What Is Istio?
Istio is an open-source service mesh that makes it easier for a team to create a network or server cluster of deployed services. Istio provides several vital services consistently across a mesh network such as:
- Traffic Management: Istio simplifies the configuration of service-level properties like circuit breakers, timeouts, and retries.
- Security: Istio provides an underlying secure communication channel between various endpoints.
- Policies: Istio enforces specific policies to dynamically rate-limit the traffic to a service. It also applies whitelists, blacklists, and denials to restrict access to services, header rewrites, and redirects.
- Observability: This includes comprehensive tracking, monitoring, and logging features.
- Platform Support This encompasses support for Kubernetes, Consul, and other services running on individual virtual machines.
- Integration and Customization: This includes solutions for ACLs, logging, monitoring, quotas, etc.
To summarize, Istio helps with the rollout of multi-cloud deployments by letting you deliver, secure, control, and monitor services on your multi-cloud implantation. In this installation scenario, Istio is considered platform independent so no reference point is provided to a specific operating system.
Before you can start the installation of Istio, you need to set up a Kubernetes cluster with a version of K8s that is compatible with Istio. Istio 1.4 works with Kubernetes versions 1.13 - 1.15. Liquid Web offers several types of multi-node server clusters that can be adjusted to fit your needs.
If you are unsure precisely what Kubernetes is, you can read more about it in that link. A containerization system is a fast, secure, and lightweight platform for running microservices. More benefits of containerization can be found in this article.
After we have Kubernetes installed and a server cluster set up, we can begin the installation of Istio.
Download Istio & Prepare the Installation
First, we will download the latest version of Istio.
[root@host /]# curl -L https://istio.io/downloadIstio | sh -
The output should look like this
root@host:~# curl -L https://istio.io/downloadIstio | sh - % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 107 100 107 0 0 312 0 --:--:-- --:--:-- --:--:-- 313 100 2804 100 2804 0 0 6258 0 --:--:-- --:--:-- --:--:-- 35493 Downloading istio-1.4.3 from https://github.com/istio/istio/releases/download/1.4.3/istio-1.4.3-linux.tar.gz ... % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 614 0 614 0 0 2951 0 --:--:-- --:--:-- --:--:-- 2951 100 32.7M 100 32.7M 0 0 25.2M 0 0:00:01 0:00:01 --:--:-- 39.8M Istio 1.4.3 Download Complete! Istio has been successfully downloaded into the istio-1.4.3 folder on your system. Next Steps: See https://istio.io/docs/setup/kubernetes/install/ to add Istio to your Kubernetes cluster. To configure the istioctl client tool for your workstation, add the /root/istio-1.4.3/bin directory to your environment path variable with: export PATH="$PATH:/root/istio-1.4.3/bin" Begin the Istio pre-installation verification check by running: istioctl verify-install Need more information? Visit https://istio.io/docs/setup/kubernetes/install/ root@host:~#
Then, cd into the Istio package directory with command below
root@host:~# cd istio-1.4.3/
Your installation directory should contain the following directories and files.
root@host:~/istio-1.4.3# ll total 48 drwxr-x--- 6 root root 4096 Jan 6 14:45 ./ drwx------ 10 root root 4096 Feb 11 12:56 ../ -rw-r--r-- 1 root root 11348 Jan 6 14:45 LICENSE -rw-r--r-- 1 root root 6080 Jan 6 14:45 README.md drwxr-x--- 2 root root 4096 Jan 6 14:45 bin/ drwxr-xr-x 6 root root 4096 Jan 6 14:45 install/ -rw-r----- 1 root root 657 Jan 6 14:45 manifest.yaml drwxr-xr-x 19 root root 4096 Jan 6 14:45 samples/ drwxr-x--- 3 root root 4096 Jan 6 14:45 tools/ root@host:~/istio-1.4.3#
Next, add the istioctl client to your path
[root@host istio-1.4.3]# export PATH=$PWD/bin:$PATH
You are now ready to begin the installation itself. We will demonstrate the installation process using a demo profile. First, we will apply the demo manifest
[root@host istio-1.4.3]# istioctl manifest apply --set profile=demo
After this process has completed, verify the installation, and make sure that Kubernetes services have an appropriate IP address assigned to the cluster (except for the jaeger-agent service) with the following command.
