Setting up Istio

Author: Marcelo Carmona

Istio is an open-source service mesh that layers transparently onto existing distributed applications. Istio's powerful features provide a uniform and more efficient way to secure, connect, and monitor services. https://istio.io

Install Istio (macOS)

Check Kubernetes namespaces with kubectl get ns.

Install istioctl.

brew install istioctl
istioctl install

With kubectl get ns, you will see the new namespace created by istioctl.

With kubectl get pod -n istio-system, you will see the new pods created by Istio.

Istio is a very feature-rich service mesh that includes the following capabilities.

  • Traffic Management: This is the most basic feature of Istio.
  • Policy Control: Enables access control systems, telemetry capture, quota management, billing, etc.
  • Observability: Implemented in the sidecar proxy.
  • Security and Authentication: The Citadel component does key and certificate management.

Run an example in Kubernetes

I'm going to use this example: microservices-demo.

git clone https://github.com/GoogleCloudPlatform/microservices-demo.git
# or download https://github.com/GoogleCloudPlatform/microservices-demo/blob/master/release/kubernetes-manifests.yaml
cd microservices-demo/release

Run the demo manifest: kubectl apply -f kubernetes-manifests.yaml.

Run kubectl get pod and wait until the status is Running.

To configure Envoy proxy injection, we need to label the default namespace with istio-injection=enabled.

Let's see the current labels with kubectl get ns default --show-labels.

Run kubectl label namespace default istio-injection=enabled.

Sidecar injection happens only when a pod is created, so the pods that are already running have no proxy. We now shut down all the pods and recreate them to see the proxies being injected.

Run kubectl delete -f kubernetes-manifests.yaml.

Run kubectl get pod.

Run kubectl apply -f kubernetes-manifests.yaml.

Run kubectl get pod.

You can now see the proxy inside any pod with kubectl describe pod <a-pod-name>.
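
To confirm injection across the whole namespace rather than one pod at a time, the following added example (not part of the original post) lists every pod that has no istio-proxy container; such pods sit outside the mesh and its policies. It goes beyond the single kubectl describe check above, and the function names and sample pod names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find pods that did NOT get the Envoy sidecar after the
# namespace was labelled istio-injection=enabled and the pods were recreated.

# Reads lines of "<pod-name><TAB><space-separated container names>" on stdin
# and prints the name of every pod with no container named exactly istio-proxy.
pods_missing_sidecar() {
  awk -F'\t' '
    {
      found = 0
      n = split($2, names, " ")
      for (i = 1; i <= n; i++) if (names[i] == "istio-proxy") found = 1
      if (!found) print $1
    }'
}

# Produces those lines from a live cluster (namespace defaults to "default").
# Init containers are listed too, because Istio can also run the proxy as a
# native sidecar, which Kubernetes models as an init container.
list_pod_containers() {
  ns="${1:-default}"
  kubectl get pods -n "$ns" -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.initContainers[*].name} {.spec.containers[*].name}{"\n"}{end}'
}

# Constructed sample in the same format, so the check can be tried offline.
# The pod names are made up; cartservice stands in for a pod that was
# created before the namespace label was applied.
sample_pods() {
  printf 'frontend-6b8d5f9c7-abcde\tistio-init server istio-proxy\n'
  printf 'cartservice-5d9f7c6b4-fghij\tserver\n'
  printf 'redis-cart-7c4b9d8f6-klmno\tistio-init redis istio-proxy\n'
}

# Offline demonstration on the constructed sample.
sample_pods | pods_missing_sidecar

# Against a cluster:
#   list_pod_containers default | pods_missing_sidecar
```

An empty result from the live pipeline means every pod in the namespace carries the proxy.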

Install Istio integrations for visualization and monitoring (Kiali, Grafana, Prometheus, and Jaeger)

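We are going to use these add-ons. The manifests in samples/addons are demo deployments meant for quick evaluation; they are not tuned for performance or security.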

git clone https://github.com/istio/istio.git
cd istio
# To quickly deploy all addons:
kubectl apply -f samples/addons

You can see the new pods running with kubectl get pod -n istio-system.

To see the services, run kubectl get svc -n istio-system.

Port-forward to access the frontend and Kiali.

Run kubectl port-forward svc/frontend 8081:80.

Run kubectl port-forward svc/kiali -n istio-system 20001.

Go to http://localhost:20001/ and you will see the Kiali dashboard.
