In this tutorial, you will learn, step by step, how to set up Istio as a service mesh for your Kubernetes cluster.
One of the challenges with a highly dynamic microservices architecture is creating and maintaining connections. As pods are updated, added, and removed, you need a mechanism to identify each pod and enable communication between them and other pods in the cluster. A service mesh is one way of managing the communications within your cluster. Network proxies are attached to each application container using the Sidecar pattern. Together these proxies operate and monitor communication within the Kubernetes cluster, and this is the service mesh. The service mesh manages security, works to optimize network performance within the cluster, and reports on the state of networking within the Kubernetes cluster.
The first step is to log into the node and download Istio. We do that with the following command.
curl -L https://istio.io/downloadIstio | sh -
The command above will download the latest version of Istio to the current directory. At the time of writing, the newest version was 1.8.1. Navigate into the newly-created directory.
cd istio-1.8.1
You’ll see the following content in this directory:
Sample applications in the samples/ directory.
The istioctl client binary in the bin/ directory.
istioctl is a helpful command-line tool that enables you to install Istio on your Kubernetes cluster node, along with a set of other operations. We need to add the bin directory to our path so that we can invoke the istioctl CLI tool from anywhere on this node.
export PATH=$PWD/bin:$PATH
When you install Istio, you are able to choose from several configuration profiles. We will use the demo profile for this guide because it showcases the abilities of Istio with moderate resource usage. Other profiles are more appropriate for production deployments and custom configurations.
We will use istioctl to specify the demo profile and install the Istio service.
istioctl install --set profile=demo -y
The installation may take a few minutes to complete, but ultimately you’ll see output similar to that shown below.
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete
The final step is to add a namespace label to enable Istio to automatically inject Envoy sidecar proxies when you deploy your application pods later.
kubectl label namespace default istio-injection=enabled
Istio is now deployed and configured on your Kubernetes cluster node. We are now ready to deploy a sample application and see Istio in action.
Istio comes packaged with several sample applications in the samples directory under the installation folder. In this guide we will deploy the bookinfo application using kubectl. Run the following command from the root directory for the Istio installation.
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
The YAML configuration file creates several services for us. You can see a summary of all the installed services by running the following.
kubectl get services
NAME          TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)    AGE
details       ClusterIP   10.21.2.22    <none>        9080/TCP   39s
kubernetes    ClusterIP   10.21.0.1     <none>        443/TCP    48m
productpage   ClusterIP   10.21.0.74    <none>        9080/TCP   38s
ratings       ClusterIP   10.21.1.6     <none>        9080/TCP   39s
reviews       ClusterIP   10.21.3.241   <none>        9080/TCP   39s
We also need to ensure that all of the pods are ready to go, as this may take a little more time. We can see this on our node directly by executing kubectl get pods, or we can view their status on the Platform9 dashboard.
kubectl get pods
Each pod needs to show 2/2 in the READY column, meaning both the application container and the injected Envoy sidecar are ready, with a status of Running.
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-558b8b4b76-ck1g5       2/2     Running   0          10m
productpage-v1-6987489c74-b64sn   2/2     Running   0          10m
ratings-v1-7dc98c7588-qb4ng       2/2     Running   0          10m
reviews-v1-7f99cc4496-7cd47       2/2     Running   0          10m
reviews-v2-7d79d5bd5d-5gz7j       2/2     Running   0          10m
reviews-v3-7dbcdcbc56-k7wh1       2/2     Running   0          10m
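A pod created before the namespace was labelled gets no sidecar and sits outside the mesh, so the mesh's security controls and reporting do not cover it. The following check is an added example, not part of the original tutorial: it lists pods whose containers do not include the Envoy sidecar (container name istio-proxy). The function names and the sample pod legacy-job-0 are constructed for illustration.

```shell
#!/bin/sh
# Added example: list pods that did NOT receive the Istio sidecar.
# Input (stdin): one pod per line, "<pod-name><TAB><space-separated container names>",
# which is what the kubectl command in live_check() produces.
# Assumes the sidecar is a regular container named "istio-proxy".
pods_missing_sidecar() {
    awk -F '\t' '
        NF == 0 { next }                       # skip blank lines
        {
            found = 0
            n = split($2, names, " ")          # container names for this pod
            for (i = 1; i <= n; i++)
                if (names[i] == "istio-proxy") found = 1
            if (!found) print $1               # exact match only
        }'
}

# Query a live cluster (needs kubectl access); namespace defaults to "default".
live_check() {
    kubectl get pods -n "${1:-default}" \
        -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}' \
        | pods_missing_sidecar
}

# Constructed sample input: the last pod has no sidecar.
sample_pods() {
    printf 'details-v1-558b8b4b76-ck1g5\tdetails istio-proxy\n'
    printf 'productpage-v1-6987489c74-b64sn\tproductpage istio-proxy\n'
    printf 'legacy-job-0\tworker\n'
}

sample_pods | pods_missing_sidecar   # prints: legacy-job-0
```

Run live_check against the cluster after deploying; an empty result means every pod in the namespace carries the sidecar. Pods it lists need to be recreated so the injector can add the proxy.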
This configuration creates two resources in the cluster:
Istio includes an analysis tool that validates your Istio installation. Now that we’ve completed deploying our application, we can use this tool to validate our namespace.
istioctl analyze
✔ No validation issues found when analyzing namespace: default
For the next step, we need to determine if the environment has an internal or external load balancer. Execute the following command.
kubectl get svc istio-ingressgateway -n istio-system
In the output, look for the EXTERNAL-IP. If the results show an IP address or a host name, then you have an external load balancer. If the results show either <none> or <pending>, you don’t have access to an external load balancer. Export the following environment variables (EVs) based on whether you have an external load balancer or not.
If you have an external load balancer:
export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
If you don’t have an external load balancer (access through the node port):
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')
With those EVs set, you can now set your Gateway URL.
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
Execute the following command to get the external address for the BookInfo application, and paste it into your web browser to access the application.
echo "http://$GATEWAY_URL/productpage"
Monitoring Kubernetes and Istio
kubectl apply -f samples/addons
And now, let's deploy Kiali to view the dashboard.
kubectl rollout status deployment/kiali -n istio-system
We can open the dashboard using:
istioctl dashboard kiali
For more information on Istio as a Kubernetes service mesh, the latest documentation is available here.
If you’re looking for more information about service meshes, including tips on selecting and implementing a service mesh, the following articles have a great deal of helpful information.
Comparing Kubernetes service mesh options and how to migrate between them
In this blog, we walked through a tutorial on setting up Istio as a Kubernetes service mesh using a PMK account. We hope you found this blog informative and engaging.