IBM Cloud Docs
Setting up the Istio managed add-on

Setting up the Istio managed add-on

Istio on IBM Cloud® Kubernetes Service provides a seamless installation of Istio, automatic updates and lifecycle management of Istio control plane components, and integration with platform logging and monitoring tools.

Removing other Istio installations from a cluster

If you previously installed Istio in the cluster by using the IBM Helm chart or through another method, clean up that Istio installation before you enable the managed Istio add-on.

Before you begin: Verify that Istio is already installed in the cluster. Run kubectl get namespaces and look for the istio-system namespace in the output.

To remove other Istio installations:

  • If you installed Istio by using the IBM Cloud Istio Helm chart,

    1. Uninstall the Istio Helm deployment.
      helm del istio --purge
    2. If you used Helm 2.9 or earlier, delete the extra job resource.
      kubectl -n istio-system delete job --all
    3. The uninstallation process can take up to 10 minutes. Before you install the Istio managed add-on in the cluster, run kubectl get namespaces and verify that the istio-system namespace is removed.

  • If you installed Istio manually or used the Istio community Helm chart, see the Istio uninstall documentation.

  • If you previously installed BookInfo in the cluster, clean up those resources.

    1. Change the directory to the Istio file location.
      cd <filepath>/istio-1.24.6
    2. Delete all BookInfo services, pods, and deployments in the cluster.
      samples/bookinfo/platform/kube/cleanup.sh
    3. The uninstallation process can take up to 10 minutes. Before you install the Istio managed add-on in the cluster, run kubectl get namespaces and verify that the istio-system namespace is removed.

Installing the Istio add-on

Instead of the community Istio, you can install the managed Istio add-on.

Before you begin

Installing the Istio add-on from the console

  1. In your cluster dashboard, click the name of the cluster where you want to install the Istio add-on.

  2. Navigate to the Add-ons section.

  3. On the Managed Istio card, click Install.

  4. Click Install again.

  5. On the Managed Istio card, verify that the add-on is listed.

Installing the Istio add-on with the CLI

Log in to your account. If applicable, target the appropriate resource group. Set the context for your cluster.

  1. Review the supported Istio versions.

    ibmcloud ks addon-versions --addon istio

  2. Enable the istio add-on. The default version of the generally available Istio managed add-on, 1.24.6, is installed.

    ibmcloud ks cluster addon enable istio --cluster <cluster_name_or_ID>

  3. Verify that the managed Istio add-on has a status of Addon Ready.

    ibmcloud ks cluster addon ls --cluster <cluster_name_or_ID>

    Example output

    NAME            Version     Health State   Health Status
istio           1.24.6       normal         Addon Ready

  4. You can also check out the individual components of the add-on to ensure that the Istio services and their corresponding pods are deployed.

    kubectl get svc -n istio-system

    kubectl get pods -n istio-system

  5. Next, you can include your apps in the Istio service mesh.

Installing the istioctl CLI

Install the istioctl CLI client on your computer. For more information, see the istioctl command reference.

  1. Check the version of Istio that you installed in your cluster.
    istioctl version
  2. Download the version of istioctl that matches your cluster's Istio version to your computer.
    curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.24.6 sh -
  3. Navigate to the Istio package directory.
    cd istio-1.24.6
  4. Linux and macOS users: Add the istioctl client to your PATH system variable.
    export PATH=$PWD/bin:$PATH

Customizing the Istio installation

You can customize a set of Istio configuration options by editing the managed-istio-custom ConfigMap resource. These settings include extra control over monitoring, logging, and networking in your control plane and service mesh.

