Version: v2.11

Additional Steps for Installing Istio on RKE2 and K3s Clusters

danger

Rancher-Istio will be deprecated in Rancher v2.12.0; turn to the SUSE Rancher Application Collection build of Istio for enhanced security (included in SUSE Rancher Prime subscriptions).

Detailed information can be found in this announcement.

When installing or upgrading the Istio Helm chart through Apps,

If you are installing the chart, click Customize Helm options before install and click Next.
You will see options for configuring the Istio Helm chart. On the Components tab, check the box next to Enabled CNI.
Add a custom overlay file specifying cniBinDir and cniConfDir. For more information on these options, refer to the Istio documentation. An example is below:

RKE2
K3s

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    cni:
      enabled: true
      k8s:
        overlays:
        - apiVersion: "apps/v1"
          kind: "DaemonSet"
          name: "istio-cni-node"
          patches:
          - path: spec.template.spec.containers.[name:install-cni].securityContext.privileged
            value: true
  values:
    cni:
      cniBinDir: /opt/cni/bin
      cniConfDir: /etc/cni/net.d

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    cni:
      enabled: true
      k8s:
        overlays:
        - apiVersion: "apps/v1"
          kind: "DaemonSet"
          name: "istio-cni-node"
          patches:
          - path: spec.template.spec.containers.[name:install-cni].securityContext.privileged
            value: true
  values:
    cni:
      cniBinDir: /var/lib/rancher/k3s/data/current/bin
      cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d

Result: Now you should be able to utilize Istio as desired, including sidecar injection and monitoring via Kiali.