mirror of https://github.com/istio/istio.io.git
250 lines
91 KiB
HTML
250 lines
91 KiB
HTML
<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Shared control plane (single-network)"><meta name=description content="Install an Istio mesh across multiple Kubernetes clusters with a shared control plane and VPN connectivity between clusters."><meta name=keywords content=microservices,services,mesh,kubernetes,multicluster,federation,vpn><meta property=og:title content="Shared control plane (single-network)"><meta property=og:type content=website><meta property=og:description content="Install an Istio mesh across multiple Kubernetes clusters with a shared control plane and VPN connectivity between clusters."><meta property=og:url content=/v1.2/docs/setup/kubernetes/install/multicluster/shared-vpn/><meta property=og:image content=/v1.2/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.2 / Shared control plane (single-network)</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
|
|
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.2/feed.xml><link rel="shortcut icon" href=/v1.2/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.2/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.2/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.2/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.2/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.2/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.2/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.2/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.2/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.2/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.2/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.2/css/all.css><script src=/v1.2/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.2";const docTitle="Shared control plane (single-network)";const iconFile="\/v1.2/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.2/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.2/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.2</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#hamburger"/></svg></div><div id=header-links><span title="Learn how to deploy, use, and operate Istio.">Docs</span>
|
|
<a title="Posts about using Istio." href=/v1.2/blog/2019/announcing-1.2.5/>Blog</a>
|
|
<a title="Frequently Asked Questions about Istio." href=/v1.2/faq/>FAQ</a>
|
|
<a title="Get a bit more in-depth info about the Istio project." href=/v1.2/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
|
|
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
|
|
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/docs\/setup\/kubernetes\/install\/multicluster\/shared-vpn\/');return false;">Current Release</a>
|
|
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/docs\/setup\/kubernetes\/install\/multicluster\/shared-vpn\/');return false;">Next Release</a>
|
|
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
|
|
<input type=hidden name=ie value=utf-8>
|
|
<input type=hidden name=hl value=en>
|
|
<input type=hidden id=search-page-url value=/v1.2/search.html>
|
|
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
|
|
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card24 title="Learn about the different parts of the Istio system and the abstractions it uses." aria-controls=card24-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#concepts"/></svg>Concepts</button><div class=body aria-labelledby=card24 role=region id=card24-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card24><li role=none><a role=treeitem title="Introduces Istio, the problems it solves, its high-level architecture and design goals." href=/v1.2/docs/concepts/what-is-istio/>What is Istio?</a></li><li role=none><a role=treeitem title="Describes the various Istio features focused on traffic routing and control." href=/v1.2/docs/concepts/traffic-management/>Traffic Management</a></li><li role=none><a role=treeitem title="Describes Istio's authorization and authentication functionality." href=/v1.2/docs/concepts/security/>Policies and Security</a></li><li role=none><a role=treeitem title="Describes the telemetry and monitoring features provided by Istio." href=/v1.2/docs/concepts/observability/>Observability</a></li><li role=none><a role=treeitem title="Introduces performance and scalability for Istio." href=/v1.2/docs/concepts/performance-and-scalability/>Performance and Scalability</a></li><li role=none><a role=treeitem title="Describes how a service mesh can be configured to include services from more than one cluster." href=/v1.2/docs/concepts/multicluster-deployments/>Multicluster Deployments</a></li></ul></div></div><div class=card><button class="header dynamic" id=card46 title="How to deploy and upgrade Istio in various environments such as Kubernetes and Consul." aria-controls=card46-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#setup"/></svg>Setup</button><div class="body default" aria-labelledby=card46 role=region id=card46-body><ul role=tree aria-expanded=true aria-labelledby=card46><li role=treeitem aria-label=Kubernetes><button class=show aria-hidden=true></button><a title="Instructions for installing the Istio control plane on Kubernetes and adding virtual machines into the mesh." href=/v1.2/docs/setup/kubernetes/>Kubernetes</a><ul role=group aria-expanded=true><li role=none><a role=treeitem title="Download, install, and try out Istio." href=/v1.2/docs/setup/kubernetes/getting-started/>Getting Started</a></li><li role=treeitem aria-label="Platform Setup"><button aria-hidden=true></button><a title="How to prepare various Kubernetes platforms before installing Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/>Platform Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to setup an Alibaba Cloud Kubernetes cluster for Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup an Azure cluster for Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="Instructions to setup Docker Desktop for use with Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/docker/>Docker Desktop</a></li><li role=none><a role=treeitem title="Instructions to setup a Google Kubernetes Engine cluster for Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to setup an IBM Cloud cluster for Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/ibm/>IBM Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup a Gardener cluster for Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/gardener/>Kubernetes Gardener</a></li><li role=none><a role=treeitem title="Instructions to setup minikube for use with Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="Instructions to setup an OpenShift cluster for Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="Instructions to setup an OKE cluster for Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/oci/>Oracle Cloud Infrastructure</a></li></ul></li><li role=treeitem aria-label=Install><button class=show aria-hidden=true></button><a title="Choose the guide that best suits your needs and platform." href=/v1.2/docs/setup/kubernetes/install/>Install</a><ul role=group aria-expanded=true><li role=none><a role=treeitem title="Instructions to install Istio in a Kubernetes cluster for evaluation." href=/v1.2/docs/setup/kubernetes/install/kubernetes/>Quick Start Evaluation Install</a></li><li role=none><a role=treeitem title="Install and configure Istio for in-depth evaluation or production use." href=/v1.2/docs/setup/kubernetes/install/helm/>Customizable Install with Helm</a></li><li role=treeitem aria-label="Multicluster Installation"><button class=show aria-hidden=true></button><a title="Configure an Istio mesh spanning multiple Kubernetes clusters." href=/v1.2/docs/setup/kubernetes/install/multicluster/>Multicluster Installation</a><ul role=group aria-expanded=true class=leaf-section><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters with individually deployed control planes." href=/v1.2/docs/setup/kubernetes/install/multicluster/gateways/>Multiple control planes</a></li><li role=none><span role=treeitem class=current title="Install an Istio mesh across multiple Kubernetes clusters with a shared control plane and VPN connectivity between clusters.">Shared control plane (single-network)</span></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters using a shared control plane for diconnected cluster networks." href=/v1.2/docs/setup/kubernetes/install/multicluster/shared-gateways/>Shared control plane (multi-network)</a></li></ul></li><li role=treeitem aria-label="Platform-specific Instructions"><button aria-hidden=true></button><a title="Additional installation instructions for supported Kubernetes platforms." href=/v1.2/docs/setup/kubernetes/install/platform/>Platform-specific Instructions</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to install Istio using the Alibaba Cloud Kubernetes Container Service." href=/v1.2/docs/setup/kubernetes/install/platform/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to install Istio using the Google Kubernetes Engine (GKE)." href=/v1.2/docs/setup/kubernetes/install/platform/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to install Istio using IBM Cloud Public or IBM Cloud Private." href=/v1.2/docs/setup/kubernetes/install/platform/ibm/>IBM Cloud</a></li></ul></li></ul></li><li role=treeitem aria-label=Upgrade><button aria-hidden=true></button><a title="Information on upgrading Istio." href=/v1.2/docs/setup/kubernetes/upgrade/>Upgrade</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Important changes operators must understand before upgrading to Istio 1.2." href=/v1.2/docs/setup/kubernetes/upgrade/notice/>1.2 Upgrade Notice</a></li><li role=none><a role=treeitem title="Upgrade the Istio control plane and data plane independently." href=/v1.2/docs/setup/kubernetes/upgrade/steps/>Upgrade Steps</a></li></ul></li><li role=treeitem aria-label="More Guides"><button aria-hidden=true></button><a title="More information on additional setup tasks." href=/v1.2/docs/setup/kubernetes/additional-setup/>More Guides</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Prepare your Kubernetes pods and services to run in an Istio-enabled cluster." href=/v1.2/docs/setup/kubernetes/additional-setup/requirements/>Pods and Services</a></li><li role=none><a role=treeitem title="Describes the built-in Istio installation configuration profiles." href=/v1.2/docs/setup/kubernetes/additional-setup/config-profiles/>Installation Configuration Profiles</a></li><li role=none><a role=treeitem