In this article, I will show you how to run Istio on Kubernetes. Istio is an open platform that provides a uniform way to connect, manage, and secure microservices. Istio supports managing traffic flows between microservices, enforcing access policies, and aggregating telemetry data, all without requiring changes to the microservice code.
Original resource: https://istio.io/docs/examples/bookinfo/#if-you-are-running-on-kubernetes
Make sure you have Kubernetes on your machine. If you are running Kubernetes on your laptop, you can install Minikube: https://kubernetes.io/docs/tasks/tools/install-minikube/
Following are Istio components:
- Pilot — Responsible for configuring the Envoy and Mixer at runtime.
- Proxy / Envoy — Sidecar proxies per microservice to handle ingress/egress traffic between services in the cluster and from service to external services. The proxies form a secure microservice mesh providing a rich set of functions like discovery, rich layer-7 routing, circuit breakers, policy enforcement, and telemetry recording/reporting functions.
- Mixer — Creates a portability layer on top of infrastructure backends. Enforces policies such as ACLs, rate limits, quotas, authentication, request tracing and telemetry collection at an infrastructure level.
- Citadel / Istio CA — Secures service-to-service communication over TLS. It provides a key management system to automate key and certificate generation, distribution, rotation, and revocation.
- Ingress/Egress — Configure path based routing for inbound and outbound external traffic.
- Control Plane API — Underlying Orchestrator such as Kubernetes or Hashicorp Nomad.
The overall architecture is shown below.
Step 1 — Launch Kubernetes Cluster
To start, launch the Kubernetes cluster. If you’re using Minikube, you can start the Kubernetes cluster by typing
You can get the status of the cluster with
Step 2 — Deploy Istio
Istio is installed in two parts. The first part involves the CLI tooling that will be used to deploy and manage Istio backed services. The second part configures the Kubernetes cluster to support Istio.
Install CLI tooling
The following command will install the Istio 1.0.0 release.
curl -L https://git.io/getLatestIstio | sh -
After it has successfully run, add the bin folder to your path.
export PATH="$PATH:$HOME/istio-1.0.5/bin"
cd ~/istio-1.0.5
istio-1.0.5: 1.0.5 is the latest version when I write this document, and I put the Istio folder in my home directory (~). Please adjust the Istio directory and version based on your configuration.
Configure Istio CRD
Istio has extended Kubernetes via Custom Resource Definitions (CRD). Deploy the extensions by applying crds.yaml.
kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml -n istio-system
Install Istio with default mutual TLS authentication
To install Istio and enforce mutual TLS authentication by default, use the YAML file istio-demo-auth.yaml:
kubectl apply -f install/kubernetes/istio-demo-auth.yaml
This will deploy Pilot, Mixer, Ingress-Controller, and Egress-Controller, and the Istio CA (Certificate Authority). These are explained in the next step.
All the services are deployed as Pods.
kubectl get pods -n istio-system
Wait until they are all running or have completed. Once they’re running, Istio has correctly been deployed.
Step 3 — Istio Sample Application
To showcase Istio, a BookInfo web application has been created. This sample deploys a simple application composed of four separate microservices which will be used to demonstrate various features of the Istio service mesh.
When deploying an application that will be extended via Istio, the Kubernetes YAML definitions are extended via kube-inject. This will configure the service's proxy sidecar (Envoy), Mixers, certificates, and init containers.
First, go to your Istio directory. In my case I go to:
If you are using manual sidecar injection, use the following command:
kubectl apply -f <(istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml)
The istioctl kube-inject command is used to manually modify the bookinfo.yaml file before creating the deployments, as documented here.
If you are using a cluster with automatic sidecar injection enabled, label the default namespace with
kubectl label namespace default istio-injection=enabled
Then simply deploy the services using
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
Confirm the gateway has been created:
kubectl get gateway
Get Gateway IP
kubectl get svc istio-ingressgateway -n istio-system
kubectl get pods
When the Pods are starting, you may see initiation steps happening as the container is created. This is configuring the Envoy sidecar for handling the traffic management and authentication for the application within the Istio service mesh.
Once running, the application can be accessed via the path /productpage.
The architecture of the application is described in the next step.
Apply default destination rules
Before you can use Istio to control the Bookinfo version routing, you need to define the available versions, called subsets, in destination rules.
kubectl apply -f samples/bookinfo/networking/destination-rule-all-mtls.yaml
The BookInfo sample application deployed is composed of four microservices:
- The productpage microservice is the homepage, populated using the details and reviews microservices.
- The details microservice contains the book information.
- The reviews microservice contains the book reviews. It uses the ratings microservice for the star rating.
- The ratings microservice contains the book rating for a book review.
The deployment included three versions of the reviews microservice to showcase different behaviour and routing:
- Version v1 doesn’t call the ratings service.
- Version v2 calls the ratings service and displays each rating as 1 to 5 black stars.
- Version v3 calls the ratings service and displays each rating as 1 to 5 red stars.
The services communicate over HTTP using DNS for service discovery. An overview of the architecture is shown below.
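As an added example (not from this article or from Istio's own sample files), here is a destination rule for the reviews service that defines the three subsets listed above, equivalent to the reviews entry in destination-rule-all-mtls.yaml, plus a virtual service that pins all traffic to v1; the file name reviews-v1-mtls.yaml is assumed. Because Istio was installed with istio-demo-auth.yaml, the rule must set ISTIO_MUTUAL, otherwise the client sidecar sends plaintext and the server sidecar rejects it.

```yaml
# Added example, not the article's or Istio's own file.
# Apply with: kubectl apply -f reviews-v1-mtls.yaml (assumed file name)
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  trafficPolicy:
    tls:
      # Client sidecar originates mutual TLS using the Citadel-issued
      # certificate. Needed when mTLS is enforced by istio-demo-auth.yaml.
      mode: ISTIO_MUTUAL
  subsets:
  # Subset names map to the version labels on the reviews deployments.
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        # Route every request to the subset that never calls ratings.
        subset: v1
```

Check the result with kubectl get destinationrule reviews -o yaml and then reload /productpage: with the route pinned to v1, no stars should appear.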