istio control plane only installs in istio-system namespace using istio-operator

[adabuleanu]

Bug description
When trying to create the IstioOperator CR in a different namespace than istio-system, the operator does not create the control plane resources. Neither creating a component in a specific namespace described here https://istio.io/docs/setup/install/istioctl/#configure-component-settings does not work.

Expected behavior
Istio control plane or components should install in any system using the IstioOperator CRD.

Steps to reproduce the bug

[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ istioctl version
no running Istio pods in "istio-system"
1.6.0
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get ns
NAME              STATUS   AGE
default           Active   10d
kube-node-lease   Active   10d
kube-public       Active   10d
kube-system       Active   10d
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ istioctl operator init
Using operator Deployment image: docker.io/istio/operator:1.6.0
- Processing resources for Istio operator.
- Processing resources for Istio operator.
- Processing resources for Istio operator.
  Processing resources for Istio operator.
- Processing resources for Istio operator.
- Processing resources for Istio operator.
- Processing resources for Istio operator.
  Processing resources for Istio operator. Waiting for Deployment/istio-operator/istio-operator
- Processing resources for Istio operator. Waiting for Deployment/istio-operator/istio-operator
- Processing resources for Istio operator. Waiting for Deployment/istio-operator/istio-operator
✔ Istio operator installed

