
istio-cni

Helm chart
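# Default values for the istio-cni Helm chart (node-level CNI DaemonSet).
# The nesting below is restored from a rendered listing that had lost its indentation;
# compare it with the chart's packaged values.yaml before reusing it.

# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar`, just set `--set foo=bar`.

# Full image reference, pinned by digest. With `tag@sha256:...` the runtime resolves the digest,
# so the `1.29` tag is informational only; update the tag and the digest together.
# NOTE(review): the repository path is `chainguard-private`, so pull credentials are presumably
# required (see `global.imagePullSecrets` below) - confirm for your registry setup.
image: cgr.dev/chainguard-private/istio-install-cni:1.29@sha256:09914e307bc619cdbd4aeb06372a586e9dbe6234b38908a742df263adca99148
_internal_defaults_do_not_set:
  hub: ""
  tag: ""
  variant: ""
  image: install-cni
  pullPolicy: ""
  # Same as `global.logging.level`, but will override it if set
  logging:
    level: ""
  # Configuration file to insert istio-cni plugin configuration
  # by default this will be the first file found in the cni-conf-dir
  # Example
  # cniConfFileName: 10-calico.conflist

  # CNI-and-platform specific path defaults.
  # These may need to be set to platform-specific values, consult
  # overrides for your platform in `manifests/helm-profiles/platform-*.yaml`
  # NOTE(review): these are host paths; the DaemonSet presumably mounts them from the node, so
  # treat write access to these values as equivalent to write access to the node's CNI setup.
  cniBinDir: /opt/cni/bin
  cniConfDir: /etc/cni/net.d
  cniConfFileName: ""
  cniNetnsDir: "/var/run/netns"
  # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist
  istioOwnedCNIConfigFileName: ""
  istioOwnedCNIConfig: false
  excludeNamespaces:
    - kube-system
  # Allows user to set custom affinity for the DaemonSet
  affinity: {}
  # Additional labels to apply on the daemonset level
  daemonSetLabels: {}
  # Custom annotations on pod level, if you need them
  podAnnotations: {}
  # Additional labels to apply on the pod level
  podLabels: {}
  # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
  # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
  chained: true
  # Custom configuration happens based on the CNI provider.
  # Possible values: "default", "multus"
  provider: "default"
  # Configure ambient settings
  ambient:
    # If enabled, ambient redirection will be enabled
    enabled: false
    # If ambient is enabled, this selector will be used to identify the ambient-enabled pods
    enablementSelectors:
      - podSelector:
          matchLabels: {istio.io/dataplane-mode: ambient}
      - podSelector:
          matchExpressions:
            - {key: istio.io/dataplane-mode, operator: NotIn, values: [none]}
        namespaceSelector:
          matchLabels: {istio.io/dataplane-mode: ambient}
    # Set ambient config dir path: defaults to /etc/ambient-config
    configDir: ""
    # If enabled, and ambient is enabled, DNS redirection will be enabled
    dnsCapture: true
    # If enabled, and ambient is enabled, enables ipv6 support
    ipv6: true
    # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup.
    # This is enabled by default
    reconcileIptablesOnStartup: true
    # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on
    shareHostNetworkNamespace: false
    # If enabled, the CNI agent will retry checking if a pod is ambient enabled when there are errors
    enableAmbientDetectionRetry: false
  repair:
    enabled: true
    hub: ""
    tag: ""
    # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
    # This defines the action the controller will take when a pod is detected as broken.

    # labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
    # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
    # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
    labelPods: false
    # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
    # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
    deletePods: false
    # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
    # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
    # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
    # NOTE(review): this is the mode enabled by default, so the default install relies on the
    # privileged/CAP_SYS_ADMIN requirement stated above rather than on extra RBAC.
    repairPods: true
    initContainerName: "istio-validation"
    brokenPodLabelKey: "cni.istio.io/uninitialized"
    brokenPodLabelValue: "true"
  # Set to `type: RuntimeDefault` to use the default profile if available.
  # NOTE(review): left empty, these values request no seccomp profile; how the templates treat the
  # empty map is not visible here - verify the rendered DaemonSet.
  seccompProfile: {}
  # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms.
  seLinuxOptions: {}
  # Only requests are declared; no CPU or memory limits are set by these defaults.
  resources:
    requests:
      cpu: 100m
      memory: 100Mi
  resourceQuotas:
    enabled: false
    pods: 5000
  tolerations:
    # Make sure istio-cni-node gets scheduled on all nodes.
    - effect: NoSchedule
      operator: Exists
    # Mark the pod as a critical add-on for rescheduling.
    - key: CriticalAddonsOnly
      operator: Exists
    - effect: NoExecute
      operator: Exists
  # K8s DaemonSet update strategy.
  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  # Sets the per-pod terminationGracePeriodSeconds setting.
  # A higher value gives more time for CNI cleanup during rolling updates,
  # preventing "failed to find plugin istio-cni" errors.
  # Default K8s value is 30 seconds.
  terminationGracePeriodSeconds: 30
  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
  revision: ""
  # For Helm compatibility.
  ownerName: ""
  global:
    # Default hub for Istio images.
    # Releases are published to docker hub under 'istio' project.
    # Dev builds from prow are on gcr.io
    # NOTE(review): this hub/tag pair points at a dev-build registry with the mutable `latest` tag.
    # Whether it is still consulted when the top-level `image` is a full digest-pinned reference
    # depends on the chart templates, which are not shown here - verify the rendered manifests
    # and pin a release tag or digest for any image that does resolve through hub/tag.
    hub: gcr.io/istio-testing
    # Default tag for Istio images.
    tag: latest
    # Variant of the image to use.
    # Currently supported are: [debug, distroless]
    variant: ""
    # Specify image pull policy if default behavior isn't desired.
    # Default behavior: latest images will be Always else IfNotPresent.
    imagePullPolicy: ""
    # change cni scope level to control logging out of istio-cni-node DaemonSet
    logging:
      level: info
    logAsJson: false
    # When enabled, default NetworkPolicy resources will be created
    # Off by default, so these values create no NetworkPolicy for the chart's pods.
    networkPolicy:
      enabled: false
    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
    # to use for pulling any images in pods that reference this ServiceAccount.
    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
    # Must be set for any cluster configured with private docker registry.
    # Reference existing Secret names only; do not place registry credentials in this file.
    imagePullSecrets: []
    # - private-registry-key

    # Default resources allocated
    defaultResources:
      requests:
        cpu: 100m
        memory: 100Mi
    # In order to use native nftable rules instead of iptable rules, set this flag to true.
    nativeNftables: false
    # resourceScope controls what resources will be processed by helm.
    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
    # It can be one of:
    # - all: all resources are processed
    # - cluster: only cluster-scoped resources are processed
    # - namespace: only namespace-scoped resources are processed
    resourceScope: all
  # A `key: value` mapping of environment variables to add to the pod
  env: {}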
