25. Istio Service Mesh: Enhancing Kubernetes Networking
Table of contents
- 1. Key Features of Istio
- 2. Components of Istio
- 3. Setting Up a Kind Cluster for Istio
- Step 1: Create a Kind Cluster
- Step 2: Verify the Cluster
- Step 3: Check Kubernetes Contexts
- 4. Deploying Istio on Kubernetes
- Step 1: Install Istio CLI
- Step 2: Install Istio
- Step 3: Label the Namespace for Injection
- Step 4: Install the Kubernetes Gateway API CRDs
- 5. Example: Deploying Applications with Istio
- Sample Application Deployment
- Access the application
- View the dashboard
Istio is an open-source service mesh that provides advanced networking features for microservices. It simplifies service-to-service communication, security, traffic management, and observability in Kubernetes clusters.
1. Key Features of Istio
Traffic Management:
- Fine-grained control over service traffic (e.g., routing, retries, failovers).
- Canary deployments and A/B testing.
Security:
- Enforces mutual TLS (mTLS) for secure communication.
- Role-Based Access Control (RBAC) and policies for authorization.
Observability:
- Detailed telemetry, metrics, logs, and tracing (using tools like Prometheus and Jaeger).
Resilience:
- Circuit breaking and request retries.
- Fault injection for testing.
2. Components of Istio
Envoy Proxy:
- A sidecar proxy injected into each Pod.
- Handles communication between services.
Istiod (Control Plane):
- Manages configuration, policies, and traffic rules.
Add-ons:
- Prometheus: Metrics.
- Grafana: Visualizations.
- Jaeger: Distributed tracing.
- Kiali: Service mesh visualization.
3. Setting Up a Kind Cluster for Istio
Step 1: Create a Kind Cluster
Run the following command to create a Kubernetes cluster using Kind:
kind create cluster --name istio-testing
- The --name flag assigns a specific name to the cluster. By default, the cluster is named kind.
Step 2: Verify the Cluster
List all available clusters:
kind get clusters
Step 3: Check Kubernetes Contexts
List all local Kubernetes contexts:
kubectl config get-contexts
If you run multiple clusters, set the current context so that kubectl communicates with the desired cluster:
kubectl config use-context kind-istio-testing
4. Deploying Istio on Kubernetes
Step 1: Install Istio CLI
Download and install the Istio CLI:
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.24.2 sh -
cd istio-1.24.2
export PATH=$PWD/bin:$PATH
Without ISTIO_VERSION the script downloads the latest release, so the directory name may differ from istio-1.24.2. If you extracted Istio somewhere else (for example under ~/istio), point PATH at that directory instead:
export PATH=$PATH:~/istio/istio-1.24.2/bin
Step 2: Install Istio
Install the demo profile for a basic setup:
istioctl install -f samples/bookinfo/demo-profile-no-gateways.yaml -y
Verify installation:
kubectl get pods -n istio-system
Step 3: Label the Namespace for Injection
Enable sidecar proxy injection for a namespace:
kubectl label namespace default istio-injection=enabled
Step 4: Install the Kubernetes Gateway API CRDs
Install the Gateway API CRDs, if they are not already present:
kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
{ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.2.0" | kubectl apply -f -; }
5. Example: Deploying Applications with Istio
Sample Application Deployment
Deploy the Bookinfo sample application:
Apply the deployment:
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.24/samples/bookinfo/platform/kube/bookinfo.yaml
The application will start. As each pod becomes ready, the Istio sidecar will be deployed along with it.
Check that the services and pods have been created:
kubectl get services
kubectl get pods
Note that the pods show READY 2/2, confirming they have their application container and the Istio sidecar container.
Validate that the app is running inside the cluster by checking for the page title in the response:
kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"
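The sidecars already talk mTLS to each other, but a fresh mesh runs in PERMISSIVE mode, so a pod without a sidecar can still reach these services in plaintext. The manifests below are an added example, not part of this page or of the Istio samples: they make mTLS STRICT for the default namespace and allow only the productpage workload to call reviews (the policy names are mine; the bookinfo-productpage service account is the one created by bookinfo.yaml).

```yaml
# Added example: mesh security policies for the Bookinfo namespace.
# PeerAuthentication STRICT rejects any plaintext connection to sidecars
# in the default namespace; sidecar-to-sidecar traffic is unaffected.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
---
# AuthorizationPolicy on the reviews workload: only the productpage
# service account (identity carried in the mTLS certificate) may issue
# GET requests. Everything else is denied because an ALLOW policy exists
# and no rule matches. Policy name is an assumption of this example.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: reviews-from-productpage-only
  namespace: default
spec:
  selector:
    matchLabels:
      app: reviews
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
    to:
    - operation:
        methods: ["GET"]
```

Apply it with kubectl apply -f and re-run the validation command above: it still succeeds because the request leaves the ratings pod through its sidecar, whereas the same curl from a pod in a namespace without injection is now refused.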
Open the application to outside traffic
Create a Kubernetes Gateway for the Bookinfo application:
kubectl apply -f samples/bookinfo/gateway-api/bookinfo-gateway.yaml
By default, Istio creates a LoadBalancer service for a gateway. As we will access this gateway by a tunnel, we don't need a load balancer. If you want to learn about how load balancers are configured for external IP addresses, read the ingress gateways documentation.
Change the service type to ClusterIP by annotating the gateway:
kubectl annotate gateway bookinfo-gateway networking.istio.io/service-type=ClusterIP --namespace=default
To check the status of the gateway, run:
kubectl get gateway
Access the application
You will connect to the Bookinfo productpage service through the gateway you just provisioned. To access the gateway, you need to use the kubectl port-forward command:
kubectl port-forward svc/bookinfo-gateway-istio 8080:80 --address=0.0.0.0 &
Open your browser and navigate to http://localhost:8080/productpage to view the Bookinfo application.
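The canary routing listed under Traffic Management can be tried on the Bookinfo reviews service, which bookinfo.yaml deploys as three versions (labels version: v1, v2 and v3). The following manifests are an added example, not from this page: the DestinationRule names two subsets and the VirtualService sends 90% of in-mesh requests to v1 and 10% to v3 (resource names are my choice).

```yaml
# Added example: weighted canary for the reviews service.
# Subsets map to the version labels carried by the Bookinfo deployments.
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: reviews
  namespace: default
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v3
    labels:
      version: v3
---
# Weights must add up to 100; productpage's calls to reviews are split
# by the productpage sidecar, no application change required.
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: reviews
  namespace: default
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v3
      weight: 10
```

After kubectl apply -f, reloading the productpage shows reviews without stars (v1) most of the time and red stars (v3) on roughly one load in ten.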
View the dashboard
To see trace data, you must send requests to your service. The number of requests depends on Istio's sampling rate and can be configured using the Telemetry API. With the default sampling rate of 1%, you need to send at least 100 requests before the first trace is visible. To send 100 requests to the productpage service through the port-forward opened above, use the following command:
for i in $(seq 1 100); do curl -s -o /dev/null "http://localhost:8080/productpage"; done
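The sampling rate mentioned above is set through the Telemetry API. The resource below is an added example rather than the page's own: it raises sampling to 100% mesh-wide so that every request to productpage produces a trace (the resource name is mine; it relies on the tracer already configured by the demo profile).

```yaml
# Added example: mesh-wide tracing configuration via the Telemetry API.
# Placing the resource in the root namespace (istio-system) applies it to
# every workload; a copy in the default namespace would scope it to Bookinfo.
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  tracing:
  - randomSamplingPercentage: 100.0   # default is 1.0 (one request in 100)
```

With this applied a single request is enough to see a trace in Jaeger; 100% sampling is a lab setting, not something to leave on in production.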
Use the following instructions to deploy the Kiali dashboard, along with Prometheus, Grafana, and Jaeger.
Install Kiali and the other addons and wait for them to be deployed.
kubectl apply -f samples/addons
kubectl rollout status deployment/kiali -n istio-system
Access the Kiali dashboard, then open http://localhost:20001 in your browser:
sudo -E kubectl port-forward -n istio-system service/kiali 20001:20001 --address=0.0.0.0 &
6. Observability with Istio
Enable Metrics and Tracing:
- Prometheus and Grafana for metrics.
- Jaeger for distributed tracing.
Access Grafana Dashboard:
sudo -E kubectl port-forward svc/grafana -n istio-system 3000:3000 --address=0.0.0.0 &
7. Uninstall Istio
Clean up Istio resources:
istioctl uninstall --purge
kubectl delete namespace istio-system
Deleting the Cluster
Once you are done experimenting, delete the cluster:
kind delete cluster --name istio-testing
Benefits of Istio
- Simplifies microservices communication.
- Provides consistent observability and security.
- Enables advanced traffic shaping and failover mechanisms.