CHAPTER 3
Installation
In the previous chapter, we learned the architecture of Istio in detail. Now it’s time to get our hands dirty and set up Istio on a Kubernetes cluster. As we said earlier, we will deploy Istio to a Kubernetes cluster for working through the exercises in this book. However, you can also deploy Istio on Nomad or Consul clusters, which would require using a different set of commands to configure Istio and manipulate objects on them. The core components of Istio remain the same regardless of the host. Istio setup and installation is quite straightforward, and you can do it multiple ways. However, there are a few prerequisites that you must validate before installing Istio. In this chapter, we will discuss the process of installing Istio on a Kubernetes cluster using several different approaches.
Prerequisites
Before installing Istio on a Kubernetes cluster, we must make sure the services that you want to bring onto the mesh satisfy the following conditions:
- Names of the ports of services should follow the syntax <protocol>-<name>, such as http-serviceA, https-serviceB, and grpc-serviceC. This convention helps Istio detect the target ports on which it can enforce traffic routing policies.
Note: The convention-based naming strategy is being replaced with an intelligent protocol detection strategy (an experimental feature in release 1.3) that will automatically determine the protocol of outbound traffic as HTTP or TCP, with other protocols and port detection for inbound traffic to follow in the future.
- Container ports used inside a pod should be explicitly specified in the specification.
- Each deployment (known as a workload in Istio) should be part of at least one service so that the pods of the deployment can receive request traffic.
- All deployments should have app and version labels for configuring features such as canary deployments.
- The pod must also allow the NET_ADMIN capability, since the Envoy proxy diverts incoming and outgoing traffic by manipulating iptables rules, which requires this capability.
- Pods should not run applications with user ID (UID) 1337, as this user ID is reserved for use by Istio.
- The following table lists the ports used by the Istio services. Don’t use these ports within the service mesh for individual services.
Table 1: Ports used by Istio
Port | Protocol |
8060, 8080, 9090, 9091, 9876, 15004, 15010, 15014, 15020, 15029, 15031, 15032, 15090 | HTTP |
15000, 15001, 15006, 15011, 42422 | TCP |
9901 | gRPC |
15443 | TLS |
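The prerequisites above can be checked before a workload joins the mesh. The following is an added example, not code from the book or from Istio: it validates manifests (as dictionaries, for instance from `kubectl get ... -o json`) against the port-naming, declared-port, label, UID 1337, and reserved-port rules. The function names, the accepted protocol prefixes, the choice to read labels from the pod template, and the sample manifests are assumptions made for illustration.

```python
import re

# Ports from Table 1 that Istio reserves for its own services.
ISTIO_PORTS = {8060, 8080, 9090, 9091, 9876, 15004, 15010, 15014, 15020, 15029,
               15031, 15032, 15090, 15000, 15001, 15006, 15011, 42422, 9901, 15443}
# Assumption: accepted prefixes are the protocols this chapter names.
PORT_NAME = re.compile(r"^(http|https|grpc|tcp|tls)-[A-Za-z0-9-]+$")

def check_service(svc):
    """Findings for a Service manifest given as a dict."""
    out = []
    for p in svc["spec"].get("ports", []):
        name = p.get("name", "")
        if not PORT_NAME.match(name):
            out.append(f"port {p['port']}: name {name!r} is not <protocol>-<name>")
        # A named (string) targetPort never matches the integer set.
        if p.get("targetPort", p["port"]) in ISTIO_PORTS:
            out.append(f"port {p['port']}: target port is reserved by Istio")
    return out

def check_deployment(dep):
    """Findings for a Deployment manifest given as a dict."""
    out = []
    tpl = dep["spec"]["template"]
    # Assumption: the app and version labels are read from the pod template.
    labels = tpl.get("metadata", {}).get("labels", {})
    out += [f"pod template lacks label {k!r}" for k in ("app", "version") if k not in labels]
    pod_uid = tpl["spec"].get("securityContext", {}).get("runAsUser")
    for c in tpl["spec"]["containers"]:
        ports = [p["containerPort"] for p in c.get("ports", [])]
        if not ports:
            out.append(f"{c['name']}: no containerPort declared")
        out += [f"{c['name']}: port {n} is reserved by Istio" for n in ports if n in ISTIO_PORTS]
        # A container-level runAsUser overrides the pod-level value.
        if c.get("securityContext", {}).get("runAsUser", pod_uid) == 1337:
            out.append(f"{c['name']}: runs as UID 1337, reserved by Istio")
    return out

# Constructed sample manifests (not from the book).
SERVICE = {"spec": {"ports": [{"name": "web", "port": 80, "targetPort": 8080},
                              {"name": "grpc-orders", "port": 50051}]}}
DEPLOYMENT = {"spec": {"template": {
    "metadata": {"labels": {"app": "orders"}},
    "spec": {"securityContext": {"runAsUser": 1337},
             "containers": [{"name": "api", "ports": [{"containerPort": 8080}]},
                            {"name": "worker", "securityContext": {"runAsUser": 1000}}]}}}}

if __name__ == "__main__":
    for finding in check_service(SERVICE) + check_deployment(DEPLOYMENT):
        print("FAIL", finding)
```

Note that 8080, a common application port, is in Table 1, so a typical web container is flagged until its port is changed.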
To ensure that Istio runs smoothly on your Kubernetes cluster, allocate at least four cores and 5–8 GB of RAM to your cluster for running Istio services. This number may vary based on the number of components of Istio that you provision during setup. For local development, Docker Desktop for Mac or Windows is the easiest and fastest way to get up and running.
Tip: You can refer to this link for detailed instructions on installation and troubleshooting.
There are many approaches to installing Istio on the Kubernetes cluster, but the simplest and most popular one is to use Helm. Let’s begin with downloading the latest version of Istio by following these steps:
- Navigate to the Istio releases webpage.
- Select the appropriate release package based on your platform, such as *.zip for Windows or *.tar.gz for Linux.
- Download the latest release version and navigate to the downloaded folder. The folder contains the following artifacts:
- Platform-specific installation YAML files in the install folder.
- Samples in the samples folder.
- istioctl client binary, which is the Istio CLI tool in the bin folder. You can use this tool for validating setup, debugging, manual proxy injection, and a host of other activities.
- The helm folder inside the Kubernetes installation contains several files named values-*.yaml, which help you select a particular type of installation, such as minimal or full.
- Based on the version of Istio that you downloaded, add the location of the Istio Helm repository using the following command. Remember to substitute the version number 1.3.2 in the following command with the version that you downloaded.
Code Listing 1: Adding Helm repo
$ helm repo add istio.io https://storage.googleapis.com/istio-release/releases/1.3.2/charts/
"istio.io" has been added to your repositories
After adding the repo to your Helm repository, you can proceed to the next step of installing a Helm client. Download and install the appropriate Helm client from the official Helm repository based on your OS/platform. Make sure the Helm client version that you install is greater than or equal to 2.10.
Tip: You should add the full path of the istioctl executable to the Path environment variable. This will help you invoke the command from any location.
We will now proceed to install the various components of Istio to our Kubernetes cluster.
Installation
There are two ways of installing Istio on a Kubernetes cluster using the Helm chart. One of the methods involves using the Helm template, and the other method uses the Tiller server for installation.
For now, the recommended method for installing Istio is to use Helm and Tiller so that a Tiller pod in your cluster can manage the deployments and upgrades of Istio objects. You can refer to this link for guidance on installing Istio with Tiller. However, if you don’t want to install Tiller on your cluster, you can choose the other method of using Helm templates for installation, which is the approach that we will use to customize installation of Istio.
Installing Istio with Helm
The Istio objects are just native Kubernetes objects, such as services and endpoints, that require a custom definition to set up. To install such objects, Kubernetes supports custom resource definitions (CRD), which are definitions of objects that are not part of default Kubernetes installation. Istio installs CRDs on Kubernetes to bring up objects such as gateways, virtual services, and destination rules. For certain use cases, you can create your own custom resources in Kubernetes. You can refer to this link for further details on CRDs.
Istio components should be scoped to a namespace in your cluster. Therefore, create a namespace named istio-system for provisioning Istio components using the following command.
Code Listing 2: Creating a namespace
$ kubectl create namespace istio-system
namespace/istio-system created
To install Istio CRDs, from your terminal, change to the directory within the Istio release package that you downloaded and execute the following command.
Code Listing 3: Installing istio-init CRDs
$ helm template install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl apply -f -
NAME: istio-init
LAST DEPLOYED: Tue Sep 24 13:22:14 2019
NAMESPACE: istio-system
STATUS: DEPLOYED
The previous command creates bootstrap resources such as cluster roles and config maps, which are required by Istio CRDs using Helm templates. You can also use a predefined Helm profile to install via Helm and Tiller.
There are many predefined configurations available for installing Istio components in the release directory at the path install/kubernetes/helm/istio. You can choose one of the configurations or create your own configuration based on your requirements. The following is a brief description of the predefined configurations available in the release package.
Table 2: Istio configurations
Configuration File | Description |
values.yaml | This configuration installs all components with default settings. It is the default Istio profile, and it is the recommended configuration for the production environment. |
values-istio-demo.yaml | This configuration provisions the minimum components used by the sample applications available inside the release package. It enables tracing and logging for almost all components, and it is generally enough for simple scenarios that might require debugging. |
values-istio-demo-auth.yaml | This configuration is similar to the istio-demo configuration, but also has authentication enabled. |
values-istio-minimal.yaml | This is the minimal Istio configuration required for Istio to run. |
values-istio-remote.yaml | This configuration creates the components used for managing Istio in a remote cluster, which is useful in a multi-cluster setup. |
values-istio-sds-auth.yaml | This configuration is similar to the default configuration, but also has the Secret Discovery Service (SDS) feature enabled. |
Most of the preconfigured templates install several components that we will not use for the exercises in this book. Therefore, we will customize the Istio Helm template to install just the components we need. Execute the following command, which will install the necessary components in the cluster.
Code Listing 4: Installing Istio
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
    --set global.disablePolicyChecks=false \
    --set gateways.istio-egressgateway.enabled=true \
    --set global.proxy.accessLogFile="/dev/stdout" \
    --set tracing.enabled=true \
    --set kiali.enabled=true \
    --set grafana.enabled=true | kubectl apply -f -
NAME: istio
LAST DEPLOYED: Tue Sep 24 13:23:36 2019
NAMESPACE: istio-system
Thank you for installing istio. Your release is named istio.
The output of the previous command will inform you of the status of the installation of Istio components.
Tip: To configure CRDs during setup, instead of creating a new configuration with desired settings, you can add desired configuration options to the helm install command as we did previously. You can refer to this link for a list of available options.
After installing Istio components, you can verify the status of the components created by executing the following command.
Code Listing 5: Verify Istio installation
In the output generated from the previous command, you should ensure that all pods are in running state except the initialization, cleanup, and post-install security setup pods, which should be in the completed state.
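The rule above can be applied mechanically to the JSON form of the pod list (for example, the output of `kubectl get pods -n istio-system -o json`). This is an added example, not a listing from the book: it assumes the initialization, cleanup, and post-install pods are owned by Kubernetes Jobs, and the pod names in the sample are constructed.

```python
import json

def unhealthy_pods(pod_list):
    """Return {pod name: reason} for pods that break the rule above."""
    bad = {}
    for pod in pod_list["items"]:
        name = pod["metadata"]["name"]
        phase = pod["status"].get("phase", "Unknown")
        owners = pod["metadata"].get("ownerReferences", [])
        # Assumption: one-shot setup pods are the ones owned by a Job.
        if any(o.get("kind") == "Job" for o in owners):
            # kubectl displays the Succeeded phase as "Completed".
            if phase != "Succeeded":
                bad[name] = f"job pod is {phase}, expected Succeeded"
            continue
        not_ready = [c["name"] for c in pod["status"].get("containerStatuses", [])
                     if not c.get("ready")]
        if phase != "Running":
            bad[name] = f"pod is {phase}, expected Running"
        elif not_ready:
            # Running phase alone does not mean every container is serving.
            bad[name] = "containers not ready: " + ", ".join(not_ready)
    return bad

# Constructed sample in the shape kubectl emits (names are made up).
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "istio-pilot-aaa", "ownerReferences": [{"kind": "ReplicaSet"}]},
  "status": {"phase": "Running", "containerStatuses": [{"name": "discovery", "ready": true}]}},
 {"metadata": {"name": "istio-init-crd-bbb", "ownerReferences": [{"kind": "Job"}]},
  "status": {"phase": "Succeeded"}},
 {"metadata": {"name": "istio-security-post-install-ccc", "ownerReferences": [{"kind": "Job"}]},
  "status": {"phase": "Failed"}},
 {"metadata": {"name": "grafana-ddd", "ownerReferences": [{"kind": "ReplicaSet"}]},
  "status": {"phase": "Running", "containerStatuses": [{"name": "grafana", "ready": false}]}},
 {"metadata": {"name": "istio-tracing-eee", "ownerReferences": [{"kind": "ReplicaSet"}]},
  "status": {"phase": "Pending"}}
]}""")

if __name__ == "__main__":
    for pod, reason in unhealthy_pods(SAMPLE).items():
        print(f"{pod}: {reason}")
```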
Summary
In this chapter, we went through the steps of setting up Istio on a local cluster, which will act as a debugging environment for us for the subsequent exercises. We also discussed some tips on how you can set up Istio on a multi-node cluster, which will act as staging or production environments for your applications. With Istio up and running on our cluster, we will now proceed to deploy a very simple application to the mesh.