title="Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href=/v1.2/docs/setup/kubernetes/additional-setup/sidecar-injection/>Installing the Sidecar</a></li><li role=none><a role=treeitem title="Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege." href=/v1.2/docs/setup/kubernetes/additional-setup/cni/>Install Istio with the Istio CNI plugin</a></li><li role=none><a role=treeitem title="Integrate VMs and bare metal hosts into an Istio mesh deployed on Kubernetes." href=/v1.2/docs/setup/kubernetes/additional-setup/mesh-expansion/>Mesh Expansion</a></li></ul></li></ul></li><li role=treeitem aria-label="Nomad & Consul"><button aria-hidden=true></button><a title="Instructions for installing the Istio control plane in a Consul based environment, with or without Nomad." href=/v1.2/docs/setup/consul/>Nomad & Consul</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Quick Start instructions to setup the Istio service mesh with Docker Compose." href=/v1.2/docs/setup/consul/quick-start/>Quick Start on Docker</a></li><li role=none><a role=treeitem title="Instructions for installing the Istio control plane in a Consul-based environment, with or without Nomad." href=/v1.2/docs/setup/consul/install/>Installation</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card69 title="How to do single specific targeted activities with the Istio system." aria-controls=card69-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#tasks"/></svg>Tasks</button><div class=body aria-labelledby=card69 role=region id=card69-body><ul role=tree aria-expanded=true aria-labelledby=card69><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Tasks that demonstrate Istio's traffic routing features." href=/v1.2/docs/tasks/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="This task shows you how to configure dynamic request routing to multiple versions of a microservice." href=/v1.2/docs/tasks/traffic-management/request-routing/>Request Routing</a></li><li role=none><a role=treeitem title="This task shows you how to inject faults to test the resiliency of your application." href=/v1.2/docs/tasks/traffic-management/fault-injection/>Fault Injection</a></li><li role=none><a role=treeitem title="Shows you how to migrate traffic from an old to new version of a service." href=/v1.2/docs/tasks/traffic-management/traffic-shifting/>Traffic Shifting</a></li><li role=none><a role=treeitem title="Shows you how to migrate TCP traffic from an old to new version of a TCP service." href=/v1.2/docs/tasks/traffic-management/tcp-traffic-shifting/>TCP Traffic Shifting</a></li><li role=none><a role=treeitem title="This task shows you how to setup request timeouts in Envoy using Istio." href=/v1.2/docs/tasks/traffic-management/request-timeouts/>Request Timeouts</a></li><li role=none><a role=treeitem title="This task shows you how to configure circuit breaking for connections, requests, and outlier detection." href=/v1.2/docs/tasks/traffic-management/circuit-breaking/>Circuit Breaking</a></li><li role=none><a role=treeitem title="This task demonstrates the traffic mirroring/shadowing capabilities of Istio." href=/v1.2/docs/tasks/traffic-management/mirroring/>Mirroring</a></li><li role=treeitem aria-label=Ingress><button aria-hidden=true></button><a title="Controlling ingress traffic for an Istio service mesh." href=/v1.2/docs/tasks/traffic-management/ingress/>Ingress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure an Istio gateway to expose a service outside of the service mesh." href=/v1.2/docs/tasks/traffic-management/ingress/ingress-control/>Ingress Gateways</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS using file-mounted certificates." href=/v1.2/docs/tasks/traffic-management/ingress/secure-ingress-mount/>Secure Gateways (File Mount)</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS using the secret discovery service (SDS)." href=/v1.2/docs/tasks/traffic-management/ingress/secure-ingress-sds/>Secure Gateways (SDS)</a></li><li role=none><a role=treeitem title="Describes how to configure SNI passthrough for an ingress gateway." href=/v1.2/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/>Ingress Gateway without TLS Termination</a></li><li role=none><a role=treeitem title="Demonstrates how to obtain Let's Encrypt TLS certificates for Kubernetes Ingress automatically using Cert-Manager." href=/v1.2/docs/tasks/traffic-management/ingress/ingress-certmgr/>Kubernetes Ingress with Cert-Manager</a></li></ul></li><li role=treeitem aria-label=Egress><button aria-hidden=true></button><a title="Controlling egress traffic for an Istio service mesh." href=/v1.2/docs/tasks/traffic-management/egress/>Egress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure Istio to route traffic from services in the mesh to external services." href=/v1.2/docs/tasks/traffic-management/egress/egress-control/>Accessing External Services</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to perform TLS origination for traffic to external services." href=/v1.2/docs/tasks/traffic-management/egress/egress-tls-origination/>Egress TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway." href=/v1.2/docs/tasks/traffic-management/egress/egress-gateway/>Egress Gateways</a></li><li role=none><a role=treeitem title="Describes how to configure an Egress Gateway to perform TLS origination to external services." href=/v1.2/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress Gateways with TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to enable egress traffic for a set of hosts in a common domain, instead of configuring each and every host separately." href=/v1.2/docs/tasks/traffic-management/egress/wildcard-egress-hosts/>Egress using Wildcard Hosts</a></li><li role=none><a role=treeitem title="Describes how to configure SNI monitoring and apply policies on TLS egress traffic." href=/v1.2/docs/tasks/traffic-management/egress/egress_sni_monitoring_and_policies/>Monitoring and Policies for TLS Egress</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to let applications use an external HTTPS proxy." href=/v1.2/docs/tasks/traffic-management/egress/http-proxy/>Using an External HTTPS Proxy</a></li></ul></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Demonstrates how to secure the mesh." href=/v1.2/docs/tasks/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication." href=/v1.2/docs/tasks/security/authn-policy/>Authentication Policy</a></li><li role=none><a role=treeitem title="Shows how to set up role-based access control for HTTP services." href=/v1.2/docs/tasks/security/authz-http/>Authorization for HTTP Services</a></li><li role=none><a role=treeitem title="Shows how to set up role-based access control for TCP services." href=/v1.2/docs/tasks/security/authz-tcp/>Authorization for TCP Services</a></li><li role=none><a role=treeitem title="Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio." href=/v1.2/docs/tasks/security/rbac-groups/>Authorization for groups and list claims</a></li><li role=none><a role=treeitem title="Shows how to use Authorization permissive mode." href=/v1.2/docs/tasks/security/authz-permissive/>Authorization permissive mode</a></li><li role=none><a role=treeitem title="This task shows you how to integrate a Vault Certificate Authority with Istio for mutual TLS." href=/v1.2/docs/tasks/security/vault-ca/>Istio Vault CA Integration</a></li><li role=none><a role=treeitem title="Shows you how to verify and test Istio's automatic mutual TLS authentication." href=/v1.2/docs/tasks/security/mutual-tls/>Mutual TLS Deep-Dive</a></li><li role=none><a role=treeitem title="Shows how operators can configure Citadel with existing root certificate, signing certificate and key." href=/v1.2/docs/tasks/security/plugin-ca-cert/>Plugging in External CA Key and Certificate</a></li><li role=none><a role=treeitem title="Shows how to enable Citadel health checking with Kubernetes." href=/v1.2/docs/tasks/security/health-check/>Citadel Health Checking</a></li><li role=none><a role=treeitem title="Shows how to enable SDS (secret discovery service) for Istio identity provisioning." href=/v1.2/docs/tasks/security/auth-sds/>Provisioning Identity through SDS</a></li><li role=none><a role=treeitem title="Shows you how to incrementally migrate your Istio services to mutual TLS." href=/v1.2/docs/tasks/security/mtls-migration/>Mutual TLS Migration</a></li><li role=none><a role=treeitem title="Shows how to enable mutual TLS on HTTPS services." href=/v1.2/docs/tasks/security/https-overlay/>Mutual TLS over HTTPS</a></li></ul></li><li role=treeitem aria-label=Policies><button aria-hidden=true></button><a title="Demonstrates policy enforcement features." href=/v1.2/docs/tasks/policy-enforcement/>Policies</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to enable Istio policy enforcement." href=/v1.2/docs/tasks/policy-enforcement/enabling-policy/>Enabling Policy Enforcement</a></li><li role=none><a role=treeitem title="This task shows you how to use Istio to dynamically limit the traffic to a service." href=/v1.2/docs/tasks/policy-enforcement/rate-limiting/>Enabling Rate Limits</a></li><li role=none><a role=treeitem title="Shows how to modify request headers and routing using policy adapters." href=/v1.2/docs/tasks/policy-enforcement/control-headers/>Control Headers and Routing</a></li><li role=none><a role=treeitem title="Shows how to control access to a service using simple denials or white/black listing." href=/v1.2/docs/tasks/policy-enforcement/denial-and-list/>Denials and White/Black Listing</a></li></ul></li><li role=treeitem aria-label=Telemetry><button aria-hidden=true></button><a title="Demonstrates how to collect telemetry information from the mesh." href=/v1.2/docs/tasks/telemetry/>Telemetry</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Metrics><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh metrics." href=/v1.2/docs/tasks/telemetry/metrics/>Metrics</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize metrics." href=/v1.2/docs/tasks/telemetry/metrics/collecting-metrics/>Collecting Metrics</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect metrics for TCP services." href=/v1.2/docs/tasks/telemetry/metrics/tcp-metrics/>Collecting Metrics for TCP services</a></li><li role=none><a role=treeitem title="This task shows you how to query for Istio Metrics using Prometheus." href=/v1.2/docs/tasks/telemetry/metrics/querying-metrics/>Querying Metrics from Prometheus</a></li><li role=none><a role=treeitem title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href=/v1.2/docs/tasks/telemetry/metrics/using-istio-dashboard/>Visualizing