templates that this pinned
# reference is what the DaemonSet actually pulls rather than `global.hub`/`global.tag`.
image: cgr.dev/chainguard-private/istio-install-cni:1.30@sha256:07d56dfe00108c3ebfeb67e4e9c64110c58dcab933b69b95984594bec9a03f26
_internal_defaults_do_not_set:
  # Per-component image coordinates. Empty values presumably fall back to the matching `global.*`
  # setting (as `logging.level` below documents for itself) — verify against the templates.
  hub: ""
  tag: ""
  variant: ""
  image: install-cni
  pullPolicy: ""

  # Same as `global.logging.level`, but will override it if set
  logging:
    level: ""

  # Configuration file to insert istio-cni plugin configuration
  # by default this will be the first file found in the cni-conf-dir
  # Example
  # cniConfFileName: 10-calico.conflist

  # CNI-and-platform specific path defaults.
  # These may need to be set to platform-specific values, consult
  # overrides for your platform in `manifests/helm-profiles/platform-*.yaml`
  cniBinDir: /opt/cni/bin
  cniConfDir: /etc/cni/net.d
  cniConfFileName: ""
  cniNetnsDir: "/var/run/netns"
  # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist
  istioOwnedCNIConfigFileName: ""
  istioOwnedCNIConfig: false

  # NOTE(review): presumably the namespaces istio-cni leaves untouched — confirm against the templates.
  excludeNamespaces:
    - kube-system

  # Allows user to set custom affinity for the DaemonSet
  affinity: {}
  # Additional labels to apply on the daemonset level
  daemonSetLabels: {}
  # Custom annotations on pod level, if you need them
  podAnnotations: {}
  # Additional labels to apply on the pod level
  podLabels: {}

  # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
  # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
  chained: true

  # Custom configuration happens based on the CNI provider.
  # Possible values: "default", "multus"
  provider: "default"

  # Configure ambient settings
  ambient:
    # If enabled, ambient redirection will be enabled
    enabled: false
    # If ambient is enabled, this selector will be used to identify the ambient-enabled pods
    enablementSelectors:
      - podSelector:
          matchLabels: {istio.io/dataplane-mode: ambient}
      - podSelector:
          matchExpressions:
            - {key: istio.io/dataplane-mode, operator: NotIn, values: [none]}
        namespaceSelector:
          matchLabels: {istio.io/dataplane-mode: ambient}
    # Set ambient config dir path: defaults to /etc/ambient-config
    configDir: ""
    # If enabled, and ambient is enabled, DNS redirection will be enabled
    dnsCapture: true
    # If enabled, and ambient is enabled, enables ipv6 support
    ipv6: true
    # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup.
    # This is enabled by default
    reconcileIptablesOnStartup: true
    # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on
    # NOTE(review): host networking puts the agent directly on the node's interfaces; keep this false unless the platform requires it.
    shareHostNetworkNamespace: false
    # If enabled, the CNI agent will retry checking if a pod is ambient enabled when there are errors
    enableAmbientDetectionRetry: false

  repair:
    enabled: true
    hub: ""
    tag: ""

    # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
    # This defines the action the controller will take when a pod is detected as broken.

    # labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
    # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
    # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
    labelPods: false
    # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
    # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
    deletePods: false
    # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
    # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
    # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
    repairPods: true

    initContainerName: "istio-validation"

    brokenPodLabelKey: "cni.istio.io/uninitialized"
    # Quoted so the label value stays the string "true" rather than a YAML boolean.
    brokenPodLabelValue: "true"

  # Set to `type: RuntimeDefault` to use the default profile if available.
  # An empty mapping requests no seccomp profile for the istio-cni-node pods.
  seccompProfile: {}

  # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms.
  seLinuxOptions: {}

  # Use `useAppArmorAnnotation: true` to set up appArmor profile via `container.apparmor.security.beta.kubernetes.io` annotation.
  # This is required for Kubernetes 1.29 (and earlier) which does not support setting appArmorProfile in the
  # securityContext. Otherwise, appArmor profile will be set via appArmorProfile setting in securityContext.
  useAppArmorAnnotation: true

  resources:
    requests:
      cpu: 100m
      memory: 100Mi

  resourceQuotas:
    enabled: false
    pods: 5000

  tolerations:
    # Make sure istio-cni-node gets scheduled on all nodes.
    - effect: NoSchedule
      operator: Exists
    # Mark the pod as a critical add-on for rescheduling.
    - key: CriticalAddonsOnly
      operator: Exists
    - effect: NoExecute
      operator: Exists

  # K8s DaemonSet update strategy.
  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1

  # Sets the per-pod terminationGracePeriodSeconds setting.
  # A higher value gives more time for CNI cleanup during rolling updates,
  # preventing "failed to find plugin istio-cni" errors.
  # Default K8s value is 30 seconds.
  terminationGracePeriodSeconds: 30

  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
  revision: ""

  # For Helm compatibility.
  ownerName: ""

  global:
    # Default hub for Istio images.
    # Releases are published to docker hub under 'istio' project.
    # Dev builds from prow are on registry.istio.io/testing
    hub: registry.istio.io/testing
    # Default tag for Istio images.
    # NOTE(review): `latest` is a mutable tag; if this fallback is ever used (see the top-level `image`),
    # pin a version or digest instead.
    tag: latest
    # Variant of the image to use.
    # Currently supported are: [debug, distroless]
    variant: ""

    # Specify image pull policy if default behavior isn't desired.
    # Default behavior: latest images will be Always else IfNotPresent.
    imagePullPolicy: ""

    # change cni scope level to control logging out of istio-cni-node DaemonSet
    logging:
      level: info
    logAsJson: false

    # When enabled, default NetworkPolicy resources will be created
    networkPolicy:
      enabled: false

    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
    # to use for pulling any images in pods that reference this ServiceAccount.
    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
    # Must be set for any cluster configured with private docker registry.
    imagePullSecrets: []
    # - private-registry-key

    # Default resources allocated
    defaultResources:
      requests:
        cpu: 100m
        memory: 100Mi

    # In order to use native nftable rules instead of iptable rules, set this flag to true.
    nativeNftables: false

  # resourceScope controls what resources will be processed by helm.
  # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
  # It can be one of:
  # - all: all resources are processed
  # - cluster: only cluster-scoped resources are processed
  # - namespace: only namespace-scoped resources are processed
  resourceScope: all

  # A `key: value` mapping of environment variables to add to the pod
  env: {}