Upgrading Istio

Istio regularly gets security updates (patch version updates) and new features (minor/major version updates). Regarding upgrades, Service Mesh Manager uses the same approach for virtual machines integrated into the mesh as for Kubernetes workloads. For details, see Canary control plane upgrades.

Patch version updates

In case the Kubernetes deployment is upgraded to a new version of Service Mesh Manager that contains a newer (patch) version of Istio, the smm-agent running on the host will:

  • Automatically upgrade the smm-agent and restart it.
  • Automatically upgrade Istio, but not restart it.

Upgrading the smm-agent and restarting it ensures that Service Mesh Manager configures Istio in the best possible way according to the latest tests. Since smm-agent does not serve live traffic, restarting it does not endanger the availability of the production environment.

Restarting Istio would cause a service disruption that is not acceptable in production environments. Because there is no standard way to determine how to temporarily drain traffic from a VM, or even to check whether the VM is highly available, you must restart Istio when you see fit, for example, during a dedicated maintenance window.

The Service Mesh Manager dashboard shows the virtual machines that you need to restart as a validation error for the given WorkloadEntry.

The old Istio version keeps running until you restart the VM (or Istio itself). The new version starts up automatically after the restart.

To restart Istio, run the following command on the virtual machine:

systemctl stop istio
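
To check on the VM itself whether such a restart is still pending, the following added example (not part of Service Mesh Manager or its documentation) looks for processes of the istio unit whose executable has been replaced on disk. It assumes that the upgrade replaces the binary at the same path; the function names and the PROC_ROOT variable are hypothetical.

```shell
#!/bin/sh
# Added example (not Service Mesh Manager code): detect a pending Istio restart.
# Assumption: the upgrade replaces the binary at the same path, so the kernel
# reports the executable of the still-running old process as "... (deleted)".

PROC_ROOT="${PROC_ROOT:-/proc}"   # overridable so the check can be tested offline

# pid_runs_replaced_binary PID: 0 = replaced, 1 = current, 2 = cannot inspect
pid_runs_replaced_binary() {
    exe_target=$(readlink "$PROC_ROOT/$1/exe" 2>/dev/null) || return 2
    case "$exe_target" in
        *" (deleted)") return 0 ;;
        *)             return 1 ;;
    esac
}

# unit_pids UNIT: print the unit's main PID and that PID's direct children
unit_pids() {
    main_pid=$(systemctl show -p MainPID --value "$1" 2>/dev/null) || return 1
    [ "${main_pid:-0}" -gt 0 ] 2>/dev/null || return 1   # 0 = unit not running
    echo "$main_pid"
    pgrep -P "$main_pid" || true
}

# restart_pending UNIT: 0 if any process of the unit runs a replaced binary
restart_pending() {
    pending=1
    for pid in $(unit_pids "$1"); do
        if pid_runs_replaced_binary "$pid"; then
            echo "PID $pid still runs $exe_target"
            pending=0
        fi
    done
    return "$pending"
}

# "istio" is the unit name used by the restart command on this page.
if restart_pending istio; then
    echo "istio: old binary still running; restart it in a maintenance window"
else
    echo "istio: no replaced binary in use, or the unit is not running"
fi
```

Run it as root so that the executable links of the unit's processes are readable; a process that cannot be inspected is not reported as pending.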

Minor/major version updates

When the namespace hosting the VM is migrated to a new version of the control plane (see Canary control plane upgrades), smm-agent automatically notices that a new version of Istio is available.

At this point, it executes the same steps as with patch version updates, but you must restart Istio (or the virtual machine) when traffic characteristics allow for that downtime.