How to install Istio in a Kubernetes Cluster to use it as a service mesh for a microservices architecture.

What is Istio?

Running microservices, or any workload, on a Kubernetes cluster that includes more than one server, whether under a microservice architecture or as a traditional application that needs to access other resources, requires functionality to:

  • Load balance traffic, external or internal
  • Control failures, retries, routing
  • Apply limits and monitor network traffic between services
  • Secure communication

Developing that functionality ourselves, or integrating different solutions to obtain those capabilities, requires advanced knowledge of networking protocols and distributed architectures. It is hard to do right and, in my opinion, pointless.

At IT Wonder Lab, I always recommend being pragmatic. It is of course possible to develop that functionality ourselves, but our effort is better spent solving business and people problems than reinventing the wheel.

Istio for Kubernetes provides a service mesh for microservices that solves all those problems. Istio is an open-source project created by teams from Google, IBM and Lyft.

Istio under VirtualBox

In a previous tutorial, I showed How to Install a Kubernetes Cluster using Vagrant and Ansible. In this tutorial, I show how to add Istio as a service mesh for that Kubernetes Cluster.

Installing Istio for Kubernetes under VirtualBox has some peculiarities that need to be addressed to obtain a working local Kubernetes development cluster with Istio:

  • Resource usage: default CPU and Memory requirements for Istio are too high for most VirtualBox configurations.
  • Lack of an external or Cloud Load Balancer: by default, it is not possible to access Istio and Helm (a package manager) in a VirtualBox installation as there is no external or Cloud Load Balancer.

Instructions to install Istio in a VirtualBox Kubernetes Cluster

  • Follow the How to Install a Kubernetes Cluster using Vagrant and Ansible tutorial.
  • Make sure the Kubernetes Cluster is running and execute the following instructions on the host running the VirtualBox service (your PC).
  • Download Istio. We will be using Istio release 1.1.3.
  • Download Helm (a package manager for Kubernetes). We will be using Helm release 2.13.1.
  • Install Tiller, the Helm service in Kubernetes.


#Download Istio
curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.1.3 sh -
cd istio-1.1.3
export PATH=$PWD/bin:$PATH
cd ..

#Download Helm
wget https://storage.googleapis.com/kubernetes-helm/helm-v2.13.1-linux-amd64.tar.gz
tar -zxvf helm-v2.13.1-linux-amd64.tar.gz
sudo mv linux-amd64/helm /usr/local/bin/helm

#Install Tiller in Kubernetes
cd istio-1.1.3
kubectl apply -f install/kubernetes/helm/helm-service-account.yaml
helm init --service-account tiller
cd ..
  • Publish Tiller using a NodePort (this is needed to access Tiller, the Helm service, from outside VirtualBox)
    • Create the tillerNodePort.yaml file with the following content:
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helm
    name: tiller
  name: tiller
  namespace: kube-system
spec:
  ports:
  - name: port-1
    nodePort: 32492 #Tiller Kubernetes "external" port
    port: 44134 #Tiller "Internal" port
    protocol: TCP
    targetPort: tiller  
  selector:
    app: helm
    name: tiller
  sessionAffinity: None
  type: NodePort
    • Create the NodePort in Kubernetes
kubectl apply -f tillerNodePort.yaml
  • Define HELM_HOST so that the Helm client knows how to access Tiller.
  • Configure and initialize Istio in Kubernetes with limited resources.
  • Install Istio using a NodePort instead of the default Load Balancer and configure it to use limited resources.
export HELM_HOST=192.168.50.11:32492
cd istio-1.1.3
helm install install/kubernetes/helm/istio-init --name istio-init --namespace istio-system --set pilot.resources.requests.memory="512Mi"
#If the next line fails, wait a few seconds for the previous helm install to finish
helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set gateways.istio-ingressgateway.type=NodePort --set gateways.istio-egressgateway.type=NodePort --values install/kubernetes/helm/istio/values-istio-demo.yaml
kubectl label namespace default istio-injection=enabled

Check Istio Installation

List all Kubernetes resources to check that all pods are running and replicas ready:

jruiz@XPS13:~$ kubectl get all -A
NAMESPACE      NAME                                           READY   STATUS      RESTARTS   AGE
istio-system   pod/grafana-688b8999cd-9g7t7                   1/1     Running     0          4h29m
istio-system   pod/istio-citadel-5749f4b6dd-2q6pc             1/1     Running     0          4h29m
istio-system   pod/istio-egressgateway-666b76dbf7-77tvj       1/1     Running     0          4h29m
istio-system   pod/istio-galley-d68bdc684-mr4l4               1/1     Running     0          4h29m
istio-system   pod/istio-ingressgateway-d67598f4-n78fm        1/1     Running     0          4h29m
istio-system   pod/istio-init-crd-10-cqb9j                    0/1     Completed   0          4h31m
istio-system   pod/istio-init-crd-11-wwr4p                    0/1     Completed   0          4h31m
istio-system   pod/istio-pilot-7667b9b6b4-rk9jc               2/2     Running     0          4h29m
istio-system   pod/istio-policy-5fcbd65f66-qs775              2/2     Running     3          4h29m
istio-system   pod/istio-sidecar-injector-5cf67ccc65-84rmz    1/1     Running     0          4h29m
istio-system   pod/istio-telemetry-686fbff65d-w9wjj           2/2     Running     3          4h29m
istio-system   pod/istio-tracing-5d8f57c8ff-w9jdv             1/1     Running     0          4h29m
istio-system   pod/kiali-95fcf457f-qrc2r                      1/1     Running     0          4h29m
istio-system   pod/prometheus-5554746896-79vwb                1/1     Running     0          4h29m
kube-system    pod/calico-kube-controllers-5cbcccc885-tw9sm   1/1     Running     0          5h50m
kube-system    pod/calico-node-6lsvb                          1/1     Running     0          5h47m
kube-system    pod/calico-node-pkmzc                          1/1     Running     0          5h50m
kube-system    pod/calico-node-vgr95                          1/1     Running     0          5h45m
kube-system    pod/coredns-fb8b8dccf-cwczs                    1/1     Running     0          5h50m
kube-system    pod/coredns-fb8b8dccf-cxjlr                    1/1     Running     0          5h50m
kube-system    pod/etcd-k8s-m-1                               1/1     Running     0          5h49m
kube-system    pod/kube-apiserver-k8s-m-1                     1/1     Running     0          5h49m
kube-system    pod/kube-controller-manager-k8s-m-1            1/1     Running     0          5h49m
kube-system    pod/kube-proxy-6gxck                           1/1     Running     0          5h50m
kube-system    pod/kube-proxy-8xg5m                           1/1     Running     0          5h47m
kube-system    pod/kube-proxy-w889x                           1/1     Running     0          5h45m
kube-system    pod/kube-scheduler-k8s-m-1                     1/1     Running     0          5h49m
kube-system    pod/tiller-deploy-8458f6c667-xkddv             1/1     Running     0          4h31m

NAMESPACE      NAME                             TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                                                                                                                      AGE
default        service/kubernetes               ClusterIP   10.96.0.1        <none>        443/TCP                                                                                                                                      5h50m
istio-system   service/grafana                  ClusterIP   10.101.209.105   <none>        3000/TCP                                                                                                                                     4h29m
istio-system   service/istio-citadel            ClusterIP   10.107.249.6     <none>        8060/TCP,15014/TCP                                                                                                                           4h29m
istio-system   service/istio-egressgateway      NodePort    10.98.120.17     <none>        80:30050/TCP,443:31705/TCP,15443:31741/TCP                                                                                                   4h29m
istio-system   service/istio-galley             ClusterIP   10.110.170.35    <none>        443/TCP,15014/TCP,9901/TCP                                                                                                                   4h29m
istio-system   service/istio-ingressgateway     NodePort    10.108.130.155   <none>        15020:31092/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:30152/TCP,15030:31564/TCP,15031:32089/TCP,15032:31854/TCP,15443:31793/TCP   4h29m
istio-system   service/istio-pilot              ClusterIP   10.102.93.12     <none>        15010/TCP,15011/TCP,8080/TCP,15014/TCP                                                                                                       4h29m
istio-system   service/istio-policy             ClusterIP   10.105.58.7      <none>        9091/TCP,15004/TCP,15014/TCP                                                                                                                 4h29m
istio-system   service/istio-sidecar-injector   ClusterIP   10.96.49.91      <none>        443/TCP                                                                                                                                      4h29m
istio-system   service/istio-telemetry          ClusterIP   10.105.187.43    <none>        9091/TCP,15004/TCP,15014/TCP,42422/TCP                                                                                                       4h29m
istio-system   service/jaeger-agent             ClusterIP   None             <none>        5775/UDP,6831/UDP,6832/UDP                                                                                                                   4h29m
istio-system   service/jaeger-collector         ClusterIP   10.99.133.11     <none>        14267/TCP,14268/TCP                                                                                                                          4h29m
istio-system   service/jaeger-query             ClusterIP   10.103.157.30    <none>        16686/TCP                                                                                                                                    4h29m
istio-system   service/kiali                    ClusterIP   10.102.115.83    <none>        20001/TCP                                                                                                                                    4h29m
istio-system   service/prometheus               ClusterIP   10.107.239.74    <none>        9090/TCP                                                                                                                                     4h29m
istio-system   service/tracing                  ClusterIP   10.100.221.155   <none>        80/TCP                                                                                                                                       4h29m
istio-system   service/zipkin                   ClusterIP   10.109.13.30     <none>        9411/TCP                                                                                                                                     4h29m
kube-system    service/kube-dns                 ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP,9153/TCP                                                                                                                       5h50m
kube-system    service/tiller                   NodePort    10.103.99.59     <none>        44134:32492/TCP                                                                                                                              4h31m
kube-system    service/tiller-deploy            ClusterIP   10.96.183.175    <none>        44134/TCP                                                                                                                                    4h31m

NAMESPACE     NAME                         DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                 AGE
kube-system   daemonset.apps/calico-node   3         3         3       3            3           beta.kubernetes.io/os=linux   5h50m
kube-system   daemonset.apps/kube-proxy    3         3         3       3            3           <none>                        5h50m

NAMESPACE      NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
istio-system   deployment.apps/grafana                   1/1     1            1           4h29m
istio-system   deployment.apps/istio-citadel             1/1     1            1           4h29m
istio-system   deployment.apps/istio-egressgateway       1/1     1            1           4h29m
istio-system   deployment.apps/istio-galley              1/1     1            1           4h29m
istio-system   deployment.apps/istio-ingressgateway      1/1     1            1           4h29m
istio-system   deployment.apps/istio-pilot               1/1     1            1           4h29m
istio-system   deployment.apps/istio-policy              1/1     1            1           4h29m
istio-system   deployment.apps/istio-sidecar-injector    1/1     1            1           4h29m
istio-system   deployment.apps/istio-telemetry           1/1     1            1           4h29m
istio-system   deployment.apps/istio-tracing             1/1     1            1           4h29m
istio-system   deployment.apps/kiali                     1/1     1            1           4h29m
istio-system   deployment.apps/prometheus                1/1     1            1           4h29m
kube-system    deployment.apps/calico-kube-controllers   1/1     1            1           5h50m
kube-system    deployment.apps/coredns                   2/2     2            2           5h50m
kube-system    deployment.apps/tiller-deploy             1/1     1            1           4h31m

NAMESPACE      NAME                                                 DESIRED   CURRENT   READY   AGE
istio-system   replicaset.apps/grafana-688b8999cd                   1         1         1       4h29m
istio-system   replicaset.apps/istio-citadel-5749f4b6dd             1         1         1       4h29m
istio-system   replicaset.apps/istio-egressgateway-666b76dbf7       1         1         1       4h29m
istio-system   replicaset.apps/istio-galley-d68bdc684               1         1         1       4h29m
istio-system   replicaset.apps/istio-ingressgateway-d67598f4        1         1         1       4h29m
istio-system   replicaset.apps/istio-pilot-7667b9b6b4               1         1         1       4h29m
istio-system   replicaset.apps/istio-policy-5fcbd65f66              1         1         1       4h29m
istio-system   replicaset.apps/istio-sidecar-injector-5cf67ccc65    1         1         1       4h29m
istio-system   replicaset.apps/istio-telemetry-686fbff65d           1         1         1       4h29m
istio-system   replicaset.apps/istio-tracing-5d8f57c8ff             1         1         1       4h29m
istio-system   replicaset.apps/kiali-95fcf457f                      1         1         1       4h29m
istio-system   replicaset.apps/prometheus-5554746896                1         1         1       4h29m
kube-system    replicaset.apps/calico-kube-controllers-5cbcccc885   1         1         1       5h50m
kube-system    replicaset.apps/coredns-fb8b8dccf                    2         2         2       5h50m
kube-system    replicaset.apps/tiller-deploy-8458f6c667             1         1         1       4h31m

NAMESPACE      NAME                                                       REFERENCE                         TARGETS         MINPODS   MAXPODS   REPLICAS   AGE
istio-system   horizontalpodautoscaler.autoscaling/istio-egressgateway    Deployment/istio-egressgateway    <unknown>/80%   1         5         1          4h29m
istio-system   horizontalpodautoscaler.autoscaling/istio-ingressgateway   Deployment/istio-ingressgateway   <unknown>/80%   1         5         1          4h29m
istio-system   horizontalpodautoscaler.autoscaling/istio-pilot            Deployment/istio-pilot            <unknown>/80%   1         5         1          4h29m
istio-system   horizontalpodautoscaler.autoscaling/istio-policy           Deployment/istio-policy           <unknown>/80%   1         5         1          4h29m
istio-system   horizontalpodautoscaler.autoscaling/istio-telemetry        Deployment/istio-telemetry        <unknown>/80%   1         5         1          4h29m

NAMESPACE      NAME                          COMPLETIONS   DURATION   AGE
istio-system   job.batch/istio-init-crd-10   1/1           28s        4h31m
istio-system   job.batch/istio-init-crd-11   1/1           27s        4h31m

Prometheus, Jaeger, Grafana and Kiali in Kubernetes

Istio deploys the following software:

  • Prometheus: scrapes and stores time series data using service discovery. It is used to record status data about every aspect of the Kubernetes Cluster nodes, Istio mesh, and deployments.
  • Jaeger: a distributed tracing system developed by Uber. It provides context propagation, transaction monitoring, service dependency, performance and latency analysis for distributed applications.
  • Grafana: uses Prometheus as a data source to visualize different dashboards with metrics from the services deployed in the Kubernetes Cluster.
  • Kiali: visualizes the service mesh topology in Kubernetes, showing the status of the applications and their individual components and connections. It also provides an interface to edit Istio configuration objects, like virtual services.

To access the dashboards using a web browser from the client machine, a proxy is needed because the services listen only on a Cluster IP.

During development, a NodePort can be used to insecurely publish each service.

Create the file istio-services.yaml with the following content:

#Grafana
apiVersion: v1
kind: Service
metadata:
  labels:
    app: grafana
    chart: grafana
    heritage: Tiller
    release: istio
  name: grafana-np
  namespace: istio-system
spec:
  ports:
  - name: http
    nodePort: 32493
    port: 3000
    protocol: TCP
    targetPort: 3000
  selector:
    app: grafana
  sessionAffinity: None
  type: NodePort
---
#prometheus
apiVersion: v1
kind: Service
metadata:
  labels:
    app: prometheus
    chart: prometheus
    heritage: Tiller
    release: istio
  name: prometheus-np
  namespace: istio-system
spec:
  ports:
  - name: http
    nodePort: 32494
    port: 9090
    protocol: TCP
    targetPort: 9090
  selector:
    app: prometheus
  sessionAffinity: None
  type: NodePort
---
#jaeger
apiVersion: v1
kind: Service
metadata:
  labels:
    app: jaeger
    chart: tracing
    heritage: Tiller
    release: istio
  name: tracing-np
  namespace: istio-system
spec:
  ports:
  - name: http-tracing
    nodePort: 32495
    port: 80
    protocol: TCP
    targetPort: 16686
  selector:
    app: jaeger
  sessionAffinity: None
  type: NodePort
---
#kiali
apiVersion: v1
kind: Service
metadata:
  labels:
    app: kiali
    chart: kiali
    heritage: Tiller
    release: istio
  name: kiali-np
  namespace: istio-system
spec:
  ports:
  - name: http-kiali
    nodePort: 32496
    port: 20001
    protocol: TCP
    targetPort: 20001
  selector:
    app: kiali
  sessionAffinity: None
  type: NodePort

Apply the file to the Kubernetes cluster:

$ kubectl apply -f istio-services.yaml 
service/grafana-np created
service/prometheus-np created
service/tracing-np created
service/kiali-np created
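
The Tiller NodePort and the dashboard NodePorts defined above are reachable by anything that can route to a node IP, so it is worth listing exactly what the cluster publishes. The script below is an added example, not part of the original tutorial: it parses `kubectl get svc -A` (or `kubectl get all -A`) output and reports NodePort services that are not on an allowlist. The function names and the grafana-np sample row are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): audit NodePort exposure.

# Constructed sample in `kubectl get svc -A` format. The grafana, egress gateway
# and tiller rows mirror the listing above; the grafana-np row is constructed.
sample_services() {
  cat <<'EOF'
NAMESPACE      NAME                  TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                      AGE
istio-system   grafana               ClusterIP   10.101.209.105   <none>        3000/TCP                                     4h29m
istio-system   grafana-np            NodePort    10.96.0.50       <none>        3000:32493/TCP                               1m
istio-system   istio-egressgateway   NodePort    10.98.120.17     <none>        80:30050/TCP,443:31705/TCP,15443:31741/TCP   4h29m
kube-system    tiller                NodePort    10.103.99.59     <none>        44134:32492/TCP                              4h31m
EOF
}

# Print one line per published port: "namespace/service servicePort nodePort proto".
# Accepts plain names (`get svc -A`) and "service/"-prefixed names (`get all -A`).
list_nodeports() {
  awk '$3 == "NodePort" {
    name = $2; sub(/^service\//, "", name)
    n = split($6, maps, ",")
    for (i = 1; i <= n; i++) {
      split(maps[i], p, "[:/]")          # 44134:32492/TCP -> 44134 32492 TCP
      print $1 "/" name, p[1], p[2], p[3]
    }
  }'
}

# Print the exposures whose namespace/service is not in the allowlist passed as
# arguments; the exit status is 1 when at least one unexpected exposure exists.
unexpected_nodeports() {
  list_nodeports | awk -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($1 in ok) { print; bad = 1 }
    END { exit (bad ? 1 : 0) }'
}

# Demo on the constructed sample; against a live cluster use:
#   kubectl get svc -A | unexpected_nodeports istio-system/istio-ingressgateway
sample_services | unexpected_nodeports istio-system/istio-egressgateway || true
```

Because the function returns a non-zero status when something outside the allowlist is published, it can gate a provisioning script or a CI check for the development cluster.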

Access the services using a web browser:

 
