Install Istio Service Mesh in EKS Kubernetes cluster
To
You can download this article in PDF format via the link below to support us.
Download the guide in PDF format
turn off
To
To
To
The job of the Istio service mesh is to provide access control, traffic monitoring, security, discovery, load balancing, and many other useful functions for services in the Kubernetes cluster. No changes to your code, you can enjoy these services. Istio does all the tasks for you. In this guide, we will study how to install Istio Service Mesh in an EKS Kubernetes cluster.
In short, Istio deploys a proxy (called Sidecar) Each service next to it is deployed in a namespace that is part of the grid. Any traffic used for the service must go through the Sidecar proxy. Then use the Istio strategy to route the traffic to the service. Using Istio, you can also simplify DevOps technologies such as circuit breakers, canary deployment and fault injection.
This is how traffic flows in Istio.
Install Istio Service Mesh in the EKS Kubernetes cluster
For this installation, you need a few items.
- A valid EKS Kubernetes cluster deployed in AWS
- Access the cluster as a user with administrator rights
- If you want to use gateways and virtual services with domain names, please use Route53 hosted zone
Step 1: Install istioctl on the local computer/bastion
It depends on where kubectl is installed and where istioctl is placed on the same machine. If the API server can be accessed from a machine, it can be your local workstation machine. For private EKS clusters deployed in AWS, it will be the bastion server.
Download and unzip istioctl-for Linux and macOS. We will install the version 1.6.8
cd ~/
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.6.8 sh -
Configure the istioctl client tool for the workstation.
sudo cp istio-1.6.8/bin/istioctl /usr/local/bin/
sudo chmod +x /usr/local/bin/istioctl
Confirm istioctl version:
$ istioctl version
1.6.8
Enable istioctl complete for Bash
--- Bash ---
mkdir -p ~/completions && istioctl collateral --bash -o ~/completions
source ~/completions/istioctl.bash
echo "source ~/completions/istioctl.bash" >> ~/.bashrc
--- Zsh ---
mkdir -p ~/completions && istioctl collateral --zsh -o ~/completions
source ~/completions/_istioctl
echo "source ~/completions/_istioctl" >>~/.zshrc
The verification is done automatically.
$ istioctl
analyze dashboard install operator proxy-status validate
authz deregister kube-inject profile register verify-install
convert-ingress experimental manifest proxy-config upgrade version
Step 2: Create Istio namespace
Create a namespace that will deploy all istio-related services.
$ kubectl create namespace istio-system
namespace/istio-system created
Step 3: Establish necessary confidentiality
We will install Grafana, Kelly with Jaeger-LeCoultre As part of the Istio installation. In our setup, each component needs to provide credentials, these credentials must be secret.
Let’s create these secrets in the istio-system namespace.
Create the Grafana Secret
GRAFANA_USERNAME=$(echo -n "grafana" | base64)
GRAFANA_PASSPHRASE=$(echo -n "[email protected]" | base64) # Replace [email protected] with your password
cat <
Create Kiali secret
KIALI_USERNAME=$(echo -n "kiali" | base64)
KIALI_PASSPHRASE=$(echo -n "[email protected]" | base64) # Replace [email protected] with your password
cat <
Create Jaeger Secret.
JAEGER_USERNAME=$(echo -n "jaeger" | base64)
JAEGER_PASSPHRASE=$(echo -n "[email protected]" | base64) # Replace [email protected] with your password
cat <
List the created secrets.
$ kubectl get secret -n istio-system
NAME TYPE DATA AGE
default-token-kwrcj kubernetes.io/service-account-token 3 16m
grafana Opaque 2 4m59s
jaeger Opaque 2 47s
kiali Opaque 2 3m7s
Step 4: Create Istio control plane configuration
Now that we have successfully created the required secret, we can create the Istio Control plane configuration file.
I named the file istio-control-plane-eks.yml. The file will be saved Istio control plane specifications Detailed information about configuring Istio.