  1. Describe the managed-istio-custom ConfigMap resource to review its contents and the inline documentation.

    kubectl describe cm managed-istio-custom -n ibm-operators

  2. Edit the managed-istio-custom ConfigMap resource.

    kubectl edit cm managed-istio-custom -n ibm-operators

  3. In the data section, add the <key>: "<value>" pair of one or more of the following configuration options.

    istio-components-pilot-requests-cpu
    Default value: "500m"
    Configure the CPU request in milli CPU for the istiod component pod. Use caution when changing this value. Setting this value too low might prevent the control plane from working properly, and setting this value too high might prevent the istiod pod from being scheduled.
    istio-global-logging-level
    Default value: "default:info"
    Define the scope of logs and the level of log messages for control plane components. A scope represents a functional area within a control plane component and each scope supports specific log information levels. The default logging scope, which is for non-categorized log messages, is applied to all components in the control plane at the basic info level.
    To specify log levels for individual component scopes, enter a comma-separated list of scopes and levels, such as "<scope>:<level>,<scope>:<level>". For a list of the scopes for each control plane component and the information level of log messages, see the Istio component logging documentation. To change the log level of the data plane, use the istioctl proxy-config log <pod> --level <level> command.
    istio-global-outboundTrafficPolicy-mode
    Default value: "ALLOW_ANY"
    By default, all outbound traffic from the service mesh is permitted. To block outbound traffic from the service mesh to any host that is not defined in the service registry or that does not have a ServiceEntry within the service mesh, set to REGISTRY_ONLY.
    istio-global-proxy-accessLogFile
    Default value: ""
    Envoy proxies print access information to their standard output. These logs are helpful when you debug ingress or egress issues. To view this access information when running kubectl logs commands for the Envoy containers, set to "/dev/stdout".
    istio-monitoring-telemetry
    Default value: "true"
    By default, telemetry metrics and Prometheus support is enabled. To remove any performance issues associated with telemetry metrics and disable all monitoring, set to "false".
    istio-meshConfig-enableTracing
    Default value: "true"
    By default, Istio generates trace spans for 1 out of every 100 requests. To disable trace spans, set to "false".
    istio-pilot-traceSampling
    Default value: "1.0"
    By default, Istio generates trace spans for 1 out of every 100 requests, which is a sampling rate of 1%. To generate more trace spans, increase the percentage value.
    istio-components-pilot-hpa-maxReplicas
    Default value: "5"
    By default, Istio sets the default horizontal pod autoscaler (HPA) max pods for istiod to 5. Do not increase this value unless you have a large service mesh where istiod needs increased resources to update the configurations.

    For example, your ConfigMap might look like the following example.

    apiVersion: v1
data:
  istio-ingressgateway-zone-1: dal10
  <key: value> # such as istio-egressgateway-public-1-enabled: "false"
kind: ConfigMap
metadata:
  name: managed-istio-custom
  namespace: ibm-operators

    Don't see an option from this table in your ConfigMap? Because your ConfigMap contains user-defined values, the ConfigMap is not updated with any options that are released over time. Instead, you can back up a copy of your ConfigMap and delete the ConfigMap from your cluster. After about 5 minutes, a default ConfigMap that contains the new options is created in your cluster. Then, you can copy your previously configured settings from your backup to this default ConfigMap, configure any new settings, and apply the changes.

  4. Save and close the configuration file.

  5. If you changed the istio-global-logging-level or istio-global-proxy-accessLogFile settings, you must restart your data plane pods to apply the changes to them.

    1. Get the list of all data plane pods that are not in the istio-system namespace.

      istioctl version --short=false | grep "data plane version" | grep -v istio-system

      Example output

      data plane version: version.ProxyInfo{ID:"test-6f86fc4677-vsbsf.default", IstioVersion:"1.24.6"}
data plane version: version.ProxyInfo{ID:"rerun-xfs-f8958bb94-j6n89.default", IstioVersion:"1.24.6"}
data plane version: version.ProxyInfo{ID:"test2-5cbc75859c-jh6bx.default", IstioVersion:"1.24.6"}
data plane version: version.ProxyInfo{ID:"minio-test-78b5d4597d-hkpvt.default", IstioVersion:"1.24.6"}
data plane version: version.ProxyInfo{ID:"sb-887f89d7d-7s8ts.default", IstioVersion:"1.24.6"}
data plane version: version.ProxyInfo{ID:"gid-deployment-5dc86db4c4-kdshs.default", IstioVersion:"1.24.6"}

