Installation of Istio in a Kubernetes Cluster


Hello, readers! This article talks about the installation of Istio in a Kubernetes cluster with a practical demonstration.

So, let us begin!! 🙂



Istio – Quick Recap

In the world of distributed networking and microservice architecture, traffic distribution and routing play an important role. Each microservice performs one particular service or function, and together they make up the entire model.

As the application grows, this distributed microservice infrastructure grows with it. This also means that the traffic needs to be monitored for secure system management.

This is where Istio steps into the security world.

Istio is a service mesh product that gives us distributed, monitored control over traffic management, website certificates, observability, monitoring, etc. Thus, it adds an extra layer of security to the entire microservice model.

The entire control plane of Istio runs on a Kubernetes setup, which lets us add applications to the monitored service mesh cluster.


Step 01- Download the Istio release

To set up Istio in the Kubernetes cluster, we first download the latest or desired version of the Istio release using the below command for Linux or macOS-

curl -L https://istio.io/downloadIstio | sh -

Once downloaded, move to the Istio package directory and add the istioctl client to the PATH environment variable-

export PATH=$PWD/bin:$PATH

Step 02- Install the default profile

In this step, we install Istio within the cluster using the below command, which applies the demo configuration profile (--set profile=demo)-

istioctl install --set profile=demo -y

[Image: Istio Installation]

Step 03 – Validate the Istio deployment within the cluster

Once the above installation is complete, it deploys a namespace within the cluster with the name istio-system.

[Image: Istio resources]

Installation of Istio using a Private Load balancer IP

To deploy Istio in a private cluster, Istio needs a service endpoint from within the Virtual Private Network.

For this, we can use the Istio Operator method to deploy Istio within a private cluster using the below YAML-

Istio_Operator.YAML

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
    - name: istio-ingressgateway
      k8s:
        serviceAnnotations:
          service.beta.kubernetes.io/azure-load-balancer-internal: "true"
          service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "subnet-name"
        nodeSelector:
          ingress: istio-pods
        service:
          type: LoadBalancer
          loadBalancerIP: a.b.c.d
        tolerations:
        - key: "istiodeploy"
          operator: "Equal"
          value: "enable"
          effect: "NoSchedule"
    pilot:
      k8s:
        nodeSelector:
          ingress: istio-pods
        tolerations:
        - key: "istiodeploy"
          operator: "Equal"
          value: "enable"
          effect: "NoSchedule"
        overlays:
          - kind: Deployment
            name: istiod

In the above YAML, we need to place the private IP as the value of the loadBalancerIP key, and the name of the subnet it belongs to as the value of the azure-load-balancer-internal-subnet annotation.
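
Once the operator file has been applied, the deployed gateway Service can be checked to confirm it really is internal-only. The following is an added example, not part of the original article: it inspects the JSON printed by kubectl -n istio-system get svc istio-ingressgateway -o json. The embedded sample and the address 10.240.0.50 are constructed for illustration, and the function name is hypothetical.

```python
import ipaddress
import json

INTERNAL_ANNOTATION = "service.beta.kubernetes.io/azure-load-balancer-internal"

# Constructed sample: trimmed output of
#   kubectl -n istio-system get svc istio-ingressgateway -o json
# 10.240.0.50 is a made-up stand-in for the article's a.b.c.d placeholder.
SAMPLE_SVC = json.loads("""
{"metadata": {"name": "istio-ingressgateway", "namespace": "istio-system",
              "annotations": {
                "service.beta.kubernetes.io/azure-load-balancer-internal": "true"}},
 "spec": {"type": "LoadBalancer", "loadBalancerIP": "10.240.0.50"},
 "status": {"loadBalancer": {"ingress": [{"ip": "10.240.0.50"}]}}}
""")


def gateway_exposure_findings(svc):
    """Return a list of problems; an empty list means the gateway is internal-only."""
    findings = []
    meta, spec = svc.get("metadata", {}), svc.get("spec", {})
    if meta.get("namespace") != "istio-system":
        findings.append("service is not in the istio-system namespace")
    if spec.get("type") != "LoadBalancer":
        findings.append(f"service type is {spec.get('type')!r}, expected 'LoadBalancer'")
    if (meta.get("annotations") or {}).get(INTERNAL_ANNOTATION) != "true":
        findings.append("internal load balancer annotation is missing or not 'true'")
    wanted = spec.get("loadBalancerIP")
    if not wanted:
        findings.append("spec.loadBalancerIP is not set")
    ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
    if not ingress:
        findings.append("no address assigned yet (status.loadBalancer.ingress is empty)")
    for entry in ingress:
        ip = entry.get("ip")
        if ip is None or not ipaddress.ip_address(ip).is_private:
            findings.append(f"assigned address {ip} is not a private address")
        elif wanted and ip != wanted:
            findings.append(f"assigned address {ip} differs from requested {wanted}")
    return findings


if __name__ == "__main__":
    # In practice, load the JSON from a file or stdin instead of SAMPLE_SVC.
    print(gateway_exposure_findings(SAMPLE_SVC) or "gateway is internal-only")
```

An empty result means the Service carries the internal annotation and was assigned exactly the private address requested in the operator file.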


Validation of requirements for Istio in a private multi-tenant cluster

In order to deploy Istio in a managed private cluster, we need to customize some configurations based on the type of the underlying public cloud.

Once the node pool is created, we need to taint the nodes with a key-value pair so that only Istio-related pods are scheduled on them. The key, value and effect have to match the tolerations in the operator YAML above (istiodeploy, enable, NoSchedule).

kubectl taint nodes nodename key=value:effect

Apart from the taint, we also need to label the nodes within the node pool as shown below. The label has to match the nodeSelector in the operator YAML above (ingress: istio-pods):

kubectl label node nodename key=value

As an example, we need to consider the below configurations to install Istio in a Google Kubernetes Engine cluster-

  • To install Istio in GKE, the nodes need to run on instances with at least 1 vCPU.
  • Also, we need to create a firewall rule for port 15017 using the below command-

gcloud compute firewall-rules update <firewall-rule-name> --allow tcp:10250,tcp:443,tcp:15017

Using the above configurations, we can install and set up Istio in a multi-tenant private Kubernetes cluster.


Conclusion

With this, we have reached the end of this topic. Feel free to comment below in case you come across any questions.

For more such posts related to Kubernetes and Istio Service Mesh, stay tuned with us.

Till then, Happy Learning!! 😊