✔ Installation complete
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get ns
NAME              STATUS   AGE
default           Active   10d
istio-operator    Active   11s
kube-node-lease   Active   10d
kube-public       Active   10d
kube-system       Active   10d
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get pod -n istio-operator
NAME                              READY   STATUS    RESTARTS   AGE
istio-operator-58f98cd489-29clx   1/1     Running   0          24s
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ cat istiooperator1.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istiocontrolplane
spec:
  profile: default
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl create ns test
namespace/test created
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl apply -f istiooperator1.yaml -n test
istiooperator.install.istio.io/istiocontrolplane created
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator -A
NAMESPACE   NAME                AGE
test        istiocontrolplane   6s
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator -A -o yaml
apiVersion: v1
items:
- apiVersion: install.istio.io/v1alpha1
  kind: IstioOperator
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"install.istio.io/v1alpha1","kind":"IstioOperator","metadata":{"annotations":{},"name":"istiocontrolplane","namespace":"test"},"spec":{"profile":"default"}}
    creationTimestamp: "2020-05-22T12:11:31Z"
    generation: 1
    name: istiocontrolplane
    namespace: test
    resourceVersion: "1045202"
    selfLink: /apis/install.istio.io/v1alpha1/namespaces/test/istiooperators/istiocontrolplane
    uid: 9a28cdb1-677a-4edc-a265-bda0be6d6d60
  spec:
    profile: default
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get pods -n test -w
╚[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator -A
NAMESPACE   NAME                AGE
test        istiocontrolplane   2m43s
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator -A -o yaml
apiVersion: v1
items:
- apiVersion: install.istio.io/v1alpha1
  kind: IstioOperator
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"install.istio.io/v1alpha1","kind":"IstioOperator","metadata":{"annotations":{},"name":"istiocontrolplane","namespace":"test"},"spec":{"profile":"default"}}
    creationTimestamp: "2020-05-22T12:11:31Z"
    generation: 1
    name: istiocontrolplane
    namespace: test
    resourceVersion: "1045202"
    selfLink: /apis/install.istio.io/v1alpha1/namespaces/test/istiooperators/istiocontrolplane
    uid: 9a28cdb1-677a-4edc-a265-bda0be6d6d60
  spec:
    profile: default
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get pods -n test -w
╚[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl create ns istio-system
namespace/istio-system created
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl apply -f istiooperator1.yaml -n istio-system
istiooperator.install.istio.io/istiocontrolplane created
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator -A
NAMESPACE      NAME                AGE
istio-system   istiocontrolplane   5s
test           istiocontrolplane   3m9s
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator istiocontrolplane -n istio-system -o yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"install.istio.io/v1alpha1","kind":"IstioOperator","metadata":{"annotations":{},"name":"istiocontrolplane","namespace":"istio-system"},"spec":{"profile":"default"}}
  creationTimestamp: "2020-05-22T12:14:35Z"
  finalizers:
  - istio-finalizer.install.istio.io
  generation: 1
  name: istiocontrolplane
  namespace: istio-system
  resourceVersion: "1045523"
  selfLink: /apis/install.istio.io/v1alpha1/namespaces/istio-system/istiooperators/istiocontrolplane
  uid: e95e203f-7abe-417d-ae45-1928f56a2e46
spec:
  profile: default
status:
  status: RECONCILING
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get pods -n istio-system -w
NAME                      READY   STATUS    RESTARTS   AGE
istiod-788cf6c878-ggj57   0/1     Running   0          5s
istiod-788cf6c878-ggj57   1/1     Running   0          5s
istio-ingressgateway-569669bb67-th45v   0/1     Pending   0          0s
istio-ingressgateway-569669bb67-th45v   0/1     Pending   0          0s
istio-ingressgateway-569669bb67-th45v   0/1     ContainerCreating   0          0s
prometheus-79878ff5fd-4bkhl             0/2     Pending             0          0s
prometheus-79878ff5fd-4bkhl             0/2     Pending             0          0s
prometheus-79878ff5fd-4bkhl             0/2     ContainerCreating   0          0s
istio-ingressgateway-569669bb67-th45v   0/1     Running             0          8s
istio-ingressgateway-569669bb67-th45v   1/1     Running             0          11s
prometheus-79878ff5fd-4bkhl             0/2     Running             0          11s
prometheus-79878ff5fd-4bkhl             1/2     Running             0          13s
prometheus-79878ff5fd-4bkhl             2/2     Running             0          13s
╚[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator istiocontrolplane -n istio-system -o yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"install.istio.io/v1alpha1","kind":"IstioOperator","metadata":{"annotations":{},"name":"istiocontrolplane","namespace":"istio-system"},"spec":{"profile":"default"}}
  creationTimestamp: "2020-05-22T12:14:35Z"
  finalizers:
  - istio-finalizer.install.istio.io
  generation: 1
  name: istiocontrolplane
  namespace: istio-system
  resourceVersion: "1045824"
  selfLink: /apis/install.istio.io/v1alpha1/namespaces/istio-system/istiooperators/istiocontrolplane
  uid: e95e203f-7abe-417d-ae45-1928f56a2e46
spec:
  profile: default
status:
  componentStatus:
    AddonComponents:
      status: HEALTHY
    Base:
      status: HEALTHY
    IngressGateways:
      status: HEALTHY
    Pilot:
      status: HEALTHY
  status: HEALTHY
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ cat istiooperator2.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istiocontrolplane
spec:
  profile: default
  components:
    citadel:
      enabled: true
      namespace: test-citadel
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl create ns test-citadel
namespace/test-citadel created
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl apply -f istiooperator2.yaml -n istio-system
istiooperator.install.istio.io/istiocontrolplane configured
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator -A
NAMESPACE      NAME                REVISION   AGE
istio-system   istiocontrolplane              97s
test           istiocontrolplane              4m41s
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator istiocontrolplane -n istio-system -o yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"install.istio.io/v1alpha1","kind":"IstioOperator","metadata":{"annotations":{},"name":"istiocontrolplane","namespace":"istio-system"},"spec":{"components":{"citadel":{"enabled":true,"namespace":"test-citadel"}},"profile":"default"}}
  creationTimestamp: "2020-05-22T12:14:35Z"
  finalizers:
  - istio-finalizer.install.istio.io
  generation: 2
  name: istiocontrolplane
  namespace: istio-system
  resourceVersion: "1045952"
  selfLink: /apis/install.istio.io/v1alpha1/namespaces/istio-system/istiooperators/istiocontrolplane
  uid: e95e203f-7abe-417d-ae45-1928f56a2e46
spec:
  components:
    citadel:
      enabled: true
      namespace: test-citadel
  profile: default
status:
  componentStatus:
    AddonComponents:
      status: RECONCILING
    Base:
      status: RECONCILING
    IngressGateways:
      status: RECONCILING
    Pilot:
      status: RECONCILING
  status: RECONCILING
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get pods -n test-citadel -w
╚[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator -A
NAMESPACE      NAME                REVISION   AGE
istio-system   istiocontrolplane              2m40s
test           istiocontrolplane              5m44s
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator istiocontrolplane -n istio-system -o yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"install.istio.io/v1alpha1","kind":"IstioOperator","metadata":{"annotations":{},"name":"istiocontrolplane","namespace":"istio-system"},"spec":{"components":{"citadel":{"enabled":true,"namespace":"test-citadel"}},"profile":"default"}}
  creationTimestamp: "2020-05-22T12:14:35Z"
  finalizers:
  - istio-finalizer.install.istio.io
  generation: 2
  name: istiocontrolplane
  namespace: istio-system
  resourceVersion: "1046011"
  selfLink: /apis/install.istio.io/v1alpha1/namespaces/istio-system/istiooperators/istiocontrolplane
  uid: e95e203f-7abe-417d-ae45-1928f56a2e46
spec:
  components:
    citadel:
      enabled: true
      namespace: test-citadel
  profile: default
status:
  componentStatus:
    Pilot:
      status: HEALTHY
  status: HEALTHY
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator -A
NAMESPACE      NAME                REVISION   AGE
istio-system   istiocontrolplane              2m44s
test           istiocontrolplane              5m48s
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get pods -n test-citadel -w
╚[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ cat istiooperator3.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istiocontrolplane
spec:
  profile: default
  components:
    citadel:
      enabled: true
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl apply -f istiooperator3.yaml -n istio-system
istiooperator.install.istio.io/istiocontrolplane configured
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator istiocontrolplane -n istio-system -o yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"install.istio.io/v1alpha1","kind":"IstioOperator","metadata":{"annotations":{},"name":"istiocontrolplane","namespace":"istio-system"},"spec":{"components":{"citadel":{"enabled":true}},"profile":"default"}}
  creationTimestamp: "2020-05-22T12:14:35Z"
  finalizers:
  - istio-finalizer.install.istio.io
  generation: 3
  name: istiocontrolplane
  namespace: istio-system
  resourceVersion: "1046160"
  selfLink: /apis/install.istio.io/v1alpha1/namespaces/istio-system/istiooperators/istiocontrolplane
  uid: e95e203f-7abe-417d-ae45-1928f56a2e46
spec:
  components:
    citadel:
      enabled: true
  profile: default
status:
  componentStatus:
    Pilot:
      status: RECONCILING
  status: RECONCILING
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get pods -n istio-system -w
NAME                                    READY   STATUS    RESTARTS   AGE
istio-ingressgateway-569669bb67-th45v   1/1     Running   0          3m8s
istiod-788cf6c878-ggj57                 1/1     Running   0          3m14s
prometheus-79878ff5fd-4bkhl             2/2     Running   0          3m8s

