istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/content/docs/setup/kubernetes/quick-start/index.md

176 lines
7.1 KiB
Markdown
Raw Blame History

---
title: Quick Start with Kubernetes
description: Instructions to setup the Istio service mesh in a Kubernetes cluster.
weight: 5
keywords: [kubernetes]
---
{{< info_icon >}} Istio {{< istio_version >}} has been tested with these Kubernetes releases: {{< supported_kubernetes_versions >}}.
To install and configure Istio in a Kubernetes cluster, follow these instructions:
## Prerequisites
1. [Download the Istio release](/docs/setup/kubernetes/download-release/).
1. [Kubernetes platform setup](/docs/setup/kubernetes/platform-setup/):
* [Minikube](/docs/setup/kubernetes/platform-setup/minikube/)
* [Google Container Engine (GKE)](/docs/setup/kubernetes/platform-setup/gke/)
* [IBM Cloud](/docs/setup/kubernetes/platform-setup/ibm/)
* [OpenShift Origin](/docs/setup/kubernetes/platform-setup/openshift/)
* [Amazon Web Services (AWS) with Kops](/docs/setup/kubernetes/platform-setup/aws/)
* [Azure](/docs/setup/kubernetes/platform-setup/azure/)
* [Alibaba Cloud](/docs/setup/kubernetes/platform-setup/alicloud/)
* [Docker For Desktop](/docs/setup/kubernetes/platform-setup/docker-for-desktop/)
1. Check the [Requirements for Pods and Services](/docs/setup/kubernetes/spec-requirements/).
## Installation steps
1. Install Istio's [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions)
via `kubectl apply`, and wait a few seconds for the CRDs to be committed in the kube-apiserver:
{{< text bash >}}
$ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
{{< /text >}}
1. To install Istio's core components you can choose any of the following four
**mutually exclusive** options described below. However, for a production setup of Istio,
we recommend installing with the
[Helm Chart](/docs/setup/kubernetes/helm-install/), to use all the
configuration options. This permits customization of Istio to operator specific requirements.
### Option 1: Install Istio with mutual TLS enabled and set to use permissive mode between sidecars
Visit our
[mutual TLS permissive mode page](/docs/concepts/security/#permissive-mode)
for more information.
Choose this option for:
* Clusters with existing applications,
* Applications where services with an Istio sidecar need to be able to
communicate with other non-Istio Kubernetes services,
* Applications that use
[liveness and readiness probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/),
* Headless services, or
* `StatefulSets`
To install Istio with mutual TLS enabled and set to use permissive mode
between sidecars:
{{< text bash >}}
$ kubectl apply -f install/kubernetes/istio-demo.yaml
{{< /text >}}
In this option, all services, as servers, can accept both plain text and
mutual TLS traffic. However, all services, as clients, will send plain
text traffic.
Visit [mutual migration](/docs/tasks/security/mtls-migration/#configure-clients-to-send-mutual-tls-traffic)
for how to configure clients behavior.
### Option 2: Install Istio with default mutual TLS authentication
Use this option only on a fresh Kubernetes cluster where newly deployed
workloads are guaranteed to have Istio sidecars installed.
To Install Istio and enforce [mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication)
between sidecars by default:
{{< text bash >}}
$ kubectl apply -f install/kubernetes/istio-demo-auth.yaml
{{< /text >}}
### Option 3: Render Kubernetes manifest with Helm and deploy with `kubectl`
Follow our setup instructions to
[render the Kubernetes manifest with Helm and deploy with `kubectl`](/docs/setup/kubernetes/helm-install/#option-1-install-with-helm-via-helm-template).
### Option 4: Use Helm and Tiller to manage the Istio deployment
Follow our instructions on how to
[use Helm and Tiller to manage the Istio deployment](/docs/setup/kubernetes/helm-install/#option-2-install-with-helm-and-tiller-via-helm-install).
## Verifying the installation
1. To ensure the following Kubernetes services are deployed: `istio-citadel`,
`istio-engressgateway`, `istio-galley`, `istio-ingress`, `istio-ingressgateway`,
`istio-pilot`, `istio-policy`, `istio-statsd-prom-bridge`, `istio-telemetry`,
`prometheus`, and optionally, `istio-sidecar-injector`, verify they all have
an appropriate `CLUSTER-IP`:
{{< text bash >}}
$ kubectl get svc -n istio-system
{{< /text >}}
> If your cluster is running in an environment that does not
> support an external load balancer (e.g., minikube), the
> `EXTERNAL-IP` of `istio-ingress` and `istio-ingressgateway` will
> say `<pending>`. You will need to access it using the service
> NodePort, or use port-forwarding instead.
1. Ensure the corresponding Kubernetes pods are deployed and all containers: `istio-citadel-*`,
`istio-engressgateway-*`, `istio-galley-*`, `istio-ingress-*`, `istio-ingressgateway-*`,
`istio-pilot-*`, `istio-policy-*`, `istio-statsd-prom-bridge-*`, `istio-telemetry-*`,
`prometheus-*`, and, optionally, `istio-sidecar-injector-*`, have a `STATUS` of `Running`:
{{< text bash >}}
$ kubectl get pods -n istio-system
{{< /text >}}
## Deploy your application
You can now deploy your own application or one of the sample applications
provided with the installation like [Bookinfo](/docs/examples/bookinfo/).
> {{< warning_icon >}} The application must use either the HTTP/1.1 or HTTP/2.0 protocols for all its HTTP
> traffic; HTTP/1.0 is not supported.
If you started the
[Istio-sidecar-injector](/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection),
you can deploy the application directly using `kubectl apply`.
The Istio-Sidecar-injector will automatically inject Envoy containers into your
application pods. The injector assumes the application pods are running in
namespaces labeled with `istio-injection=enabled`
{{< text bash >}}
$ kubectl label namespace <namespace> istio-injection=enabled
$ kubectl create -n <namespace> -f <your-app-spec>.yaml
{{< /text >}}
If you don't have the Istio-sidecar-injector installed, you must use
[`istioctl kube-inject`](/docs/reference/commands/istioctl/#istioctl-kube-inject)
to manually inject Envoy containers in your application pods before deploying
them:
{{< text bash >}}
$ istioctl kube-inject -f <your-app-spec>.yaml | kubectl apply -f -
{{< /text >}}
## Uninstall Istio core components
The uninstall deletes the RBAC permissions, the `istio-system` namespace, and
all resources hierarchically under it. It is safe to ignore errors for
non-existent resources because they may have been deleted hierarchically.
* If you installed Istio with `istio-demo.yaml`:
{{< text bash >}}
$ kubectl delete -f install/kubernetes/istio-demo.yaml
{{< /text >}}
* If you installed Istio with `istio-demo-auth.yaml`:
{{< text bash >}}
$ kubectl delete -f install/kubernetes/istio-demo-auth.yaml
{{< /text >}}
* If you installed Istio with Helm, follow the [uninstall Istio with Helm](/docs/setup/kubernetes/helm-install/#uninstall) steps.
* If desired, delete the CRDs:
{{< text bash >}}
$ kubectl delete -f install/kubernetes/helm/istio/templates/crds.yaml
{{< /text >}}
Reference in New Issue View Git Blame Copy Permalink