Installation

Core components of Istio

  • istiod: the Istio control plane, aka Pilot

  • Istio ingress gateway: a deployment of Envoy to manage ingress traffic

  • Istio egress gateway: a deployment of Envoy to manage egress traffic

Configuration Profiles

  • minimal: installs only the Istio control plane, no gateway components

  • default: recommended for production deployments

  • demo: useful for demonstration or learning purposes

  • empty: base profile for custom configurations, used for deploying additional gateways

  • preview: deploys Istio with experimental (preview) features

  • remote: used in the context of installing Istio on a remote cluster (where the control plane resides in another cluster)

Core components by profile:

Core components        default  demo  minimal  remote  empty  preview
istio-egressgateway             Y
istio-ingressgateway   Y        Y                             Y
istiod                 Y        Y     Y                       Y

Installation Methods

Istio Operator

This installation method is deprecated because it requires giving the operator controller elevated privileges on the Kubernetes cluster.

Deploy the operator to the cluster:

istioctl operator init

Then apply the IstioOperator resource to the cluster with kubectl.

Istio CLI

Installation with the Istio CLI is the simplest method and the one the community prefers. It does not have any of the security drawbacks associated with using the Istio Operator.

Installation is performed with the istioctl install subcommand. This installation method retains the use of the IstioOperator API for configuring Istio.

Use the command together with a named profile, for example:

istioctl install --set profile=demo

Helm

Istio with Helm provides three distinct charts:

  • istio/base: contains the shared components necessary for each installation

  • istio/istiod: installs the Istio control plane

  • istio/gateway: installs the ingress and egress gateways

kubectl manifests

In environments that require Kubernetes resources to be audited or otherwise vetted before being applied to a target cluster, Istio provides a mechanism to generate the Kubernetes manifest file that captures all Kubernetes resources that need to be applied to install Istio.

istioctl manifest generate -f my-operator-config.yaml

After the audit passes, the manifest file can then be applied with kubectl.
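
One way to support that audit is to inventory every resource in the generated manifest and flag the cluster-wide ones for closer review. This is an added example, not part of the original page or of Istio's tooling; the function names, the list of flagged kinds and the sample manifest are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: inventory a generated manifest before `kubectl apply`.
# Real use (generated.yaml is a placeholder file name):
#   istioctl manifest generate -f my-operator-config.yaml > generated.yaml
#   inventory_manifest generated.yaml

# Assumption: kinds this example flags because they act cluster-wide.
REVIEW_KINDS='ClusterRole|ClusterRoleBinding|CustomResourceDefinition|MutatingWebhookConfiguration|ValidatingWebhookConfiguration'

# Print "<REVIEW|ok> <kind> <namespace>/<name>" for each YAML document.
# Assumes top-level "kind:" and 2-space indented metadata fields.
inventory_manifest() {
  awk -v review="^(${REVIEW_KINDS})\$" '
    function emit() {
      if (kind != "")
        printf "%s %s %s/%s\n", (kind ~ review ? "REVIEW" : "ok"), kind, (ns == "" ? "-" : ns), name
      kind = ""; name = ""; ns = ""; in_meta = 0
    }
    /^---/       { emit(); next }
    /^kind:/     { kind = $2; next }
    /^metadata:/ { in_meta = 1; next }
    /^[^ #]/     { in_meta = 0 }   # any other top-level key ends metadata
    in_meta && /^  name:/      { name = $2 }
    in_meta && /^  namespace:/ { ns = $2 }
    END          { emit() }
  ' "${1:--}"
}

# Number of flagged resources in a manifest (file argument or stdin).
count_review() { inventory_manifest "${1:--}" | grep -c '^REVIEW ' || true; }

# Constructed sample standing in for real `istioctl manifest generate` output.
sample_manifest() {
  printf '%s\n' \
    'apiVersion: v1' 'kind: ServiceAccount' 'metadata:' \
    '  name: istiod' '  namespace: istio-system' \
    '---' 'apiVersion: rbac.authorization.k8s.io/v1' 'kind: ClusterRole' \
    'metadata:' '  name: example-clusterrole' 'rules:' \
    '- apiGroups: [""]' '  resources: ["secrets"]' '  verbs: ["get", "list"]' \
    '---' 'apiVersion: admissionregistration.k8s.io/v1' \
    'kind: MutatingWebhookConfiguration' 'metadata:' \
    '  name: example-sidecar-injector' \
    '---' 'apiVersion: apps/v1' 'kind: Deployment' 'metadata:' \
    '  name: istiod' '  namespace: istio-system' 'spec:' '  replicas: 1'
}

sample_manifest | inventory_manifest
```

Lines marked REVIEW are the resources that grant cluster-wide permissions or intercept API requests, so they are the ones to read in full before the manifest is applied.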

Discovery Selectors

Introduced in Istio 1.10

Discovery selectors allow us to control which namespaces the Istio control plane watches and sends configuration updates for.

By default, the Istio control plane watches and processes updates for all Kubernetes resources in a cluster. All Envoy proxies in the mesh are configured so that they can reach every workload in the mesh and accept traffic on all ports associated with the workloads.

We can run the istioctl proxy-config command to list all endpoints that the foo workload in the foo namespace can see:

istioctl proxy-config endpoints deploy/foo.foo

Discovery selectors are a set of Kubernetes selectors that specify the namespaces Istio watches and updates when pushing configuration to the sidecars.

We can update the IstioOperator to include the discoverySelectors field as shown below:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio-demo
spec:
  meshConfig:
    discoverySelectors:
      - matchLabels:
          env: test

The example above sets env=test as a match label. That means Istio watches and pushes updates for workloads in namespaces labeled with env=test.

Installing Istio with CLI

For hands-on practice with Istio, provision a Kubernetes cluster using one of minikube, kind or k3d.

The kubectl command-line tool must be configured to communicate with your cluster.

I have used minikube with the minikube tunnel feature to provide a load balancer for use by Istio:

minikube start -p minikube-istio
minikube tunnel -p minikube-istio

Download Istio as per the instructions in this link.

curl -L https://istio.io/downloadIstio | sh -

Add the istio-*/bin directory to your environment PATH variable.

Check the version:

istioctl version

The output should be similar to:

no ready Istio pods in "istio-system"
1.20.3

For tutorial purposes, use the demo profile for the cluster setup:

istioctl install --set profile=demo

You should see output like the following:

This will install the Istio 1.20.1 "demo" profile (with components: Istio core, Istiod, Ingress gateways, and Egress gateways) into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete
Made this installation the default for injection and validation.

You should now have an istio-system namespace available:

kubectl get ns

You should see output similar to:

NAME              STATUS   AGE
kube-system       Active   4m22s
default           Active   4m22s
kube-public       Active   4m22s
kube-node-lease   Active   4m22s
istio-system      Active   2m49s

Check the Pods inside the istio-system namespace:

kubectl get pods -n istio-system

You should see output similar to:

NAME                                    READY   STATUS    RESTARTS   AGE
istiod-5c4f4498d-rn6tq                  1/1     Running   0          2m57s
istio-ingressgateway-869d777659-vqdkq   1/1     Running   0          2m39s
istio-egressgateway-765d784c5-7x9td     1/1     Running   0          2m39s

Automatic Injection of Sidecars

Automatic injection of sidecar containers is achieved by setting the label istio-injection=enabled on namespaces.

Example:

kubectl label ns default istio-injection=enabled

Create a simple deployment of nginx to test:

kubectl create deploy my-nginx --image=nginx

You should see 2 containers for the Pod, as it includes the sidecar container:

kubectl get pod

NAME                      READY   STATUS    RESTARTS   AGE
my-nginx-b8dd4cd6-4kh4x   2/2     Running   0          24s

Cleanup

kubectl delete deploy my-nginx

Uninstall Istio

Istio can be uninstalled by using the following commands:

istioctl uninstall --purge
kubectl delete ns istio-system