    2. Restart each pod by deleting it. In the output of the previous step, the pod name and namespace are listed in each entry as data plane version: version.ProxyInfo{ID:"<pod_name>.<namespace>", IstioVersion:"1.24.6"}.

      kubectl delete pod <pod_name> -n <namespace>
Want to change a ConfigMap setting?
If you want to change a setting that you added to the ConfigMap, you can use a patch script. For example, if you added the istio-global-proxy-accessLogFile: "/dev/stdout" setting and later want to change it back to "", you can run kubectl patch cm managed-istio-custom -n ibm-operators --type='json' -p='[{"op": "add", "path": "/data/istio-global-proxy-accessLogFile", "value":""}]'.
Need to debug your customization setup in 1.24 or later?
Check the helm value.yaml and the helm results logs in the managed-istio-istiod-control-plane-values configmap in the ibm-operators namespace. The value.yaml will show you whether your change was added. The helm results will show you if there were any syntax errors.
kubectl get cm -n ibm-operators managed-istio-istiod-control-plane-values -o json | jq -r .data.\"values.yaml\"
kubectl get cm -n ibm-operators managed-istio-istiod-control-plane-values -o json | jq -r .data.\"values.yaml.helm.result\"

Thu, 23 Oct 2025 19:58:48 GMT HELM_SUCCESS: Release "istiod" has been upgraded. Happy Helming!
NAME: istiod
LAST DEPLOYED: Thu Oct 23 19:58:42 2025
NAMESPACE: istio-system
STATUS: deployed
REVISION: 275
TEST SUITE: None
NOTES:
"istiod" successfully installed!
Need to debug your customization setup in 1.23?
Check the logs for the addon-istio-operator (Istio version 1.10 to 1.23) pod by running kubectl logs -n ibm-operators -l name=managed-istio-operator. The Istio operator validates and reconciles any custom Istio changes that you make.

If you disable the Istio add-on, the managed-istio-custom ConfigMap is not removed during uninstallation. When you re-enable the Istio add-on, your customized ConfigMap is applied during installation. If you don't want to re-use your custom settings in a later installation of Istio, you must delete the ConfigMap after you disable the Istio add-on by running kubectl delete cm -n ibm-operators managed-istio-custom. When you re-enable the Istio add-on, the default ConfigMap is applied during installation.

Migrating from the Istio add-on to community Istio

If you are using the managed Istio add-on versions 1.21 to 1.23, you can migrate to a later version of the community Istio instead.

Before you begin: If you no longer need Istio, you can uninstall the add-on without installing the community Istio instead of completing these step.

Step 1: Disabling the Istio add-on from the console

Disable the add-on from the console or CLI.

  1. In your cluster dashboard, click the name of the cluster where you want to remove the Istio add-on.

  2. Navigate to the Add-ons section.

  3. On the Managed Istio card, click the Action menu icon.

  4. Click Uninstall. The managed Istio add-on is disabled in this cluster.

  5. On the Managed Istio card, verify that the add-on you uninstalled is no longer listed.

Step 1: Disabling the Istio add-ons from the CLI

Disable the add-on and verify that no additional Istio add-ons remain.

  1. Disable the istio add-on.
    ibmcloud ks cluster addon disable istio --cluster <cluster_name_or_ID> -f
  2. Verify that all managed Istio add-ons are disabled in this cluster. No Istio add-ons are returned in the output.
    ibmcloud ks cluster addon ls --cluster <cluster_name_or_ID>
  3. Wait 10 minutes before continuing to the next step. This gives us time to unmanaged the istio operator.

Step 2: Scale down the Istio operator

Scale down the Istio operator deployment. When migrating from the Istio add-on's use of the in-cluster Istio operator to community Istio's use of istioctl, you must avoid having both installation methods fighting for control of Istio. The steps of scaling down the operator, deleting the IOPs, and then deleting the operator removes the in-cluster operator without uninstalling Istio.

Run the following command:

kubectl scale deployment -n ibm-operators addon-istio-operator --replicas=0

Step 3: Saving resources

Save any resources that you created or modified in the istio-system namespace and all Kubernetes resources that were automatically generated by custom resource definitions (CRDs).