╚[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator istiocontrolplane -n istio-system -o yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"install.istio.io/v1alpha1","kind":"IstioOperator","metadata":{"annotations":{},"name":"istiocontrolplane","namespace":"istio-system"},"spec":{"components":{"citadel":{"enabled":true}},"profile":"default"}}
  creationTimestamp: "2020-05-22T12:14:35Z"
  finalizers:
  - istio-finalizer.install.istio.io
  generation: 3
  name: istiocontrolplane
  namespace: istio-system
  resourceVersion: "1046225"
  selfLink: /apis/install.istio.io/v1alpha1/namespaces/istio-system/istiooperators/istiocontrolplane
  uid: e95e203f-7abe-417d-ae45-1928f56a2e46
spec:
  components:
    citadel:
      enabled: true
  profile: default
status:
  componentStatus:
    Pilot:
      status: HEALTHY
  status: HEALTHY
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get pods -n istio-system -w
NAME                                    READY   STATUS    RESTARTS   AGE
istio-ingressgateway-569669bb67-th45v   1/1     Running   0          3m45s
istiod-788cf6c878-ggj57                 1/1     Running   0          3m51s
prometheus-79878ff5fd-4bkhl             2/2     Running   0          3m45s

Version (include the output of istioctl version --remote and kubectl version and helm version if you used Helm)

[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ istioctl version --remote
no running Istio pods in "istio-system"
1.6.0
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl version
Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.6", GitCommit:"72c30166b2105cd7d3350f2c28a219e6abcd79eb", GitTreeState:"clean", BuildDate:"2020-01-18T23:31:31Z", GoVersion:"go1.13.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.6", GitCommit:"72c30166b2105cd7d3350f2c28a219e6abcd79eb", GitTreeState:"clean", BuildDate:"2020-01-18T23:23:21Z", GoVersion:"go1.13.5", Compiler:"gc", Platform:"linux/amd64"}

How was Istio installed?
IstioOperator

Environment where bug was observed (cloud vendor, OS, etc)
vanilla Kubernetes 1.16.6, Rhel 7.8, Openstack VM

[erdun]

The operator can only watch one namespace if you want to watch other namespaces set set --istioNamespace=${namespace}

[adabuleanu]

Where do you apply this option? During istio operator init? I have tried this during istio Operator init and the operator still looks for istio-system namespace. Please see below.