$ vim istio-control-plane-eks.yml
The content is. -Reference Global grid options
apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
profile: default
values:
meshConfig:
disablePolicyChecks: false
# File address for the proxy access log (e.g. /dev/stdout).
accessLogFile: "/dev/stdout"
# Set the default behavior of the sidecar for handling outbound traffic from the application
outboundTrafficPolicy:
mode: "ALLOW_ANY"
# Enable mutual TLS automatically for service to service communication within the mesh
enableAutoMtls: false
disablePolicyChecks: false
gateways:
# Enable egress gateway
istio-egressgateway:
enabled: true
autoscaleEnabled: true
# Enable Ingress gateway
istio-ingressgateway:
enabled: true
autoscaleEnabled: true
global:
# Ensure that the Istio pods are only scheduled to run on Linux nodes
defaultNodeSelector:
beta.kubernetes.io/os: linux
# Enable mutual TLS for the control plane
controlPlaneSecurityEnabled: true
grafana:
# Enable Grafana deployment for analytics and monitoring dashboards
enabled: true
security:
# Enable authentication for Grafana
enabled: true
kiali:
# Enable the Kiali deployment for a service mesh observability dashboard
enabled: true
tracing:
# Enable the Jaeger deployment for tracing
enabled: true
provider: jaeger # zipkin / jaeger
Verify the configuration by performing a dry run.
$ istioctl manifest apply -f istio-control-plane-eks.yml --dry-run
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Addons installed
- Pruning removed resources
......
Install istio using the following command:
$ istioctl manifest apply -f istio-control-plane-eks.yml
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Addons installed
✔ Installation complete
Check the deployed Pods to confirm that they are running:
$ kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
grafana-86897cb4f5-wg29n 1/1 Running 0 3h34m
istio-egressgateway-8667d76d75-2t96d 1/1 Running 0 51s
istio-ingressgateway-5d78f74886-8xpx5 1/1 Running 0 3h35m
istio-tracing-57d7cfd779-xbtd8 1/1 Running 0 3h34m
istiod-58f84ffddc-khncg 1/1 Running 0 3h35m
kiali-7c974669b4-ckfh4 1/1 Running 0 3h34m
prometheus-6946fd87b4-ldzt2 2/2 Running 0 3h34m
You can list service endpoints in the following ways:
$ kubectl get svc -n istio-system
Add annotations to Ingress Service to get AWS Load Balancer. The notes to be added are:
service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
service.beta.kubernetes.io/aws-load-balancer-internal: "0.0.0.0/0"
We will use the kubectl command to add comments.
kubectl annotate svc istio-ingressgateway service.beta.kubernetes.io/aws-load-balancer-type="nlb" -n istio-system
kubectl annotate svc istio-ingressgateway service.beta.kubernetes.io/aws-load-balancer-internal="0.0.0.0/0" -n istio-system
Confirm that LB has been created.
$ kubectl get svc istio-ingressgateway -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.100.49.28 a75fa02249f79436290b35e8a00a00b5-8e63bc91906eba93.elb.eu-west-1.amazonaws.com 15021:31022/TCP,80:32766/TCP,443:32512/TCP,15443:31919/TCP 3h31m
Access the dashboard:
# Grafana
$ istioctl dashboard grafana
# Kiali
$ istioctl dashboard kiali
# Jaeger
$ istioctl dashboard jaeger
# Prometheus
$ istioctl dashboard prometheus
# Zipkin
$ istioctl dashboard zipkin
# Envoy
$ istioctl dashboard envoy .
Step 5: Configure Route53 DNS
I will delegate a subdomain cloud.hirebestengineers.com To AWS Route53 to be used in the Istio gateway.
access Route53 console Create a hosted zone (if you don’t already have one).
Click "Create Hosted Zone" to add the domain to Route53.
The system will provide you with DNS server entries for you to update in your registrar to resolve and manage domain DNS entries on Route53.
Since I use Cloudflare to manage DNS, I will update the settings accordingly from the management console. Please note that I used a subdomain on Route53, not the actual domain name.
The type of record to be added is NS. After adding everything, it will look like this:
Confirm DNS propagation after the update. For some registration forms, it may take up to 24 hours to push updates.
$ dig NS cloud.hirebestengineers.com +short
ns-1335.awsdns-38.org.
ns-1879.awsdns-42.co.uk.
ns-454.awsdns-56.com.
ns-643.awsdns-16.net.
Create a record on route53 pointing to the load balancer used by Istio Ingress. For me, the record will be * .cloud.hirebestengineers.com
Please click Create record>Simple route>Define simple record And set:
- Record name
- Value/route traffic to: select network load balancer, set region and load balancer ID
- Record type: A
When not clicking the "Define Simple Record" button.