[root@host istio-1.4.3]# kubectl get svc -n istio-system
The output should look like this. (the output has been reformatted for easier viewing)
[root@host kubectl get svc -n istio-system NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE Grafana ClusterIP 172.21.211.123 <none> 3000/TCP 2m Istio-citadel ClusterIP 172.21.177.222 <none> 8060/TCP,15014/TCP 2m Istio-egressgateway ClusterIP 172.21.113.24 <none> 80/TCP,443/TCP,15443/TCP 2m Istio-galley ClusterIP 172.21.132.247 <none> 443/TCP,15014/TCP,9901/TCP 2m Istio-ingressgateway loadBalancer 172.21.144.254 18.104.22.168 15020:31831/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:30318/TCP,15030:32645/TCP,15031:31933/TCP,15032:31188/TCP,15443:30838/TCP 2m Istio-pilot ClusterIP 172.21.105.205 <none> 15010/TCP,15011/TCP,8080/TCP,15014/TCP 2m Istio-policy ClusterIP 172.21.14.236 <none> 9091/TCP,15004/TCP,15014/TCP 2m Istio-sidecar-injector ClusterIP 172.21.155.47 <none> 443/TCP,15014/TCP 2m Istio-telemetry ClusterIP 172.21.196.79 <none> 9091/TCP,15004/TCP,15014/TCP,42422/TCP 2m Jaeger-agent ClusterIP None <none> 5775/UDP,6831/UDP,6832/UDP 2m Jaeger-collector ClusterIP 172.21.135.51 <none> 14267/TCP,14268/TCP 2m Jaeger-query ClusterIP 172.21.26.187 <none> 16686/TCP 2m Kiali ClusterIP 172.21.155.201 <none> 20001/TCP 2m Prometheus ClusterIP 172.21.63.159 <none> 9090/TCP 2m Tracing ClusterIP 172.21.2.245 <none> 80/TCP 2m Zipkin lusterIP 172.21.182.245 <none> 9411/TCP
In addition to this, the following Kubernetes pods should be deployed and have a status of running:
[root@host istio-1.4.3]# kubectl get pods -n istio-system NAME READY STATUS RESTARTS AGE Grafana-f8467cc6-rbjlg 1/1 Running 0 1m Istio-citadel-78df5b548f-g5cpw 1/1 Running 0 1m Istio-egressgateway-78569df5c4-zwtb5 1/1 Running 0 1m Istio-galley-74d5f764fc-q7nrk 1/1 Running 0 1m Istio-ingressgateway-7ddcfd665c-dmtqz 1/1 Running 0 1m Istio-pilot-f479bbf5c-qwr28 1/1 Running 0 1m Istio-policy-6fccc5c868-xhblv 1/1 Running 2 1m Istio-sidecar-injector-78499d85b8-x44m6 1/1 Running 0 1m Istio-telemetry-78b96c6cb6-ldm9q 1/1 Running 2 1m Istio-tracing-69b5f778b7-s2zvw 1/1 Running 0 1m Kiali-99f7467dc-6rvwp 1/1 Running 0 1m Prometheus-67cdb66cbb-9w2hm 1/1 Running 0 1m
This completes the installation phase if using the demo profile. Please keep in mind that the demo profile should not be used for performance evaluation. The purpose of the demo profile is to simply show the functionalities of Istio. You can now deploy your application, but keep in mind that that applications must use HTTP/1.1 or HTTP/2.0 since HTTP/1.0 is no longer supported by Istio.
These commands will help you with the deployment of your applications:
root@host istio-1.4.3]# kubectl label namespace <namespace> istio-injection=enabled
[root@host istio-1.4.3]# kubectl create -n <namespace> -f <your-app-spec>.yaml
To uninstall Istio, use the following command.
[root@host istio-1.4.3]# istioctl manifest generate --set profile=demo | kubectl delete -f -
It is usually safe to ignore any non-existent resource errors during the uninstallation process because the resources are removed in a hierarchical manner. The uninstallation process removes all the RBAC permissions, the Istio related namespaces, and all other resources in the hierarchy under it.
We hope that you enjoy using Istio because it is a truly powerful and useful service. For more information, articles, and guides about Istio visit the official page at istio.io/.
Talk To An Expert...
Do you have questions about running Istio, Kubernetes or other modern platforms on a server cluster? Need a small staging cluster to review how you are going to deploy your application?
Our Sales and Support teams are available 24 hours by phone or e-mail to assist.