[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$kubectl create ns istio
namespace/istio created
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$kubectl get ns
NAME              STATUS   AGE
default           Active   12d
istio             Active   6s
kube-node-lease   Active   12d
kube-public       Active   12d
kube-system       Active   12d
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$istioctl operator init --operatorNamespace=istio --istioNamespace=istio
Using operator Deployment image: docker.io/istio/operator:1.6.0
- Processing resources for Istio operator.
- Processing resources for Istio operator.
- Processing resources for Istio operator.
  Processing resources for Istio operator.
- Processing resources for Istio operator.
- Processing resources for Istio operator.
- Processing resources for Istio operator.
  Processing resources for Istio operator. Waiting for Deployment/istio/istio-operator
- Processing resources for Istio operator. Waiting for Deployment/istio/istio-operator
- Processing resources for Istio operator. Waiting for Deployment/istio/istio-operator
✔ Istio operator installed

✔ Installation complete
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$kubectl get ns
NAME              STATUS   AGE
default           Active   12d
istio             Active   2m2s
istio-operator    Active   12s
kube-node-lease   Active   12d
kube-public       Active   12d
kube-system       Active   12d
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$kubectl get pods -n istio
NAME                              READY   STATUS    RESTARTS   AGE
istio-operator-5fd6d8f4ff-bgnv8   1/1     Running   0          13s
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$kubectl get pods -n istio-operator
No resources found in istio-operator namespace.
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ cat istiooperator1.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istiocontrolplane
spec:
  profile: default
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl apply -f istiooperator1.yaml  -n istio

