istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/content/docs/setup/kubernetes/quick-start/index.md

7.1 KiB
Raw Blame History

title description weight keywords
Quick Start with Kubernetes Instructions to setup the Istio service mesh in a Kubernetes cluster. 5
kubernetes

{{< info_icon >}} Istio {{< istio_version >}} has been tested with these Kubernetes releases: {{< supported_kubernetes_versions >}}.

To install and configure Istio in a Kubernetes cluster, follow these instructions:

Prerequisites

  1. Download the Istio release.

  2. Kubernetes platform setup:

  1. Check the Requirements for Pods and Services.

Installation steps

  1. Install Istio's Custom Resource Definitions via kubectl apply, and wait a few seconds for the CRDs to be committed in the kube-apiserver:

    {{< text bash >}} $ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml {{< /text >}}

  2. To install Istio's core components you can choose any of the following four mutually exclusive options described below. However, for a production setup of Istio, we recommend installing with the Helm Chart, to use all the configuration options. This permits customization of Istio to operator specific requirements.

Option 1: Install Istio with mutual TLS enabled and set to use permissive mode between sidecars

Visit our mutual TLS permissive mode page for more information.

Choose this option for:

  • Clusters with existing applications,
  • Applications where services with an Istio sidecar need to be able to communicate with other non-Istio Kubernetes services,
  • Applications that use liveness and readiness probes,
  • Headless services, or
  • StatefulSets

To install Istio with mutual TLS enabled and set to use permissive mode between sidecars:

{{< text bash >}} $ kubectl apply -f install/kubernetes/istio-demo.yaml {{< /text >}}

In this option, all services, as servers, can accept both plain text and mutual TLS traffic. However, all services, as clients, will send plain text traffic. Visit mutual migration for how to configure clients behavior.

Option 2: Install Istio with default mutual TLS authentication

Use this option only on a fresh Kubernetes cluster where newly deployed workloads are guaranteed to have Istio sidecars installed.

To Install Istio and enforce mutual TLS authentication between sidecars by default:

{{< text bash >}} $ kubectl apply -f install/kubernetes/istio-demo-auth.yaml {{< /text >}}

Option 3: Render Kubernetes manifest with Helm and deploy with kubectl

Follow our setup instructions to render the Kubernetes manifest with Helm and deploy with kubectl.

Option 4: Use Helm and Tiller to manage the Istio deployment

Follow our instructions on how to use Helm and Tiller to manage the Istio deployment.

Verifying the installation

  1. To ensure the following Kubernetes services are deployed: istio-citadel, istio-engressgateway, istio-galley, istio-ingress, istio-ingressgateway, istio-pilot, istio-policy, istio-statsd-prom-bridge, istio-telemetry, prometheus, and optionally, istio-sidecar-injector, verify they all have an appropriate CLUSTER-IP:

    {{< text bash >}} $ kubectl get svc -n istio-system {{< /text >}}

    If your cluster is running in an environment that does not support an external load balancer (e.g., minikube), the EXTERNAL-IP of istio-ingress and istio-ingressgateway will say <pending>. You will need to access it using the service NodePort, or use port-forwarding instead.

  2. Ensure the corresponding Kubernetes pods are deployed and all containers: istio-citadel-*, istio-engressgateway-*, istio-galley-*, istio-ingress-*, istio-ingressgateway-*, istio-pilot-*, istio-policy-*, istio-statsd-prom-bridge-*, istio-telemetry-*, prometheus-*, and, optionally, istio-sidecar-injector-*, have a STATUS of Running:

    {{< text bash >}} $ kubectl get pods -n istio-system {{< /text >}}

Deploy your application

You can now deploy your own application or one of the sample applications provided with the installation like Bookinfo.

{{< warning_icon >}} The application must use either the HTTP/1.1 or HTTP/2.0 protocols for all its HTTP traffic; HTTP/1.0 is not supported.

If you started the Istio-sidecar-injector, you can deploy the application directly using kubectl apply.

The Istio-Sidecar-injector will automatically inject Envoy containers into your application pods. The injector assumes the application pods are running in namespaces labeled with istio-injection=enabled

{{< text bash >}} $ kubectl label namespace istio-injection=enabled $ kubectl create -n -f .yaml {{< /text >}}

If you don't have the Istio-sidecar-injector installed, you must use istioctl kube-inject to manually inject Envoy containers in your application pods before deploying them:

{{< text bash >}} $ istioctl kube-inject -f .yaml | kubectl apply -f - {{< /text >}}

Uninstall Istio core components

The uninstall deletes the RBAC permissions, the istio-system namespace, and all resources hierarchically under it. It is safe to ignore errors for non-existent resources because they may have been deleted hierarchically.

  • If you installed Istio with istio-demo.yaml:

    {{< text bash >}} $ kubectl delete -f install/kubernetes/istio-demo.yaml {{< /text >}}

  • If you installed Istio with istio-demo-auth.yaml:

    {{< text bash >}} $ kubectl delete -f install/kubernetes/istio-demo-auth.yaml {{< /text >}}

  • If you installed Istio with Helm, follow the uninstall Istio with Helm steps.

  • If desired, delete the CRDs:

    {{< text bash >}} $ kubectl delete -f install/kubernetes/helm/istio/templates/crds.yaml {{< /text >}}