Sail operator 1.0.0 has been released: manage Istio with an operator

Sail Operator 1.0.0 released, a project part of the istio-ecosystem organization. Let's dive in into the basics of the Sail Operator and let's run an example to show how easy it is to manage Istio with it.

Mar 19, 2025 | By Francisco Herrera - Red Hat

The Sail operator is GA with a clear mission: to simplify and streamline Istio management in your cluster. By using the Kubernetes operator pattern, Sail operator aims to add new value to istio by improving the upgrade process.

Simplified Deployment & Management

The Sail operator is engineered to cut down the complexity of installing and running Istio. It automates manual tasks, ensuring a consistent, reliable, and uncomplicated experience from initial installation to ongoing maintenance and upgrades of Istio versions in your cluster. Besides this, the Sail operator APIs are built around Istio’s Helm chart APIs, which means that all the istio configurations are available through the Sail Operator CRDs’ values.

We encourage users to go through our live documentation to learn more about this new way to manage your istio control plane.

The main resources that are part of the Sail operator are:

Istio: manages your istio control plane.
IstioRevision: it represents a revision of the control plane.
IstioRevisionTag: resource represents a stable revision tag, which functions as an alias for Istio control plane revisions.
IstioCNI: Istio’s CNI plugin resource.
ZTunnel: ambient mode ztunnel DaemonSet (alpha feature).

Note that if you are migrating from the (now deprecated and deleted) In-Cluster Istio operator, you can check this section in our documentation where we explain the equivalence of resources, or you can also try our resource converter to easily convert your IstioOperator resource to an Istio resource.

Main Features and support

Each component of the Istio control plane is managed independently by the Sail Operator through dedicated Kubernetes Custom Resources (CRs). The Sail Operator provides separate CRDs for components such as Istio, IstioCNI, and ZTunnel, allowing you to configure, manage, and upgrade them individually. Additionally, there are CRDs for IstioRevision and IstioRevisionTag to manage Istio control plane revisions.
Support for multiple Istio versions. Currently the 1.0.0 version supports: 1.24.3, 1.24.2, 1.24.1, 1.23.5, 1.23.4, 1.23.3, 1.23.0.
Two update strategies are supported: InPlace and RevisionBased. Check our documentation for more information about the update types supported.
Support for multicluster Istio deployment models: multi-primary, primary-remote, external control plane. More information and examples in our documentation.
Ambient is alpha: check our specific documentation.
Addons are managed separately from the Sail Operator. They can be easily integrated with the Sail operator, you can check this section for the documentation for examples and more information.

Why Now?

As cloud-native architectures continue to evolve, a robust and user-friendly operator for Istio is more essential than ever. The Sail Operator offers developers and operations teams a consistent, secure, and efficient solution that feels familiar to those used to working with operators. Its GA release signals a mature solution, ready to support even the most demanding production environments.

Try it out

Do you want to try our operator? Going over this example will show you how to safely do an update of your istio control plane by using the revision-based upgrade strategy, this means you will have two Istio control planes running at the same time, allowing you to migrate workloads easily, minimizing the risk of traffic disruptions.

Prerequisites:

Running cluster
Helm
Kubectl
Istioctl

Install the operator from the sail operator helm repository

$ helm repo add sail-operator https://istio-ecosystem.github.io/sail-operator
$ helm repo update
$ kubectl create namespace sail-operator
$ helm install sail-operator sail-operator/sail-operator --version 1.0.0 -n sail-operator

The operator is now installed in your cluster:

NAME: sail-operator
LAST DEPLOYED: Tue Mar 18 12:00:46 2025
NAMESPACE: sail-operator
STATUS: deployed
REVISION: 1
TEST SUITE: None

Ensure the operator pod is running

$ kubectl get pods -n sail-operator

NAME                             READY   STATUS    RESTARTS   AGE
sail-operator-56bf994f49-j67ft   1/1     Running   0          87s

Create an Istio resource with istio version 1.24.2 and a Istio revision tag

$ kubectl create ns istio-system
$ cat <<EOF | kubectl apply -f-
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: default
spec:
  namespace: istio-system
  updateStrategy:
    type: RevisionBased
    inactiveRevisionDeletionGracePeriodSeconds: 30
  version: v1.24.2
---
apiVersion: sailoperator.io/v1
kind: IstioRevisionTag
metadata:
  name: default
spec:
  targetRef:
    kind: Istio
    name: default
EOF

Note that the IstioRevisionTag has a target reference to the Istio resource with the name default.

Check the state of the resources created:

istiod pods are running

$ kubectl get pods -n istio-system

NAME                                    READY   STATUS    RESTARTS   AGE
istiod-default-v1-24-2-bd8458c4-jl8zm   1/1     Running   0          3m45s

Istio resource created

$ kubectl get istio

NAME      REVISIONS   READY   IN USE   ACTIVE REVISION   STATUS    VERSION   AGE
default   1           1       1        default-v1-24-2   Healthy   v1.24.2   4m27s

IstioRevisionTag resource created

$ kubectl get istiorevisiontag

NAME      STATUS                    IN USE   REVISION          AGE
default   NotReferencedByAnything   False    default-v1-24-2   4m43s

Note that the IstioRevisionTag status is NotReferencedByAnything, this is because there are currently no resources using the revision default-v1-24-2.

