
Install and configure Istio CNI plugin on a node, detect and repair pod which is broken by race condition.

```
install-cni [flags]
```

| Flags | Description |
| --- | --- |
| `--chained-cni-plugin` | Whether to install CNI plugin as a chained or standalone |
| `--cni-conf-name <string>` | Name of the CNI configuration file (default ``) |
| `--cni-enable-reinstall` | Whether to reinstall CNI configuration and binary files |
| `--cni-net-dir <string>` | Directory on the host where CNI network plugins are installed (default `/etc/cni/net.d`) |
| `--cni-network-config <string>` | CNI configuration template as a string (default ``) |
| `--cni-network-config-file <string>` | CNI config template as a file (default ``) |
| `--ctrlz_address <string>` | The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`) |
| `--ctrlz_port <uint16>` | The IP port to use for the ControlZ introspection facility (default `9876`) |
| `--kube-ca-file <string>` | CA file for kubeconfig. Defaults to the same as install-cni pod (default ``) |
| `--kubecfg-file-name <string>` | Name of the kubeconfig file which CNI plugin will use when interacting with API server (default `ZZZ-istio-cni-kubeconfig`) |
| `--kubeconfig-mode <int>` | File mode of the kubeconfig file (default `384`) |
| `--log-level <string>` | Fallback value for log level in CNI config file, if not specified in helm template (default `warn`) |
| `--log-uds-address <string>` | The UDS server address which CNI plugin will copy log output to (default `/var/run/istio-cni/log.sock`) |
| `--log_as_json` | Whether to format output as JSON or in plain console-friendly format |
| `--log_caller <string>` | Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, default, install, klog, repair] (default ``) |
| `--log_output_level <string>` | Comma-separated minimum per-scope logging level of messages to output, in the form of `<scope>:<level>,<scope>:<level>,...` where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
| `--log_rotate <string>` | The path for the optional rotating log file (default ``) |
| `--log_rotate_max_age <int>` | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
| `--log_rotate_max_backups <int>` | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
| `--log_rotate_max_size <int>` | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
| `--log_stacktrace_level <string>` | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of `<scope>:<level>,<scope:level>,...` where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
| `--log_target <stringArray>` | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
| `--monitoring-port <int>` | HTTP port to serve prometheus metrics (default `15014`) |
| `--mounted-cni-net-dir <string>` | Directory on the container where CNI networks are installed (default `/host/etc/cni/net.d`) |
| `--repair-broken-pod-label-key <string>` | The key portion of the label which will be set by the race repair if label pods is true (default |
| `--repair-broken-pod-label-value <string>` | The value portion of the label which will be set by the race repair if label pods is true (default `true`) |
| `--repair-delete-pods` | Controller will delete pods when detecting pod broken by race condition |
| `--repair-enabled` | Whether to enable race condition repair or not |
| `--repair-field-selectors <string>` | A set of field selectors in label=value format that will be added to the pod list filters (default ``) |
| `--repair-init-container-exit-code <int>` | Expected exit code for the init container when crash-looping because of CNI misconfiguration (default `126`) |
| `--repair-init-container-name <string>` | The name of the istio init container (will crash-loop if CNI is not configured for the pod) (default `istio-validation`) |
| `--repair-init-container-termination-message <string>` | The expected termination message for the init container when crash-looping because of CNI misconfiguration (default ``) |
| `--repair-label-pods` | Controller will label pods when detecting pod broken by race condition |
| `--repair-label-selectors <string>` | A set of label selectors in label=value format that will be added to the pod list filters (default ``) |
| `--repair-node-name <string>` | The name of the managed node (will manage all nodes if unset) (default ``) |
| `--repair-run-as-daemon` | Controller will run in a loop |
| `--repair-sidecar-annotation <string>` | An annotation key that indicates this pod contains an istio sidecar. All pods without this annotation will be ignored. The value of the annotation is ignored. (default |
| `--skip-cni-binaries <istio-cni>` | Binaries that should not be installed. Currently Istio only installs one binary istio-cni (default `[]`) |
| `--skip-tls-verify` | Whether to use insecure TLS in kubeconfig file |
| `--update-cni-binaries` | Whether to refresh existing binaries when installing CNI |

install-cni completion

Generate the autocompletion script for install-cni for the specified shell. See each sub-command’s help for details on how to use the generated script.

| Flags | Description |
| --- | --- |
| `--ctrlz_address <string>` | The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`) |
| `--ctrlz_port <uint16>` | The IP port to use for the ControlZ introspection facility (default `9876`) |
| `--log_as_json` | Whether to format output as JSON or in plain console-friendly format |
| `--log_caller <string>` | Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, default, install, klog, repair] (default ``) |
| `--log_output_level <string>` | Comma-separated minimum per-scope logging level of messages to output, in the form of `<scope>:<level>,<scope>:<level>,...` where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
| `--log_rotate <string>` | The path for the optional rotating log file (default ``) |
| `--log_rotate_max_age <int>` | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
| `--log_rotate_max_backups <int>` | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
| `--log_rotate_max_size <int>` | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
| `--log_stacktrace_level <string>` | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of `<scope>:<level>,<scope:level>,...` where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
| `--log_target <stringArray>` | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |

install-cni completion bash

Generate the autocompletion script for the bash shell.

This script depends on the ‘bash-completion’ package. If it is not installed already, you can install it via your OS’s package manager.

To load completions in your current shell session:

```
$ source <(install-cni completion bash)
```

To load completions for every new session, execute once:

```
# Linux:
$ install-cni completion bash > /etc/bash_completion.d/install-cni
# MacOS:
$ install-cni completion bash > /usr/local/etc/bash_completion.d/install-cni
```

You will need to start a new shell for this setup to take effect.

```
install-cni completion bash
```

| Flags | Description |
| --- | --- |
| `--ctrlz_address <string>` | The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`) |
| `--ctrlz_port <uint16>` | The IP port to use for the ControlZ introspection facility (default `9876`) |
| `--log_as_json` | Whether to format output as JSON or in plain console-friendly format |
| `--log_caller <string>` | Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, default, install, klog, repair] (default ``) |
| `--log_output_level <string>` | Comma-separated minimum per-scope logging level of messages to output, in the form of `<scope>:<level>,<scope>:<level>,...` where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
| `--log_rotate <string>` | The path for the optional rotating log file (default ``) |
| `--log_rotate_max_age <int>` | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
| `--log_rotate_max_backups <int>` | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
| `--log_rotate_max_size <int>` | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
| `--log_stacktrace_level <string>` | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of `<scope>:<level>,<scope:level>,...` where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
| `--log_target <stringArray>` | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
| `--no-descriptions` | disable completion descriptions |

install-cni completion fish

Generate the autocompletion script for the fish shell.

To load completions in your current shell session:

```
$ install-cni completion fish | source
```

To load completions for every new session, execute once:

```
$ install-cni completion fish > ~/.config/fish/completions/
```

You will need to start a new shell for this setup to take effect.

```
install-cni completion fish [flags]
```

| Flags | Description |
| --- | --- |
| `--ctrlz_address <string>` | The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`) |
| `--ctrlz_port <uint16>` | The IP port to use for the ControlZ introspection facility (default `9876`) |
| `--log_as_json` | Whether to format output as JSON or in plain console-friendly format |
| `--log_caller <string>` | Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, default, install, klog, repair] (default ``) |
| `--log_output_level <string>` | Comma-separated minimum per-scope logging level of messages to output, in the form of `<scope>:<level>,<scope>:<level>,...` where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
| `--log_rotate <string>` | The path for the optional rotating log file (default ``) |
| `--log_rotate_max_age <int>` | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
| `--log_rotate_max_backups <int>` | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
| `--log_rotate_max_size <int>` | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
| `--log_stacktrace_level <string>` | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of `<scope>:<level>,<scope:level>,...` where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
| `--log_target <stringArray>` | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
| `--no-descriptions` | disable completion descriptions |

install-cni completion powershell

Generate the autocompletion script for powershell.

To load completions in your current shell session:

```
PS C:\> install-cni completion powershell | Out-String | Invoke-Expression
```

To load completions for every new session, add the output of the above command to your powershell profile.

```
install-cni completion powershell [flags]
```

| Flags | Description |
| --- | --- |
| `--ctrlz_address <string>` | The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`) |
| `--ctrlz_port <uint16>` | The IP port to use for the ControlZ introspection facility (default `9876`) |
| `--log_as_json` | Whether to format output as JSON or in plain console-friendly format |
| `--log_caller <string>` | Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, default, install, klog, repair] (default ``) |
| `--log_output_level <string>` | Comma-separated minimum per-scope logging level of messages to output, in the form of `<scope>:<level>,<scope>:<level>,...` where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
| `--log_rotate <string>` | The path for the optional rotating log file (default ``) |
| `--log_rotate_max_age <int>` | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
| `--log_rotate_max_backups <int>` | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
| `--log_rotate_max_size <int>` | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
| `--log_stacktrace_level <string>` | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of `<scope>:<level>,<scope:level>,...` where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
| `--log_target <stringArray>` | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
| `--no-descriptions` | disable completion descriptions |

install-cni completion zsh

Generate the autocompletion script for the zsh shell.

If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:

```
$ echo "autoload -U compinit; compinit" >> ~/.zshrc
```

To load completions for every new session, execute once:

```
# Linux:
$ install-cni completion zsh > "${fpath[1]}/_install-cni"
# macOS:
$ install-cni completion zsh > /usr/local/share/zsh/site-functions/_install-cni
```

You will need to start a new shell for this setup to take effect.

```
install-cni completion zsh [flags]
```

| Flags | Description |
| --- | --- |
| `--ctrlz_address <string>` | The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`) |
| `--ctrlz_port <uint16>` | The IP port to use for the ControlZ introspection facility (default `9876`) |
| `--log_as_json` | Whether to format output as JSON or in plain console-friendly format |
| `--log_caller <string>` | Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, default, install, klog, repair] (default ``) |
| `--log_output_level <string>` | Comma-separated minimum per-scope logging level of messages to output, in the form of `<scope>:<level>,<scope>:<level>,...` where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
| `--log_rotate <string>` | The path for the optional rotating log file (default ``) |
| `--log_rotate_max_age <int>` | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
| `--log_rotate_max_backups <int>` | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
| `--log_rotate_max_size <int>` | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
| `--log_stacktrace_level <string>` | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of `<scope>:<level>,<scope:level>,...` where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
| `--log_target <stringArray>` | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
| `--no-descriptions` | disable completion descriptions |

install-cni version

Prints out build version information

```
install-cni version [flags]
```

| Flags | Shorthand | Description |
| --- | --- | --- |
| `--ctrlz_address <string>` | | The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`) |
| `--ctrlz_port <uint16>` | | The IP port to use for the ControlZ introspection facility (default `9876`) |
| `--log_as_json` | | Whether to format output as JSON or in plain console-friendly format |
| `--log_caller <string>` | | Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, default, install, klog, repair] (default ``) |
| `--log_output_level <string>` | | Comma-separated minimum per-scope logging level of messages to output, in the form of `<scope>:<level>,<scope>:<level>,...` where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
| `--log_rotate <string>` | | The path for the optional rotating log file (default ``) |
| `--log_rotate_max_age <int>` | | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
| `--log_rotate_max_backups <int>` | | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
| `--log_rotate_max_size <int>` | | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
| `--log_stacktrace_level <string>` | | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of `<scope>:<level>,<scope:level>,...` where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
| `--log_target <stringArray>` | | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
| `--output <string>` | `-o` | One of 'yaml' or 'json'. (default ``) |
| `--short` | `-s` | Use --short=false to generate full version information |

Environment variables

These environment variables affect the behavior of the install-cni command. Please use with caution as these environment variables are experimental and can change anytime.

| Variable Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| `CHAINED_CNI_PLUGIN` | Boolean | `true` | Whether to install CNI plugin as a chained or standalone |
| `CNI_CONF_NAME` | String | | Name of the CNI configuration file |
| `CNI_ENABLE_REINSTALL` | Boolean | `true` | Whether to reinstall CNI configuration and binary files |
| `CNI_NETWORK_CONFIG` | String | | CNI configuration template as a string |
| `CNI_NETWORK_CONFIG_FILE` | String | | CNI config template as a file |
| `CNI_NET_DIR` | String | `/etc/cni/net.d` | Directory on the host where CNI network plugins are installed |
| `KUBECFG_FILE_NAME` | String | `ZZZ-istio-cni-kubeconfig` | Name of the kubeconfig file which CNI plugin will use when interacting with API server |
| `KUBECONFIG_MODE` | Integer | `384` | File mode of the kubeconfig file |
| `KUBE_CA_FILE` | String | | CA file for kubeconfig. Defaults to the same as install-cni pod |
| `LOG_LEVEL` | String | `warn` | Fallback value for log level in CNI config file, if not specified in helm template |
| `LOG_UDS_ADDRESS` | String | `/var/run/istio-cni/log.sock` | The UDS server address which CNI plugin will copy log output to |
| `MONITORING_PORT` | Integer | `15014` | HTTP port to serve prometheus metrics |
| `MOUNTED_CNI_NET_DIR` | String | `/host/etc/cni/net.d` | Directory on the container where CNI networks are installed |
| | | | key portion of the label which will be set by the race repair if label pods is true |
| `REPAIR_BROKEN_POD_LABEL_VALUE` | String | `true` | The value portion of the label which will be set by the race repair if label pods is true |
| `REPAIR_DELETE_PODS` | Boolean | `false` | Controller will delete pods when detecting pod broken by race condition |
| `REPAIR_ENABLED` | Boolean | `true` | Whether to enable race condition repair or not |
| `REPAIR_FIELD_SELECTORS` | String | | A set of field selectors in label=value format that will be added to the pod list filters |
| `REPAIR_INIT_CONTAINER_EXIT_CODE` | Integer | `126` | Expected exit code for the init container when crash-looping because of CNI misconfiguration |
| `REPAIR_INIT_CONTAINER_NAME` | String | `istio-validation` | The name of the istio init container (will crash-loop if CNI is not configured for the pod) |
| `REPAIR_INIT_CONTAINER_TERMINATION_MESSAGE` | String | | The expected termination message for the init container when crash-looping because of CNI misconfiguration |
| `REPAIR_LABEL_PODS` | Boolean | `false` | Controller will label pods when detecting pod broken by race condition |
| `REPAIR_LABEL_SELECTORS` | String | | A set of label selectors in label=value format that will be added to the pod list filters |
| `REPAIR_NODE_NAME` | String | | The name of the managed node (will manage all nodes if unset) |
| `REPAIR_RUN_AS_DAEMON` | Boolean | `false` | Controller will run in a loop |
| | | | annotation key that indicates this pod contains an istio sidecar. All pods without this annotation will be ignored. The value of the annotation is ignored. |
| `SKIP_CNI_BINARIES` | String | | Binaries that should not be installed. Currently Istio only installs one binary istio-cni |
| `SKIP_TLS_VERIFY` | Boolean | `false` | Whether to use insecure TLS in kubeconfig file |
| `UPDATE_CNI_BINARIES` | Boolean | `true` | Whether to refresh existing binaries when installing CNI |
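
A configuration check built from the variables in the table above, as an added example (not Istio code): it reads `NAME=value` lines on stdin and reports settings that loosen the kubeconfig's protection or turn off race-condition repair. The function names, the input format and the accepted boolean spellings are assumptions; `KUBECONFIG_MODE` is a decimal integer, so the default `384` is `0600` in octal.

```shell
#!/usr/bin/env bash
# Added example (not Istio code): audit install-cni environment settings.
# Input on stdin: NAME=value lines, e.g. copied from the DaemonSet container env.
# Starting values are the defaults listed in the table on this page.

# Assumption: booleans use Go-style spellings (1, t, T, true, TRUE, True).
is_true() {
    case $1 in
        1|t|T|true|TRUE|True) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one "FINDING ..." line per issue; prints nothing for a clean config.
audit_install_cni_env() {
    local name value
    local skip_tls=false mode=384 repair=true

    while IFS='=' read -r name value; do
        case $name in
            SKIP_TLS_VERIFY) skip_tls=$value ;;
            KUBECONFIG_MODE) mode=$value ;;
            REPAIR_ENABLED)  repair=$value ;;
        esac
    done

    # The kubeconfig written for the plugin would use insecure TLS.
    if is_true "$skip_tls"; then
        echo "FINDING SKIP_TLS_VERIFY=$skip_tls: kubeconfig uses insecure TLS"
    fi

    # Permission bits are easier to review in octal than in the decimal
    # form the variable takes. Reject anything that is not plain decimal
    # (including a leading zero, which suggests an octal value was intended).
    case $mode in
        ''|*[!0-9]*|0?*)
            echo "FINDING KUBECONFIG_MODE=$mode: not a plain decimal integer" ;;
        *)
            # 63 decimal == 077 octal: any group or other permission bit.
            if [ $((mode & 63)) -ne 0 ]; then
                printf 'FINDING KUBECONFIG_MODE=%d (0%o): accessible beyond the file owner\n' \
                    "$mode" "$mode"
            fi ;;
    esac

    # With repair off, pods broken by the race condition are not handled.
    if ! is_true "$repair"; then
        echo "FINDING REPAIR_ENABLED=$repair: race condition repair is disabled"
    fi
    return 0
}

# Constructed sample input (not taken from a real cluster).
audit_install_cni_env <<'EOF'
CNI_NET_DIR=/etc/cni/net.d
KUBECONFIG_MODE=420
SKIP_TLS_VERIFY=true
REPAIR_ENABLED=true
EOF
```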

Exported metrics

| Metric Name | Type | Description |
| --- | --- | --- |
| `istio_build` | LastValue | Istio component build info |
| `istio_cni_install_ready` | LastValue | Whether the CNI plugin installation is ready or not |
| `istio_cni_installs_total` | Sum | Total number of CNI plugins installed by the Istio CNI installer |
| `istio_cni_repair_pods_repaired_total` | Sum | Total number of pods repaired by repair controller |