Metrics with Grafana</a></li></ul></li><li role=treeitem aria-label=Logs><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh logs." href=/v1.2/docs/tasks/telemetry/logs/>Logs</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize logs." href=/v1.2/docs/tasks/telemetry/logs/collecting-logs/>Collecting Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Envoy proxies to print access log to their standard output." href=/v1.2/docs/tasks/telemetry/logs/access-log/>Getting Envoy's Access Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to log to a Fluentd daemon." href=/v1.2/docs/tasks/telemetry/logs/fluentd/>Logging with Fluentd</a></li></ul></li><li role=treeitem aria-label="Distributed Tracing"><button aria-hidden=true></button><a title="This task shows you how to configure Istio-enabled applications to collect trace spans." href=/v1.2/docs/tasks/telemetry/distributed-tracing/>Distributed Tracing</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Overview of distributed tracing in Istio." href=/v1.2/docs/tasks/telemetry/distributed-tracing/overview/>Overview</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Jaeger." href=/v1.2/docs/tasks/telemetry/distributed-tracing/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Zipkin." href=/v1.2/docs/tasks/telemetry/distributed-tracing/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="How to configure the proxies to send tracing requests to LightStep." href=/v1.2/docs/tasks/telemetry/distributed-tracing/lightstep/>LightStep</a></li></ul></li><li role=none><a role=treeitem title="This task shows you how to visualize your services within an Istio mesh." href=/v1.2/docs/tasks/telemetry/kiali/>Visualizing Your Mesh</a></li><li role=none><a role=treeitem title="This task shows you how to configure external access to the set of Istio telemetry addons." href=/v1.2/docs/tasks/telemetry/gateways/>Remotely Accessing Telemetry Addons</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card83 title="A variety of fully working example uses for Istio that you can experiment with." aria-controls=card83-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#examples"/></svg>Examples</button><div class=body aria-labelledby=card83 role=region id=card83-body><ul role=tree aria-expanded=true aria-labelledby=card83><li role=none><a role=treeitem title="Deploys a sample application composed of four separate microservices used to demonstrate various Istio features." href=/v1.2/docs/examples/bookinfo/>Bookinfo Application</a></li><li role=none><a role=treeitem title="Explains how to manually integrate Google Cloud Endpoints services with Istio." href=/v1.2/docs/examples/endpoints/>Install Istio for Google Cloud Endpoints Services</a></li><li role=none><a role=treeitem title="Illustrates how to use Istio to control a Kubernetes cluster and raw VMs as a single mesh." href=/v1.2/docs/examples/integrating-vms/>Integrating Virtual Machines</a></li><li role=treeitem aria-label="Multicluster Service Mesh"><button aria-hidden=true></button><a title="Multicluster service mesh examples for Istio that you can experiment with." href=/v1.2/docs/examples/multicluster/>Multicluster Service Mesh</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Set up a multicluster mesh over two GKE clusters." href=/v1.2/docs/examples/multicluster/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Example multicluster mesh over two IBM Cloud Private clusters." href=/v1.2/docs/examples/multicluster/icp/>IBM Cloud Private</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card100 title="Hints, tips, tricks about running an Istio mesh." aria-controls=card100-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#guide"/></svg>Operations</button><div class=body aria-labelledby=card100 role=region id=card100-body><ul role=tree aria-expanded=true aria-labelledby=card100><li role=none><a role=treeitem title="Describes how to use component-level logging to get insights into a running component's behavior." href=/v1.2/docs/ops/component-logging/>Component Logging</a></li><li role=none><a role=treeitem title="Describes how to use ControlZ to get insight into individual running components." href=/v1.2/docs/ops/controlz/>Component Introspection</a></li><li role=none><a role=treeitem title="How to do low-level debugging of Istio components." href=/v1.2/docs/ops/component-debugging/>Component Debugging</a></li><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Helps you manage the networking aspects of a running mesh." href=/v1.2/docs/ops/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="An introduction to Istio networking operational aspects." href=/v1.2/docs/ops/traffic-management/introduction/>Introduction to Network Operations</a></li><li role=none><a role=treeitem title="Provides specific deployment and configuration guidelines." href=/v1.2/docs/ops/traffic-management/deploy-guidelines/>Deployment and Configuration Guidelines</a></li><li role=none><a role=treeitem title="Describes common networking issues and how to recognize and avoid them." href=/v1.2/docs/ops/traffic-management/troubleshooting/>Troubleshooting Networking Issues</a></li><li role=none><a role=treeitem title="Describes tools and techniques to diagnose Envoy configuration issues related to traffic management." href=/v1.2/docs/ops/traffic-management/proxy-cmd/>Debugging Envoy and Pilot</a></li><li role=none><a role=treeitem title="Information on how to enable and understand Locality Load Balancing." href=/v1.2/docs/ops/traffic-management/locality-load-balancing/>Locality Load Balancing</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Helps you manage the security aspects of a running mesh." href=/v1.2/docs/ops/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Demonstrates how to debug authorization." href=/v1.2/docs/ops/security/debugging-authorization/>Debugging Authorization</a></li><li role=none><a role=treeitem title="What to do if Citadel is not behaving properly." href=/v1.2/docs/ops/security/repairing-citadel/>Repairing Citadel</a></li><li role=none><a role=treeitem title="What to do if you suspect problems with Istio keys and certificates." href=/v1.2/docs/ops/security/keys-and-certs/>Keys and Certificates</a></li><li role=none><a role=treeitem title="What to do if mutual TLS authentication isn't working." href=/v1.2/docs/ops/security/mutual-tls/>Mutual TLS</a></li><li role=none><a role=treeitem title="Authorization is enabled, but requests make it through anyway." href=/v1.2/docs/ops/security/authorization-permissive/>Authorization Too Permissive</a></li><li role=none><a role=treeitem title="Authorization is enabled and no requests make it through to the service." href=/v1.2/docs/ops/security/authorization-restrictive/>Authorization Too Restrictive</a></li><li role=none><a role=treeitem title="What to do if end-user authentication doesn't work." href=/v1.2/docs/ops/security/end-user-auth/>End User Authentication</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of the Istio self-signed root certificate." href=/v1.2/docs/ops/security/root-transition/>Extending Self-Signed Certificate Lifetime</a></li></ul></li><li role=treeitem aria-label=Telemetry><button aria-hidden=true></button><a title="Helps you manage telemetry collection and visualization in a running mesh." href=/v1.2/docs/ops/telemetry/>Telemetry</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Diagnose problems where metrics are not being collected." href=/v1.2/docs/ops/telemetry/missing-metrics/>Missing Metrics</a></li><li role=none><a role=treeitem title="Dealing with Grafana issues." href=/v1.2/docs/ops/telemetry/grafana/>Grafana</a></li><li role=none><a role=treeitem title="Fine-grained control of Envoy statistics." href=/v1.2/docs/ops/telemetry/envoy-stats/>Envoy Statistics</a></li></ul></li><li role=treeitem aria-label="Installation and Setup"><button aria-hidden=true></button><a title="Helps you diagnose and repair Istio installations." href=/v1.2/docs/ops/setup/>Installation and Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise." href=/v1.2/docs/ops/setup/webhook/>Dynamic Admission Webhooks Overview</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for server-side configuration validation." href=/v1.2/docs/ops/setup/validation/>Configuration Validation Webhook</a></li><li role=none><a role=treeitem title="Istio includes a supplemental tool that provides debugging and diagnosis for Istio service mesh deployments." href=/v1.2/docs/ops/setup/istioctl/>Using the istioctl command-line tool</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.2/docs/ops/setup/injection/>Sidecar Injection Webhook</a></li><li role=none><a role=treeitem title="Describes how to check which capabilities are allowed for your pods." href=/v1.2/docs/ops/setup/required-pod-capabilities/>Required Pod Capabilities</a></li><li role=none><a role=treeitem title="Shows how to do health checking for Istio services." href=/v1.2/docs/ops/setup/app-health-check/>Health Checking of Istio Services</a></li></ul></li><li role=none><a role=treeitem title="Advice on tackling common problems with Istio." href=/v1.2/docs/ops/misc/>Miscellaneous</a></li></ul></div></div><div class=card><button class="header dynamic" id=card130 title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters." aria-controls=card130-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#reference"/></svg>Reference</button><div class=body aria-labelledby=card130 role=region id=card130-body><ul role=tree aria-expanded=true aria-labelledby=card130><li role=treeitem aria-label=Configuration><button aria-hidden=true></button><a title="Detailed information on configuration options." href=/v1.2/docs/reference/config/>Configuration</a><ul role=group aria-expanded=false><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Describes how to configure HTTP/TCP routing features." href=/v1.2/docs/reference/config/networking/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration affecting load balancing, outlier detection, etc." href=/v1.2/docs/reference/config/networking/v1alpha3/destination-rule/>Destination Rule</a></li><li role=none><a role=treeitem title="Configuration affecting insertion of custom Envoy filters." href=/v1.2/docs/reference/config/networking/v1alpha3/envoy-filter/>Envoy Filter</a></li><li role=none><a role=treeitem title="Configuration affecting edge load balancer." href=/v1.2/docs/reference/config/networking/v1alpha3/gateway/>Gateway</a></li><li role=none><a