Deploy sample application

Create a namespace and label it to enable istio injection

$ kubectl create namespace sample
$ kubectl label namespace sample istio-injection=enabled

After labeling the namespace you will see that the IstioRevisionTag resource status will change to In Use true, this is because there is now a resource using the revision default-v1-24-2.

$ kubectl get istiorevisiontag

NAME      STATUS    IN USE   REVISION          AGE
default   Healthy   True     default-v1-24-2   6m24s

Deploy the sample application

$ kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/sleep/sleep.yaml -n sample

Confirm istio proxy version of the sample app match the control plane version

$ istioctl proxy-status

NAME                              CLUSTER        CDS              LDS              EDS              RDS              ECDS        ISTIOD                                    VERSION
sleep-5fcd8fd6c8-q4c9x.sample     Kubernetes     SYNCED (78s)     SYNCED (78s)     SYNCED (78s)     SYNCED (78s)     IGNORED     istiod-default-v1-24-2-bd8458c4-jl8zm     1.24.2

Upgrade the Istio control plane to version 1.24.3

Update the Istio resource with the new version

$ kubectl patch istio default -n istio-system --type='merge' -p '{"spec":{"version":"v1.24.3"}}'

Check the Istio resource, you will see that there are two revisions and there are two Istio ready

$ kubectl get istio

NAME      REVISIONS   READY   IN USE   ACTIVE REVISION   STATUS    VERSION   AGE
default   2           2       2        default-v1-24-3   Healthy   v1.24.3   10m

The IstioRevisiontag now references the new revision

$ kubectl get istiorevisiontag

NAME      STATUS    IN USE   REVISION          AGE
default   Healthy   True     default-v1-24-3   11m

There are two IstioRevisions, one for each istio version

$ kubectl get istiorevision

NAME              TYPE   READY   STATUS    IN USE   VERSION   AGE
default-v1-24-2          True    Healthy   True     v1.24.2   11m
default-v1-24-3          True    Healthy   True     v1.24.3   92s

The Sail Operator automatically detects whether a given Istio control plane is being used and writes this information in the “In Use” status condition that you see above. Right now, all IstioRevisions and our IstioRevisionTag are considered “In Use”:

The old revision default-v1-24-2 is considered in use because it is referenced by the sample application’s sidecar.
The new revision default-v1-24-3 is considered in use because it is referenced by the tag.
The tag is considered in use because it is referenced by the sample namespace.

Confirm there are two control plane pods running, one for each revision

$ kubectl get pods -n istio-system

NAME                                      READY   STATUS    RESTARTS   AGE
istiod-default-v1-24-2-bd8458c4-jl8zm     1/1     Running   0          16m
istiod-default-v1-24-3-68df97dfbb-v7ndm   1/1     Running   0          6m32s

Confirm the proxy sidecar version remains the same

$ istioctl proxy-status

NAME                              CLUSTER        CDS                LDS                EDS                RDS                ECDS        ISTIOD                                    VERSION
sleep-5fcd8fd6c8-q4c9x.sample     Kubernetes     SYNCED (6m40s)     SYNCED (6m40s)     SYNCED (6m40s)     SYNCED (6m40s)     IGNORED     istiod-default-v1-24-2-bd8458c4-jl8zm     1.24.2

Restart the sample pod

$ kubectl rollout restart deployment -n sample

Confirm the proxy sidecar version is updated

$ istioctl proxy-status

NAME                              CLUSTER        CDS              LDS              EDS              RDS              ECDS        ISTIOD                                      VERSION
sleep-6f87fcf556-k9nh9.sample     Kubernetes     SYNCED (29s)     SYNCED (29s)     SYNCED (29s)     SYNCED (29s)     IGNORED     istiod-default-v1-24-3-68df97dfbb-v7ndm     1.24.3

When an IstioRevision is no longer in use and is not the active revision of an Istio resource (for example, when it is not the version that is set in the spec.version field), the Sail Operator will delete it after a grace period, which defaults to 30 seconds. Confirm the deletion of the old control plane and IstioRevision:

$ kubectl get pods -n istio-system

NAME                                      READY   STATUS    RESTARTS   AGE
istiod-default-v1-24-3-68df97dfbb-v7ndm   1/1     Running   0          10m

$ kubectl get istiorevision

NAME              TYPE   READY   STATUS    IN USE   VERSION   AGE
default-v1-24-3          True    Healthy   True     v1.24.3   13m

$ kubectl get istio

NAME      REVISIONS   READY   IN USE   ACTIVE REVISION   STATUS    VERSION   AGE
default   1           1       1        default-v1-24-3   Healthy   v1.24.3   24m

Conclusion

The Sail Operator automates manual tasks, ensuring a consistent, reliable, and uncomplicated experience from initial installation to ongoing maintenance and upgrades of Istio in your cluster. The Sail Operator is an istio-ecosystem project, and we encourage you to try it out and provide feedback to help us improve it, you can check our contribution guide here for more information about how to contribute to the project.