istio.io/content/docs/setup/kubernetes/quick-start/index.md

title: Quick Start with Kubernetes
description: Instructions to set up the Istio service mesh in a Kubernetes cluster.
weight: 5
keywords: kubernetes

To install and configure Istio in a Kubernetes cluster, follow these instructions:

Prerequisites

  1. Download the Istio release.

  2. Kubernetes platform setup:

  3. Check the Requirements for Pods and Services.

Installation steps

  1. Install Istio's Custom Resource Definitions via kubectl apply, and wait a few seconds for the CRDs to be committed in the kube-apiserver:

    {{< text bash >}}
    $ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
    {{< /text >}}

  2. To install Istio's core components, choose one of the four mutually exclusive options described below. For a production setup of Istio, however, we recommend installing with the Helm Chart so that you can use all the configuration options and customize Istio to operator-specific requirements.

Option 1: Install Istio with mutual TLS enabled and set to use permissive mode between sidecars

Visit our mutual TLS permissive mode page for more information.

Choose this option for:

  • Clusters with existing applications,
  • Applications where services with an Istio sidecar need to be able to communicate with other non-Istio Kubernetes services,
  • Applications that use liveness and readiness probes,
  • Headless services, or
  • StatefulSets

To install Istio with mutual TLS enabled and set to use permissive mode between sidecars:

{{< text bash >}}
$ kubectl apply -f install/kubernetes/istio-demo.yaml
{{< /text >}}

In this option, all services, as servers, can accept both plain text and mutual TLS traffic. However, all services, as clients, will send plain text traffic. Visit mutual migration for how to configure the clients' behavior.

Option 2: Install Istio with default mutual TLS authentication

Use this option only on a fresh Kubernetes cluster where newly deployed workloads are guaranteed to have Istio sidecars installed.

To install Istio and enforce mutual TLS authentication between sidecars by default:

{{< text bash >}}
$ kubectl apply -f install/kubernetes/istio-demo-auth.yaml
{{< /text >}}

Option 3: Render Kubernetes manifest with Helm and deploy with kubectl

Follow our setup instructions to render the Kubernetes manifest with Helm and deploy with kubectl.

Option 4: Use Helm and Tiller to manage the Istio deployment

Follow our instructions on how to use Helm and Tiller to manage the Istio deployment.

Verifying the installation

  1. Ensure the following Kubernetes services are deployed: istio-pilot, istio-ingressgateway, istio-policy, istio-telemetry, prometheus, istio-galley, and, optionally, istio-sidecar-injector.

    {{< text bash >}}
    $ kubectl get svc -n istio-system
    NAME                       TYPE           CLUSTER-IP      EXTERNAL-IP       PORT(S)                                                               AGE
    istio-citadel              ClusterIP      10.47.247.12    <none>            8060/TCP,9093/TCP                                                     7m
    istio-egressgateway        ClusterIP      10.47.243.117   <none>            80/TCP,443/TCP                                                        7m
    istio-galley               ClusterIP      10.47.254.90    <none>            443/TCP                                                               7m
    istio-ingress              LoadBalancer   10.47.244.111   35.194.55.10      80:32000/TCP,443:30814/TCP                                            7m
    istio-ingressgateway       LoadBalancer   10.47.241.20    130.211.167.230   80:31380/TCP,443:31390/TCP,31400:31400/TCP                            7m
    istio-pilot                ClusterIP      10.47.250.56    <none>            15003/TCP,15005/TCP,15007/TCP,15010/TCP,15011/TCP,8080/TCP,9093/TCP   7m
    istio-policy               ClusterIP      10.47.245.228   <none>            9091/TCP,15004/TCP,9093/TCP                                           7m
    istio-sidecar-injector     ClusterIP      10.47.245.22    <none>            443/TCP                                                               7m
    istio-statsd-prom-bridge   ClusterIP      10.47.252.184   <none>            9102/TCP,9125/UDP                                                     7m
    istio-telemetry            ClusterIP      10.47.250.107   <none>            9091/TCP,15004/TCP,9093/TCP,42422/TCP                                 7m
    prometheus                 ClusterIP      10.47.253.148   <none>            9090/TCP                                                              7m
    {{< /text >}}

    If your cluster is running in an environment that does not support an external load balancer (e.g., minikube), the EXTERNAL-IP of istio-ingress and istio-ingressgateway will say <pending>. You will need to access it using the service NodePort, or use port-forwarding instead.

  2. Ensure the corresponding Kubernetes pods are deployed and all containers are up and running: istio-pilot-*, istio-ingressgateway-*, istio-egressgateway-*, istio-policy-*, istio-telemetry-*, istio-citadel-*, prometheus-*, istio-galley-*, and, optionally, istio-sidecar-injector-*.

    {{< text bash >}}
    $ kubectl get pods -n istio-system
    NAME                                       READY   STATUS    RESTARTS   AGE
    istio-citadel-75c88f897f-zfw8b             1/1     Running   0          1m
    istio-egressgateway-7d8479c7-khjvk         1/1     Running   0          1m
    istio-galley-6c749ff56d-k97n2              1/1     Running   0          1m
    istio-ingress-7f5898d74d-t8wrr             1/1     Running   0          1m
    istio-ingressgateway-7754ff47dc-qkrch      1/1     Running   0          1m
    istio-policy-74df458f5b-jrz9q              2/2     Running   0          1m
    istio-sidecar-injector-645c89bc64-v5n4l    1/1     Running   0          1m
    istio-statsd-prom-bridge-949999c4c-xjz25   1/1     Running   0          1m
    istio-telemetry-676f9b55b-k9nkl            2/2     Running   0          1m
    prometheus-86cb6dd77c-hwvqd                1/1     Running   0          1m
    {{< /text >}}
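The pod check in step 2 can be scripted. The following is an added example, not part of the Istio documentation: it reads the output of `kubectl get pods -n istio-system`, reports every pod that is not fully ready, and reports every required component from the list above that has no pod at all. The function names and the sample listing are constructed, and skipping `Completed` pods is an assumption about how finished one-shot jobs appear in the listing.

```bash
#!/usr/bin/env bash
# Added example, not Istio project code.
# Required components from the verification step (the sidecar injector is optional).
REQUIRED="istio-pilot istio-ingressgateway istio-egressgateway istio-policy istio-telemetry istio-citadel prometheus istio-galley"

# Reads `kubectl get pods -n istio-system` output on stdin. Prints one line per
# problem and returns 1 if any problem was found, 0 otherwise.
check_istio_pods() {
  awk -v required="$REQUIRED" '
    $1 == "NAME" || NF < 3 { next }          # header and blank lines
    $3 == "Completed"      { next }          # assumption: finished one-shot Job pods are fine
    {
      seen[$1] = 1
      split($2, ready, "/")                  # READY column is "ready/total"
      if ($3 != "Running" || ready[1] != ready[2]) {
        printf "NOT READY: %s (%s, %s)\n", $1, $2, $3
        bad = 1
      }
    }
    END {
      n = split(required, want, " ")
      for (i = 1; i <= n; i++) {
        found = 0
        for (pod in seen) if (index(pod, want[i] "-") == 1) found = 1
        if (!found) { printf "MISSING: %s\n", want[i]; bad = 1 }
      }
      exit (bad ? 1 : 0)
    }'
}

# Constructed sample: istio-policy has a crashing container, istio-galley has no pod.
sample_pods() {
  cat <<'EOF'
NAME                                    READY   STATUS             RESTARTS   AGE
istio-citadel-1111111111-aaaaa          1/1     Running            0          1m
istio-cleanup-secrets-bbbbb             0/1     Completed          0          1m
istio-egressgateway-2222222222-ccccc    1/1     Running            0          1m
istio-ingressgateway-3333333333-ddddd   1/1     Running            0          1m
istio-pilot-4444444444-eeeee            2/2     Running            0          1m
istio-policy-5555555555-fffff           1/2     CrashLoopBackOff   3          1m
istio-telemetry-6666666666-ggggg        2/2     Running            0          1m
prometheus-7777777777-hhhhh             1/1     Running            0          1m
EOF
}

sample_pods | check_istio_pods || echo "istio-system is not healthy yet"
# Against a live cluster: kubectl get pods -n istio-system | check_istio_pods
```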

Deploy your application

You can now deploy your own application or one of the sample applications provided with the installation like Bookinfo.

Note: The application must use HTTP/1.1 or HTTP/2.0 protocol for all its HTTP traffic because HTTP/1.0 is not supported.

If you started the Istio-sidecar-injector, you can deploy the application directly using kubectl apply.

The Istio-sidecar-injector automatically injects Envoy containers into your application pods. The injector assumes the application pods are running in namespaces labeled with istio-injection=enabled:

{{< text bash >}}
$ kubectl label namespace <namespace> istio-injection=enabled
$ kubectl create -n <namespace> -f <your-app-spec>.yaml
{{< /text >}}

If you don't have the Istio-sidecar-injector installed, you must use istioctl kube-inject to manually inject Envoy containers in your application pods before deploying them:

{{< text bash >}}
$ istioctl kube-inject -f <your-app-spec>.yaml | kubectl apply -f -
{{< /text >}}
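To confirm that injection actually took place, the following added example (not from the Istio documentation) lists the pods in a namespace that have no sidecar container. This matters most under Option 2, where every workload is expected to have one. It assumes the injected container is named `istio-proxy`; the function names and the sample pods are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not Istio project code. Assumption: the injected Envoy sidecar
# container is named istio-proxy.

# Reads lines of "<pod name><TAB><space-separated container names>" on stdin.
# Prints every pod that has no istio-proxy container; returns 1 if any was printed.
pods_without_sidecar() {
  awk -F '\t' '
    $1 == "" { next }
    {
      n = split($2, names, " "); has_proxy = 0
      for (i = 1; i <= n; i++) if (names[i] == "istio-proxy") has_proxy = 1
      if (!has_proxy) { print $1; missing = 1 }
    }
    END { exit (missing ? 1 : 0) }'
}

# Lists pod name and container names for one namespace in the format above.
list_pod_containers() {
  kubectl get pods -n "$1" \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'
}

# Constructed sample: batch-1 was created before the namespace was labeled,
# so it never went through the injector.
sample_pod_containers() {
  printf '%s\t%s\n' \
    "web-6f7d9c-abcde" "web istio-proxy" \
    "batch-1"          "worker" \
    "db-0"             "postgres exporter istio-proxy"
}

sample_pod_containers | pods_without_sidecar || echo "pods listed above run without a sidecar"
# Against a live cluster: list_pod_containers <namespace> | pods_without_sidecar
```

Pods that existed before the namespace was labeled have to be recreated before the injector sees them.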

Uninstall Istio core components

The uninstall deletes the RBAC permissions, the istio-system namespace, and all resources hierarchically under it. It is safe to ignore errors for non-existent resources because they may have been deleted hierarchically.

  • If you installed Istio with istio-demo.yaml:

    {{< text bash >}}
    $ kubectl delete -f install/kubernetes/istio-demo.yaml
    {{< /text >}}

  • If you installed Istio with istio-demo-auth.yaml:

    {{< text bash >}}
    $ kubectl delete -f install/kubernetes/istio-demo-auth.yaml
    {{< /text >}}

  • If you installed Istio with Helm, follow the uninstall Istio with Helm steps.

  • If desired, delete the CRDs:

    {{< text bash >}}
    $ kubectl delete -f install/kubernetes/helm/istio/templates/crds.yaml -n istio-system
    {{< /text >}}