istiooperator.install.istio.io/istiocontrolplane created
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator -A
NAMESPACE   NAME                AGE
istio       istiocontrolplane   5s
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator -A -o yaml
apiVersion: v1apiVersion: v1
items:
- apiVersion: install.istio.io/v1alpha1
  kind: IstioOperator
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"install.istio.io/v1alpha1","kind":"IstioOperator","metadata":{"annotations":{},"name":"istiocontrolplane","namespace":"istio"},"spec":{"profile":"default"}}
    creationTimestamp: "2020-05-25T09:37:12Z"
    finalizers:
    - istio-finalizer.install.istio.io
    generation: 1
    name: istiocontrolplane
    namespace: istio
    resourceVersion: "1472607"
    selfLink: /apis/install.istio.io/v1alpha1/namespaces/istio/istiooperators/istiocontrolplane
    uid: a6b80a00-d997-49e5-84f0-f1d9b60b6260
  spec:
    profile: default
  status:
    status: RECONCILING
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get pods -n istio -w
NAME                              READY   STATUS    RESTARTS   AGE
istio-operator-5fd6d8f4ff-bgnv8   1/1     Running   0          2m14s
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator -A
NAMESPACE   NAME                REVISION   AGE
istio       istiocontrolplane              2m4s
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator -A -o yaml
apiVersion: v1
items:
- apiVersion: install.istio.io/v1alpha1
  kind: IstioOperator
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"install.istio.io/v1alpha1","kind":"IstioOperator","metadata":{"annotations":{},"name":"istiocontrolplane","namespace":"istio"},"spec":{"profile":"default"}}
    creationTimestamp: "2020-05-25T09:37:12Z"
    finalizers:
    - istio-finalizer.install.istio.io
    generation: 1
    name: istiocontrolplane
    namespace: istio
    resourceVersion: "1472766"
    selfLink: /apis/install.istio.io/v1alpha1/namespaces/istio/istiooperators/istiocontrolplane
    uid: a6b80a00-d997-49e5-84f0-f1d9b60b6260
  spec:
    profile: default
  status:
    componentStatus:
      AddonComponents:
        error: 'failed to create "ServiceAccount/istio-system/prometheus": namespaces
          "istio-system" not found, failed to create "ConfigMap/istio-system/prometheus":
          namespaces "istio-system" not found, failed to create "Deployment/istio-system/prometheus":
          namespaces "istio-system" not found, failed to create "Service/istio-system/prometheus":
          namespaces "istio-system" not found'
        status: ERROR
      Base:
        error: 'failed to create "ServiceAccount/istio-system/istio-reader-service-account":
          namespaces "istio-system" not found, failed to create "ServiceAccount/istio-system/istiod-service-account":
          namespaces "istio-system" not found'
        status: ERROR
      IngressGateways:
        error: 'failed to create "ServiceAccount/istio-system/istio-ingressgateway-service-account":
          namespaces "istio-system" not found, failed to create "Deployment/istio-system/istio-ingressgateway":
          namespaces "istio-system" not found, failed to create "PodDisruptionBudget/istio-system/istio-ingressgateway":
          namespaces "istio-system" not found, failed to create "Role/istio-system/istio-ingressgateway-sds":
          namespaces "istio-system" not found, failed to create "RoleBinding/istio-system/istio-ingressgateway-sds":
          namespaces "istio-system" not found, failed to create "HorizontalPodAutoscaler/istio-system/istio-ingressgateway":
          namespaces "istio-system" not found, failed to create "Service/istio-system/istio-ingressgateway":
          namespaces "istio-system" not found'
        status: ERROR
      Pilot:
        error: 'failed to create "EnvoyFilter/istio-system/metadata-exchange-1.4":
          namespaces "istio-system" not found, failed to create "EnvoyFilter/istio-system/metadata-exchange-1.5":
          namespaces "istio-system" not found, failed to create "EnvoyFilter/istio-system/metadata-exchange-1.6":
          namespaces "istio-system" not found, failed to create "EnvoyFilter/istio-system/stats-filter-1.4":
          namespaces "istio-system" not found, failed to create "EnvoyFilter/istio-system/stats-filter-1.5":
          namespaces "istio-system" not found, failed to create "EnvoyFilter/istio-system/stats-filter-1.6":
          namespaces "istio-system" not found, failed to create "EnvoyFilter/istio-system/tcp-metadata-exchange-1.5":
          namespaces "istio-system" not found, failed to create "EnvoyFilter/istio-system/tcp-metadata-exchange-1.6":
          namespaces "istio-system" not found, failed to create "EnvoyFilter/istio-system/tcp-stats-filter-1.5":
          namespaces "istio-system" not found, failed to create "EnvoyFilter/istio-system/tcp-stats-filter-1.6":
          namespaces "istio-system" not found, failed to create "ConfigMap/istio-system/istio":
          namespaces "istio-system" not found, failed to create "ConfigMap/istio-system/istio-sidecar-injector":
          namespaces "istio-system" not found, failed to create "Deployment/istio-system/istiod":
          namespaces "istio-system" not found, failed to create "PodDisruptionBudget/istio-system/istiod":
          namespaces "istio-system" not found, failed to create "HorizontalPodAutoscaler/istio-system/istiod":
          namespaces "istio-system" not found, failed to create "Service/istio-system/istiod":
          namespaces "istio-system" not found'
        status: ERROR
    status: ERROR
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get pods -n istio -w
NAME                              READY   STATUS    RESTARTS   AGE
istio-operator-5fd6d8f4ff-bgnv8   1/1     Running   0          4m36s

[erdun]

Hi, you should create namespaces istio-system first and everything runs fine

[adabuleanu]

If you crate the istio-system namespace it will create the istio control plane resources in that namespace. It looks like there is no way to configure istio control plane in another namespace.

[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl create ns istio
namespace/istio created
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get ns
NAME              STATUS   AGE
default           Active   15d
istio             Active   5s
kube-node-lease   Active   15d
kube-public       Active   15d
kube-system       Active   15d
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ istioctl operator init --operatorNamespace=istio --istioNamespace=istio
Using operator Deployment image: docker.io/istio/operator:1.6.0
- Processing resources for Istio operator.
- Processing resources for Istio operator.
- Processing resources for Istio operator.
  Processing resources for Istio operator.
- Processing resources for Istio operator.
- Processing resources for Istio operator.
- Processing resources for Istio operator.
  Processing resources for Istio operator. Waiting for Deployment/istio/istio-operator
- Processing resources for Istio operator. Waiting for Deployment/istio/istio-operator
✔ Istio operator installed