role=treeitem title="Configuration affecting service registry." href=/v1.2/docs/reference/config/networking/v1alpha3/service-entry/>Service Entry</a></li><li role=none><a role=treeitem title="Configuration affecting network reachability of a sidecar." href=/v1.2/docs/reference/config/networking/v1alpha3/sidecar/>Sidecar</a></li><li role=none><a role=treeitem title="Configuration affecting label/content routing, sni routing, etc." href=/v1.2/docs/reference/config/networking/v1alpha3/virtual-service/>Virtual Service</a></li></ul></li><li role=treeitem aria-label=Authorization><button aria-hidden=true></button><a title="Describes how to configure Istio's authorization features." href=/v1.2/docs/reference/config/authorization/>Authorization</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes the supported constraints and properties." href=/v1.2/docs/reference/config/authorization/constraints-and-properties/>Constraints and Properties</a></li><li role=none><a role=treeitem title="Configuration for Role Based Access Control." href=/v1.2/docs/reference/config/authorization/istio.rbac.v1alpha1/>RBAC</a></li></ul></li><li role=none><a role=treeitem title="Describes the options available when installing Istio using the included Helm chart." href=/v1.2/docs/reference/config/installation-options/>Installation Options</a></li><li role=none><a role=treeitem title="Details the Helm chart installation options differences between release-1.1 and release-1.2." href=/v1.2/docs/reference/config/installation-options-changes/>Installation Options Changes</a></li><li role=treeitem aria-label="Policies and Telemetry"><button aria-hidden=true></button><a title="Describes how to configure Istio's policy and telemetry features." href=/v1.2/docs/reference/config/policy-and-telemetry/>Policies and Telemetry</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Describes the configuration model for Istio's policy enforcement and telemetry mechanisms." href=/v1.2/docs/reference/config/policy-and-telemetry/mixer-overview/>Mixer Configuration Model</a></li><li role=none><a role=treeitem title="Describes the base attribute vocabulary used for policy and control." href=/v1.2/docs/reference/config/policy-and-telemetry/attribute-vocabulary/>Attribute Vocabulary</a></li><li role=none><a role=treeitem title="Mixer configuration expression language reference." href=/v1.2/docs/reference/config/policy-and-telemetry/expression-language/>Expression Language</a></li><li role=treeitem aria-label=Adapters><button aria-hidden=true></button><a title="Mixer adapters allow Istio to interface to a variety of infrastructure backends for such things as metrics and logs." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/>Adapters</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Adapter to deliver metrics to Apache SkyWalking." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/apache-skywalking/>Apache SkyWalking</a></li><li role=none><a role=treeitem title="Adapter for Apigee's distributed policy checks and analytics." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/apigee/>Apigee</a></li><li role=none><a role=treeitem title="Adapter for circonus.com's monitoring solution." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/circonus/>Circonus</a></li><li role=none><a role=treeitem title="Adapter for cloudmonitor metrics." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/cloudmonitor/>CloudMonitor</a></li><li role=none><a role=treeitem title="Adapter for cloudwatch metrics." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/>CloudWatch</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a dogstatsd agent for delivery to DataDog." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/datadog/>Datadog</a></li><li role=none><a role=treeitem title="Adapter that always returns a precondition denial." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/denier/>Denier</a></li><li role=none><a role=treeitem title="Adapter that delivers logs to a Fluentd daemon." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/fluentd/>Fluentd</a></li><li role=none><a role=treeitem title="Adapter that extracts information from a Kubernetes environment." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/kubernetesenv/>Kubernetes Env</a></li><li role=none><a role=treeitem title="Adapter that performs whitelist or blacklist checks." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/list/>List</a></li><li role=none><a role=treeitem title="Adapter for a simple in-memory quota management system." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/memquota/>Memory quota</a></li><li role=none><a role=treeitem title="Adapter that implements an Open Policy Agent engine." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/opa/>OPA</a></li><li role=none><a role=treeitem title="Adapter that exposes Istio metrics for ingestion by a Prometheus harvester." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/prometheus/>Prometheus</a></li><li role=none><a role=treeitem title="Adapter for a Redis-based quota management system." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/redisquota/>Redis Quota</a></li><li role=none><a role=treeitem title="Adapter that sends metrics to SignalFx." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/signalfx/>SignalFx</a></li><li role=none><a role=treeitem title="Adapter to deliver logs and metrics to Papertrail and AppOptics backends." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/solarwinds/>SolarWinds</a></li><li role=none><a role=treeitem title="Adapter to deliver logs, metrics, and traces to Stackdriver." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/stackdriver/>Stackdriver</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a StatsD backend." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/statsd/>StatsD</a></li><li role=none><a role=treeitem title="Adapter to locally output logs and metrics." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/stdio/>Stdio</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to Wavefront by VMware." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/wavefront/>Wavefront by VMware</a></li><li role=none><a role=treeitem title="Adapter to deliver tracing data to Zipkin." href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/zipkin/>Zipkin</a></li></ul></li><li role=none><a role=treeitem title="Default Metrics exported from Istio through Mixer." href=/v1.2/docs/reference/config/policy-and-telemetry/metrics/>Default Metrics</a></li><li role=treeitem aria-label=Templates><button aria-hidden=true></button><a title="Mixer templates are used to send data to individual adapters." href=/v1.2/docs/reference/config/policy-and-telemetry/templates/>Templates</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="A template that represents a single API key." href=/v1.2/docs/reference/config/policy-and-telemetry/templates/apikey/>API Key</a></li><li role=none><a role=treeitem title="The Analytics template is used to dispatch runtime telemetry to Apigee." href=/v1.2/docs/reference/config/policy-and-telemetry/templates/analytics/>Analytics</a></li><li role=none><a role=treeitem title="A template used to represent an access control query." href=/v1.2/docs/reference/config/policy-and-telemetry/templates/authorization/>Authorization</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.2/docs/reference/config/policy-and-telemetry/templates/checknothing/>Check Nothing</a></li><li role=none><a role=treeitem title="A template designed to report observed communication edges between workloads." href=/v1.2/docs/reference/config/policy-and-telemetry/templates/edge/>Edge</a></li><li role=none><a role=treeitem title="A template that is used to control the production of Kubernetes-specific attributes." href=/v1.2/docs/reference/config/policy-and-telemetry/templates/kubernetes/>Kubernetes</a></li><li role=none><a role=treeitem title="A template designed to let you perform list checking operations." href=/v1.2/docs/reference/config/policy-and-telemetry/templates/listentry/>List Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime log entry." href=/v1.2/docs/reference/config/policy-and-telemetry/templates/logentry/>Log Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime metric." href=/v1.2/docs/reference/config/policy-and-telemetry/templates/metric/>Metric</a></li><li role=none><a role=treeitem title="A template that represents a quota allocation request." href=/v1.2/docs/reference/config/policy-and-telemetry/templates/quota/>Quota</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.2/docs/reference/config/policy-and-telemetry/templates/reportnothing/>Report Nothing</a></li><li role=none><a role=treeitem title="A template that represents an individual span within a distributed trace." href=/v1.2/docs/reference/config/policy-and-telemetry/templates/tracespan/>Trace Span</a></li></ul></li><li role=none><a role=treeitem title="Configuration state for the Mixer client library." href=/v1.2/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/>Mixer Client</a></li><li role=none><a role=treeitem title="Describes the rules used to configure Mixer's policy and telemetry features." href=/v1.2/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/>Rules</a></li></ul></li><li role=none><a role=treeitem title="Authentication policy for Istio services." href=/v1.2/docs/reference/config/istio.authentication.v1alpha1/>Authentication Policy</a></li><li role=none><a role=treeitem title="Configuration affecting the service mesh as a whole." href=/v1.2/docs/reference/config/istio.mesh.v1alpha1/>Service Mesh</a></li></ul></li><li role=treeitem aria-label=Commands><button aria-hidden=true></button><a title="Describes usage and options of the Istio commands and utilities." href=/v1.2/docs/reference/commands/>Commands</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Galley provides configuration management services for Istio." href=/v1.2/docs/reference/commands/galley/>galley</a></li><li role=none><a role=treeitem title="Istio Certificate Authority (CA)." href=/v1.2/docs/reference/commands/istio_ca/>istio_ca</a></li><li role=none><a role=treeitem title="Istio control interface." href=/v1.2/docs/reference/commands/istioctl/>istioctl</a></li><li role=none><a role=treeitem title="Mixer is Istio's abstraction on top of infrastructure backends." href=/v1.2/docs/reference/commands/mixs/>mixs</a></li><li role=none><a role=treeitem title="Istio security per-node agent." href=/v1.2/docs/reference/commands/node_agent/>node_agent</a></li><li