Istio is an open-source service mesh platform that provides a way to control how microservices share data with one another. It also works very well as an ingress controller for serving traffic into the cluster. If you plan to run Kubernetes in a production setup, an ingress controller is a must, and Istio is very good at this.
Download and extract the Istio package.
root@kub-master:~# wget https://github.com/istio/istio/releases/download/1.2.5/istio-1.2.5-linux.tar.gz
--2020-01-27 17:17:22-- https://github.com/istio/istio/releases/download/1.2.5/istio-1.2.5-linux.tar.gz
Resolving github.com (github.com)... 13.250.177.223
Connecting to github.com (github.com)|13.250.177.223|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/74175805/97273080-c5f8-11e9-8c14-48c4704e1ec9?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200127%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200127T091723Z&X-Amz-Expires=300&X-Amz-Signature=8f66d7e0cb13d5b4d4542c22d512a0deb419f94f88476bb82a1e3ab2f88a605e&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Distio-1.2.5-linux.tar.gz&response-content-type=application%2Foctet-stream [following]
--2020-01-27 17:17:23-- https://github-production-release-asset-2e65be.s3.amazonaws.com/74175805/97273080-c5f8-11e9-8c14-48c4704e1ec9?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200127%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200127T091723Z&X-Amz-Expires=300&X-Amz-Signature=8f66d7e0cb13d5b4d4542c22d512a0deb419f94f88476bb82a1e3ab2f88a605e&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Distio-1.2.5-linux.tar.gz&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.140.68
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.140.68|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 32445384 (31M) [application/octet-stream]
Saving to: ‘istio-1.2.5-linux.tar.gz’
istio-1.2.5-linux.tar.gz 100%[================================================================================================================>] 30.94M 7.07MB/s in 4.4s
2020-01-27 17:17:28 (7.07 MB/s) - ‘istio-1.2.5-linux.tar.gz’ saved [32445384/32445384]
root@kub-master:~# tar -xvzf istio-1.2.5-linux.tar.gz
Copy the istioctl binary into a directory on the executable path.
root@kub-master:~# cp istio-1.2.5/bin/istioctl /usr/bin/
root@kub-master:~# istioctl version
1.2.5
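The download, extract and copy steps above run as root with no integrity check on the archive. The following is an added example, not part of the original post: it verifies a SHA-256 digest and rejects archive entries that would escape the extraction directory. The function names are hypothetical, and the expected digest is assumed to come from the publisher through a separate channel.

```shell
#!/usr/bin/env bash
# Added example: checks to run before `tar -xvzf` and `cp ... /usr/bin/` as root.

# verify_sha256 FILE EXPECTED_HEX -> returns 0 only if the SHA-256 matches.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "SHA-256 mismatch for $file: got $actual" >&2
  return 1
}

# unsafe_tar_entries: reads a `tar -tzf` listing on stdin and prints entries
# that are absolute or contain a ".." path component.
unsafe_tar_entries() {
  awk '/^\// || /^\.\.\// || /\/\.\.\// || /\/\.\.$/ || $0 == ".." { print }'
}

# safe_extract ARCHIVE EXPECTED_HEX DEST
# Extracts only when the digest matches and every entry stays under DEST.
safe_extract() {
  verify_sha256 "$1" "$2" || return 1
  bad=$(tar -tzf "$1" | unsafe_tar_entries)
  if [ -n "$bad" ]; then
    echo "refusing to extract, unsafe entries:" >&2
    printf '%s\n' "$bad" >&2
    return 1
  fi
  mkdir -p "$3" && tar -xzf "$1" -C "$3"
}

# Usage (the digest below is a placeholder, not a real value):
#   safe_extract istio-1.2.5-linux.tar.gz <EXPECTED_SHA256_FROM_PUBLISHER> ./istio
```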
Check the prerequisites for installing Istio.
root@kub-master:~# istioctl verify-install
Checking the cluster to make sure it is ready for Istio installation...
Kubernetes-api
-----------------------
Can initialize the Kubernetes client.
Can query the Kubernetes API Server.
Kubernetes-version
-----------------------
Istio is compatible with Kubernetes: v1.15.9.
Istio-existence
-----------------------
Istio will be installed in the istio-system namespace.
Kubernetes-setup
-----------------------
Can create necessary Kubernetes configurations: Namespace,ClusterRole,ClusterRoleBinding,CustomResourceDefinition,Role,ServiceAccount,Service,Deployments,ConfigMap.
SideCar-Injector
-----------------------
This Kubernetes cluster supports automatic sidecar injection. To enable automatic sidecar injection see https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#deploying-an-app
-----------------------
Install Pre-Check passed! The cluster is ready for Istio installation.
Create a namespace for Istio.
root@kub-master:~# kubectl create ns istio-system
namespace/istio-system created
root@kub-master:~# cd istio-1.2.5/
You should have Helm installed in your cluster to install Istio, so make sure it is configured. If you don't have Helm installed, use the following link to set it up.
root@kub-master:~# helm template install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl apply -f -
configmap/istio-crd-10 created
configmap/istio-crd-11 created
configmap/istio-crd-12 created
serviceaccount/istio-init-service-account created
clusterrole.rbac.authorization.k8s.io/istio-init-istio-system created
clusterrolebinding.rbac.authorization.k8s.io/istio-init-admin-role-binding-istio-system created
job.batch/istio-init-crd-10 created
job.batch/istio-init-crd-11 created
job.batch/istio-init-crd-12 created
Check the Istio custom resource definitions (CRDs) that have been installed.
root@kub-master:~# kubectl get crds | grep 'istio.io\|certmanager.k8s.io' | wc -l
23
root@kub-master:~/istio-1.2.5# kubectl get crds | grep 'istio.io\|certmanager.k8s.io'
adapters.config.istio.io 2020-01-27T09:59:26Z
attributemanifests.config.istio.io 2020-01-27T09:59:26Z
authorizationpolicies.rbac.istio.io 2020-01-27T09:59:27Z
clusterrbacconfigs.rbac.istio.io 2020-01-27T09:59:26Z
destinationrules.networking.istio.io 2020-01-27T09:59:26Z
envoyfilters.networking.istio.io 2020-01-27T09:59:26Z
gateways.networking.istio.io 2020-01-27T09:59:26Z
handlers.config.istio.io 2020-01-27T09:59:26Z
httpapispecbindings.config.istio.io 2020-01-27T09:59:26Z
httpapispecs.config.istio.io 2020-01-27T09:59:26Z
instances.config.istio.io 2020-01-27T09:59:26Z
meshpolicies.authentication.istio.io 2020-01-27T09:59:26Z
policies.authentication.istio.io 2020-01-27T09:59:26Z
quotaspecbindings.config.istio.io 2020-01-27T09:59:26Z
quotaspecs.config.istio.io 2020-01-27T09:59:26Z
rbacconfigs.rbac.istio.io 2020-01-27T09:59:26Z
rules.config.istio.io 2020-01-27T09:59:26Z
serviceentries.networking.istio.io 2020-01-27T09:59:26Z
servicerolebindings.rbac.istio.io 2020-01-27T09:59:26Z
serviceroles.rbac.istio.io 2020-01-27T09:59:26Z
sidecars.networking.istio.io 2020-01-27T09:59:26Z
templates.config.istio.io 2020-01-27T09:59:26Z
virtualservices.networking.istio.io 2020-01-27T09:59:26Z
Install the Istio template.
root@kub-master:~/istio-1.2.5# helm template install/kubernetes/helm/istio --name istio --namespace istio-system | kubectl apply -f -
configmap/istio-galley-configuration created
configmap/prometheus created
configmap/istio-security-custom-resources created
configmap/istio created
configmap/istio-sidecar-injector created
serviceaccount/istio-galley-service-account created
serviceaccount/istio-ingressgateway-service-account created
serviceaccount/istio-mixer-service-account created
serviceaccount/istio-pilot-service-account created
serviceaccount/prometheus created
serviceaccount/istio-cleanup-secrets-service-account created
clusterrole.rbac.authorization.k8s.io/istio-cleanup-secrets-istio-system created
clusterrolebinding.rbac.authorization.k8s.io/istio-cleanup-secrets-istio-system created
job.batch/istio-cleanup-secrets-1.2.5 created
serviceaccount/istio-security-post-install-account created
clusterrole.rbac.authorization.k8s.io/istio-security-post-install-istio-system created
clusterrolebinding.rbac.authorization.k8s.io/istio-security-post-install-role-binding-istio-system created
job.batch/istio-security-post-install-1.2.5 created
serviceaccount/istio-citadel-service-account created
serviceaccount/istio-sidecar-injector-service-account created
serviceaccount/istio-multi created
clusterrole.rbac.authorization.k8s.io/istio-galley-istio-system created
clusterrole.rbac.authorization.k8s.io/istio-mixer-istio-system created
clusterrole.rbac.authorization.k8s.io/istio-pilot-istio-system created
clusterrole.rbac.authorization.k8s.io/prometheus-istio-system created
clusterrole.rbac.authorization.k8s.io/istio-citadel-istio-system created
clusterrole.rbac.authorization.k8s.io/istio-sidecar-injector-istio-system created
clusterrole.rbac.authorization.k8s.io/istio-reader created
clusterrolebinding.rbac.authorization.k8s.io/istio-galley-admin-role-binding-istio-system created
clusterrolebinding.rbac.authorization.k8s.io/istio-mixer-admin-role-binding-istio-system created
clusterrolebinding.rbac.authorization.k8s.io/istio-pilot-istio-system created
clusterrolebinding.rbac.authorization.k8s.io/prometheus-istio-system created
clusterrolebinding.rbac.authorization.k8s.io/istio-citadel-istio-system created
clusterrolebinding.rbac.authorization.k8s.io/istio-sidecar-injector-admin-role-binding-istio-system created
clusterrolebinding.rbac.authorization.k8s.io/istio-multi created
role.rbac.authorization.k8s.io/istio-ingressgateway-sds created
rolebinding.rbac.authorization.k8s.io/istio-ingressgateway-sds created
service/istio-galley created
service/istio-ingressgateway created
service/istio-policy created
service/istio-telemetry created
service/istio-pilot created
service/prometheus created
service/istio-citadel created
service/istio-sidecar-injector created
deployment.apps/istio-galley created
deployment.apps/istio-ingressgateway created
deployment.apps/istio-policy created
deployment.apps/istio-telemetry created
deployment.apps/istio-pilot created
deployment.apps/prometheus created
deployment.apps/istio-citadel created
deployment.apps/istio-sidecar-injector created
horizontalpodautoscaler.autoscaling/istio-ingressgateway created
horizontalpodautoscaler.autoscaling/istio-policy created
horizontalpodautoscaler.autoscaling/istio-telemetry created
horizontalpodautoscaler.autoscaling/istio-pilot created
mutatingwebhookconfiguration.admissionregistration.k8s.io/istio-sidecar-injector created
poddisruptionbudget.policy/istio-galley created
poddisruptionbudget.policy/istio-ingressgateway created
poddisruptionbudget.policy/istio-policy created
poddisruptionbudget.policy/istio-telemetry created
poddisruptionbudget.policy/istio-pilot created
poddisruptionbudget.policy/istio-sidecar-injector created
attributemanifest.config.istio.io/istioproxy created
attributemanifest.config.istio.io/kubernetes created
instance.config.istio.io/requestcount created
instance.config.istio.io/requestduration created
instance.config.istio.io/requestsize created
instance.config.istio.io/responsesize created
instance.config.istio.io/tcpbytesent created
instance.config.istio.io/tcpbytereceived created
instance.config.istio.io/tcpconnectionsopened created
instance.config.istio.io/tcpconnectionsclosed created
handler.config.istio.io/prometheus created
rule.config.istio.io/promhttp created
rule.config.istio.io/promtcp created
rule.config.istio.io/promtcpconnectionopen created
rule.config.istio.io/promtcpconnectionclosed created
handler.config.istio.io/kubernetesenv created
rule.config.istio.io/kubeattrgenrulerule created
rule.config.istio.io/tcpkubeattrgenrulerule created
instance.config.istio.io/attributes created
destinationrule.networking.istio.io/istio-policy created
destinationrule.networking.istio.io/istio-telemetry created
Check whether Istio was installed successfully.
root@kub-master:~/istio-1.2.5# kubectl get all -n istio-system
NAME READY STATUS RESTARTS AGE
pod/istio-citadel-555dbdfd6b-ksqzn 1/1 Running 0 25m
pod/istio-cleanup-secrets-1.2.5-fr6tj 0/1 Completed 0 25m
pod/istio-galley-6855ffd77f-5b2nd 1/1 Running 0 25m
pod/istio-ingressgateway-7cfcbf4fb8-ntmr5 1/1 Running 0 25m
pod/istio-init-crd-10-f4xjf 0/1 Completed 0 25m
pod/istio-init-crd-11-ct2t7 0/1 Completed 0 25m
pod/istio-init-crd-12-nwgp8 0/1 Completed 0 25m
pod/istio-pilot-9589bcff5-lt85f 2/2 Running 0 25m
pod/istio-policy-9dbbb8ccd-s5lpc 2/2 Running 2 25m
pod/istio-security-post-install-1.2.5-l8cw2 0/1 Completed 0 25m
pod/istio-sidecar-injector-74f597fb84-kv2tn 1/1 Running 0 25m
pod/istio-telemetry-5d95788576-sr5nr 2/2 Running 1 25m
pod/prometheus-7d7b9f7844-bsh42 1/1 Running 0 25m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/istio-citadel ClusterIP 10.108.238.135 <none> 8060/TCP,15014/TCP 25m
service/istio-galley ClusterIP 10.103.63.106 <none> 443/TCP,15014/TCP,9901/TCP 25m
service/istio-ingressgateway LoadBalancer 10.99.247.174 <pending> 15020:31884/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:31236/TCP,15030:30003/TCP,15031:32047/TCP,15032:30130/TCP,15443:32711/TCP 25m
service/istio-pilot ClusterIP 10.98.94.187 <none> 15010/TCP,15011/TCP,8080/TCP,15014/TCP 25m
service/istio-policy ClusterIP 10.98.153.137 <none> 9091/TCP,15004/TCP,15014/TCP 25m
service/istio-sidecar-injector ClusterIP 10.102.180.126 <none> 443/TCP 25m
service/istio-telemetry ClusterIP 10.104.132.38 <none> 9091/TCP,15004/TCP,15014/TCP,42422/TCP 25m
service/prometheus ClusterIP 10.96.51.228 <none> 9090/TCP 25m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/istio-citadel 1/1 1 1 25m
deployment.apps/istio-galley 1/1 1 1 25m
deployment.apps/istio-ingressgateway 1/1 1 1 25m
deployment.apps/istio-pilot 1/1 1 1 25m
deployment.apps/istio-policy 1/1 1 1 25m
deployment.apps/istio-sidecar-injector 1/1 1 1 25m
deployment.apps/istio-telemetry 1/1 1 1 25m
deployment.apps/prometheus 1/1 1 1 25m
NAME DESIRED CURRENT READY AGE
replicaset.apps/istio-citadel-555dbdfd6b 1 1 1 25m
replicaset.apps/istio-galley-6855ffd77f 1 1 1 25m
replicaset.apps/istio-ingressgateway-7cfcbf4fb8 1 1 1 25m
replicaset.apps/istio-pilot-9589bcff5 1 1 1 25m
replicaset.apps/istio-policy-9dbbb8ccd 1 1 1 25m
replicaset.apps/istio-sidecar-injector-74f597fb84 1 1 1 25m
replicaset.apps/istio-telemetry-5d95788576 1 1 1 25m
replicaset.apps/prometheus-7d7b9f7844 1 1 1 25m
NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AGE
horizontalpodautoscaler.autoscaling/istio-ingressgateway Deployment/istio-ingressgateway <unknown>/80% 1 5 1 25m
horizontalpodautoscaler.autoscaling/istio-pilot Deployment/istio-pilot <unknown>/80% 1 5 1 25m
horizontalpodautoscaler.autoscaling/istio-policy Deployment/istio-policy <unknown>/80% 1 5 1 25m
horizontalpodautoscaler.autoscaling/istio-telemetry Deployment/istio-telemetry <unknown>/80% 1 5 1 25m
NAME COMPLETIONS DURATION AGE
job.batch/istio-cleanup-secrets-1.2.5 1/1 2s 25m
job.batch/istio-init-crd-10 1/1 12s 25m
job.batch/istio-init-crd-11 1/1 11s 25m
job.batch/istio-init-crd-12 1/1 13s 25m
job.batch/istio-security-post-install-1.2.5 1/1 8s 25m
By default, istio-ingressgateway is created as a LoadBalancer service, which is fine if you're using a cloud provider or any load balancer software. I like to use it as NodePort because I can manage it better in our bare-metal setup. If you're looking to do the same, edit the service configuration of istio-ingressgateway, replace type LoadBalancer with NodePort, and save it.
root@kub-master:~/istio-1.2.5# kubectl edit service/istio-ingressgateway -n istio-system
service/istio-ingressgateway edited
You can see that the istio-ingressgateway service now works as NodePort, and we can access Istio on the node port of any cluster node.
root@kub-master:~/istio-1.2.5# kubectl get services -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-citadel ClusterIP 10.108.238.135 <none> 8060/TCP,15014/TCP 33m
istio-galley ClusterIP 10.103.63.106 <none> 443/TCP,15014/TCP,9901/TCP 33m
istio-ingressgateway NodePort 10.99.247.174 <none> 15020:31884/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:31236/TCP,15030:30003/TCP,15031:32047/TCP,15032:30130/TCP,15443:32711/TCP 33m
istio-pilot ClusterIP 10.98.94.187 <none> 15010/TCP,15011/TCP,8080/TCP,15014/TCP 33m
istio-policy ClusterIP 10.98.153.137 <none> 9091/TCP,15004/TCP,15014/TCP 33m
istio-sidecar-injector ClusterIP 10.102.180.126 <none> 443/TCP 33m
istio-telemetry ClusterIP 10.104.132.38 <none> 9091/TCP,15004/TCP,15014/TCP,42422/TCP 33m
prometheus ClusterIP 10.96.51.228 <none> 9090/TCP 33m
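Switching the gateway to NodePort opens every mapping in its PORT(S) column on every cluster node, not only 80 and 443. The following is an added example, not part of the original post: it parses that column and lists the node ports that need a firewall or exposure review. The sample string is copied from the output above; the function names and the allow-list of 80 and 443 are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit which node ports a NodePort Service opens on every node.

# Sample input: PORT(S) column of istio-ingressgateway from the listing above.
SAMPLE_PORTS='15020:31884/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:31236/TCP,15030:30003/TCP,15031:32047/TCP,15032:30130/TCP,15443:32711/TCP'

# Assumption: only service ports 80 and 443 are meant to be reachable externally.
ALLOWED_SERVICE_PORTS='80 443'

# audit_nodeports PORTS_COLUMN
# Prints one line per mapping: "<verdict> <servicePort> <nodePort> <proto>".
audit_nodeports() {
  printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r entry; do
    if [ -z "$entry" ]; then continue; fi
    proto=${entry##*/}
    mapping=${entry%/*}
    case $mapping in
      *:*) svc=${mapping%%:*}; node=${mapping##*:} ;;
      *)   continue ;;   # ClusterIP-style entry, no node port opened
    esac
    verdict=REVIEW
    for ok in $ALLOWED_SERVICE_PORTS; do
      if [ "$svc" = "$ok" ]; then verdict=OK; fi
    done
    printf '%s %s %s %s\n' "$verdict" "$svc" "$node" "$proto"
  done
}

# unexpected_nodeports PORTS_COLUMN
# Prints the node ports outside the allow-list, space separated.
unexpected_nodeports() {
  audit_nodeports "$1" |
    awk '$1 == "REVIEW" { printf "%s%s", sep, $3; sep = " " } END { print "" }'
}

audit_nodeports "$SAMPLE_PORTS"
```

On a live cluster the same string can be taken from the PORT(S) column of `kubectl get services -n istio-system`.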