Install with Gloo Operator

By using the Gloo Operator, you no longer need to manually install and manage the Istio control plane components. Instead, you provide minimal configuration in a ServiceMeshController custom resource, and the operator translates this configuration into a managed Istio experience. The Gloo Operator reduces both the amount of configuration required to deploy Istio and the overhead required to manage the lifecycle of Istio resources in your cluster.

The Gloo Operator uses Helm to install Istio, and by default installs the free Solo builds of Istio.

Platform pre-requisites

The operator detects your cloud provider and cluster platform, and configures the settings that platform requires. For example, if you create an ambient mesh in an OpenShift cluster, no OpenShift-specific settings are required in the ServiceMeshController, because the operator automatically applies the appropriate settings for OpenShift and your specific cloud provider.

You may still wish to read the system requirements before proceeding.

Install the Gloo Operator and Istio

Install the Gloo Operator

Install the Gloo Operator into the gloo-operator namespace:

$ helm install gloo-operator oci://us-docker.pkg.dev/solo-public/gloo-operator-helm/gloo-operator -n gloo-operator --create-namespace

Create configuration to install Istio

The ServiceMeshController resource describes the Istio installation that the operator will maintain. The operator also manages the Gateway API CRDs, so they do not have to be installed separately.

$ kubectl apply -f - <<EOF
apiVersion: operator.gloo.solo.io/v1
kind: ServiceMeshController
metadata:
  name: managed-istio
  labels:
    app.kubernetes.io/name: managed-istio
spec:
  dataplaneMode: Ambient
  installNamespace: istio-system
  version: 1.25.2
EOF

For more information on configuring the mesh installed by the Gloo Operator (including changing the installNamespace), refer to the Gloo Mesh documentation.

Verify the installation

The operator installs the Gateway API CRDs, the base Istio components, two replicas of the istiod control plane, and the CNI node agent and ztunnel on each node.

You can check the deployment status of the mesh by querying the status of the ServiceMeshController resource. When the mesh is successfully installed, the Phase will read SUCCEEDED.

$ kubectl describe servicemeshcontroller managed-istio
Status:
  Conditions:
    Last Transition Time:  2025-05-05T23:44:43Z
    Message:               Manifests initialized
    Observed Generation:   1
    Reason:                ManifestsInitialized
    Status:                True
    Type:                  Initialized
    Last Transition Time:  2025-05-05T23:44:43Z
    Message:               CRDs installed
    Observed Generation:   1
    Reason:                CRDInstalled
    Status:                True
    Type:                  CRDInstalled
    Last Transition Time:  2025-05-05T23:44:43Z
    Message:               Deployment succeeded
    Observed Generation:   1
    Reason:                DeploymentSucceeded
    Status:                True
    Type:                  ControlPlaneDeployed
    Last Transition Time:  2025-05-05T23:44:43Z
    Message:               Scheduling succeeded
    Observed Generation:   1
    Reason:                SchedulingSucceeded
    Status:                True
    Type:                  CNIDeployed
    Last Transition Time:  2025-05-05T23:44:43Z
    Message:               Scheduling succeeded
    Observed Generation:   1
    Reason:                SchedulingSucceeded
    Status:                True
    Type:                  NodeProxyDeployed
    Last Transition Time:  2025-05-05T23:44:43Z
    Message:               Deployment succeeded
    Observed Generation:   1
    Reason:                DeploymentSucceeded
    Status:                True
    Type:                  WebhookDeployed
    Last Transition Time:  2025-05-05T23:44:43Z
    Message:               All conditions are met
    Observed Generation:   1
    Reason:                SystemReady
    Status:                True
    Type:                  Ready
  Phase:                   SUCCEEDED
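
The condition check above can be scripted as an install or upgrade gate. The following is an added example, not part of the original page or the operator's own tooling: the function name smc_check, its optional MIN_GENERATION argument and the sample text are assumptions, and it parses the describe layout shown above. It goes one step beyond the text by also flagging conditions whose Observed Generation is older than the generation you expect, assuming the usual Kubernetes convention that Observed Generation tracks metadata.generation.

```shell
# smc_check [MIN_GENERATION]: reads `kubectl describe servicemeshcontroller`
# output on stdin, prints each problem, and returns non-zero unless every
# condition is True and current and Phase is SUCCEEDED.
smc_check() {
  awk -v want_gen="${1:-}" '
    $1 == "Message:" { sub(/^[ \t]*Message:[ \t]*/, ""); msg = $0; next }
    $1 == "Observed" && $2 == "Generation:" { gen = $3 }
    $1 == "Status:" && NF == 2 { status = $2 }  # bare top-level Status: is skipped
    $1 == "Type:" && NF == 2 {                  # Type closes each condition block
      seen++
      if (status != "True") {
        printf "condition %s is %s: %s\n", $2, status, msg; bad++
      } else if (want_gen != "" && gen + 0 < want_gen + 0) {
        printf "condition %s is stale: generation %s < %s\n", $2, gen, want_gen; bad++
      }
      status = ""; msg = ""; gen = ""
    }
    $1 == "Phase:" { phase = $2 }
    END {
      if (seen == 0) { print "no conditions reported"; bad++ }
      if (phase != "SUCCEEDED") { print "phase is " (phase == "" ? "missing" : phase); bad++ }
      exit (bad > 0)
    }'
}

# Constructed sample in the layout shown above (not captured from a cluster).
sample_ready() {
  cat <<'EOF'
Status:
  Conditions:
    Message:               CRDs installed
    Observed Generation:   1
    Status:                True
    Type:                  CRDInstalled
    Message:               All conditions are met
    Observed Generation:   1
    Status:                True
    Type:                  Ready
  Phase:                   SUCCEEDED
EOF
}

# Constructed failure: one condition flipped to False, placeholder phase value.
sample_degraded() {
  sample_ready | sed -e '/CRDs installed/,/Type:/s/True/False/' \
    -e 's/CRDs installed/constructed failure text/' -e 's/SUCCEEDED/PLACEHOLDER_PHASE/'
}

sample_degraded | smc_check || echo "mesh not ready"
```

Against a live cluster, pipe the real output into the function: kubectl describe servicemeshcontroller managed-istio | smc_check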

You can check the status of the deployed pods with:

$ kubectl get pods -n istio-system
NAME                           READY   STATUS    RESTARTS   AGE
istio-cni-node-bds5d           1/1     Running   0          5m
istio-cni-node-hld9c           1/1     Running   0          5m
istio-cni-node-p8h25           1/1     Running   0          5m
istiod-gloo-597c5c7bdc-7pgp2   1/1     Running   0          5m
istiod-gloo-597c5c7bdc-p4wjv   1/1     Running   0          5m
ztunnel-4zgm7                  1/1     Running   0          5m
ztunnel-6xkzk                  1/1     Running   0          5m
ztunnel-jmm5x                  1/1     Running   0          5m

Note: The control plane is installed with a revision tag of gloo so that it can be installed side-by-side with an existing Istio installation for migration purposes.

Upgrading using the operator

Upgrading your ambient mesh is as easy as changing the version field on the ServiceMeshController resource. The operator will perform a rolling upgrade of the components. The nature of ambient mesh means that no application restarts are required.