role=none><a role=treeitem title="The Istio operator." href=/v1.2/docs/reference/commands/operator/>operator</a></li><li role=none><a role=treeitem title="Istio Pilot agent." href=/v1.2/docs/reference/commands/pilot-agent/>pilot-agent</a></li><li role=none><a role=treeitem title="Istio Pilot." href=/v1.2/docs/reference/commands/pilot-discovery/>pilot-discovery</a></li><li role=none><a role=treeitem title="Kubernetes webhook for automatic Istio sidecar injection." href=/v1.2/docs/reference/commands/sidecar-injector/>sidecar-injector</a></li></ul></li><li role=none><a role=treeitem title="A glossary of common Istio terms." href=/v1.2/docs/reference/glossary/>Glossary</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.2/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.2/docs/ title="Learn how to deploy, use, and operate Istio.">Docs</a></li><li><a href=/v1.2/docs/setup/ title="How to deploy and upgrade Istio in various environments such as Kubernetes and Consul.">Setup</a></li><li><a href=/v1.2/docs/setup/kubernetes/ title="Instructions for installing the Istio control plane on Kubernetes and adding virtual machines into the mesh.">Kubernetes</a></li><li><a href=/v1.2/docs/setup/kubernetes/install/ title="Choose the guide that best suits your needs and platform.">Install</a></li><li><a href=/v1.2/docs/setup/kubernetes/install/multicluster/ title="Configure an Istio mesh spanning multiple Kubernetes clusters.">Multicluster Installation</a></li><li>Shared control plane (single-network)</li></ol></nav><article aria-labelledby=title><div class=title-area><div><h1 id=title>Shared control plane (single-network)</h1><p class=byline><span title="2761 words"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#clock"/></svg><span> </span>13 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label=Prerequisites><a href=#prerequisites>Prerequisites</a><li role=none aria-label="Deploy the local control plane"><a href=#deploy-the-local-control-plane>Deploy the local control plane</a><li role=none aria-label="Install the Istio remote"><a href=#install-the-istio-remote>Install the Istio remote</a><ol><li role=none aria-label="Set environment variables"><a href=#environment-var>Set environment variables</a><li role=none aria-label="Helm chart configuration parameters"><a href=#helm-chart-configuration-parameters>Helm chart configuration parameters</a></ol></li><li role=none aria-label="Generate configuration files for remote clusters"><a href=#kubeconfig>Generate configuration files for remote clusters</a><li role=none aria-label="Instantiate the credentials"><a href=#credentials>Instantiate the credentials</a><li role=none aria-label="Uninstalling the remote cluster"><a href=#uninstalling-the-remote-cluster>Uninstalling the remote cluster</a><li role=none aria-label="Manual sidecar injection example"><a href=#manual-sidecar>Manual sidecar injection example</a><ol><li role=none aria-label="Manually inject the sidecars into the application manifests"><a href=#manually-inject-the-sidecars-into-the-application-manifests>Manually inject the sidecars into the application manifests</a></ol></li><li role=none aria-label="Access services from different clusters"><a href=#access-services-from-different-clusters>Access services from different clusters</a><li role=none aria-label="Deployment considerations"><a href=#deployment-considerations>Deployment considerations</a><ol><li role=none aria-label="Update the DNS entries"><a href=#update-the-dns-entries>Update the DNS entries</a><li role=none aria-label="Use load balance service type"><a href=#use-load-balance-service-type>Use load balance service type</a><li role=none aria-label="Expose the Istio services via a gateway"><a href=#expose-the-istio-services-via-a-gateway>Expose the Istio services via a gateway</a></ol></li><li role=none aria-label=Security><a href=#security>Security</a><ol><li role=none aria-label="Control plane security"><a href=#control-plane-security>Control plane security</a><li role=none aria-label="Mutual TLS between application pods"><a href=#mutual-tls-between-application-pods>Mutual TLS between application pods</a><li role=none aria-label="Example deployment"><a href=#example-deployment>Example deployment</a><ol><li role=none aria-label="Primary Cluster: Deploy the control plane cluster"><a href=#primary-cluster-deploy-the-control-plane-cluster>Primary Cluster: Deploy the control plane cluster</a><li role=none aria-label="Remote Cluster: Deploy Istio components"><a href=#remote-cluster-deploy-istio-components>Remote Cluster: Deploy Istio components</a></ol></li><li role=none aria-label="Primary Cluster: Instantiate credentials"><a href=#primary-cluster-instantiate-credentials>Primary Cluster: Instantiate credentials</a></ol></li><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>Follow this guide to install an Istio <a href=/v1.2/docs/concepts/multicluster-deployments/>multicluster service mesh</a>
|
|
where the Kubernetes cluster services and the applications in each cluster
|
|
have the capability to expose their internal Kubernetes network to other
|
|
clusters.</p><p>In this configuration, multiple Kubernetes control planes running
|
|
a remote configuration connect to a <strong>single</strong> Istio control plane.
|
|
Once one or more remote Kubernetes clusters are connected to the
|
|
Istio control plane, Envoy can then communicate with the <strong>single</strong>
|
|
control plane and form a mesh network across multiple clusters.</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:60.01468418364452%><a data-skipendnotes=true href=/v1.2/docs/setup/kubernetes/install/multicluster/shared-vpn/./multicluster-with-vpn.svg title="Istio mesh spanning multiple Kubernetes clusters with direct network access to remote pods over VPN"><img class=element-to-stretch src=/v1.2/docs/setup/kubernetes/install/multicluster/shared-vpn/./multicluster-with-vpn.svg alt="Istio mesh spanning multiple Kubernetes clusters with direct network access to remote pods over VPN"></a></div><figcaption>Istio mesh spanning multiple Kubernetes clusters with direct network access to remote pods over VPN</figcaption></figure><h2 id=prerequisites>Prerequisites</h2><ul><li><p>Two or more clusters running a supported Kubernetes version (1.12, 1.13, 1.14).</p></li><li><p>The ability to deploy the <a href=/v1.2/docs/setup/kubernetes/install/kubernetes/>Istio control plane</a>
|
|
on <strong>one</strong> of the clusters.</p></li><li><p>A RFC1918 network, VPN, or an alternative more advanced network technique
|
|
meeting the following requirements:</p><ul><li><p>Individual cluster Pod CIDR ranges and service CIDR ranges must be unique
|
|
across the multicluster environment and may not overlap.</p></li><li><p>All pod CIDRs in every cluster must be routable to each other.</p></li><li><p>All Kubernetes control plane API servers must be routable to each other.</p></li></ul></li><li><p>Helm <strong>2.10 or newer</strong>. The use of Tiller is optional.</p></li></ul><p>This guide describes how to install a multicluster Istio topology using the
|
|
manifests and Helm charts provided within the Istio repository.</p><h2 id=deploy-the-local-control-plane>Deploy the local control plane</h2><p>Install the <a href=/v1.2/docs/setup/kubernetes/install/kubernetes/#installation-steps>Istio control plane</a>
|
|
on <strong>one</strong> Kubernetes cluster.</p><h2 id=install-the-istio-remote>Install the Istio remote</h2><p>You must deploy the <code>istio-remote</code> component to each remote Kubernetes
|
|
cluster. You can install the component in one of two ways:</p><div id=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-1 role=tablist class=tabset><div class=tab-strip data-cookie-name=install-istio-remote><button aria-selected=true data-cookie-value=Helm+kubectl aria-controls=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-1-0-panel id=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-1-0-tab role=tab><span>Helm+kubectl</span>
|
|
</button><button tabindex=-1 data-cookie-value=Helm+Tiller aria-controls=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-1-1-panel id=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-1-1-tab role=tab><span>Helm+Tiller</span></button></div><div class=tab-content><div id=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-1-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-1-0-tab><ol><li><p>Use the following <code>helm template</code> command on the remote cluster to specify
|
|
the Istio control plane service endpoints:</p><pre><code class=language-bash data-expandlinks=true>$ helm template install/kubernetes/helm/istio --namespace istio-system \
|
|
--name istio-remote \
|
|
--values install/kubernetes/helm/istio/values-istio-remote.yaml \
|
|
--set global.remotePilotAddress=${PILOT_POD_IP} \
|
|
--set global.remotePolicyAddress=${POLICY_POD_IP} \
|
|
--set global.remoteTelemetryAddress=${TELEMETRY_POD_IP} > $HOME/istio-remote.yaml
|
|
</code></pre></li><li><p>Create an <code>istio-system</code> namespace for remote Istio with the following
|
|
command:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl create ns istio-system
|
|
</code></pre><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.2/img/icons.svg#callout-tip"/></svg></div><div class=content>All clusters must have the same namespace for the Istio
|
|
components. It is possible to override the <code>istio-system</code> name on the main
|
|
cluster as long as the namespace is the same for all Istio components in
|
|
all clusters.</div></aside></div></li><li><p>Instantiate the remote cluster’s connection to the Istio control plane with
|
|
the following command:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f $HOME/istio-remote.yaml
|
|
</code></pre></li><li><p>The following command example labels the <code>default</code> namespace. Use similar
|
|
commands to label all the remote cluster’s namespaces requiring automatic
|
|
sidecar injection.</p><pre><code class=language-bash data-expandlinks=true>$ kubectl label namespace default istio-injection=enabled
|
|
</code></pre><p>Repeat for all Kubernetes namespaces that need to setup automatic sidecar
|
|
injection.</p></li></ol></div><div hidden id=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-1-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-1-1-tab><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.2/img/icons.svg#callout-warning"/></svg></div><div class=content>The instructions for using Helm with Tiller do not use secure defaults.
