Istio is one of the three core technologies in the container-based cloud native stack. The other two are Kubernetes and Knative, and both of them already support the arm64 architecture. Envoy, Istio’s data plane, has supported arm64 since version 1.16 (October 2020). With the release of Istio 1.15, the control plane supports arm64 as well. You don’t need to build the arm image manually; it works out of the box.
How to set up Istio on arm before 1.15?
Istio uses Docker Hub as the production image repository and Google Container Registry as the development and test repository. For releases before 1.14, the official Istio image repository only contained images for the amd64 architecture. If your Kubernetes cluster is running on arm and you try to install Istio arm64 images, you will get the following error:
exec user process caused: exec format error
To fix this issue, you can use the hub flag and provide a repository containing the arm64 architecture images to the Istio installation by running the following command:
$ istioctl install --set profile=demo --set hub=docker.io/mydockerhub -y
Up until Istio 1.15, if you wanted to run Istio on the arm64 architecture, you could either use the image created by an Istio community member who built Istio separately for arm64, or build your own arm64 image.
What has Istio done to support arm?
The following binaries and images must be compiled for the arm architecture for Istio to support arm:
- istioctl: this is the easiest part and only requires cross-compilation using the Go language, which is supported by earlier versions of Istio.
- pilot: the image running in the control plane Istiod.
- proxyv2: images used in Ingress and Egress gateways and as sidecar proxies, automatically injected via a Kubernetes mutating webhook.
The Envoy used in Istio’s data plane is forked from the official Envoy repository. If Envoy already supported arm64 long ago, why didn’t Istio officially support it? Because Istio’s official CI environment, prow.istio.io, runs on GKE, which had no arm64 machines, so it could not run the tests.
GKE officially started supporting arm64 VMs in July 2022. This makes it easier to compile and test Istio for arm64. See Run your Arm workloads on Google Kubernetes Engine with Tau T2A VMs.
As for building images for the arm architecture, you can use Docker BuildKit for multi-platform builds, and you can compile images for the specified arm architecture using the following command:
docker buildx build --platform linux/arm64
For more information about docker buildx, please refer to the Docker documentation.
After you install Istio as usual, each Kubernetes node will automatically pull the image that matches its own platform architecture.
Note that Istio does not officially support arm32 and only offers images for the amd64 and arm64 architectures.
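One way to check, before pointing the hub flag at a repository, that its pilot and proxyv2 images really publish a linux/arm64 variant, and to obtain the digest to pin. This is an added example, not code from the article or the Istio project; it assumes the raw manifest JSON was saved from `docker buildx imagetools inspect --raw`, and the sample manifests and digests below are constructed.

```python
import json

# Media types that mark a multi-platform index (OCI index / Docker manifest list).
INDEX_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}

def platform_digest(raw, os_name="linux", arch="arm64"):
    """Digest of the per-platform manifest, or None if the index has no such entry.
    A single-architecture manifest also yields None: its architecture is recorded
    in the image config, not in the manifest, so it cannot be confirmed here."""
    doc = json.loads(raw)
    if doc.get("mediaType") not in INDEX_TYPES:
        return None
    for entry in doc.get("manifests", []):
        plat = entry.get("platform") or {}
        # buildx attestation entries carry os/architecture "unknown" and never match
        if plat.get("os") == os_name and plat.get("architecture") == arch:
            return entry["digest"]
    return None

def audit_hub(manifests, arch="arm64"):
    """Return ({image: digest to pin}, [images with no confirmed arch variant])."""
    pinned, unverified = {}, []
    for image, raw in manifests.items():
        digest = platform_digest(raw, arch=arch)
        if digest:
            pinned[image] = digest
        else:
            unverified.append(image)
    return pinned, sorted(unverified)

def entry(arch, fill, os_name="linux"):
    return {"digest": "sha256:" + fill * 64,
            "platform": {"os": os_name, "architecture": arch}}

# Constructed sample input: placeholder digests, not real Istio image digests.
SAMPLE = {
    "pilot": json.dumps({
        "mediaType": "application/vnd.oci.image.index.v1+json",
        "manifests": [entry("amd64", "a"), entry("arm64", "b"),
                      entry("unknown", "c", os_name="unknown")]}),
    "proxyv2": json.dumps({  # single-arch manifest, as published before multi-arch images
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "config": {"digest": "sha256:" + "d" * 64}, "layers": []}),
}

if __name__ == "__main__":
    print(audit_hub(SAMPLE))
```

An image listed as unverified is the case that produces the exec format error when it turns out to be amd64-only, so inspect its config architecture before installing from that hub.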