✔ Installation complete
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get ns
NAME              STATUS   AGE
default           Active   15d
istio             Active   37s
istio-operator    Active   11s
kube-node-lease   Active   15d
kube-public       Active   15d
kube-system       Active   15d
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get pods -n istio
NAME                              READY   STATUS    RESTARTS   AGE
istio-operator-5fd6d8f4ff-4smxs   1/1     Running   0          16s
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get pods -n istio-operator
No resources found in istio-operator namespace.
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ cat istiooperator1.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istiocontrolplane
spec:
  profile: default
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl create ns istio-system
namespace/istio-system created
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get ns
NAME              STATUS   AGE
default           Active   15d
istio             Active   70s
istio-operator    Active   44s
istio-system      Active   3s
kube-node-lease   Active   15d
kube-public       Active   15d
kube-system       Active   15d
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl apply -f istiooperator1.yaml  -n istio
istiooperator.install.istio.io/istiocontrolplane created
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator -A
NAMESPACE   NAME                AGE
istio       istiocontrolplane   6s
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator -A -o yaml
apiVersion: v1
items:
- apiVersion: install.istio.io/v1alpha1
  kind: IstioOperator
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"install.istio.io/v1alpha1","kind":"IstioOperator","metadata":{"annotations":{},"name":"istiocontrolplane","namespace":"istio"},"spec":{"profile":"default"}}
    creationTimestamp: "2020-05-28T08:51:18Z"
    finalizers:
    - istio-finalizer.install.istio.io
    generation: 1
    name: istiocontrolplane
    namespace: istio
    resourceVersion: "2027956"
    selfLink: /apis/install.istio.io/v1alpha1/namespaces/istio/istiooperators/istiocontrolplane
    uid: fddf544d-a7ed-4892-85d8-d59213956059
  spec:
    profile: default
  status:
    status: RECONCILING
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get pods -n istio -w
NAME                              READY   STATUS    RESTARTS   AGE
istio-operator-5fd6d8f4ff-4smxs   1/1     Running   0          81s
╚[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get pods -n istio-system -w
NAME                                    READY   STATUS             RESTARTS   AGE
istio-ingressgateway-569669bb67-vpcsl   1/1     Running            0          100s
istiod-788cf6c878-pvkrh                 1/1     Running            0          104s
prometheus-79878ff5fd-25tdv             2/2     Running            0          99s
╚[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator -A
NAMESPACE   NAME                REVISION   AGE
istio       istiocontrolplane              2m7s
[cloud-user@nci-service-mesh-performance-benchmark-1 ~]$ kubectl get istiooperator -A -o yaml
apiVersion: v1
items:
- apiVersion: install.istio.io/v1alpha1
  kind: IstioOperator
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"install.istio.io/v1alpha1","kind":"IstioOperator","metadata":{"annotations":{},"name":"istiocontrolplane","namespace":"istio"},"spec":{"profile":"default"}}
    creationTimestamp: "2020-05-28T08:51:18Z"
    finalizers:
    - istio-finalizer.install.istio.io
    generation: 1
    name: istiocontrolplane
    namespace: istio
    resourceVersion: "2028271"
    selfLink: /apis/install.istio.io/v1alpha1/namespaces/istio/istiooperators/istiocontrolplane
    uid: fddf544d-a7ed-4892-85d8-d59213956059
  spec:
    profile: default
  status:
    componentStatus:
      AddonComponents:
        status: HEALTHY
      Base:
        status: HEALTHY
      IngressGateways:
        status: HEALTHY
      Pilot:
        status: HEALTHY
    status: HEALTHY
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

[erdun]

Modify IstioOperator's global.istioNamespace

[sb1975]

I also tried all options to modify the istio control plane deployment into different namespace, none of the options are successful.
either you use global, or simple or Istio Operator or helm or istioctl install or create manifest and then do kubectl apply, seems very opinionated and any modifications is not supported.. tried all options below..
istioctl install --set profile=demo --set global.istioNamespace=istio-system1
istioctl install --set profile=demo -i istio-system-mobility
kubectl apply -f - <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system1
name: example-istiocontrolplane
spec:
profile: demo
EOF
helm template manifests/charts/istio-operator/ --set hub=docker.io/istio --set tag=1.6.1 --set operatorNamespace=istio-operator --set istioNamespace=istio-system1 | kubectl apply -f -

[ahuffman]

I'm also hitting this problem. In the istio-operator deployment the following env var is set to ensure we are watching for policies in the correct (non-default) namespace:

env:
  - name: WATCH_NAMESPACE
    value: "my-istio-system"

On my policy I have tried @erdun 's suggestion by making my policy as such:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: my-istio-system
  name: example-istiocontrolplane
spec:
  profile: demo
  values:
    global:
      istioNamespace: my-istio-system

I've also tried the following policy per the API documentation found here. <- I'm on 1.7 by the way.

