How to migrate from vanilla Kubernetes to Istio service mesh?
The goal of this guide is to give the reader the most concise and non-intimidating introduction to istio possible, while also pointing to further reading material if it piques their interest.
Before we start with the installation, let us compare it with vanilla Kubernetes.
Template flow vanilla vs istio
Instead of ingress, we have gateways which connect to virtual services. Everything else downstream remains the same.
Why virtual services?
Out to in
Whenever a new deployment is created in an istio-injected namespace, an envoy container is inserted into each of its pods. It is widely referred to as the sidecar. It automatically intercepts all incoming and outgoing requests; the application does not need to know about this abstraction.
TIP: Reading the logs of the envoy is useful for debugging
This guide was written during istio 1.3.x; if things have changed too much since then, consult the official documentation.
We will be installing istio on a Kubernetes cluster using helm charts.
You can find the detailed process on the official istio website, but here is a quick version.
First, make sure helm and its server-side component Tiller are installed. For more details on helm, refer to the official guide.
brew install helm
In case you are unable to install Tiller for some reason, you can just export the helm charts as plain k8s templates and apply those instead.
Next, we install istio
# First we create the namespace for istio
kubectl create namespace istio-system

# Add the helm repo
helm repo add istio.io https://storage.googleapis.com/istio-release/releases/1.3.1/charts/

# Istio bootstrapper
# (make sure this process finishes, the pods should be in "finished" state)
helm install istio.io/istio-init --name istio-init --namespace istio-system

# Should be 23 (at time of writing this guide)
# kubectl get crds | grep 'istio.io' | wc -l

# Actual istio
# You can read about SDS over here (https://preliminary.istio.io/docs/tasks/traffic-management/ingress/secure-ingress-sds/)
helm install istio.io/istio --name istio --set gateways.istio-ingressgateway.sds.enabled=true --set sds.enabled=true --namespace istio-system

# Verify the installation
# kubectl get svc -n istio-system
# kubectl get deployment -n istio-system
In order for deployments in your namespace to use istio, we need to enable istio injection.
IMPORTANT: You have to delete and recreate your existing deployments.
IMPORTANT: You don’t have to inject
# The following command enables injection in the potato namespace
kubectl label namespace potato istio-injection=enabled

# To verify
kubectl get namespace -L istio-injection
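The same switch expressed declaratively, as an added example that is not part of the original guide: the namespace label that the kubectl command above sets, and a Deployment in that namespace that opts one workload out of injection with the per-pod annotation. The `potato` namespace and the `tomato` name are the placeholders already used in this guide; the container image is a placeholder as well.

```yaml
# Added example, not from the original guide. "potato" and "tomato" are the
# placeholder names used in this guide; the image is a placeholder too.
---
# Namespace-level switch, equivalent to:
#   kubectl label namespace potato istio-injection=enabled
apiVersion: v1
kind: Namespace
metadata:
  name: potato
  labels:
    istio-injection: enabled
---
# A workload in that namespace that should NOT get a sidecar (for example a
# batch worker that never serves traffic). Injection happens when the pod is
# created, so the annotation goes on the pod template, not on the Deployment
# itself, and pods that already exist only pick it up once they are recreated.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomato-worker
  namespace: potato
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomato-worker
  template:
    metadata:
      labels:
        app: tomato-worker
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - name: worker
        image: placeholder.example/tomato-worker:1.0 # placeholder image
```

After applying this, `kubectl get pods -n potato -o jsonpath='{range .items[*]}{.metadata.name}{": "}{.spec.containers[*].name}{"\n"}{end}'` lists the containers of every pod in the namespace: injected pods show an extra `istio-proxy` container, while the annotated worker shows only its own container.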
Next, you need to create a gateway. Use this one as a sample.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway # referenced as istio-system/my-gateway by the virtual service below
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    # - yourdomain.com
    - '*' # Allow everything
    # Uncomment next two lines if you dont want any insecure connections
    # to your website
    # tls:
    #   httpsRedirect: true # sends 301 redirect for http requests
  # Uncomment next block if you want HTTPS
  # - port:
  #     number: 443
  #     name: https
  #     protocol: HTTPS
  #   hosts:
  #   - yourdomain.com
  #   tls:
  #     mode: SIMPLE
  #     credentialName: your.secret
You would also need virtual services to bridge gateways to services. Use this one as a sample.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tomato # any name, created in the namespace of your application
  namespace: potato
spec:
  gateways:
  - istio-system/my-gateway # namespace-where-gateway-is/gateway-name
  hosts:
  # - mydomain.com
  - '*' # Allow everything
  http:
  - route:
    - destination:
        # Name of the service we want to connect to
        host: tomato.potato.svc.cluster.local # service-name.namespace.svc.cluster.local
        port:
          number: 8080 # Port forwarded by the service
Everything from service and below is the same as vanilla Kubernetes.
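As an added example that is not part of the original guide, here is the HTTPS variant that the commented-out lines of the gateway sample describe, with the secret, the gateway and the virtual service in one file. The hostname `yourdomain.com`, the secret name `your.secret` and the service `tomato.potato.svc.cluster.local` are the placeholders already used above; the PEM contents are placeholders to replace with a real key and certificate. The secret uses the `key` and `cert` entries that the SDS task linked in the install section expects, and it must live in istio-system, the namespace of the ingress gateway that reads it.

```yaml
# Added example, not from the original guide. Placeholder names taken from the
# samples above: yourdomain.com, your.secret, tomato.potato.svc.cluster.local.
---
# 1. TLS material for the gateway. With SDS enabled (see the helm install
#    flags above) the ingress gateway fetches this secret from its own
#    namespace, istio-system, so it has to be created there and is never
#    mounted into the gateway pod.
apiVersion: v1
kind: Secret
metadata:
  name: your.secret
  namespace: istio-system
type: Opaque
stringData:
  key: |
    -----BEGIN PRIVATE KEY-----
    PLACEHOLDER - replace with the real private key
    -----END PRIVATE KEY-----
  cert: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER - replace with the real certificate chain
    -----END CERTIFICATE-----
---
# 2. Gateway: port 80 only redirects, port 443 terminates TLS with the secret
#    above. Hosts are pinned to the real domain instead of '*'.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - yourdomain.com
    tls:
      httpsRedirect: true   # 301 for every plain-HTTP request
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - yourdomain.com
    tls:
      mode: SIMPLE          # the gateway terminates TLS
      credentialName: your.secret
---
# 3. Virtual service: binds the hostname on that gateway to the k8s service.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tomato
  namespace: potato
spec:
  hosts:
  - yourdomain.com
  gateways:
  - istio-system/my-gateway
  http:
  - route:
    - destination:
        host: tomato.potato.svc.cluster.local
        port:
          number: 8080
```

Apply it with `kubectl apply -f` and check the result from outside the cluster: a plain `http://yourdomain.com/` request should answer with a 301 to the `https://` URL, and `kubectl get secret your.secret -n istio-system` should list the `key` and `cert` entries. If the gateway keeps serving the default self-signed certificate, the usual cause is the secret sitting in the wrong namespace.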
The istio-ingressgateway pod in istio-system is the load balancer. If you are unable to find the external IP of the cluster, try the external IP of the node running this pod. You can read more here.
Installing istioctl (optional)
# Downloads and unpacks the latest release into the current directory
curl -L https://git.io/getLatestIstio | sh -
# ~ does not expand inside double quotes, so use $HOME
export PATH="$PATH:$HOME/istio-1.3.0-rc.3/bin" # Assuming the version is 1.3.0
- Read the pod logs (Start with ingress-gateway, pilot, envoys). Further reading.
- Kill all the pods in istio-system
- Delete and create the gateway again
- Install kiali
bash <(curl -L https://git.io/getLatestKialiOperator) --accessible-namespaces '**'
- Run this to get a dump of all routes connected to the gateway. (requires istioctl)
- Watch these two videos. #1 #2
If all fails you can `helm delete --purge istio`, then
`kubectl delete namespace istio-system` and start over again.
- Envoy — Proxy inside your pods which intercepts all network traffic
- Sidecar — The injected envoy container in your pods
- Mixer — Collects telemetry and enforces usage policies.
- Pilot — Service discovery service
- Citadel — Key management service
- Galley — Configuration validation