  1. Save the managed-istio-custom ConfigMap to troubleshoot a problem or to reinstall the add-on later.

    kubectl get cm -n ibm-operators managed-istio-custom -o yaml > Customizations.yaml

  2. Save all IstioOperator CRs (IOPs). The in-cluster Istio operator has a finalizer on the IOPs to prevent their deletion until the in-cluster operator deletes the resources that are defined in the IOPs. As part of removing the Istio operator without deleting Istio, you must remove the finalizers.

    • List the IOP resources:

      kubectl get iop -A

    • For each IOP resource listed, remove the finalizer.

      Example using the managed-istio IOP:

      kubectl patch -n ibm-operators istiooperator/managed-istio --type json --patch='[ { "op": "remove", "path": "/metadata/finalizers" } ]'

    • For each IOP resource listed, save each to a file:

      kubectl get iop -n <IOP_namespace> <IOP_name> -o yaml > <IOP_name>.yaml

  3. Wait 10 minutes before continuing to the next step.

Step 4: Changing the installer of the IOPs

Delete all Istio operator (IOP) resources, such as for a custom ingress gateway.

  1. Make sure your istioctl cli tool is at the necessary patch version.

    istioctl version

  2. For each IOP file that you saved in the previous step, run the istioctl upgrade command to upgrade Istio to the version that matches the istioctl version. This command also changes the installation and upgrade mechanism from using the in-cluster operator to istioctl.

    istioctl upgrade -f <filename>.yaml

Step 5: Removing the Istio operator and IOPs

Delete the Istio operator deployment, service account, cluster role binding, cluster role, and all IOPs. Istio was transfered from the in-cluster Istio operator to the istioctl based installation. Now you can clean up the remains of the in-cluster Istio operator installation while it is scaled down.

  1. Run the following commands to delete the istio operator deployment:

    kubectl delete deployment -n ibm-operators addon-istio-operator --ignore-not-found=true
kubectl delete serviceaccount -n ibm-operators addon-istio-operator --ignore-not-found=true
kubectl delete clusterrolebinding addon-istio-operator --ignore-not-found=true
kubectl delete clusterrole addon-istio-operator --ignore-not-found=true

  2. Delete the IOPs.

    • List the IOP resources:
      kubectl get iop -A
    • For each IOP resource listed, delete it:
      kubectl delete IstioOperator <resource_name> -n <namespace>

Step 6: Removing the ConfigMap

Because the ConfigMap was saved earlier, it can be removed.

Remove the managed-istio-custom ConfigMap.

kubectl delete cm -n ibm-operators managed-istio-custom

The removal of the add-on is complete and you can continue to use and upgrade the community Istio as needed.

Uninstalling the Istio add-on

If you're finished working with Istio, you can clean up the Istio resources in your cluster and uninstall the Istio add-ons.

Step 1: Saving resources before uninstallation

Any resources that you created or modified in the istio-system namespace are removed. To keep these resources, save them before you uninstall the Istio add-on.

  1. Save the managed-istio-custom ConfigMap to troubleshoot a problem or to reinstall the add-on later.

    kubectl get cm -n ibm-operators managed-istio-custom -o yaml > Customizations.yaml

  2. For version 1.23 and earlier, save all IstioOperator CRs (IOPs).

    a. List the IOP resources:

    kubectl get iop -A

    b. For each IOP resource listed, save each to a file:

    kubectl get iop -n <IOP_namespace> <IOP_name> -o yaml > <IOP_name>.yaml

Step 2: Uninstalling the Istio add-on

Uninstall the add-on from the console or CLI. For Istio 1.20 and earlier, any custom Istio operator (IOP) resources are automatically deleted.

Uninstalling the Istio add-on from the console

  1. In your cluster dashboard, click the name of the cluster where you want to remove the Istio add-on.

  2. Navigate to the Add-ons section.

  3. On the Managed Istio card, click the Action menu icon.

  4. Click Uninstall. The managed Istio add-on is disabled in this cluster and all Istio resources in this cluster are removed.