|
|
See the <a href=https://helm.sh/docs/securing_installation/>Securing your Helm Installation</a>
|
|
for further steps to secure a Tiller-based installation.</div></aside></div><ol><li><p>If you haven’t installed a service account for Helm, install one with the
|
|
following command:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml
|
|
</code></pre></li><li><p>Initialize Helm with the following command:</p><pre><code class=language-bash data-expandlinks=true>$ helm init --service-account tiller
|
|
</code></pre></li><li><p>Install the Helm chart for the <code>istio-remote</code> with the following command:</p><pre><code class=language-bash data-expandlinks=true>$ helm install install/kubernetes/helm/istio \
|
|
--name istio-remote --namespace istio-system \
|
|
--values install/kubernetes/helm/istio/values-istio-remote.yaml \
|
|
--set global.remotePilotAddress=${PILOT_POD_IP} \
|
|
--set global.remotePolicyAddress=${POLICY_POD_IP} \
|
|
--set global.remoteTelemetryAddress=${TELEMETRY_POD_IP}
|
|
</code></pre></li></ol></div></div></div><h3 id=environment-var>Set environment variables</h3><p>Wait for the Istio control plane to finish initializing before following the
|
|
steps in this section.</p><p>You must run these operations on the Istio control plane cluster to capture the
|
|
Istio control plane service endpoints, for example, the Pilot and Policy Pod IP
|
|
endpoints.</p><p>If you use Helm with Tiller on each remote, you must copy the environment
|
|
variables to each node before using Helm to connect the remote
|
|
cluster to the Istio control plane.</p><p>Set the environment variables with the following commands:</p><pre><code class=language-bash data-expandlinks=true>$ export PILOT_POD_IP=$(kubectl -n istio-system get pod -l istio=pilot -o jsonpath='{.items[0].status.podIP}')
|
|
$ export POLICY_POD_IP=$(kubectl -n istio-system get pod -l istio-mixer-type=policy -o jsonpath='{.items[0].status.podIP}')
|
|
$ export TELEMETRY_POD_IP=$(kubectl -n istio-system get pod -l istio-mixer-type=telemetry -o jsonpath='{.items[0].status.podIP}')
|
|
</code></pre><p>Normally, automatic sidecar injection on the remote clusters is enabled. To
|
|
perform a manual sidecar injection refer to the <a href=#manual-sidecar>manual sidecar example</a></p><h3 id=helm-chart-configuration-parameters>Helm chart configuration parameters</h3><p>You must configure the remote cluster’s sidecars interaction with the Istio
|
|
control plane including the following endpoints in the <code>istio-remote</code> Helm
|
|
chart: <code>pilot</code>, <code>policy</code>, <code>telemetry</code> and tracing service. The chart
|
|
enables automatic sidecar injection in the remote cluster by default. You can
|
|
disable the automatic sidecar injection via a chart variable.</p><p>The following table shows the accepted <code>istio-remote</code> Helm chart’s
|
|
configuration values:</p><table><thead><tr><th>Helm Variable</th><th>Accepted Values</th><th>Default</th><th>Purpose of Value</th></tr></thead><tbody><tr><td><code>global.remotePilotAddress</code></td><td>A valid IP address or hostname</td><td>None</td><td>Specifies the Istio control plane’s pilot Pod IP address or remote cluster DNS resolvable hostname</td></tr><tr><td><code>global.remotePolicyAddress</code></td><td>A valid IP address or hostname</td><td>None</td><td>Specifies the Istio control plane’s policy Pod IP address or remote cluster DNS resolvable hostname</td></tr><tr><td><code>global.remoteTelemetryAddress</code></td><td>A valid IP address or hostname</td><td>None</td><td>Specifies the Istio control plane’s telemetry Pod IP address or remote cluster DNS resolvable hostname</td></tr><tr><td><code>sidecarInjectorWebhook.enabled</code></td><td>true, false</td><td>true</td><td>Specifies whether to enable automatic sidecar injection on the remote cluster</td></tr><tr><td><code>global.remotePilotCreateSvcEndpoint</code></td><td>true, false</td><td>false</td><td>If set, a selector-less service and endpoint for <code>istio-pilot</code> are created with the <code>remotePilotAddress</code> IP, which ensures the <code>istio-pilot.<namespace></code> is DNS resolvable in the remote cluster.</td></tr></tbody></table><h2 id=kubeconfig>Generate configuration files for remote clusters</h2><p>The Istio control plane requires access to all clusters in the mesh to
|
|
discover services, endpoints, and pod attributes. The following steps
|
|
describe how to generate a <code>kubeconfig</code> configuration file for the Istio control plane to use a remote cluster.</p><p>The <code>istio-remote</code> Helm chart creates a Kubernetes service account named
|
|
<code>istio-multi</code> in the remote cluster with the minimal required RBAC access. This
|
|
procedure generates the remote cluster’s <code>kubeconfig</code> file using
|
|
the credentials of said <code>istio-multi</code> service account.</p><p>Perform this procedure on each remote cluster to add the cluster to the service
|
|
mesh. This procedure requires the <code>cluster-admin</code> user access permission to
|
|
the remote cluster.</p><ol><li><p>Set the environment variables needed to build the <code>kubeconfig</code> file for the
|
|
<code>istio-multi</code> service account with the following commands:</p><pre><code class=language-bash data-expandlinks=true>$ export WORK_DIR=$(pwd)
|
|
$ CLUSTER_NAME=$(kubectl config view --minify=true -o jsonpath='{.clusters[].name}')
|
|
$ export KUBECFG_FILE=${WORK_DIR}/${CLUSTER_NAME}
|
|
$ SERVER=$(kubectl config view --minify=true -o jsonpath='{.clusters[].cluster.server}')
|
|
$ NAMESPACE=istio-system
|
|
$ SERVICE_ACCOUNT=istio-multi
|
|
$ SECRET_NAME=$(kubectl get sa ${SERVICE_ACCOUNT} -n ${NAMESPACE} -o jsonpath='{.secrets[].name}')
|
|
$ CA_DATA=$(kubectl get secret ${SECRET_NAME} -n ${NAMESPACE} -o jsonpath="{.data['ca\.crt']}")
|
|
$ TOKEN=$(kubectl get secret ${SECRET_NAME} -n ${NAMESPACE} -o jsonpath="{.data['token']}" | base64 --decode)
|
|
</code></pre><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.2/img/icons.svg#callout-tip"/></svg></div><div class=content>An alternative to <code>base64 --decode</code> is <code>openssl enc -d -base64 -A</code> on many systems.</div></aside></div></li><li><p>Create a <code>kubeconfig</code> file in the working directory for the
|
|
<code>istio-multi</code> service account with the following command:</p><pre><code class=language-bash data-expandlinks=true>$ cat <<EOF > ${KUBECFG_FILE}
|
|
apiVersion: v1
|
|
clusters:
|
|
- cluster:
|
|
certificate-authority-data: ${CA_DATA}
|
|
server: ${SERVER}
|
|
name: ${CLUSTER_NAME}
|
|
contexts:
|
|
- context:
|
|
cluster: ${CLUSTER_NAME}
|
|
user: ${CLUSTER_NAME}
|
|
name: ${CLUSTER_NAME}
|
|
current-context: ${CLUSTER_NAME}
|
|
kind: Config
|
|
preferences: {}
|
|
users:
|
|
- name: ${CLUSTER_NAME}
|
|
user:
|
|
token: ${TOKEN}
|
|
EOF
|
|
</code></pre></li><li><p><em>(Optional)</em> Create file with environment variables to create the remote cluster’s secret:</p><pre><code class=language-bash data-expandlinks=true>$ cat <<EOF > remote_cluster_env_vars
|
|
export CLUSTER_NAME=${CLUSTER_NAME}
|
|
export KUBECFG_FILE=${KUBECFG_FILE}
|
|
export NAMESPACE=${NAMESPACE}
|
|
EOF
|
|
</code></pre></li></ol><p>At this point, you created the remote clusters’ <code>kubeconfig</code> files in the
|
|
current directory. The filename of the <code>kubeconfig</code> file is the same as the
|
|
original cluster name.</p><h2 id=credentials>Instantiate the credentials</h2><p>Perform this procedure on the cluster running the Istio control plane. This
|
|
procedure uses the <code>WORK_DIR</code>, <code>CLUSTER_NAME</code>, and <code>NAMESPACE</code> environment
|
|
values set and the file created for the remote cluster’s secret from the
|
|
<a href=#kubeconfig>previous section</a>.</p><p>If you created the environment variables file for the remote cluster’s
|
|
secret, source the file with the following command:</p><pre><code class=language-bash data-expandlinks=true>$ source remote_cluster_env_vars
|
|
</code></pre><p>You can install Istio in a different namespace. This procedure uses the
|
|
<code>istio-system</code> namespace.</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.2/img/icons.svg#callout-warning"/></svg></div><div class=content>Do not store and label the secrets for the local cluster
|
|
running the Istio control plane. Istio is always aware of the local cluster’s
|
|
Kubernetes credentials.</div></aside></div><p>Create a secret and label it properly for each remote cluster:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl create secret generic ${CLUSTER_NAME} --from-file ${KUBECFG_FILE} -n ${NAMESPACE}
|
|
$ kubectl label secret ${CLUSTER_NAME} istio/multiCluster=true -n ${NAMESPACE}
|
|
</code></pre><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.2/img/icons.svg#callout-warning"/></svg></div><div class=content>The Kubernetes secret data keys must conform with the
|
|
<code>DNS-1123 subdomain</code> <a href=https://tools.ietf.org/html/rfc1123#page-13>format</a>. For
|
|
example, the filename can’t have underscores. Resolve any issue with the
|
|
filename simply by changing the filename to conform with the format.</div></aside></div><h2 id=uninstalling-the-remote-cluster>Uninstalling the remote cluster</h2><p>You must uninstall remote clusters using the same method you used to install
|
|
