Install Istio Service Mesh in EKS Kubernetes cluster

You can download this article in PDF format via the link below to support us.

Download the guide in PDF format

turn off


The job of the Istio service mesh is to provide access control, traffic monitoring, security, discovery, load balancing, and many other useful functions for services in the Kubernetes cluster. No changes to your code, you can enjoy these services. Istio does all the tasks for you. In this guide, we will study how to install Istio Service Mesh in an EKS Kubernetes cluster.

In short, Istio deploys a proxy (called Sidecar) Each service next to it is deployed in a namespace that is part of the grid. Any traffic used for the service must go through the Sidecar proxy. Then use the Istio strategy to route the traffic to the service. Using Istio, you can also simplify DevOps technologies such as circuit breakers, canary deployment and fault injection.

This is how traffic flows in Istio.

Install Istio Service Mesh in the EKS Kubernetes cluster

For this installation, you need a few items.

  • A valid EKS Kubernetes cluster deployed in AWS
  • Access the cluster as a user with administrator rights
  • If you want to use gateways and virtual services with domain names, please use Route53 hosted zone

Step 1: Install istioctl on the local computer/bastion

It depends on where kubectl is installed and where istioctl is placed on the same machine. If the API server can be accessed from a machine, it can be your local workstation machine. For private EKS clusters deployed in AWS, it will be the bastion server.

Download and unzip istioctl-for Linux and macOS. We will install the version 1.6.8

cd ~/
curl -L | ISTIO_VERSION=1.6.8 sh -

Configure the istioctl client tool for the workstation.

sudo cp istio-1.6.8/bin/istioctl /usr/local/bin/
sudo chmod +x /usr/local/bin/istioctl

Confirm istioctl version:

$ istioctl version

Enable istioctl complete for Bash

--- Bash ---
mkdir -p ~/completions && istioctl collateral --bash -o ~/completions
source ~/completions/istioctl.bash
echo "source ~/completions/istioctl.bash" >> ~/.bashrc

--- Zsh ---
mkdir -p ~/completions && istioctl collateral --zsh -o ~/completions
source ~/completions/_istioctl
echo "source ~/completions/_istioctl" >>~/.zshrc

The verification is done automatically.

$ istioctl 
analyze          dashboard        install          operator         proxy-status     validate
authz            deregister       kube-inject      profile          register         verify-install
convert-ingress  experimental     manifest         proxy-config     upgrade          version

Step 2: Create Istio namespace

Create a namespace that will deploy all istio-related services.

$ kubectl create namespace istio-system
namespace/istio-system created

Step 3: Establish necessary confidentiality

We will install Grafana, Kelly with Jaeger-LeCoultre As part of the Istio installation. In our setup, each component needs to provide credentials, these credentials must be secret.

Let’s create these secrets in the istio-system namespace.

Create the Grafana Secret

GRAFANA_USERNAME=$(echo -n "grafana" | base64)
GRAFANA_PASSPHRASE=$(echo -n "[email protected]" | base64) # Replace [email protected] with your password

cat <

Create Kiali secret

KIALI_USERNAME=$(echo -n "kiali" | base64)
KIALI_PASSPHRASE=$(echo -n "[email protected]" | base64) # Replace [email protected] with your password

cat <

Create Jaeger Secret.

JAEGER_USERNAME=$(echo -n "jaeger" | base64)
JAEGER_PASSPHRASE=$(echo -n "[email protected]" | base64) # Replace [email protected] with your password

cat <

List the created secrets.

$ kubectl get secret -n istio-system
NAME                  TYPE                                  DATA   AGE
default-token-kwrcj   3      16m
grafana               Opaque                                2      4m59s
jaeger                Opaque                                2      47s
kiali                 Opaque                                2      3m7s

Step 4: Create Istio control plane configuration

Now that we have successfully created the required secret, we can create the Istio Control plane configuration file.

I named the file istio-control-plane-eks.yml. The file will be saved Istio control plane specifications Detailed information about configuring Istio.

