Istio: Understanding and Installation

Istio: Understanding and Installation

Abhishek Singh's photo
Abhishek Singh
·

4 min read

Table of contents

In this article we will understand what Istio is and how to set it up in our kubernetes cluster. In this article we will cover only how we can use Istio as an ingress gateway.

What is Istio?

Istio is an open source service mesh that layers transparently onto existing distributed applications. Istio’s powerful features provide a uniform and more efficient way to secure, connect, and monitor services. Istio is the path to load balancing, service-to-service authentication, and monitoring – with few or no service code changes.

Prerequisite -

  • Running kubernetes cluster

  • Load Balancer CSI driver installed (Metallb if cluster is self hosted)

Installation -

We can install istio using helm chat or we can install it using istio-operator. In this article we will use istio-operator to install istio in our cluster.

First install istioctl command utility in your system and export the path using following command - 

 curl -L https://istio.io/downloadIstio | sh -

Once command is installed then export the path - 

 export PATH=$PWD/bin:$PATH

Now istioctl command utility is configured in your shell now run following command to install istio-operator.

 istioctl operator init

Above command will install istio-operator in istio-operator namespace and by default it will watch istio-system namespace, but you can use any other namespace also as per your requirement.

Optional -

istioctl operator init --watchedNamespaces=istio-namespace1,istio-namespace2

Once operator installation is done lets install basic istio service which we can use to access our application using domain name.

Install - 

Istioctl install

Follow the instruction it will we installed and you can check if pods are running using following command - 

kubectl get pods -n istio-system

Once all pods are running check the service status if that got LB assigned successfully using following command - 

kubectl get svc -n istio-system -o wide

Let’s setup gateway -

In Istio, gateways play a crucial role in managing traffic flow both entering and exiting the service mesh. They act as entry and exit points, providing various functionalities:

1. Ingress Gateways:

  • Expose services to the outside world: They allow external clients to access services within the mesh by translating external traffic (typically HTTP/HTTPS) to internal service addresses.

  • Traffic routing: You can define rules to route incoming traffic to specific services based on various criteria like URL path, headers, or service version.

  • Security enforcement: Gateways can apply authentication, authorization, and encryption policies to secure access to your services.

2. Egress Gateways:

  • Control traffic exiting the mesh: They manage outbound communication from services within the mesh to external destinations like databases or third-party APIs.

  • Policy enforcement: Like ingress, you can apply policies to restrict or monitor outbound traffic based on various factors.

  • Service discovery: Gateways can help services within the mesh discover external services by resolving DNS names or other service discovery mechanisms.

Benefits of using gateways in Istio:

  • Centralised control: Gateways provide a single point to manage traffic flow and security policies for all external and internal communication.

  • Improved visibility and monitoring: You can gain insights into traffic patterns and service health through monitoring data collected at gateways.

  • Enhanced security: Gateways enforce security policies consistently across all services, providing a robust defence against threats.

  • Flexibility and scalability: Gateways are easy to configure and scale to accommodate growing traffic and service needs.

Install istio gateway using following manifest - 

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: http-gateway
spec:
  selector:
    istio: istio-ingressgateway  # use istio default ingress gateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - *

Once Gateway deployed, we can create virtualservice which will expose service via gateway.

Here is the sample virtual service for sample nginx service.

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: nginx-vs
  namespace: default
spec:
  gateways:
  - istio-system/http-gateway
  hosts:
  - nginx.opscribe.site
  http:
  - name: public
    route:
    - destination:
        host: nginx.default.svc.cluster.local
        port:
          number: 80

Once a virtual service is created point the domain to istio loadbalancer IP and access it in the browser.

You can find loadbalancer IP using following command - 

kubectl get svc istio-ingressgateway -n istio-system

If you find this article useful please leave a like or comment. If you find any mistake then please drop a comment. I will give credit as well.

Thanks

Did you find this article valuable?

Support Abhishek Singh by becoming a sponsor. Any amount is appreciated!

#istioistio service meshKubernetesDevopsReverse Proxygatewayendpoints