Istio Installation in Kubernetes

Istio Installation in Kubernetes – A Simple Practical Guide

Last Updated on March 19, 2024 by cscontents

Introduction

Istio is an open-source service mesh platform or tool that helps manage, connect, and secure microservices. Istio is an implementation of the service mesh concept. It was developed by Google, IBM, and Lyft and is now part of the Cloud Native Computing Foundation (CNCF). Istio provides a uniform way to connect, manage, and secure microservices, regardless of the underlying platform.

In recent years, microservices architecture has gained significant popularity in the software development world due to its ability to break down monolithic applications into smaller and more manageable components. However, as the number of microservices increases, managing their communication, and ensuring security, observability, and reliability become challenging. This is where service mesh technologies like Istio come into play.

What is Service Mesh?

Before diving into Istio, let’s briefly understand what a service mesh is. A service mesh is a dedicated layer that facilitates communication between microservices.

It handles tasks such as service discovery, dynamic traffic routing, load balancing, encryption, and monitoring. Previously, developers had to build these capabilities into each microservice, which made the services heavier. With a service mesh, tools like Istio take over those tasks, and developers can focus on the business logic of the microservice.

Because a service mesh takes these tasks away from the individual microservices, it simplifies the development and deployment of microservices-based applications.

Key Features of Istio

Below are the key features of Istio.

Traffic Management

  • Istio enables fine-grained control over traffic routing through features like weighted routing, timeouts, and retries. Weighted routing means Istio can route a chosen percentage of traffic along a particular path.
  • Canary releases are simplified with Istio, allowing developers to release new features gradually and monitor their impact.

Security

  • Istio provides robust security features such as mutual TLS (mTLS) for encrypting communication between services.
  • Access control policies, rate limiting, and authentication mechanisms enhance the overall security posture of microservices.

Observability

  • Istio collects telemetry data, providing insights into the behavior of microservices.
  • Distributed tracing and monitoring capabilities help in identifying and resolving performance issues.

Load Balancing

Istio handles load balancing between microservices, distributing traffic efficiently to ensure optimal performance.

Fault Injection and Circuit Breaking

Istio allows the intentional introduction of faults for testing and simulating failure scenarios.

Benefits of Using Istio

Below are the benefits of using Istio.

  • Improved Observability: Istio provides comprehensive metrics, logs, and traces, enabling engineers and developers to gain deep insights into the behavior of microservices.
  • Enhanced Security: Istio helps us to use mTLS in the communication between two services. With mTLS and access control policies, Istio strengthens the security of microservices, protecting against unauthorized access and potential threats.
  • Simplified Operations: Istio abstracts away the complexities of managing communication between microservices, reducing the operational overhead for development teams, and gives an end-to-end view of the communication between them.
  • Traffic Control: Using Istio we can have fine-grained control over traffic routing, and effective load balancing.

Istio Architecture

Istio’s architecture is composed of a data plane and a control plane.

Control Plane

Before Istio 1.5, the control plane consisted of several components (Pilot, Citadel, Mixer, Galley, etc.). From v1.5 onward, these components were consolidated into a single binary called Istiod.

Below are the control plane components (for Istio versions before 1.5) or, equivalently, the components now bundled inside Istiod (for Istio 1.5 and later).

Pilot

It is responsible for service discovery and managing the configuration for Envoy proxies.

Citadel

Citadel manages the security aspects of Istio, including certificate issuance and mTLS configuration.

Mixer

Mixer collects telemetry data and enforces access control and usage policies.

Galley

Galley is the central component for configuration processing, validation, and distribution. Galley validates the Istio configuration files (YAML files).

Data Plane

The data plane of Istio is composed of a set of intelligent proxies that run as sidecars within the application/microservice pod.

Envoy Proxy

Envoy Proxy handles communication between services and enforces the policies set by the control plane. Traffic from one microservice to another goes through this Envoy proxy: the sidecar proxies intercept all traffic coming into the microservice and pass it through themselves. These proxies also collect and report telemetry for mesh traffic.

Deploying/Installing Istio

Istio typically functions within a container orchestration platform like Kubernetes. Kubernetes provides the necessary infrastructure and functionalities for Istio to manage your microservices effectively.

Installation

Istio can be installed in two ways.

  1. Using Istioctl, a command-line utility provided by Istio. It is a user-friendly command-line tool for installing and managing Istio.
  2. Using Helm charts.

Istio installation using Istioctl

Before installing Istio we need to ensure we have supported Kubernetes versions (1.26, 1.27, 1.28, 1.29). Follow the below steps to install Istio using Istioctl.

Step 1: Download Istio

Run the command below to download and extract the latest Istio release, which includes the istioctl client. In our case, the version is 1.21.0.

curl -L https://istio.io/downloadIstio | sh -

If you want other versions of Istio, please check this URL – https://github.com/istio/istio/releases

You can run the below command (with parameters) to download a specific version of Istio.

curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.20.4 TARGET_ARCH=x86_64 sh -

Set the “TARGET_ARCH” value to match your machine architecture.

Whichever download command you run, it produces output like the following, including instructions on what to do next.

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   101  100   101    0     0    483      0 --:--:-- --:--:-- --:--:--   483
100  4899  100  4899    0     0  17372      0 --:--:-- --:--:-- --:--:-- 17372

Downloading istio-1.21.0 from https://github.com/istio/istio/releases/download/1.21.0/istio-1.21.0-linux-amd64.tar.gz ...

Istio 1.21.0 Download Complete!

Istio has been successfully downloaded into the istio-1.21.0 folder on your system.

Next Steps:
See https://istio.io/latest/docs/setup/install/ to add Istio to your Kubernetes cluster.

To configure the istioctl client tool for your workstation,
add the /home/ubuntu/temp/istio-1.21.0/bin directory to your environment path variable with:
         export PATH="$PATH:/home/ubuntu/temp/istio-1.21.0/bin"

Begin the Istio pre-installation check by running:
         istioctl x precheck

Need more information? Visit https://istio.io/latest/docs/setup/install/

The output above shows the command needed to add istioctl to the PATH variable.

You can run the command shown in the output, or run the commands below.

cd istio-1.21.0/

Next, we will add the Istioctl into the PATH variable.

export PATH=$PWD/bin:$PATH

Step 2: Install Istio

In Step 1 we downloaded Istio and added the istioctl binary to the PATH variable. In this step, we will install Istio using the istioctl client.

Important points to be noted:

  • Istio comes with some built-in configuration profiles that can be used during installation of Istio. Below are the built-in configuration profiles.
    • default
    • demo
    • minimal
    • remote
    • empty
    • preview
    • ambient (currently in Alpha phase)

Below is a table that shows the core components of Istio that will be installed for various profiles.

Core component         Profiles that install it
istio-egressgateway    demo
istio-ingressgateway   default, demo, preview
istiod                 default, demo, minimal, preview, ambient
CNI                    ambient
Ztunnel                ambient

The remote and empty profiles install none of these core components.

For more information, you can check this URL – https://istio.io/latest/docs/setup/additional-setup/config-profiles/

In our case, we will use the “demo” configuration profile. Now, execute the below command to install Istio.

istioctl install --set profile=demo -y

The above command will install Istio.

From now on, whenever we deploy a microservice in the K8s cluster, we must label the namespace (in which the pods will be deployed) with “istio-injection=enabled” so that the Envoy sidecar is injected into the pods.
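The download, install and namespace-labelling steps above, chained together as one script. This is an added example and is not code from the original post or from the Istio project. Instead of piping the download script straight into sh, it pins the version, fetches the release tarball directly, verifies its SHA-256 against the published checksum before extracting anything, runs the pre-installation check, installs the chosen profile and labels the application namespace for sidecar injection. It assumes (not stated on the page) that each release asset on GitHub has a sibling ".sha256" file with the same name, that sha256sum or shasum is available, and that kubectl and the cluster are reachable; version, architecture, profile and namespace are parameters with the page's values as defaults. The demo profile exists to showcase Istio's features rather than for production use, so on a real cluster pass PROFILE=default.

```shell
#!/bin/sh
# Added example (not from the original post): pinned, checksum-verified
# Istio download followed by precheck, install and namespace labelling.
# Assumptions: release assets have a sibling "<asset>.sha256" file,
# sha256sum or shasum exists, kubectl can reach the cluster.
set -eu

ISTIO_VERSION="${ISTIO_VERSION:-1.21.0}"
TARGET_OS="${TARGET_OS:-linux}"
TARGET_ARCH="${TARGET_ARCH:-amd64}"   # amd64 or arm64

# Build the release URL; same layout as the URL in the download output above.
istio_release_url() {
  ver="$1"; os="$2"; arch="$3"
  echo "https://github.com/istio/istio/releases/download/${ver}/istio-${ver}-${os}-${arch}.tar.gz"
}

# Print the hex SHA-256 of FILE using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 when FILE's SHA-256 equals EXPECTED, 1 otherwise.
verify_sha256() {
  file="$1"; expected="$2"
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Download tarball and checksum, verify, then extract and put istioctl on PATH.
download_istio() {
  url=$(istio_release_url "$ISTIO_VERSION" "$TARGET_OS" "$TARGET_ARCH")
  tarball="istio-${ISTIO_VERSION}-${TARGET_OS}-${TARGET_ARCH}.tar.gz"
  curl -fsSL -o "$tarball" "$url"
  curl -fsSL -o "$tarball.sha256" "$url.sha256"   # assumed sidecar file
  expected=$(cut -d' ' -f1 "$tarball.sha256")
  if ! verify_sha256 "$tarball" "$expected"; then
    echo "checksum mismatch for $tarball, refusing to extract" >&2
    return 1
  fi
  tar -xzf "$tarball"
  PATH="$PWD/istio-${ISTIO_VERSION}/bin:$PATH"; export PATH
}

# Pre-flight check, install the profile, then confirm the install matches.
install_istio() {
  profile="${1:-demo}"
  istioctl x precheck
  istioctl install --set "profile=${profile}" -y
  istioctl verify-install
}

# Label NAMESPACE so newly created pods receive the Envoy sidecar, and show it.
enable_injection() {
  ns="$1"
  kubectl label namespace "$ns" istio-injection=enabled --overwrite
  kubectl get namespace "$ns" -L istio-injection
}

main() {
  download_istio
  install_istio "${PROFILE:-demo}"
  enable_injection "${APP_NAMESPACE:-default}"
}

# The cluster-touching steps run only when requested explicitly.
if [ "${RUN_ISTIO_INSTALL:-0}" = 1 ]; then
  main
fi
```

Run it as `RUN_ISTIO_INSTALL=1 PROFILE=default APP_NAMESPACE=myapp sh install-istio.sh`; without RUN_ISTIO_INSTALL it only defines the functions. The PATH change applies to the script's own run, so add the export line from the download output to your shell afterwards as the page describes.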

Istio installation using Helm

In this guide, we are not adding details for “Istio installation using Helm”. Please refer to the official documents for the same.

Official doc Istio installation using Helm – https://istio.io/latest/docs/setup/install/helm/

Istio Configuration

Istio configuration is defined using Custom Resource Definitions (CRDs) in Kubernetes. Below are a few important resources (CRDs) that are very crucial in Istio configuration.

  • VirtualService: Defines rules for routing traffic to different services based on HTTP headers, URI paths, or other criteria.
  • DestinationRule: Specifies policies for load balancing, traffic splitting, and connection pooling for a specific service. VirtualService and DestinationRule together are the main building blocks of traffic routing in Istio.
  • Gateway: Configures ingress and egress gateways to allow external traffic to enter or exit the Istio service mesh. Gateway operates at the edge of the service mesh. It is the entry point of the K8s cluster.
  • ServiceEntry: It defines external services that can be accessed by services within the mesh, enabling communication with services outside the Kubernetes cluster.
  • AuthorizationPolicy: Sets access control policies for controlling which services can communicate with each other and enforcing authentication and authorization rules.
  • PeerAuthentication: It defines how traffic will be tunneled to the sidecar. Using PeerAuthentication mutual TLS (mTLS) authentication is configured between services to ensure secure communication within the mesh.
  • Sidecar: Specifies additional settings for the Envoy sidecar proxy, such as resource limits, tracing configurations, and custom Envoy filters.
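The security resources from the list above as concrete manifests, generated by small shell functions so they can be reviewed, diffed and applied. This is an added example and not configuration from the original post; it assumes the security.istio.io/v1beta1 API that ships with Istio and that kubectl targets the cluster. It puts the weak PeerAuthentication setting (PERMISSIVE, which still accepts plaintext) beside the hardened one (STRICT), adds a namespace-wide deny-by-default AuthorizationPolicy, and an ALLOW rule keyed on the caller's service-account identity; the namespace, app label and service-account names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): Istio security manifests.
# Assumes security.istio.io/v1beta1 is installed and kubectl reaches the cluster.

# Mesh-wide PeerAuthentication. A policy named "default" in the root namespace
# (istio-system) becomes the default for every namespace.
# MODE: PERMISSIVE accepts plaintext and mTLS; STRICT accepts mTLS only.
peer_auth_manifest() {
  mode="$1"
  cat <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: ${mode}
EOF
}

# AuthorizationPolicy with an empty spec: no rule matches, so every request
# to workloads in NAMESPACE is denied until an ALLOW policy is added.
deny_all_manifest() {
  ns="$1"
  cat <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: ${ns}
spec: {}
EOF
}

# ALLOW policy: only workloads running as service account CALLER_SA may call
# workloads labelled app=APP in NAMESPACE. Principals require mTLS identities.
allow_from_sa_manifest() {
  ns="$1"; app="$2"; caller_sa="$3"
  cat <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-${app}-from-${caller_sa}
  namespace: ${ns}
spec:
  selector:
    matchLabels:
      app: ${app}
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/${ns}/sa/${caller_sa}"]
EOF
}

# Print the mtls mode found in a PeerAuthentication manifest read from stdin.
mtls_mode() {
  sed -n 's/^ *mode: *//p'
}

# Return 0 if the manifest on stdin enforces mTLS, 1 otherwise.
is_strict() {
  [ "$(mtls_mode)" = "STRICT" ]
}

# Apply the hardened set: STRICT mTLS mesh-wide, deny-all in NAMESPACE,
# then one explicit ALLOW for the caller that needs access.
apply_hardened() {
  ns="$1"; app="$2"; caller_sa="$3"
  peer_auth_manifest STRICT | kubectl apply -f -
  deny_all_manifest "$ns" | kubectl apply -f -
  allow_from_sa_manifest "$ns" "$app" "$caller_sa" | kubectl apply -f -
}

# Only touch the cluster when asked for explicitly, e.g.
# APPLY_NAMESPACE=payments APP=api CALLER_SA=checkout sh istio-security.sh
if [ -n "${APPLY_NAMESPACE:-}" ]; then
  apply_hardened "$APPLY_NAMESPACE" "${APP:-api}" "${CALLER_SA:-checkout}"
fi
```

Order matters: the ALLOW rule matches on `source.principals`, which exists only when the caller's identity is established by mTLS, so moving the mesh to STRICT first is what makes the deny-all plus explicit-allow pattern trustworthy. Changing STRICT to PERMISSIVE in `peer_auth_manifest` shows the weak setting that `is_strict` flags.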

Conclusion

Istio plays a crucial role in addressing the challenges of microservices communication by providing a robust and feature-rich service mesh solution. Its ability to manage traffic, enhance security, and improve observability makes it a valuable tool for organizations embracing microservices architecture. As the landscape of microservices continues to evolve, Istio remains a powerful ally in ensuring the reliability and efficiency of distributed systems.

Thank you.