them. Use either <code>kubectl and Helm</code> or <code>Tiller and Helm</code> as appropriate.</p><div id=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-2 role=tablist class=tabset><div class=tab-strip data-cookie-name=install-istio-remote><button aria-selected=true data-cookie-value=Helm+kubectl aria-controls=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-2-0-panel id=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-2-0-tab role=tab><span>kubectl</span>
|
|
</button><button tabindex=-1 data-cookie-value=Helm+Tiller aria-controls=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-2-1-panel id=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-2-1-tab role=tab><span>Tiller</span></button></div><div class=tab-content><div id=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-2-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-2-0-tab><p>To uninstall the cluster, you must remove the configuration made with the
|
|
<code>istio-remote</code> .YAML file. To uninstall the cluster run the following command:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl delete -f $HOME/istio-remote.yaml
|
|
</code></pre></div><div hidden id=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-2-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-docs-setup-kubernetes-install-multicluster-shared-vpn-2-1-tab><p>To uninstall the cluster, you must remove the configuration made with the
|
|
<code>istio-remote</code> .YAML file. To uninstall the cluster run the following command:</p><pre><code class=language-bash data-expandlinks=true>$ helm delete --purge istio-remote
|
|
</code></pre></div></div></div><h2 id=manual-sidecar>Manual sidecar injection example</h2><p>The following example shows how to use the <code>helm template</code> command to generate
|
|
the manifest for a remote cluster with the automatic sidecar injection
|
|
disabled. Additionally, the example shows how to use the <code>configmaps</code> of the
|
|
remote cluster with the <code>istioctl kube-inject</code> command to generate any
|
|
application manifests for the remote cluster.</p><p>Perform the following procedure against the remote cluster.</p><p>Before you begin, set the endpoint IP environment variables as described in the
|
|
<a href=#environment-var>set the environment variables section</a></p><ol><li><p>Use the <code>helm template</code> command on the remote cluster to specify the Istio
|
|
control plane service endpoints:</p><pre><code class=language-bash data-expandlinks=true>$ helm template install/kubernetes/helm/istio \
|
|
--namespace istio-system --name istio-remote \
|
|
--values install/kubernetes/helm/istio/values-istio-remote.yaml \
|
|
--set global.remotePilotAddress=${PILOT_POD_IP} \
|
|
--set global.remotePolicyAddress=${POLICY_POD_IP} \
|
|
--set global.remoteTelemetryAddress=${TELEMETRY_POD_IP} \
|
|
--set sidecarInjectorWebhook.enabled=false > $HOME/istio-remote_noautoinj.yaml
|
|
</code></pre></li><li><p>Create the <code>istio-system</code> namespace for remote Istio:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl create ns istio-system
|
|
</code></pre></li><li><p>Instantiate the remote cluster’s connection to the Istio control plane:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f $HOME/istio-remote_noautoinj.yaml
|
|
</code></pre></li><li><p><a href=#kubeconfig>Generate</a> the <code>kubeconfig</code> configuration file for each remote
|
|
cluster.</p></li><li><p><a href=#credentials>Instantiate the credentials</a> for each remote cluster.</p></li></ol><h3 id=manually-inject-the-sidecars-into-the-application-manifests>Manually inject the sidecars into the application manifests</h3><p>The following example <code>istioctl</code> command injects the sidecars into the
|
|
application manifests. Run the following commands in a shell with the
|
|
<code>kubeconfig</code> context set up for the remote cluster.</p><pre><code class=language-bash data-expandlinks=true>$ ORIGINAL_SVC_MANIFEST=mysvc-v1.yaml
|
|
$ istioctl kube-inject --injectConfigMapName istio-sidecar-injector --meshConfigMapName istio -f ${ORIGINAL_SVC_MANIFEST} | kubectl apply -f -
|
|
</code></pre><h2 id=access-services-from-different-clusters>Access services from different clusters</h2><p>Kubernetes resolves DNS on a cluster basis. Because the DNS resolution is tied
|
|
to the cluster, you must define the service object in every cluster where a
|
|
client runs, regardless of the location of the service’s endpoints. To ensure
|
|
this is the case, duplicate the service object to every cluster using
|
|
<code>kubectl</code>. Duplication ensures Kubernetes can resolve the service name in any
|
|
cluster. Since the service objects are defined in a namespace, you must define
|
|
the namespace if it doesn’t exist, and include it in the service definitions in
|
|
all clusters.</p><h2 id=deployment-considerations>Deployment considerations</h2><p>The previous procedures provide a simple and step-by-step guide to deploy a
|
|
multicluster environment. A production environment might require additional
|
|
steps or more complex deployment options. The procedures gather the endpoint
|
|
IPs of the Istio services and use them to invoke Helm. This process creates
|
|
Istio services on the remote clusters. As part of creating those services and
|
|
endpoints in the remote cluster, Kubernetes adds DNS entries to the <code>kube-dns</code>
|
|
configuration object.</p><p>This allows the <code>kube-dns</code> configuration object in the remote clusters to
|
|
resolve the Istio service names for all Envoy sidecars in those remote
|
|
clusters. Since Kubernetes pods don’t have stable IPs, restart of any Istio
|
|
service pod in the control plane cluster causes its endpoint to change.
|
|
Therefore, any connection made from remote clusters to that endpoint are
|
|
broken. This behavior is documented in <a href=https://github.com/istio/istio/issues/4822>Istio issue #4822</a></p><p>To either avoid or resolve this scenario several options are available. This
|
|
section provides a high level overview of these options:</p><ul><li>Update the DNS entries</li><li>Use a load balancer service type</li><li>Expose the Istio services via a gateway</li></ul><h3 id=update-the-dns-entries>Update the DNS entries</h3><p>Upon any failure or restart of the local Istio control plane, <code>kube-dns</code> on the remote clusters must be
|
|
updated with the correct endpoint mappings for the Istio services. There
|
|
are a number of ways this can be done. The most obvious is to rerun the Helm
|
|
install in the remote cluster after the Istio services on the control plane
|
|
cluster have restarted.</p><h3 id=use-load-balance-service-type>Use load balance service type</h3><p>In Kubernetes, you can declare a service with a service type of <code>LoadBalancer</code>.
|
|
See the Kubernetes documentation on <a href=https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types>service types</a>
|
|
for more information.</p><p>A simple solution to the pod restart issue is to use load balancers for the
|
|
Istio services. Then, you can use the load balancers’ IPs as the Istio
|
|
services’ endpoint IPs to configure the remote clusters. You may need load
|
|
balancer IPs for these Istio services:</p><ul><li><code>istio-pilot</code></li><li><code>istio-telemetry</code></li><li><code>istio-policy</code></li></ul><p>Currently, the Istio installation doesn’t provide an option to specify service
|
|
types for the Istio services. You can manually specify the service types in the
|
|
Istio Helm charts or the Istio manifests.</p><h3 id=expose-the-istio-services-via-a-gateway>Expose the Istio services via a gateway</h3><p>This method uses the Istio ingress gateway functionality. The remote clusters
|
|
have the <code>istio-pilot</code>, <code>istio-telemetry</code> and <code>istio-policy</code> services
|
|
pointing to the load balanced IP of the Istio ingress gateway. Then, all the
|
|
services point to the same IP.
|
|
You must then create the destination rules to reach the proper Istio service in
|
|
the main cluster in the ingress gateway.</p><p>This method provides two alternatives:</p><ul><li><p>Re-use the default Istio ingress gateway installed with the provided
|
|
manifests or Helm charts. You only need to add the correct destination rules.</p></li><li><p>Create another Istio ingress gateway specifically for the multicluster.</p></li></ul><h2 id=security>Security</h2><p>Istio supports deployment of mutual TLS between the control plane components as
|
|
well as between sidecar injected application pods.</p><h3 id=control-plane-security>Control plane security</h3><p>To enable control plane security follow these general steps:</p><ol><li><p>Deploy the Istio control plane cluster with:</p><ul><li><p>The control plane security enabled.</p></li><li><p>The <code>citadel</code> certificate self signing disabled.</p></li><li><p>A secret named <code>cacerts</code> in the Istio control plane namespace with the
|
|
<a href=/v1.2/docs/tasks/security/plugin-ca-cert/#plugging-in-the-existing-certificate-and-key>Certificate Authority (CA) certificates</a>.</p></li></ul></li><li><p>Deploy the Istio remote clusters with:</p><ul><li><p>The control plane security enabled.</p></li><li><p>The <code>citadel</code> certificate self signing disabled.</p></li><li><p>A secret named <code>cacerts</code> in the Istio control plane namespace with the
|
|
<a href=/v1.2/docs/tasks/security/plugin-ca-cert/#plugging-in-the-existing-certificate-and-key>CA certificates</a>.
