If you can’t measure it, you can’t manage it.

Peter Drucker

Istio is a Service Mesh, which is another term for: a network of containerized applications working together to discover, measure, manage, load balance, monitor and possibly recover your application. In the setup which follows, we’ll go through the process of starting a GKE cluster and deploying a sample application connected through an Istio sidecar.

This article intends to give you an understanding of what it takes to run your Kubernetes applications injected with Istio instrumentation. In future posts we’ll get further into the details of building upon this base of knowledge. So let’s get the configurations out of the way first.

Download and install Istio for your operating system. If you’re installing on windows be sure to get the archive which contains the examples, we’ll be using them later.

As your Kubernetes deployments get more and more complex, you’re going to need a Service Mesh like Istio to both give you insights into operations and to manage your applications. In this post we’ll move a bit faster from a setup standpoint, having benefited from our earlier work in Terraforming K8S Cluster creation and its prerequisite posts.

I’ll be following Google’s Istio Install instructions, and have described below the configuration I’m using to create my Istio cluster in GKE. You can follow along or try your own configuration using Terraform or YAML scripting.

Settings for my GKE cluster create

# My cluster parameters
Cluster name = playing-with-istio
Zone = us-east1-b
default-pool --> Number of Nodes = 4
Cluster Features = Enable Istio

Unless specified above, I left the other cluster create settings as default. Once your configuration is complete, go ahead and create your cluster.

I’ll continue to use the last project I configured in our earlier Terraform example to prepare for this project. You might find the commands below useful with the initial project setup.

Configure project settings

# list your projects
$ gcloud projects list

# set the project to the one in which the cluster was created
#  replace terraform-15209 with your project name
$ gcloud config set project terraform-15209

# list the cluster
$ gcloud container clusters list

# fetch cluster auth (after cluster is running)
$ gcloud container clusters get-credentials playing-with-istio

You might be wondering what all this new configuration and sidecar setup is doing for us. To that end, let’s take a deeper look into what a sidecar is and what capabilities it will add to our projects.

In our earlier posts on Kubernetes, we talked about a 1-to-1 relationship between pods and containers. While this is generally the case, there are patterns where two or more containers collaborate within a pod; the sidecar pattern is one such example. Istio is a sidecar container which essentially injects service mesh capabilities into your application container that aren’t there by default. It accomplishes this by creating a proxy between your container and the Kubernetes control plane when your container is started. Pilot manages and configures the proxies to route traffic. Kubernetes will also configure Mixers to enforce policies and collect telemetry. Citadel can be configured to provide secure transports between services.

The main purpose of the Istio sidecar is to provide your container with service mesh capabilities such as: logging, monitoring, telemetry, instrumentation and more without you having to customize them in your application container. You leverage Kubernetes standards and best practices which have been hardened and tested in PROD, by many other applications. Hopefully by now your cluster is created and running.

After your cluster has been started, click on Services and Gateways to see the Istio Service Pods and Ingress Gateway running.

We can now cut over from the Google Istio Install procedure we were following to the Istio Getting Started procedure to launch a demo app. We’ll be going through those steps below, the getting started link is provided for more detailed reference.

Istio provides several configuration profiles to help you get started; eventually you’ll create your own profile. To get started we’ll be using the Demo profile, which gives us access to the largest set of potential services we may want to use. Istio profiles customize the Istio control plane and the sidecars in the Istio data plane, which becomes necessary when your application configurations grow more complex.

While Demo provides the greatest potential set of services, Default provides the fewest options and may be more appropriate for a PROD environment. This is something you’ll need to consider when you leave our sandbox environment and need to think harder about securing your applications.

Configure Istio to use the Demo profile

# configure istio to use demo profile
$ istioctl manifest apply --set profile=demo

- Applying manifest for component Base...
✔ Finished applying manifest for component Base.
- Applying manifest for component Pilot...
✔ Finished applying manifest for component Pilot.
  Waiting for resources to become ready...
  Waiting for resources to become ready...
    ...
  Waiting for resources to become ready...
- Applying manifest for component EgressGateways...
- Applying manifest for component IngressGateways...
- Applying manifest for component AddonComponents...
✔ Finished applying manifest for component EgressGateways.
✔ Finished applying manifest for component IngressGateways.
✔ Finished applying manifest for component AddonComponents.

Next you’ll need to configure a namespace label so Istio can automatically inject Envoy sidecar proxies when you deploy your applications.

Configuring Default namespace

# configure istio app namespace
$ kubectl label namespace default istio-injection=enabled
namespace/default labeled

If you haven’t already done so, change your directory to the Root where you installed Istio and the samples. On my Windows 10 laptop I installed in my C:\Tools directory. Our next configurations will be relative to this location and use the provided YAML configurations in that folder.

# change directory to the Istio Root folder
C:\> cd C:\Tools\istio-1.5.0

Deploy the Istio sample Book application

# deploy istio sample application
$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created

You will notice that the sample Book application should start. As each pod becomes ready, the Istio sidecar will deploy along with it. The unique names and possibly the cluster IP address will be different for you.

List services and pods

# verify the sample Book services are running
$ kubectl get services
NAME          TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)    AGE
details       ClusterIP   10.0.10.170   <none>        9080/TCP   2m57s
kubernetes    ClusterIP   10.0.0.1      <none>        443/TCP    33m
productpage   ClusterIP   10.0.5.196    <none>        9080/TCP   2m56s
ratings       ClusterIP   10.0.12.233   <none>        9080/TCP   2m57s
reviews       ClusterIP   10.0.2.78     <none>        9080/TCP   2m56s

# verify the sample Book pods are running
$ kubectl get pods
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-c5b5f496d-ngczl        2/2     Running   0          3m10s
productpage-v1-7d6cfb7dfd-kplnp   2/2     Running   0          3m8s
ratings-v1-f745cf57b-fmmwq        1/2     Running   0          3m9s
reviews-v1-85c474d9b8-mrxz5       1/2     Running   0          3m9s
reviews-v2-ccffdd984-d2hq6        1/2     Running   0          3m9s
reviews-v3-98dc67b68-ddr9z        2/2     Running   0          3m9s
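A pod showing READY 1/2 in an istio-injection=enabled namespace means either the application container or the Envoy sidecar is still starting, so a script that deploys Bookinfo should not move on to the gateway step until every pod is fully ready. The helper below is an added example, not code from the original post or the Istio project: it parses `kubectl get pods` output (the constructed sample is the listing above) and reports pods that are short of their container count, and `wait_for_pods` (which assumes a working kubectl context) polls the live cluster with the same check.

```shell
#!/bin/sh
# Added example (not from the original post): find pods whose READY column
# is short of its container count, e.g. "1/2" while the Istio sidecar is
# still coming up, from `kubectl get pods` output.

# Constructed sample, copied from the post's `kubectl get pods` listing.
SAMPLE_PODS='NAME                              READY   STATUS    RESTARTS   AGE
details-v1-c5b5f496d-ngczl        2/2     Running   0          3m10s
productpage-v1-7d6cfb7dfd-kplnp   2/2     Running   0          3m8s
ratings-v1-f745cf57b-fmmwq        1/2     Running   0          3m9s
reviews-v1-85c474d9b8-mrxz5       1/2     Running   0          3m9s
reviews-v2-ccffdd984-d2hq6        1/2     Running   0          3m9s
reviews-v3-98dc67b68-ddr9z        2/2     Running   0          3m9s'

# not_ready_pods: read `kubectl get pods` text on stdin and print
# "<name> <ready> <status>" for every pod whose ready count is below its
# container count or whose status is not Running. Prints nothing when all
# pods are fully up. The header line (NR == 1) is skipped.
not_ready_pods() {
  awk 'NR > 1 {
         split($2, rdy, "/")
         if (rdy[1] + 0 < rdy[2] + 0 || $3 != "Running") print $1, $2, $3
       }'
}

# all_ready: succeed (exit 0) only when not_ready_pods lists nothing.
all_ready() {
  [ -z "$(not_ready_pods)" ]
}

# wait_for_pods: poll the live cluster (assumes kubectl is configured for
# the GKE cluster) until every pod in the namespace is fully ready, or give
# up after the attempt budget is spent (default: 30 tries, 5 s apart).
wait_for_pods() {
  ns=${1:-default}; tries=${2:-30}
  while [ "$tries" -gt 0 ]; do
    if kubectl get pods -n "$ns" 2>/dev/null | all_ready; then
      echo "all pods in $ns are ready"; return 0
    fi
    tries=$((tries - 1)); sleep 5
  done
  echo "timed out waiting for pods in $ns" >&2; return 1
}

# Demo against the constructed sample: prints the three 1/2 pods.
printf '%s\n' "$SAMPLE_PODS" | not_ready_pods
```

Run `wait_for_pods default` after `kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml` and before applying the gateway so the verification step is not attempted against half-started pods.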

To run the Verification step described in the Istio Getting Started guide, you’ll need a Linux shell. But if you’re running from Windows 10 like I am, you’ll have better luck using a Git Bash shell. I’m assuming you have Git installed, otherwise this might be a good place to stop (developer humor ha ha, why else would you be reading this).

Verify you can reach the Book Product page

# retrieve html title tag using Git Bash shell from Windows 10 laptop
$ kubectl exec -it $(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}') -c ratings -- curl productpage:9080/productpage | grep -o "<title>.*</title>"

Unable to use a TTY - input is not a terminal or the right kind of file
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4363  100  4363    0     0   2087      0  0:00:02  0:00:02 --:--:--  2088
<title>Simple Bookstore App</title>

Now that you can successfully reach the deployed application, we can associate it with the Istio gateway and expose it to the outside world.

# associating our sample application with the istio gateway
$ kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml

gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created

# verify the gateway has been created
$ kubectl get gateway

NAME               AGE
bookinfo-gateway   50s

# retrieve the gateway association
$ kubectl get svc istio-ingressgateway -n istio-system

NAME                   TYPE           CLUSTER-IP   EXTERNAL-IP    PORT(S)                                                                                                                                      AGE
istio-ingressgateway   LoadBalancer   10.0.5.173   35.237.34.14   15020:31647/TCP,80:31912/TCP,443:32074/TCP,31400:32203/TCP,15029:32016/TCP,15030:31712/TCP,15031:31852/TCP,15032:31556/TCP,15443:30117/TCP   59m

We’re almost ready to test our sample application from the browser, but first we’ll need to determine how to reach it running inside the GKE cluster. If you’re on Windows, run these commands from Git Bash. You can cheat and look for the IP address of the istio-ingressgateway in the browser on the Services & Ingress page, but you’ll need these environment variables later when you open the Kiali browser tab from your shell.

# determine external address to GKE gateway
$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')

$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')

# build the Gateway URL
$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
$ echo $GATEWAY_URL
35.237.34.14:80

You should now be able to reach the product page through the gateway url. Your IP address will be different than mine, and mine will be destroyed after I complete the cleanup, but the url should look like the one below.

# product page url - use your gateway IP address
http://35.237.34.14/productpage

You can now get a sense for some default monitoring provided by the sidecar using Kiali. Kiali is a console for Istio with service mesh configuration capabilities. Let’s go ahead and open a browser tab to Kiali, and log in using user admin and password admin.

# open browser to kiali
$ istioctl dashboard kiali

Your basic setup is now complete. You should be able to navigate through some of the screens in Kiali to get a better sense of the default monitoring capabilities you get from Istio out of the box. Don’t be disappointed if you don’t see the graph page the Getting Started document shows; it has a dependency on Prometheus that the default install didn’t provide for us.

Remove Istio roles, permissions and resources

# deletes the RBAC permissions, the istio-system namespace, and all resources hierarchically
$ istioctl manifest generate --set profile=demo | kubectl delete -f -

Be sure to destroy your cluster when you’ve finished playing so that you stop incurring charges. I hope you enjoyed this post and look forward to going further in depth in a later article.

Mitch is a Thought Leader and an Architect at Steampunk where he contributes to delivering human-centered, secure digital, platforms. His work related interests span the gamut of: application integration, scalable secure clusters, embedded systems, and user interfaces. After hours you might find him dabbling in the hobby space with Raspberry Pi's, drones, photography, home wine making and other ferments.

Published by Mitch Dresdner