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: my-istio-system
  name: example-istiocontrolplane
spec:
  profile: demo
  namespace: my-istio-system

as well as:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: my-istio-system
  name: example-istiocontrolplane
spec:
  profile: demo
  components:
    pilot:
      namespace: my-istio-system

I receive the same status error on all of these configurations as follows:

$ kc describe istiooperator example-istiocontrolplane -n my-istio-system
Name:         example-istiocontrolplane
Namespace:    my-istio-system
Labels:       <none>
Annotations:  API Version:  install.istio.io/v1alpha1
Kind:         IstioOperator
Metadata:
  Creation Timestamp:             2020-09-08T14:48:10Z
  Deletion Grace Period Seconds:  0
  Deletion Timestamp:             2020-09-08T21:56:05Z
  Finalizers:
    istio-finalizer.install.istio.io
  Generation:  5
  Managed Fields:
    API Version:  install.istio.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:finalizers:
          .:
          v:"istio-finalizer.install.istio.io":
      f:status:
        .:
        f:componentStatus:
        f:status:
    Manager:      operator
    Operation:    Update
    Time:         2020-09-08T21:50:45Z
    API Version:  install.istio.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:profile:
        f:values:
    Manager:         kubectl
    Operation:       Update
    Time:            2020-09-08T23:26:41Z
  Resource Version:  2521875
  Self Link:         /apis/install.istio.io/v1alpha1/namespaces/my-istio-system/istiooperators/example-istiocontrolplane
  UID:               84492797-4531-4e2a-b8cd-421ad924e8d8
Spec:
  Profile:  demo
  Values:
    Global:
      Istio Namespace:  my-istio-system
Status:
  Component Status:
    Base:
      Error:   failed to create "ServiceAccount/istio-system/istio-reader-service-account": namespaces "istio-system" not found, failed to create "ServiceAccount/istio-system/istiod-service-account": namespaces "istio-system" not found, failed to create "Role/istio-system/istiod-istio-system": namespaces "istio-system" not found, failed to create "RoleBinding/istio-system/istiod-istio-system": namespaces "istio-system" not found
      Status:  ERROR
    Egress Gateways:
      Status:  HEALTHY
    Ingress Gateways:
      Status:  HEALTHY
    Pilot:
      Error:   failed to create "EnvoyFilter/istio-system/metadata-exchange-1.6": namespaces "istio-system" not found, failed to create "EnvoyFilter/istio-system/metadata-exchange-1.7": namespaces "istio-system" not found, failed to create "EnvoyFilter/istio-system/stats-filter-1.6": namespaces "istio-system" not found, failed to create "EnvoyFilter/istio-system/stats-filter-1.7": namespaces "istio-system" not found, failed to create "EnvoyFilter/istio-system/tcp-metadata-exchange-1.6": namespaces "istio-system" not found, failed to create "EnvoyFilter/istio-system/tcp-metadata-exchange-1.7": namespaces "istio-system" not found, failed to create "EnvoyFilter/istio-system/tcp-stats-filter-1.6": namespaces "istio-system" not found, failed to create "EnvoyFilter/istio-system/tcp-stats-filter-1.7": namespaces "istio-system" not found
      Status:  ERROR
  Status:      ERROR
Events:        <none>

Is there something I'm missing, or is the documentation not correct on the ability to choose an alternative namespace than istio-system?

[ahuffman]

After some further debugging it seems that it's the pilot component specifically (at least in 1.7.0) that is not receiving any of the namespace updates on manifest generation. I was attempting to patch with an overlay configuration on the pilot component and apparently not doing it right, however I was seeing all objects update when there was a namespace change with exception to pilot (istio-operator logs):