|
|
The Certificate Authority (CA) of the main cluster or a root CA must sign
|
|
the CA certificate for the remote clusters too.</p></li><li><p>The Istio pilot service hostname must be resolvable via DNS. DNS
|
|
resolution is required because Istio configures the sidecar to verify the
|
|
certificate subject names using the <code>istio-pilot.<namespace></code> subject
|
|
name format.</p></li><li><p>Set control plane IPs or resolvable host names.</p></li></ul></li></ol><h3 id=mutual-tls-between-application-pods>Mutual TLS between application pods</h3><p>To enable mutual TLS for all application pods, follow these general steps:</p><ol><li><p>Deploy the Istio control plane cluster with:</p><ul><li><p>Mutual TLS globally enabled.</p></li><li><p>The Citadel certificate self-signing disabled.</p></li><li><p>A secret named <code>cacerts</code> in the Istio control plane namespace with the
|
|
<a href=/v1.2/docs/tasks/security/plugin-ca-cert/#plugging-in-the-existing-certificate-and-key>CA certificates</a></p></li></ul></li><li><p>Deploy the Istio remote clusters with:</p><ul><li><p>Mutual TLS globally enabled.</p></li><li><p>The Citadel certificate self-signing disabled.</p></li><li><p>A secret named <code>cacerts</code> in the Istio control plane namespace with the
|
|
<a href=/v1.2/docs/tasks/security/plugin-ca-cert/#plugging-in-the-existing-certificate-and-key>CA certificates</a>
|
|
The CA of the main cluster or a root CA must sign the CA certificate for
|
|
the remote clusters too.</p></li></ul></li></ol><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.2/img/icons.svg#callout-tip"/></svg></div><div class=content>The CA certificate steps are identical for both control plane security and
|
|
application pod security steps.</div></aside></div><h3 id=example-deployment>Example deployment</h3><p>This example procedure installs Istio with both the control plane mutual TLS
|
|
and the application pod mutual TLS enabled. The procedure sets up a remote
|
|
cluster with a selector-less service and endpoint. Istio Pilot uses the service
|
|
and endpoint to allow the remote sidecars to resolve the
|
|
<code>istio-pilot.istio-system</code> hostname via Istio’s local Kubernetes DNS.</p><h4 id=primary-cluster-deploy-the-control-plane-cluster>Primary Cluster: Deploy the control plane cluster</h4><ol><li><p>Create the <code>cacerts</code> secret using the Istio certificate samples in the
|
|
<code>istio-system</code> namespace:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl create ns istio-system
|
|
$ kubectl create secret generic cacerts -n istio-system --from-file=samples/certs/ca-cert.pem --from-file=samples/certs/ca-key.pem --from-file=samples/certs/root-cert.pem --from-file=samples/certs/cert-chain.pem
|
|
</code></pre></li><li><p>Deploy the Istio control plane with security enabled for the control plane
|
|
and the application pod:</p><pre><code class=language-bash data-expandlinks=true>$ helm template --namespace=istio-system \
|
|
--values install/kubernetes/helm/istio/values.yaml \
|
|
--set global.mtls.enabled=true \
|
|
--set security.selfSigned=false \
|
|
--set global.controlPlaneSecurityEnabled=true \
|
|
install/kubernetes/helm/istio > ${HOME}/istio-auth.yaml
|
|
$ kubectl apply -f ${HOME}/istio-auth.yaml
|
|
</code></pre></li></ol><h4 id=remote-cluster-deploy-istio-components>Remote Cluster: Deploy Istio components</h4><ol><li><p>Create the <code>cacerts</code> secret using the Istio certificate samples in the
|
|
<code>istio-system</code> namespace:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl create ns istio-system
|
|
$ kubectl create secret generic cacerts -n istio-system --from-file=samples/certs/ca-cert.pem --from-file=samples/certs/ca-key.pem --from-file=samples/certs/root-cert.pem --from-file=samples/certs/cert-chain.pem
|
|
</code></pre></li><li><p>Set the environment variables for the IP addresses of the pods as described
|
|
in the <a href=#environment-var>setting environment variables section</a>.</p></li><li><p>The following command deploys the remote cluster’s components with security
|
|
enabled for the control plane and the application pod and enables the
|
|
creation of the an Istio Pilot selector-less service and endpoint to get a
|
|
DNS entry in the remote cluster.</p><pre><code class=language-bash data-expandlinks=true>$ helm template install/kubernetes/helm/istio \
|
|
--name istio-remote \
|
|
--namespace istio-system \
|
|
--values install/kubernetes/helm/istio/values-istio-remote.yaml \
|
|
--set global.mtls.enabled=true \
|
|
--set security.selfSigned=false \
|
|
--set global.controlPlaneSecurityEnabled=true \
|
|
--set global.remotePilotCreateSvcEndpoint=true \
|
|
--set global.remotePilotAddress=${PILOT_POD_IP} \
|
|
--set global.remotePolicyAddress=${POLICY_POD_IP} \
|
|
--set global.remoteTelemetryAddress=${TELEMETRY_POD_IP} > ${HOME}/istio-remote-auth.yaml
|
|
$ kubectl apply -f ${HOME}/istio-remote-auth.yaml
|
|
</code></pre></li><li><p>To generate the <code>kubeconfig</code> configuration file for the remote cluster,
|
|
follow the steps in the <a href=#kubeconfig>Kubernetes configuration section</a></p></li></ol><h3 id=primary-cluster-instantiate-credentials>Primary Cluster: Instantiate credentials</h3><p>You must instantiate credentials for each remote cluster. Follow the
|
|
<a href=#credentials>instantiate credentials procedure</a>
|
|
to complete the deployment.</p><p><strong>Congratulations!</strong></p><p>You have configured all the Istio components in both clusters to use mutual TLS
|
|
between application sidecars, the control plane components, and other
|
|
application sidecars.</p><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/docs/setup/kubernetes/install/multicluster/gateways/>Multiple control planes</a></p><p class=desc>Install an Istio mesh across multiple Kubernetes clusters with individually deployed control planes.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/docs/examples/multicluster/gke/>Google Kubernetes Engine</a></p><p class=desc>Set up a multicluster mesh over two GKE clusters.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/docs/examples/multicluster/icp/>IBM Cloud Private</a></p><p class=desc>Example multicluster mesh over two IBM Cloud Private clusters.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/docs/setup/kubernetes/install/multicluster/shared-gateways/>Shared control plane (multi-network)</a></p><p class=desc>Install an Istio mesh across multiple Kubernetes clusters using a shared control plane for diconnected cluster networks.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/blog/2019/multicluster-version-routing/>Version Routing in a Multicluster Service Mesh</a></p><p class=desc>Configuring Istio route rules in a multicluster service mesh.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/blog/2019/data-plane-setup/>Demystifying Istio's Sidecar Injection Model</a></p><p class=desc>De-mystify how Istio manages to plugin its data-plane components into an existing deployment.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="Install an Istio mesh across multiple Kubernetes clusters with individually deployed control planes." href=/v1.2/docs/setup/kubernetes/install/multicluster/gateways/><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#left-arrow"/></svg>Multiple control planes</a></div><div class=right><a title="Install an Istio mesh across multiple Kubernetes clusters using a shared control plane for diconnected cluster networks." href=/v1.2/docs/setup/kubernetes/install/multicluster/shared-gateways/>Shared control plane (multi-network)<svg class="icon"><use xlink:href="/v1.2/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label=Prerequisites><a href=#prerequisites>Prerequisites</a><li role=none aria-label="Deploy the local control plane"><a href=#deploy-the-local-control-plane>Deploy the local control plane</a><li role=none aria-label="Install the Istio remote"><a href=#install-the-istio-remote>Install the Istio remote</a><ol><li role=none aria-label="Set environment variables"><a href=#environment-var>Set environment variables</a><li role=none aria-label="Helm chart configuration parameters"><a href=#helm-chart-configuration-parameters>Helm chart configuration parameters</a></ol></li><li role=none aria-label="Generate configuration files for remote clusters"><a href=#kubeconfig>Generate configuration files for remote clusters</a><li role=none aria-label="Instantiate the credentials"><a href=#credentials>Instantiate the credentials</a><li role=none aria-label="Uninstalling the remote cluster"><a href=#uninstalling-the-remote-cluster>Uninstalling the remote cluster</a><li role=none aria-label="Manual sidecar injection example"><a href=#manual-sidecar>Manual sidecar injection example</a><ol><li role=none aria-label="Manually inject the sidecars into the application manifests"><a href=#manually-inject-the-sidecars-into-the-application-manifests>Manually inject the sidecars into the application manifests</a></ol></li><li role=none aria-label="Access services from different clusters"><a href=#access-services-from-different-clusters>Access services from different clusters</a><li role=none aria-label="Deployment considerations"><a href=#deployment-considerations>Deployment considerations</a><ol><li role=none aria-label="Update the DNS entries"><a href=#update-the-dns-entries>Update the DNS entries</a><li role=none aria-label="Use load balance service type"><a href=#use-load-balance-service-type>Use load balance service type</a><li role=none aria-label="Expose the Istio services via a gateway"><a href=#expose-the-istio-services-via-a-gateway>Expose the Istio services via a gateway</a></ol></li><li role=none aria-label=Security><a href=#security>Security</a><ol><li role=none aria-label="Control plane security"><a href=#control-plane-security>Control plane security</a><li role=none aria-label="Mutual TLS between application pods"><a href=#mutual-tls-between-application-pods>Mutual TLS between application pods</a><li role=none aria-label="Example deployment"><a href=#example-deployment>Example deployment</a><ol><li role=none aria-label="Primary Cluster: Deploy the control plane cluster"><a href=#primary-cluster-deploy-the-control-plane-cluster>Primary Cluster: Deploy the control plane cluster</a><li role=none aria-label="Remote Cluster: Deploy Istio components"><a href=#remote-cluster-deploy-istio-components>Remote Cluster: Deploy Istio components</a></ol></li><li role=none aria-label="Primary Cluster: Instantiate credentials"><a href=#primary-cluster-instantiate-credentials>Primary Cluster: Instantiate credentials</a></ol></li><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.2.5 now" href=https://github.com/istio/istio/releases/tag/1.2.5 aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#download"/></svg>
|
|
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#discourse"/></svg></a>
|
|
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#stackoverflow"/></svg></a>
|
|
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#slack"/></svg></a>
|
|
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
|
|
1.2.5<br>© 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on September 12, 2019</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#github"/></svg></a>
|
|
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#drive"/></svg></a>
|
|
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#top"/></svg></button></div></body></html> |