Verify the details and click "Create record"
Step 6: Enable automatic Sidecar injection for the namespace
Sidecar can be automatically added to applicable Kubernetes pods using the following command Mutation Webhook Admission Controller Provided by Istio.
I will create a demo namespace for this project.
$ kubectl create ns demo
namespace/demo created
Enable automatic sidecar injection by adding istio-injection=enabled Labels on the namespace:
$ kubectl label namespace demo istio-injection=enabled
namespace/demo labeled
Confirm that the label has been added to the namespace.
$ kubectl get namespace demo -L istio-injection
NAME STATUS AGE ISTIO-INJECTION
demo Active 2m20s enabled
Step 7: Deploy the test application using the Istio gateway
We will use the example in the Istio website-Bookinfo application. This sample deploys a sample application consisting of four separate microservices to demonstrate various Istio functions.
Download the application manifest file.
wget https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml
Deploy the application using the kubectl command:
$ kubectl apply -f bookinfo.yaml -n demo
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
Confirm that the Pod is running:
$ kubectl get pods -n demo
NAME READY STATUS RESTARTS AGE
details-v1-5974b67c8-tqsj9 2/2 Running 0 86s
productpage-v1-64794f5db4-hg7n6 2/2 Running 0 76s
ratings-v1-c6cdf8d98-4dl8h 2/2 Running 0 84s
reviews-v1-7f6558b974-64wrw 2/2 Running 0 81s
reviews-v2-6cb6ccd848-fp2tl 2/2 Running 0 80s
reviews-v3-cc56b578-dpgh2 2/2 Running 0 79s
Confirm that all services are correctly defined.
$ kubectl get svc -n demo
kubectl get svc -n demo
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
details ClusterIP 10.100.229.76 9080/TCP 4m28s
productpage ClusterIP 10.100.23.164 9080/TCP 4m18s
ratings ClusterIP 10.100.172.229 9080/TCP 4m26s
reviews ClusterIP 10.100.18.183 9080/TCP 4m23s
To confirm that the Bookinfo application is running, send a request to it from a pod via the curl command, for example, by level:
kubectl -n demo exec "$(kubectl get pod -n demo -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl productpage:9080/productpage | grep -o ".* "
Expected command output:
Simple Bookstore App
Download the gateway file.
wget https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml
Edit it to set the host value.
$ vim bookinfo-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "bookinfo.cloud.hirebestengineers.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "bookinfo.cloud.hirebestengineers.com"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
prefix: /static
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage
port:
number: 9080
Define the entry gateway of the application:
$ kubectl apply -f ./bookinfo-gateway.yaml -n demo
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created
Use curl or a web browser to test access to the application.
curly:
$ curl -s http://bookinfo.cloud.hirebestengineers.com/productpage | grep -o ".* "
Simple Bookstore App
From the web browser.
You can use this sample application to try out Istio's features, such as traffic routing, fault injection, rate limiting, etc. Also check Istio tasks understand more. If you are a beginner Configure request routing It is also a good starting point.
Clean the Bookinfo application.
$ kubectl delete -f ./bookinfo-gateway.yaml -n demo
gateway.networking.istio.io "bookinfo-gateway" deleted
virtualservice.networking.istio.io "bookinfo" deleted
$ kubectl delete -f ./bookinfo.yaml -n demo
service "details" deleted
serviceaccount "bookinfo-details" deleted
deployment.apps "details-v1" deleted
service "ratings" deleted
serviceaccount "bookinfo-ratings" deleted
deployment.apps "ratings-v1" deleted
service "reviews" deleted
serviceaccount "bookinfo-reviews" deleted
deployment.apps "reviews-v1" deleted
deployment.apps "reviews-v2" deleted
deployment.apps "reviews-v3" deleted
service "productpage" deleted
serviceaccount "bookinfo-productpage" deleted
deployment.apps "productpage-v1" deleted
$ kubectl get all -n demo
No resources found in demo namespace.
$ kubectl delete ns demo
namespace "demo" deleted
Related guidelines:
How to install Istio Service Mesh on OpenShift 4.x
Install CloudWatch Container Insights on EKS | Kubernetes
To
You can download this article in PDF format via the link below to support us.
Download the guide in PDF format
turn off
To
To
To