Before you begin

Before you begin a multicluster installation, review the deployment models guide which describes the foundational concepts used throughout this guide.

In addition, review the requirements and perform the initial steps below.

Requirements

Cluster

This guide requires that you have two Kubernetes clusters with support for LoadBalancer Services on any of the supported Kubernetes versions: 1.29, 1.30, 1.31, 1.32, 1.33.

API Server Access

The API Server in each cluster must be accessible to the other clusters in the mesh. Many cloud providers make API Servers publicly accessible via network load balancers (NLB). The ambient east-west gateway cannot be used to expose the API server as it only supports double HBONE traffic. A non-ambient east-west gateway could be used to enable access to the API Server.

Environment Variables

This guide will refer to two clusters: cluster1 and cluster2. The following environment variables will be used throughout to simplify the instructions:

Set the two variables before proceeding:

$ export CTX_CLUSTER1=<your cluster1 context>
$ export CTX_CLUSTER2=<your cluster2 context>

Configure Trust

A multicluster service mesh deployment requires that you establish trust between all clusters in the mesh. Depending on the requirements for your system, there may be multiple options available for establishing trust. See certificate management for detailed descriptions and instructions for all available options. Depending on which option you choose, the installation instructions for Istio may change slightly.

This guide will assume that you use a common root to generate intermediate certificates for each primary cluster. Follow the instructions to generate and push a CA certificate secret to both the cluster1 and cluster2 clusters.

Next steps

You’re now ready to install an Istio ambient mesh across multiple clusters.

• Install Multi-Primary on Different Networks