[Istio Service Mesh] Istio - Getting Started

Getting Started

Istio simplifies observability, traffic management, security, and policy with the leading service mesh.

Istio addresses the challenges developers and operators face with a distributed or microservices architecture. Whether you’re building from scratch or migrating existing applications to cloud native, Istio can help.

This guide lets you quickly evaluate Istio. If you are already familiar with Istio or interested in installing other configuration profiles or advanced deployment models, refer to our "Which Istio installation method should I use?" FAQ page.

Prerequisites

  • Kubernetes (K8S)

    Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications.

    For more information about installing and using Kubernetes (K8s), see the Kubernetes (K8s) Docs.

Download Istio

    1. Go to the Istio release page to download the installation file for your OS, or download and extract the latest release automatically (Linux or macOS):
$ curl -L https://istio.io/downloadIstio | sh -
Downloading istio-1.12.1 from https://github.com/istio/istio/releases/download/1.12.1/istio-1.12.1-linux-amd64.tar.gz ...

Istio 1.12.1 Download Complete!

Istio has been successfully downloaded into the istio-1.12.1 folder on your system.

Next Steps:
See https://istio.io/latest/docs/setup/install/ to add Istio to your Kubernetes cluster.

To configure the istioctl client tool for your workstation,
add the /root/istio-1.12.1/bin directory to your environment path variable with:
export PATH="$PATH:/root/istio-1.12.1/bin"

Begin the Istio pre-installation check by running:
istioctl x precheck

Need more information? Visit https://istio.io/latest/docs/setup/install/
    2. Move to the Istio package directory. For example, if the package is istio-1.12.1:
$ cd istio-1.12.1

    3. Add the istioctl client to your path (Linux or macOS):
$ export PATH=$PWD/bin:$PATH
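
The download step above pipes a remote script straight into sh. As an added example (not from the original page or the Istio project), the functions below check a downloaded release archive against a SHA-256 file before it is unpacked; the `.sha256` URL in the comment is an assumption derived from the archive URL in the output above, and `sha256_of` and `verify_archive` are hypothetical helper names.

```shell
# Added example: verify a release archive against a SHA-256 file before unpacking.
# Assumed commands for a live run (the .sha256 URL is an assumption):
#   curl -fsSLO https://github.com/istio/istio/releases/download/1.12.1/istio-1.12.1-linux-amd64.tar.gz
#   curl -fsSLO https://github.com/istio/istio/releases/download/1.12.1/istio-1.12.1-linux-amd64.tar.gz.sha256

sha256_of() {
  # Print the lowercase hex SHA-256 of file $1 (Linux: sha256sum, macOS: shasum).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_archive() {
  # $1 = archive, $2 = checksum file holding "<hex>" or "<hex>  <name>".
  # Returns 0 on match, 1 on mismatch, 2 on missing or malformed input.
  archive=$1; sumfile=$2
  [ -f "$archive" ] && [ -f "$sumfile" ] || { echo "missing input" >&2; return 2; }
  expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
  case $expected in
    *[!0-9a-f]*|'') echo "malformed digest" >&2; return 2 ;;
  esac
  [ ${#expected} -eq 64 ] || { echo "malformed digest" >&2; return 2; }
  actual=$(sha256_of "$archive")
  if [ "$actual" = "$expected" ]; then
    echo "OK $archive"
  else
    echo "MISMATCH $archive" >&2
    return 1
  fi
}

# Constructed offline demo: a stand-in file and its matching digest.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for the archive' > "$demo_dir/istio.tar.gz"
printf '%s  istio.tar.gz\n' "$(sha256_of "$demo_dir/istio.tar.gz")" > "$demo_dir/istio.tar.gz.sha256"
verify_archive "$demo_dir/istio.tar.gz" "$demo_dir/istio.tar.gz.sha256"
rm -rf "$demo_dir"
```

A checksum fetched from the same host as the archive detects corruption or a truncated download, not a compromised release host.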

Install Istio

    1. For this installation, we use the demo configuration profile. It’s selected to have a good set of defaults for testing, but there are other profiles for production or performance testing.
$ istioctl install --set profile=demo -y
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete
    2. Add a namespace label to instruct Istio to automatically inject Envoy sidecar proxies when you deploy your application later:
$ kubectl label namespace default istio-injection=enabled
namespace/default labeled

Deploy the sample application

    1. Deploy the Bookinfo sample application:
$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
    2. The application will start. As each pod becomes ready, the Istio sidecar will be deployed along with it.
$ kubectl get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
details ClusterIP 10.0.0.212 <none> 9080/TCP 29s
kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 25m
productpage ClusterIP 10.0.0.57 <none> 9080/TCP 28s
ratings ClusterIP 10.0.0.33 <none> 9080/TCP 29s
reviews ClusterIP 10.0.0.28 <none> 9080/TCP 29s

and

$ kubectl get pods
NAME READY STATUS RESTARTS AGE
details-v1-558b8b4b76-2llld 2/2 Running 0 2m41s
productpage-v1-6987489c74-lpkgl 2/2 Running 0 2m40s
ratings-v1-7dc98c7588-vzftc 2/2 Running 0 2m41s
reviews-v1-7f99cc4496-gdxfn 2/2 Running 0 2m41s
reviews-v2-7d79d5bd5d-8zzqd 2/2 Running 0 2m41s
reviews-v3-7dbcdcbc56-m8dph 2/2 Running 0 2m41s
    3. Verify everything is working correctly up to this point. Run this command to see if the app is running inside the cluster and serving HTML pages by checking for the page title in the response:
$ kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
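
The 2/2 READY column above is what shows that each pod received its Envoy sidecar; pods created before the namespace label was applied are not injected and stay outside the mesh. As an added example (not from the original page), the functions below list pods whose container set lacks `istio-proxy`; the function names are hypothetical, and the sample input is constructed, reusing two pod names from the output above plus one made-up un-injected pod.

```shell
# Added example: flag pods that are running without the istio-proxy sidecar.
# Input, one pod per line: "<pod-name> <container> [<container> ...]".
# On a live cluster this comes from:
#   kubectl get pods -n default -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[*].name}{"\n"}{end}'

sample_pods() {
  # Constructed sample; the last pod is a made-up workload without a sidecar.
  cat <<'EOF'
details-v1-558b8b4b76-2llld details istio-proxy
productpage-v1-6987489c74-lpkgl productpage istio-proxy
batch-report-0000000000-xxxxx report
EOF
}

pods_missing_sidecar() {
  # Read pod lines on stdin and print the names of pods with no istio-proxy container.
  awk '
    NF == 0 { next }                      # skip blank lines
    {
      found = 0
      for (i = 2; i <= NF; i++) if ($i == "istio-proxy") found = 1
      if (!found) print $1
    }'
}

check_injection() {
  # Return 1 and name the offenders if any pod on stdin lacks the sidecar.
  missing=$(pods_missing_sidecar)
  if [ -n "$missing" ]; then
    # Unquoted on purpose: one output line per pod name.
    printf 'no istio-proxy container in: %s\n' $missing >&2
    return 1
  fi
  echo "all pods carry istio-proxy"
}

sample_pods | check_injection || true
```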

Open the application to outside traffic

The Bookinfo application is deployed but not accessible from the outside. To make it accessible, you need to create an Istio Ingress Gateway, which maps a path to a route at the edge of your mesh.

Associate this application with the Istio gateway:

$ kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created

Ensure that there are no issues with the configuration:

$ istioctl analyze
✔ No validation issues found when analyzing namespace: default.

Determining the ingress IP and ports

Follow these instructions to set the INGRESS_HOST and INGRESS_PORT variables for accessing the gateway.

The instructions below apply if you have determined that your environment has an external load balancer.

Set the ingress IP and ports:

$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')

$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
    1. Set GATEWAY_URL:
$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
    2. Ensure an IP address and port were successfully assigned to the environment variable:
$ echo "$GATEWAY_URL"
192.168.99.100:32194

See Determining the ingress IP and ports | Istio / Getting Started - https://istio.io/latest/docs/setup/getting-started/#determining-the-ingress-ip-and-ports to learn more.

Verify external access

Confirm that the Bookinfo application is accessible from outside by viewing the Bookinfo product page using a browser.

    1. Run the following command to retrieve the external address of the Bookinfo application.
$ echo "http://$GATEWAY_URL/productpage"
    2. Paste the output from the previous command into your web browser and confirm that the Bookinfo product page is displayed.

FAQs

iptables-restore: unable to initialize table ‘nat’ when restarting pods on CentOS 8

2021-12-13T06:11:25.560082Z	info	Running command: iptables-restore --noflush /tmp/iptables-rules-1639375885559926391.txt1504799395
2021-12-13T06:11:25.561518Z error Command error output: xtables parameter problem: iptables-restore: unable to initialize table 'nat'

Install Istio with components.cni.enabled=true to resolve it by replacing iptables with IPVS.

$ istioctl install --set components.cni.enabled=true
This will install the Istio 1.12.1 default profile with ["Istio core" "Istiod" "CNI" "Ingress gateways"] components into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ CNI installed
✔ Installation complete Making this installation the default for injection and validation.

Thank you for installing Istio 1.12. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/FegQbc9UvePd4Z9z7

See iptables-restore v1.6.1: iptables-restore: unable to initialize table ‘nat’ · Issue #23009 · istio/istio - https://github.com/istio/istio/issues/23009 to learn more.

IST0145: ConflictingGateways - Gateway should not have the same selector, port and matched hosts of server

$ istioctl analyze
Error [IST0145] (Gateway bookinfo/bookinfo-gateway) Conflict with gateways knative-serving/knative-ingress-gateway (workload selector istio=ingressgateway, port 80, hosts *).
Error: Analyzers found issues when analyzing namespace: bookinfo.
See https://istio.io/v1.12/docs/reference/config/analysis for more information about causes and resolutions.

See Istio / Configuration Analysis Messages - https://istio.io/latest/docs/reference/config/analysis/ to learn more.