25. Istio Service Mesh: Enhancing Kubernetes Networking

"Hello, I'm Kiran Pawar, a passionate Cloud and DevOps Engineer with a strong background in cloud automation, configuration, and deployment. My journey in the world of technology has been a thrilling adventure, where I've had the privilege to work with cutting-edge tools and practices.
🚀 As a DevOps Engineer:
I specialize in automating, configuring, and deploying instances in cloud environments and data centers. My expertise extends to DevOps, GitOps, CI/CD pipeline management, HashiCorp Terraform, and containerization. I'm proficient in AWS and Linux/Unix administration, ensuring robust infrastructure and application performance.
🔧 My Tech Stack:
Front-end skills: HTML, CSS, SCSS, Tailwind CSS, Bootstrap, React, Material-UI, JavaScript
DevOps toolbox: Git, OWASP, Nexus, Trivy, GitHub, GitLab, Terraform, Ansible, Docker, Kubernetes, Helm, Jenkins, Prometheus, Grafana, Argo CD, AWS EKS.
🌐 My Cloud Expertise:
I have hands-on experience managing AWS services, including EC2, S3, EBS, VPC, ELB, RDS, IAM, Route53, and more.
🔒 Networking and Security:
My skills include managing networking concepts such as TCP/IP protocols, security policies, and subnet interfacing. I have a strong understanding of infrastructure and networking, covering topics like firewalls, IP addressing, DNS, and more.
💡 What Sets Me Apart:
I bring a positive attitude, a strong work ethic, and a collaborative spirit to every project. I'm a self-starter, a fast learner, and an effective team player with strong interpersonal skills. In addition to my DevOps skills, I've developed shell scripts (Bash) for automating tasks and have proficiency in Python scripting. My ability to communicate and manage projects, along with a track record of resolving client issues, adds value to every team I work with. If you're looking for a DevOps engineer who is also well-versed in front-end technologies, feel free to connect with me. Let's explore new possibilities and create exceptional technical solutions together!"
Istio is an open-source service mesh that provides advanced networking features for microservices. It simplifies service-to-service communication, security, traffic management, and observability in Kubernetes clusters.
1. Key Features of Istio
Traffic Management:
Fine-grained control over service traffic (e.g., routing, retries, failovers).
Canary deployments and A/B testing.
Security:
Enforces mutual TLS (mTLS) for secure communication.
Role-Based Access Control (RBAC) and policies for authorization.
Observability:
Detailed telemetry, metrics, logs, and tracing (using tools like Prometheus and Jaeger).
Resilience:
Circuit breaking and request retries.
Fault injection for testing.
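The Security bullets above (mTLS and authorization policies) are what a defender most wants to see in concrete form. The manifests below are an added example and are not part of the original post. They assume Bookinfo is deployed in the default namespace with the service accounts its manifest creates (bookinfo-productpage, bookinfo-reviews), and that the gateway from bookinfo-gateway.yaml runs under the service account bookinfo-gateway-istio (an assumption about Istio's automated gateway deployment; check with kubectl get serviceaccounts). The namespace is put into STRICT mTLS, every workload is denied by default, and each hop of the Bookinfo call graph is then allowed explicitly by the caller's SPIFFE identity rather than by IP or label.

```yaml
# Added example (not from the original post). Assumptions: Bookinfo in the
# "default" namespace; gateway service account bookinfo-gateway-istio.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT   # sidecars reject plaintext; PERMISSIVE (the default) accepts both
---
# An AuthorizationPolicy with an empty spec matches every workload in the
# namespace and allows nothing: deny-by-default.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: default
spec: {}
---
# Only the gateway's identity may reach productpage.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: productpage-from-gateway
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-gateway-istio"]
---
# details accepts calls only from productpage.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: details-from-productpage
  namespace: default
spec:
  selector:
    matchLabels:
      app: details
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
---
# reviews accepts calls only from productpage.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: reviews-from-productpage
  namespace: default
spec:
  selector:
    matchLabels:
      app: reviews
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
---
# ratings accepts calls only from reviews (v2/v3 call it; v1 does not).
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: ratings-from-reviews
  namespace: default
spec:
  selector:
    matchLabels:
      app: ratings
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-reviews"]
```

Apply with kubectl apply -f and re-run the curl check from the ratings pod later in this post: it should now fail, because ratings is no longer allowed to call productpage, while the browser path through the gateway keeps working. The principals field only matches when the caller presented a client certificate, so the STRICT PeerAuthentication and the ALLOW rules depend on each other: without STRICT, a plaintext caller has no principal and would simply be denied, which is the safe failure mode.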
2. Components of Istio
Envoy Proxy:
A sidecar proxy injected into each Pod.
Handles communication between services.
Istiod (Control Plane):
Manages configuration, policies, and traffic rules.
Add-ons:
Prometheus: Metrics.
Grafana: Visualizations.
Jaeger: Distributed tracing.
Kiali: Service mesh visualization.
3. Setting Up a Kind Cluster for Istio
Step 1: Create a Kind Cluster
Run the following command to create a Kubernetes cluster using Kind:
kind create cluster --name istio-testing

The --name flag assigns a specific name to the cluster. By default, the cluster is named kind.
Step 2: Verify the Cluster
List all available clusters:
kind get clusters

Step 3: Check Kubernetes Contexts
List all local Kubernetes contexts:
kubectl config get-contexts

If you run multiple clusters, set the current context for kubectl to communicate with the desired cluster:
kubectl config use-context kind-istio-testing
4. Deploying Istio on Kubernetes
Step 1: Install Istio CLI
Download and install the Istio CLI:
curl -L https://istio.io/downloadIstio | sh -
cd istio-1.24.2
export PATH=$PWD/bin:$PATH
export PATH=$PATH:~/istio/istio-1.24.2/bin


Step 2: Install Istio
Install Istio with the demo profile, without the classic ingress and egress gateways (the Kubernetes Gateway API installed in Step 4 is used instead):
istioctl install -f samples/bookinfo/demo-profile-no-gateways.yaml -y

Verify installation:
kubectl get pods -n istio-system

Step 3: Label the Namespace for Injection
Enable sidecar proxy injection for a namespace:
kubectl label namespace default istio-injection=enabled

Step 4: Install the Kubernetes Gateway API CRDs
Install the Gateway API CRDs, if they are not already present:
kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
{ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.2.0" | kubectl apply -f -; }

5. Example: Deploying Applications with Istio
Sample Application Deployment

Deploy the Bookinfo sample application:
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.24/samples/bookinfo/platform/kube/bookinfo.yaml

The application will start. As each pod becomes ready, the Istio sidecar will be deployed along with it.
Check that the services and pods have been created:
kubectl get services
kubectl get pods

Note that the pods show READY 2/2, confirming they have their application container and the Istio sidecar container.
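The Traffic Management and Resilience features listed at the start of this post (canary routing, retries, circuit breaking) are expressed as a VirtualService and a DestinationRule. The manifests below are an added example and are not part of the original post. They assume the Bookinfo reviews deployments carry the labels app=reviews and version=v1/v2/v3, as bookinfo.yaml sets them, and send 90% of traffic to v1 and 10% to v2 while ejecting instances that keep returning 5xx.

```yaml
# Added example (not from the original post). Assumes Bookinfo's reviews
# deployments are labelled version=v1, v2, v3 in the "default" namespace.
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: reviews
  namespace: default
spec:
  host: reviews
  trafficPolicy:
    connectionPool:
      http:
        http1MaxPendingRequests: 100   # queue limit before requests are rejected
        maxRequestsPerConnection: 10
    outlierDetection:
      consecutive5xxErrors: 5          # circuit breaking: eject after 5 consecutive 5xx
      interval: 10s
      baseEjectionTime: 1m
      maxEjectionPercent: 50           # never eject more than half the endpoints
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: reviews
  namespace: default
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90                       # canary: 10% of requests go to v2
    - destination:
        host: reviews
        subset: v2
      weight: 10
    retries:
      attempts: 3
      perTryTimeout: 2s
      retryOn: 5xx,connect-failure
    timeout: 10s                       # overall budget across all retries
```

Refreshing /productpage repeatedly now shows the v1 rendering most of the time and the v2 one (black stars) roughly one request in ten. Keep the overall timeout larger than attempts times perTryTimeout, otherwise later retries can never run; and note that retries only re-send requests that Envoy considers safe to repeat, which is why the example keeps them limited to 5xx and connection failures.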
Validate that the app is running inside the cluster by checking for the page title in the response:
kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"

Open the application to outside traffic
Create a Kubernetes Gateway for the Bookinfo application:
kubectl apply -f samples/bookinfo/gateway-api/bookinfo-gateway.yaml

By default, Istio creates a LoadBalancer service for a gateway. As we will access this gateway by a tunnel, we don’t need a load balancer. If you want to learn about how load balancers are configured for external IP addresses, read the ingress gateways documentation.
Change the service type to ClusterIP by annotating the gateway:
kubectl annotate gateway bookinfo-gateway networking.istio.io/service-type=ClusterIP --namespace=default

To check the status of the gateway, run:
kubectl get gateway

Access the application
You will connect to the Bookinfo productpage service through the gateway you just provisioned. To access the gateway, you need to use the kubectl port-forward command:
kubectl port-forward svc/bookinfo-gateway-istio 8080:80 --address=0.0.0.0 &

Open your browser and navigate to http://localhost:8080/productpage to view the Bookinfo application.

View the dashboard
To see trace data, you must send requests to your service. The number of requests depends on Istio’s sampling rate and can be configured using the Telemetry API. With the default sampling rate of 1%, you need to send at least 100 requests before the first trace is visible. To send 100 requests to the productpage service, use the following command:
for i in $(seq 1 100); do curl -s -o /dev/null "http://localhost:8080/productpage"; done
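The paragraph above mentions that the sampling rate is configured with the Telemetry API. The manifest below is an added example, not part of the original post: a mesh-wide Telemetry resource in the root namespace (istio-system) that raises the trace sampling rate from the 1% default to 100%, so that a single request produces a trace in Jaeger.

```yaml
# Added example (not from the original post). A Telemetry resource in the
# root namespace (istio-system) applies to every workload in the mesh.
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  tracing:
  - randomSamplingPercentage: 100.0   # default is 1.0; 100 means trace every request
```

A 100% rate is appropriate for a Kind lab where you want to see traces immediately; in a real cluster it multiplies the span volume sent to the tracing backend by a hundred, so a per-namespace Telemetry resource (same kind, placed in the application namespace) is the usual way to raise sampling only where it is being investigated.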
Use the following instructions to deploy the Kiali dashboard, along with Prometheus, Grafana, and Jaeger.
Install Kiali and the other addons and wait for them to be deployed.
kubectl apply -f samples/addons
kubectl rollout status deployment/kiali -n istio-system


Access the Kiali dashboard.
sudo -E kubectl port-forward -n istio-system service/kiali 20001:20001 --address=0.0.0.0 &



6. Observability with Istio
Enable Metrics and Tracing:
Prometheus and Grafana for metrics.
Jaeger for distributed tracing.
Access Grafana Dashboard:
sudo -E kubectl port-forward svc/grafana -n istio-system 3000:3000 --address=0.0.0.0 &
7. Uninstall Istio
Clean up Istio resources:
istioctl uninstall --purge
kubectl delete namespace istio-system


Deleting the Cluster
Once you are done experimenting, delete the cluster:
kind delete cluster --name istio-testing
Benefits of Istio
Simplifies microservices communication.
Provides consistent observability and security.
Enables advanced traffic shaping and failover mechanisms.