$ vim istio-control-plane-eks.yml

The content is. -Reference Global grid options

kind: IstioControlPlane
  profile: default
      disablePolicyChecks: false
      # File address for the proxy access log (e.g. /dev/stdout).
      accessLogFile: "/dev/stdout"
      # Set the default behavior of the sidecar for handling outbound traffic from the application
        mode: "ALLOW_ANY"
      # Enable mutual TLS automatically for service to service communication within the mesh
      enableAutoMtls: false
      disablePolicyChecks: false
      # Enable egress gateway
        enabled: true
        autoscaleEnabled: true
      # Enable Ingress gateway
        enabled: true
        autoscaleEnabled: true
      # Ensure that the Istio pods are only scheduled to run on Linux nodes
      defaultNodeSelector: linux
      # Enable mutual TLS for the control plane
      controlPlaneSecurityEnabled: true
      # Enable Grafana deployment for analytics and monitoring dashboards
      enabled: true
        # Enable authentication for Grafana
        enabled: true
      # Enable the Kiali deployment for a service mesh observability dashboard
      enabled: true
      # Enable the Jaeger deployment for tracing
      enabled: true
      provider: jaeger # zipkin / jaeger

Verify the configuration by performing a dry run.

$ istioctl manifest apply -f istio-control-plane-eks.yml --dry-run
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Addons installed
- Pruning removed resources

Install istio using the following command:

$ istioctl manifest apply -f istio-control-plane-eks.yml
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Addons installed
✔ Installation complete

Check the deployed Pods to confirm that they are running:

$ kubectl get pods -n istio-system
NAME                                    READY   STATUS    RESTARTS   AGE
grafana-86897cb4f5-wg29n                1/1     Running   0          3h34m
istio-egressgateway-8667d76d75-2t96d    1/1     Running   0          51s
istio-ingressgateway-5d78f74886-8xpx5   1/1     Running   0          3h35m
istio-tracing-57d7cfd779-xbtd8          1/1     Running   0          3h34m
istiod-58f84ffddc-khncg                 1/1     Running   0          3h35m
kiali-7c974669b4-ckfh4                  1/1     Running   0          3h34m
prometheus-6946fd87b4-ldzt2             2/2     Running   0          3h34m

You can list service endpoints in the following ways:

$ kubectl get svc -n istio-system

Add annotations to Ingress Service to get AWS Load Balancer. The notes to be added are: "nlb" ""

We will use the kubectl command to add comments.

kubectl annotate svc istio-ingressgateway"nlb" -n istio-system
kubectl annotate svc istio-ingressgateway"" -n istio-system

Confirm that LB has been created.

$ kubectl get svc istio-ingressgateway  -n istio-system
NAME                   TYPE           CLUSTER-IP     EXTERNAL-IP                                                                     PORT(S)                                                      AGE
istio-ingressgateway   LoadBalancer   15021:31022/TCP,80:32766/TCP,443:32512/TCP,15443:31919/TCP   3h31m

Access the dashboard:

# Grafana
$ istioctl dashboard grafana

# Kiali
$ istioctl dashboard kiali

# Jaeger
$ istioctl dashboard jaeger

# Prometheus
$ istioctl dashboard prometheus

# Zipkin
$ istioctl dashboard zipkin

# Envoy
$ istioctl dashboard envoy .

Step 5: Configure Route53 DNS

I will delegate a subdomain To AWS Route53 to be used in the Istio gateway.

access Route53 console Create a hosted zone (if you don’t already have one).

Install Istio Service Mesh in EKS Kubernetes cluster

Click "Create Hosted Zone" to add the domain to Route53.

Install Istio Service Mesh in EKS Kubernetes cluster

The system will provide you with DNS server entries for you to update in your registrar to resolve and manage domain DNS entries on Route53.

Since I use Cloudflare to manage DNS, I will update the settings accordingly from the management console. Please note that I used a subdomain on Route53, not the actual domain name.

Install Istio Service Mesh in EKS Kubernetes cluster

The type of record to be added is NS. After adding everything, it will look like this:

Install Istio Service Mesh in EKS Kubernetes cluster

Confirm DNS propagation after the update. For some registration forms, it may take up to 24 hours to push updates.

$ dig NS +short

Create a record on route53 pointing to the load balancer used by Istio Ingress. For me, the record will be *

Please click Create record>Simple route>Define simple record And set:

  • Record name
  • Value/route traffic to: select network load balancer, set region and load balancer ID
  • Record type: A

When not clicking the "Define Simple Record" button.

