A Helm chart for deploying a diagnostic pod that scans Kubernetes clusters for existing Istio installations and generates a comprehensive pre-check report.
- 🔍 Scans for Istio installations across the cluster
- 📊 Generates detailed diagnostic reports
- 🔄 Updatable script via ConfigMap (no image rebuild needed)
- ☁️ Compatible with major cloud Kubernetes services (EKS, GKE, AKS)
- 📝 Easy log retrieval to local machine
- Kubernetes cluster (1.20+)
- Helm 3.x
- kubectl configured to access your cluster
tetrate-pre-check-tool/
├── Chart.yaml
├── values.yaml
├── README.md
└── templates/
├── _helpers.tpl
├── configmap.yaml
├── deployment.yaml
├── rbac.yaml
└── serviceaccount.yaml
git clone https://github.com/tetratecx/tetrate-pre-check-tool.git
cd tetrate-pre-check-toolhelm install tetrate-pre-check . -n istio-system --create-namespacekubectl get pods -n istio-system -l app.kubernetes.io/name=tetrate-pre-check-toolWait until the pod status shows "Running".
Once the pod is running, download the diagnostic log to your local machine:
kubectl cp istio-system/$(kubectl get pod -n istio-system -l app.kubernetes.io/name=tetrate-pre-check-tool -o jsonpath='{.items[0].metadata.name}'):/output/tetrate-pre-check-tool.log ./tetrate-pre-check-tool.logAlternatively, if you know the pod name:
kubectl cp istio-system/tetrate-pre-check-tool:/output/tetrate-pre-check-tool.log ./tetrate-pre-check-tool.logcat tetrate-pre-check-tool.logOr follow logs in real-time:
kubectl logs -n istio-system -l app.kubernetes.io/name=tetrate-pre-check-tool -fThe diagnostic script is stored in a ConfigMap, allowing you to update it without rebuilding any images:
- Edit the ConfigMap:
kubectl edit configmap -n istio-system tetrate-pre-check-tool-scripts- Or update the
templates/configmap.yamlfile and upgrade the Helm release:
helm upgrade tetrate-pre-check . -n istio-system- Delete and recreate the pod to run the updated script:
kubectl delete pod -n istio-system -l app.kubernetes.io/name=tetrate-pre-check-tool
helm upgrade tetrate-pre-check . -n istio-systemEdit values.yaml or provide overrides during installation:
# Change namespace (default: istio-system)
namespace: my-namespace
# Change istioctl version
istioctlVersion: "1.23.2"
# Adjust resource limits
resources:
limits:
cpu: 1000m
memory: 1Gi
requests:
cpu: 200m
memory: 256MiApply custom values:
helm install tetrate-pre-check . -n istio-system --set istioctlVersion=1.22.0The pre-check tool scans for:
- ✅ Istio version (local and remote)
- ✅ Control plane components (pods, deployments, services)
- ✅ Istiod revisions and namespace labels
- ✅ Sidecar injection verification
- ✅ Control plane health validation
- ✅ Proxy status and configuration analysis
- ✅ Webhook configurations
- ✅ Gateway deployments
- ✅ Istio CRDs and custom resources
- ✅ Cluster-wide Istio context
helm uninstall tetrate-pre-check -n istio-systemTo also remove the namespace (if no other resources exist):
kubectl delete namespace istio-systemCheck pod events:
kubectl describe pod -n istio-system -l app.kubernetes.io/name=tetrate-pre-check-toolThe chart creates a ClusterRole with comprehensive read access and specific permissions required by istioctl commands:
- Read access to pods, services, deployments, and other core resources
- Access to secrets (required by
istioctl analyze) - Port-forward permissions (required by
istioctl version --remoteandistioctl proxy-status) - ServiceAccount token creation (required by
istioctl proxy-status)
If you see permission errors, verify the ClusterRoleBinding is properly created:
kubectl get clusterrolebinding tetrate-pre-check-toolVerify the pod is running:
kubectl get pods -n istio-systemCheck if the log file exists:
kubectl exec -n istio-system <pod-name> -- ls -la /output/After updating the ConfigMap, you must delete and recreate the pod:
kubectl delete pod -n istio-system -l app.kubernetes.io/name=tetrate-pre-check-toolApache 2.0
For issues and questions, please open an issue on the GitHub repository.