  5. On the Managed Istio card, verify that the add-on you uninstalled is no longer listed.

Uninstalling the Istio add-on from the CLI

If you did not install the deprecated istio-sample-bookinfo and istio-extras add-ons, skip steps 1 and 2.

  1. Disable the istio-sample-bookinfo add-on.
    ibmcloud ks cluster addon disable istio-sample-bookinfo --cluster <cluster_name_or_ID>
  2. Disable the istio-extras add-on.
    ibmcloud ks cluster addon disable istio-extras --cluster <cluster_name_or_ID>
  3. Disable the istio add-on.
    ibmcloud ks cluster addon disable istio --cluster <cluster_name_or_ID> -f
  4. Verify that all managed Istio add-ons are disabled in this cluster. No Istio add-ons are returned in the output.
    ibmcloud ks cluster addon ls --cluster <cluster_name_or_ID>

Step 3: Removing resources

After the resources are saved and the add-on is disabled, the resources can be removed.

  1. The managed-istio-custom ConfigMap is not removed during uninstallation. If you later re-enable the Istio add-on, any customized settings that you made to the ConfigMap are applied during installation. If you don't want to re-use your custom settings in a later installation of Istio, you must delete the ConfigMap.

    kubectl delete cm -n ibm-operators managed-istio-custom

  2. For version 1.23 and earlier, delete the custom Istio operator (IOP) resources and the IOP.

    a. Delete any custom Istio operator (IOP) resources that you created, such as for a custom ingress gateway. When you run this command, the Istio operator automatically removes any resources that the IOP resource created, such as deployments or services.

    kubectl delete IstioOperator <resource_name> -n <namespace>

    b. Delete the managed-istio IOP.

    kubectl delete iop -n ibm-operators managed-istio

  3. For version 1.24 and later, save and then delete the addon-istio gateway ConfigMaps, remove the custom gateways, and delete the Istio control plane.

    a. Save the addon-istio gateway ConfigMaps.

    kubectl get cm -n ibm-operators managed-istio-ingressgateway-values -o json | jq -r .data.\"values.yaml\" > ingress-gateway.values
kubectl get cm -n ibm-operators managed-istio-egressgateway-values -o json | jq -r .data.\"values.yaml\" > egress-gateway.values

    b. Delete the addon-istio gateway ConfigMaps.

    kubectl delete cm -n ibm-operators managed-istio-egressgateway-values 
kubectl delete cm -n ibm-operators managed-istio-ingressgateway-values

    c. Remove the custom gateways.

    d. Delete the Istio control plane.

    istioctl uninstall -y --purge

    Output:

    All Istio resources will be pruned from the cluster

Removed apps/v1, Kind=Deployment/istiod.istio-system.
Removed /v1, Kind=Service/istiod.istio-system.
Removed /v1, Kind=ConfigMap/istio.istio-system.
Removed /v1, Kind=ConfigMap/istio-sidecar-injector.istio-system.
Removed /v1, Kind=Pod/istiod-7f59b54bfd-p5f4d.istio-system.
Removed /v1, Kind=Pod/istiod-7f59b54bfd-zckw6.istio-system.
Removed policy/v1, Kind=PodDisruptionBudget/istiod.istio-system.
Removed autoscaling/v2, Kind=HorizontalPodAutoscaler/istiod.istio-system.
Removed admissionregistration.k8s.io/v1, Kind=MutatingWebhookConfiguration/istio-sidecar-injector..
✔ Uninstall complete

  4. Wait 10 minutes before continuing to the next step.

Step 4: Remove the Istio operator

For version 1.23 and earlier, after the add-on is completely uninstalled, you can remove the Istio operator.

Delete the Istio operator deployment, service account, cluster role binding, and cluster role.

kubectl delete deployment -n ibm-operators addon-istio-operator --ignore-not-found=true
kubectl delete serviceaccount -n ibm-operators addon-istio-operator --ignore-not-found=true
kubectl delete clusterrolebinding addon-istio-operator --ignore-not-found=true
kubectl delete clusterrole addon-istio-operator --ignore-not-found=true