☁️Istio Installation on Huawei Cloud CCE Service
Introduction
Istio is a service mesh for Kubernetes clusters. It is used to manage, scale, and secure traffic within and between clusters, and it offers a wide range of features for Kubernetes workloads.
The Huawei Cloud CCE service makes creating a Kubernetes cluster that supports Istio easy. This article will explain how to install Istio on Huawei Cloud CCE service.
What is Istio?
Istio is an open-source service mesh that helps enterprises run distributed, microservices-based applications anywhere. It provides a uniform way to secure, connect, and monitor microservices, regardless of the underlying infrastructure or cloud provider.
Istio does this by sitting as a layer on top of your existing Kubernetes or other container orchestration platform. It injects an Envoy sidecar proxy into each of your application’s pods. This proxy intercepts all network traffic between your microservices and enforces the policies you define in Istio’s control plane.
What can you do with Istio?
With Istio, you can tackle some of the biggest challenges of managing complex, distributed microservices architectures.
Traffic Management:
- Fine-grained routing: Direct traffic to specific versions of services, specific data centers, or even subsets of services based on custom criteria.
- Load balancing: Spread traffic evenly across healthy instances of a service to optimize performance and resource utilization.
- Canary deployments and A/B testing: Gradually roll out new versions of services or test different configurations without impacting production traffic.
- Circuit breaking: Automatically fail over to healthy instances or backends when encountering errors, preventing cascading failures.
Security:
- Mutual TLS authentication: Secure communication between services with mutual TLS encryption, ensuring only authorized services can talk to each other.
- Authorization: Enforce access control policies to restrict which services can call each other and which resources they can access.
- Rate limiting: Prevent service overload by limiting the number of requests a service can receive.
- Auditing and monitoring: Track all service interactions and network traffic for security and compliance purposes.
Observability:
- Distributed tracing: Gain insights into the entire request flow across multiple services, pinpointing performance bottlenecks and errors.
- Metrics and telemetry: Collect and analyze detailed metrics about service health, performance, and resource utilization.
- Logging aggregation: Centralize logs from all services for easier troubleshooting and analysis.
- Visualization tools: Integrate with dashboards such as Kiali and Grafana to visualize your service mesh data and gain actionable insights.
Resilience:
- Service health checks: Continuously monitor service health and automatically switch to healthy instances for improved uptime.
- Retry logic: Automatically retry failed requests, mitigating transient errors and improving service availability.
- Timeouts: Configure timeouts for requests to prevent hanging connections and improve overall system responsiveness.
Istio empowers you to manage the complexity of your microservices ecosystem with granular control, robust security, and comprehensive observability, paving the way for smoother operations, faster development, and increased reliability for your applications.
Kubernetes Traffic Infrastructure
Kubernetes, the container orchestration platform, excels at managing and deploying containerized applications. But with complex microservices architectures, efficient traffic routing becomes crucial. Enter the Kubernetes traffic infrastructure, a robust ecosystem of tools and techniques that guide application traffic seamlessly.
Imagine your Kubernetes cluster as a bustling port:
- Containerized applications: Ships carrying valuable cargo (functionality)
- Services: Lighthouses guiding ships to their destinations (desired pods)
- Traffic: The ocean itself, carrying data packets like ships navigating their routes
Here’s how Kubernetes traffic infrastructure orchestrates this digital voyage:
1. Services: Act as abstract entities representing a set of pods. They provide a stable endpoint for external and internal traffic, decoupling consumers from the underlying pods’ specifics.
2. Service Types: Different service types cater to diverse routing needs:
- ClusterIP: Internal service, accessible only within the cluster.
- NodePort: Exposes the service on a dedicated port on each node, reachable from outside the cluster using the node IP and port.
- LoadBalancer: Creates a cloud load balancer automatically, distributing traffic across healthy pods.
- ExternalName: Maps the service to an external DNS name.
3. Ingress: Acts as a single entry point for routing external HTTP/HTTPS traffic to internal services based on rules defined in an Ingress resource. It simplifies managing external access and removes the need for a separate LoadBalancer Service per application.
4. Network Policies: Enforce fine-grained access control by specifying which pods can communicate with each other and with the external network. Think of them as maritime traffic regulations, ensuring safe and authorized passage.
5. Network Plugins: Provide the underlying network fabric for connecting pods and services. Popular options include Flannel and Calico, both implemented as CNI plugins. These act as the invisible infrastructure beneath the ocean waves.
Benefits of a Robust Traffic Infrastructure:
- Scalability: Handle traffic surges as you scale your application.
- Resilience: Route around failures and maintain service availability.
- Security: Enforce access control and protect your applications.
- Observability: Monitor and troubleshoot traffic flow effectively.
- Agility: Adapt your routing rules dynamically to meet changing needs.
Kubernetes traffic infrastructure empowers you to build and manage complex microservices deployments with confidence. By harnessing the right tools and techniques, you can guide your application traffic efficiently, ensuring a smooth and reliable digital voyage for your users.
Remember, choosing the optimal setup depends on your specific needs and environment. Explore the diverse options available and chart your course toward a thriving microservices architecture!
Pre-Requirements
- Huawei Cloud Account
- A CCE Cluster
- A kubeconfig connection to the CCE cluster
- K9s and kubectl
How to install Istio on your Kubernetes environment
Download Istio
The command below downloads the latest Istio release for Linux or macOS. For another OS, or if you need to use a different version, please visit the Istio download page.
curl -L https://istio.io/downloadIstio | sh -
Install Istio
Next, move into the directory we just downloaded and add Istio’s bin directory to the PATH environment variable. You can use the commands below.
cd istio-1.20.2
export PATH=$PWD/bin:$PATH
You can verify that the setup worked by checking the version: type “istioctl version” and you should get output similar to the one below.
After istioctl is installed, we can install the Istio control plane components into our Kubernetes cluster with the command below.
istioctl install
The expected output is shown below. If any component is missing, the installation may be incomplete.
If you do not see the egress gateway in the output (the default profile installs only the ingress gateway), run the command below with the same flags you used for the initial installation to add the egress gateway.
istioctl install <flags-you-used-to-install-Istio> \
--set components.egressGateways[0].name=istio-egressgateway \
--set components.egressGateways[0].enabled=true
To check the services, use the command below.
We need to label the namespace whose traffic we want Istio to manage, so that Istio automatically injects the sidecar proxy into pods created there. If you are working in a different namespace, replace default with your namespace.
kubectl label namespace default istio-injection=enabled
To try Istio in our environment, deploy the sample Bookinfo application by applying the bookinfo.yaml file from the Istio directory. If you need a different example, you can copy the manifest.yaml file from the link here, which is a more complex example.
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
When we apply the bookinfo.yaml file, the CLI lists the workloads that were created. The expected output is shown in the box below.
Check the services in the default namespace. We will see that the productpage service for the Bookinfo site has been created.
kubectl get services
We can also use the following command to check the pods in the istio-system namespace.
kubectl get pods -A | grep istio
The output should look like the image below.
The Bookinfo application is deployed but not accessible from the outside. To make it accessible, you need to create an Istio Ingress Gateway, which maps a path to a route at the edge of your mesh.
# Associate this application with the Istio gateway:
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
# Ensure that there are no issues with the configuration:
istioctl analyze
Output:
Execute the following command to determine whether your Kubernetes cluster is running in an environment that supports external load balancers. If you encounter any problems, please visit this page.
kubectl get svc istio-ingressgateway -n istio-system
We see that the EXTERNAL-IP column shows <pending>. In this case, you need to bind a public EIP to the ingress gateway service through the CCE console. Follow the steps below.
On the CCE console, select the Service & Ingress tab on the left, find the istio-ingressgateway service and update it.
Configure the EIP settings as shown below.
Finally, install the observability addons (Kiali, Grafana, Jaeger and Prometheus). Their manifests are in the samples/addons directory of the Istio package we downloaded during the installation. Use “kubectl apply -f samples/addons” to install all addons.
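As an added example that is not part of the original article, the POSIX shell script below bundles the post-installation checks the steps above rely on: the istio-injection label on the namespace, the presence of the istio-proxy sidecar in every pod, and whether the ingress gateway has left the <pending> state. Each check is a function over kubectl output text, exercised here on constructed sample output; the run_checks function (an assumed name) runs them against a live cluster when the script is invoked with --live.

```shell
#!/bin/sh
# Added example: post-install checks for the Istio-on-CCE steps above.
# Each check parses kubectl output passed in as text, so it can be tried
# on the constructed samples below without a cluster; run_checks wires
# them to live kubectl calls.

# 0 when the namespace carries istio-injection=enabled.
# Input: `kubectl get ns <ns> --show-labels --no-headers`
injection_enabled() {
  printf '%s\n' "$1" | grep -q 'istio-injection=enabled'
}

# Prints pods whose container list lacks the istio-proxy sidecar.
# Input: one "<pod> <container> <container>..." line per pod, from
# kubectl get pods -n <ns> -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[*].name}{"\n"}{end}'
pods_missing_sidecar() {
  printf '%s\n' "$1" | awk 'NF && !/(^| )istio-proxy( |$)/ { print $1 }'
}

# 0 when the ingress gateway has a real EXTERNAL-IP, 1 while it is <pending>
# (the state that needs an EIP bound in the CCE console).
# Input: `kubectl get svc istio-ingressgateway -n istio-system --no-headers`
ingress_has_external_ip() {
  ip=$(printf '%s\n' "$1" | awk 'NR == 1 { print $4 }')
  [ -n "$ip" ] && [ "$ip" != "<pending>" ] && [ "$ip" != "<none>" ]
}

# Constructed sample output (not captured from a real cluster).
SAMPLE_NS='default   Active   3d   istio-injection=enabled,kubernetes.io/metadata.name=default'
SAMPLE_PODS='productpage-v1-7c4bc9 productpage istio-proxy
ratings-v1-5f8d2a ratings
reviews-v1-9b1e3c reviews istio-proxy'
SAMPLE_SVC_PENDING='istio-ingressgateway   LoadBalancer   10.247.12.34   <pending>   15021:31234/TCP   2m'
SAMPLE_SVC_READY='istio-ingressgateway   LoadBalancer   10.247.12.34   203.0.113.10   15021:31234/TCP   9m'

# Runs the three checks against the live cluster (namespace defaults to "default").
run_checks() {
  ns=${1:-default}
  injection_enabled "$(kubectl get ns "$ns" --show-labels --no-headers)" \
    && echo "ok: sidecar injection enabled on $ns" || echo "FAIL: label istio-injection=enabled missing on $ns"
  missing=$(pods_missing_sidecar "$(kubectl get pods -n "$ns" -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[*].name}{"\n"}{end}')")
  [ -z "$missing" ] && echo "ok: every pod in $ns has istio-proxy" || echo "FAIL: no sidecar (restart pods created before labelling): $missing"
  ingress_has_external_ip "$(kubectl get svc istio-ingressgateway -n istio-system --no-headers)" \
    && echo "ok: ingress gateway has an external IP" || echo "FAIL: EXTERNAL-IP <pending>; bind an EIP in the CCE console"
}

if [ "${1:-}" = "--live" ]; then run_checks "$2"; fi
```

Pods that were created before the namespace was labelled never receive a sidecar, which is the case the second check is meant to catch.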
Kiali Dashboard
To see the Kiali dashboard, you can run the “istioctl dashboard kiali” command and access the Kiali dashboard with the given URL.
When you open the URL in a browser, you will see a page like this.
Kiali application page.
The Kiali traffic policies page looks like this.
Grafana Dashboard
To access the Grafana dashboard, you can use “istioctl dashboard grafana” as follows.
When you go to the Grafana URL, you will see a page like this. You can use the ready-made dashboards that ship with Istio, or import one that suits your needs from the Grafana dashboard library.
Example dashboard.
Jaeger Dashboard
You can access the Jaeger page with the URL printed by the “istioctl dashboard jaeger” command.
With Jaeger, we can view the system architecture.
Here you can see all the views that Jaeger can display as a dashboard.
Conclusion
As a result, installing Istio on Huawei Cloud is a critical step for the security, stability, and scalability of your microservice-based applications. By following the steps described in this article, you can take advantage of the benefits of Istio and make your applications more secure and efficient.