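---
# IstioOperator install manifest: default profile with istiod, one ingress
# gateway and one egress gateway.
#
# The document is laid out one key per line. When it is collapsed onto a single
# line, everything after the first '#' is read as a comment and the settings
# below are lost.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
spec:
  # default: minimal configuration; enable further features as needed.
  profile: default

  # Image settings.
  # NOTE(review): images are pulled from public Docker Hub by tag. Consider
  # mirroring them to a registry you control, so the images that run are the
  # ones that were reviewed.
  hub: docker.io/istio  # image registry address
  # Quoted so the version is always read as a string.
  tag: "1.28.1"  # production should run a stable release

  # Component settings.
  components:
    # Istio base components (CRDs and so on).
    base:
      enabled: true

    # istiod: the core control-plane component.
    pilot:
      enabled: true
      k8s:
        # Production should run at least 2 replicas for high availability.
        replicaCount: 2
        # Suggested resource sizing.
        resources:
          requests:
            cpu: 500m
            memory: 1024Mi
          limits:
            cpu: 1000m
            memory: 2048Mi
        # Pod anti-affinity, so that one node failure does not take out every
        # istiod replica. This is the "preferred" (soft) form: the scheduler
        # may still co-locate replicas when no other node fits.
        affinity:
          podAntiAffinity:
            preferredDuringSchedulingIgnoredDuringExecution:
              - weight: 100
                podAffinityTerm:
                  labelSelector:
                    matchExpressions:
                      - key: istio
                        operator: In
                        values:
                          - pilot
                  topologyKey: kubernetes.io/hostname
        # HPA autoscaling on CPU utilization.
        hpaSpec:
          minReplicas: 2
          maxReplicas: 5
          metrics:
            - type: Resource
              resource:
                name: cpu
                target:
                  type: Utilization
                  averageUtilization: 70

    # Ingress gateway: entry point for inbound traffic.
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          # Production should run 2 or more replicas. This manifest sets 1, so
          # the gateway is a single point of failure for inbound traffic.
          replicaCount: 1
          # Suggested resource sizing (adjust to actual traffic).
          resources:
            requests:
              cpu: 100m
              memory: 512Mi
            limits:
              cpu: 1000m
              memory: 1024Mi
          # Service settings.
          # NOTE(review): port 80 is published on the load balancer. Whether it
          # serves cleartext depends on Gateway resources outside this file;
          # redirect it to HTTPS there, or drop the port if it is not needed.
          service:
            type: LoadBalancer  # LoadBalancer is recommended for production
            ports:
              - port: 80
                targetPort: 8080
                name: http2
                protocol: TCP
              - port: 443
                targetPort: 8443
                name: https
                protocol: TCP

    # Egress gateway: exit point for outbound traffic. Enabling it is
    # recommended in production to control egress.
    # NOTE(review): deploying the gateway does not restrict egress by itself.
    # This file does not set meshConfig.outboundTrafficPolicy, and Istio's
    # default mode is ALLOW_ANY, so workloads can still reach external hosts
    # directly. Pair it with REGISTRY_ONLY, routing through the gateway, and a
    # NetworkPolicy that blocks traffic bypassing the gateway.
    egressGateways:
      - name: istio-egressgateway
        enabled: true  # recommended in production to control egress traffic
        k8s:
          # Single replica: same availability caveat as the ingress gateway.
          replicaCount: 1
          resources:
            requests:
              cpu: 100m
              memory: 512Mi
            limits:
              cpu: 1000m
              memory: 1024Mi

  # Values passed through to the charts.
  values:
    defaultRevision: ""  # default revision used for sidecar injection

    # Global settings.
    global:
      istioNamespace: istio-system  # namespace Istio is installed into
      configValidation: true  # enable configuration validation

    # Gateway settings.
    gateways:
      istio-ingressgateway: {}
      istio-egressgateway: {}

    # ztunnel settings (used by ambient mesh).
    ztunnel:
      # Resource name.
      resourceName: ztunnel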