Install Istio Service Mesh in EKS Kubernetes cluster

Verify the details and click "Create record"

Install Istio Service Mesh in EKS Kubernetes cluster

Step 6: Enable automatic Sidecar injection for the namespace

Sidecar can be automatically added to applicable Kubernetes pods using the following command Mutation Webhook Admission Controller Provided by Istio.

I will create a demo namespace for this project.

$ kubectl create ns demo
namespace/demo created

Enable automatic sidecar injection by adding istio-injection=enabled Labels on the namespace:

$ kubectl label namespace demo istio-injection=enabled
namespace/demo labeled

Confirm that the label has been added to the namespace.

$ kubectl get namespace demo -L istio-injection
demo   Active   2m20s   enabled

Step 7: Deploy the test application using the Istio gateway

We will use the example in the Istio website-Bookinfo application. This sample deploys a sample application consisting of four separate microservices to demonstrate various Istio functions.

Download the application manifest file.


Deploy the application using the kubectl command:

$ kubectl apply -f bookinfo.yaml -n demo

service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created

Confirm that the Pod is running:

$ kubectl get pods -n demo
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-5974b67c8-tqsj9        2/2     Running   0          86s
productpage-v1-64794f5db4-hg7n6   2/2     Running   0          76s
ratings-v1-c6cdf8d98-4dl8h        2/2     Running   0          84s
reviews-v1-7f6558b974-64wrw       2/2     Running   0          81s
reviews-v2-6cb6ccd848-fp2tl       2/2     Running   0          80s
reviews-v3-cc56b578-dpgh2         2/2     Running   0          79s

Confirm that all services are correctly defined.

$ kubectl get svc -n demo
kubectl get svc -n demo
NAME          TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
details       ClusterIP            9080/TCP   4m28s
productpage   ClusterIP            9080/TCP   4m18s
ratings       ClusterIP           9080/TCP   4m26s
reviews       ClusterIP            9080/TCP   4m23s

To confirm that the Bookinfo application is running, send a request to it from a pod via the curl command, for example, by level:

kubectl -n demo exec "$(kubectl get pod  -n demo -l app=ratings -o jsonpath='{.items[0]}')" -c ratings -- curl productpage:9080/productpage | grep -o ".*"

Expected command output:

Simple Bookstore App

Download the gateway file.


Edit it to set the host value.

$ vim bookinfo-gateway.yaml
kind: Gateway
  name: bookinfo-gateway
    istio: ingressgateway # use istio default controller
  - port:
      number: 80
      name: http
      protocol: HTTP
    - ""
kind: VirtualService
  name: bookinfo
  - ""
  - bookinfo-gateway
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    - destination:
        host: productpage
          number: 9080

Define the entry gateway of the application:

$ kubectl apply -f ./bookinfo-gateway.yaml -n demo created created

Use curl or a web browser to test access to the application.


$ curl -s  |  grep -o ".*"
Simple Bookstore App

From the web browser.

Install Istio Service Mesh in EKS Kubernetes cluster

You can use this sample application to try out Istio's features, such as traffic routing, fault injection, rate limiting, etc. Also check Istio tasks understand more. If you are a beginner Configure request routing It is also a good starting point.

Clean the Bookinfo application.

$ kubectl delete -f ./bookinfo-gateway.yaml -n demo "bookinfo-gateway" deleted "bookinfo" deleted

$ kubectl delete -f ./bookinfo.yaml -n demo
service "details" deleted
serviceaccount "bookinfo-details" deleted
deployment.apps "details-v1" deleted
service "ratings" deleted
serviceaccount "bookinfo-ratings" deleted
deployment.apps "ratings-v1" deleted
service "reviews" deleted
serviceaccount "bookinfo-reviews" deleted
deployment.apps "reviews-v1" deleted
deployment.apps "reviews-v2" deleted
deployment.apps "reviews-v3" deleted
service "productpage" deleted
serviceaccount "bookinfo-productpage" deleted
deployment.apps "productpage-v1" deleted

$ kubectl get all -n demo
No resources found in demo namespace.

$ kubectl delete ns demo
namespace "demo" deleted

Related guidelines:

How to install Istio Service Mesh on OpenShift 4.x

Install CloudWatch Container Insights on EKS | Kubernetes

You can download this article in PDF format via the link below to support us.

Download the guide in PDF format

turn off