2020-09-09T01:33:18.772037Z	error	installer	Error during reconcile: overlay for : does not match any object in output manifest. Available objects are:
HorizontalPodAutoscaler:my-istio-system:istiod
ConfigMap:my-istio-system:istio
Deployment:my-istio-system:istiod
ConfigMap:my-istio-system:istio-sidecar-injector
MutatingWebhookConfiguration::istio-sidecar-injector-my-istio-system
PodDisruptionBudget:my-istio-system:istiod
Service:my-istio-system:istiod
EnvoyFilter:istio-system:metadata-exchange-1.6
EnvoyFilter:istio-system:tcp-metadata-exchange-1.6
EnvoyFilter:istio-system:stats-filter-1.6
EnvoyFilter:istio-system:tcp-stats-filter-1.6
EnvoyFilter:istio-system:metadata-exchange-1.7
EnvoyFilter:istio-system:tcp-metadata-exchange-1.7
EnvoyFilter:istio-system:stats-filter-1.7
EnvoyFilter:istio-system:tcp-stats-filter-1.7
EnvoyFilter:istio-system:metadata-exchange-1.8
EnvoyFilter:istio-system:tcp-metadata-exchange-1.8
EnvoyFilter:istio-system:stats-filter-1.8
EnvoyFilter:istio-system:tcp-stats-filter-1.8

Notice specifically all of the EnvoyFilter objects.

Finally I decided to take a look into what's actually causing this in the source code. I hunted it down to the Helm charts here

It seems that the only charts that are inconsistent with the namespace being set to the value of .Release.Namespace are the telemetryv2_1.6.yaml and telemetryv2_1.7.yaml which have a conditional looking for .Values.meshConfig.rootNamespace which (you'll never guess it) are set to istio-system here.

And without further ado, here's a work-around configuration until the charts are fixed:

1.) Make sure you have your watch namespace configured properly on your istio-operator deployment
2.) Create the following IstioOperator in your custom namespace:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: example-istiocontrolplane
  namespace: my-istio-system
spec:
  profile: demo
  values:
    global:
      istioNamespace: my-istio-system
    meshConfig:
      rootNamespace: my-istio-system

[istio-policy-bot]

🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2020-05-22. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.

[ahuffman]

This should not be closed.

[RangelReale]

After some further debugging it seems that it's the pilot component specifically (at least in 1.7.0) that is not receiving any of the namespace updates on manifest generation. I was attempting to patch with an overlay configuration on the pilot component and apparently not doing it right, however I was seeing all objects update when there was a namespace change with exception to pilot (istio-operator logs):

2020-09-09T01:33:18.772037Z	error	installer	Error during reconcile: overlay for : does not match any object in output manifest. Available objects are:
HorizontalPodAutoscaler:my-istio-system:istiod
ConfigMap:my-istio-system:istio
Deployment:my-istio-system:istiod
ConfigMap:my-istio-system:istio-sidecar-injector
MutatingWebhookConfiguration::istio-sidecar-injector-my-istio-system
PodDisruptionBudget:my-istio-system:istiod
Service:my-istio-system:istiod
EnvoyFilter:istio-system:metadata-exchange-1.6
EnvoyFilter:istio-system:tcp-metadata-exchange-1.6
EnvoyFilter:istio-system:stats-filter-1.6
EnvoyFilter:istio-system:tcp-stats-filter-1.6
EnvoyFilter:istio-system:metadata-exchange-1.7
EnvoyFilter:istio-system:tcp-metadata-exchange-1.7
EnvoyFilter:istio-system:stats-filter-1.7
EnvoyFilter:istio-system:tcp-stats-filter-1.7
EnvoyFilter:istio-system:metadata-exchange-1.8
EnvoyFilter:istio-system:tcp-metadata-exchange-1.8
EnvoyFilter:istio-system:stats-filter-1.8
EnvoyFilter:istio-system:tcp-stats-filter-1.8

Notice specifically all of the EnvoyFilter objects.

Finally I decided to take a look into what's actually causing this in the source code. I hunted it down to the Helm charts here

It seems that the only charts that are inconsistent with the namespace being set to the value of .Release.Namespace are the telemetryv2_1.6.yaml and telemetryv2_1.7.yaml which have a conditional looking for .Values.meshConfig.rootNamespace which (you'll never guess it) are set to istio-system here.

And without further ado, here's a work-around configuration until the charts are fixed:

1.) Make sure you have your watch namespace configured properly on your istio-operator deployment
2.) Create the following IstioOperator in your custom namespace:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: example-istiocontrolplane
  namespace: my-istio-system
spec:
  profile: demo
  values:
    global:
      istioNamespace: my-istio-system
    meshConfig:
      rootNamespace: my-istio-system

This worked for me.

[nick4fake]

I agree @ahuffman, there is an obvious issue with docs not specifying how to use different namespace. Could we please reopen this one?