Set up a Kubernetes Cluster
In this module, you set up a Kubernetes cluster that has Istio installed and a namespace to use throughout the tutorial.
Ensure you have access to a Kubernetes cluster. You can use the Google Kubernetes Engine or the IBM Cloud Kubernetes Service.
Create an environment variable to store the name of a namespace that you will use when you run the tutorial commands. You can use any name, for example
tutorial.$ export NAMESPACE=tutorialCreate the namespace:
$ kubectl create namespace $NAMESPACEInstall Istio using the
demoprofile.The Kiali and Prometheus addons are used in this example and need to be installed. All addons are installed using:
$ kubectl apply -f @samples/addons@Create a Kubernetes Ingress resource for these common Istio services using the
kubectlcommand shown. It is not necessary to be familiar with each of these services at this point in the tutorial.The
kubectlcommand can accept an in-line configuration to create the Ingress resources for each service:$ kubectl apply -f - <<EOF apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: istio-system namespace: istio-system annotations: kubernetes.io/ingress.class: istio spec: rules: - host: my-istio-dashboard.io http: paths: - path: / pathType: Prefix backend: service: name: grafana port: number: 3000 - host: my-istio-tracing.io http: paths: - path: / pathType: Prefix backend: service: name: tracing port: number: 9411 - host: my-istio-logs-database.io http: paths: - path: / pathType: Prefix backend: service: name: prometheus port: number: 9090 - host: my-kiali.io http: paths: - path: / pathType: Prefix backend: service: name: kiali port: number: 20001 EOFCreate a role to provide read access to the
istio-systemnamespace. This role is required to limit permissions of the participants in the steps below.$ kubectl apply -f - <<EOF kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: istio-system-access namespace: istio-system rules: - apiGroups: ["", "extensions", "apps"] resources: ["*"] verbs: ["get", "list"] EOFCreate a service account for each participant:
$ kubectl apply -f - <<EOF apiVersion: v1 kind: ServiceAccount metadata: name: ${NAMESPACE}-user namespace: $NAMESPACE EOFLimit each participant’s permissions. During the tutorial, participants only need to create resources in their namespace and to read resources from
istio-systemnamespace. It is a good practice, even if using your own cluster, to avoid interfering with other namespaces in your cluster.Create a role to allow read-write access to each participant’s namespace. Bind the participant’s service account to this role and to the role for reading resources from
istio-system:$ kubectl apply -f - <<EOF kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: ${NAMESPACE}-access namespace: $NAMESPACE rules: - apiGroups: ["", "extensions", "apps", "networking.k8s.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "config.istio.io", "security.istio.io"] resources: ["*"] verbs: ["*"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: ${NAMESPACE}-access namespace: $NAMESPACE subjects: - kind: ServiceAccount name: ${NAMESPACE}-user namespace: $NAMESPACE roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: ${NAMESPACE}-access --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: ${NAMESPACE}-istio-system-access namespace: istio-system subjects: - kind: ServiceAccount name: ${NAMESPACE}-user namespace: $NAMESPACE roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: istio-system-access EOFEach participant needs to use their own Kubernetes configuration file. This configuration file specifies the cluster details, the service account, the credentials and the namespace of the participant. The
kubectlcommand uses the configuration file to operate on the cluster.Generate a Kubernetes configuration file for each participant:
$ cat <<EOF > ./${NAMESPACE}-user-config.yaml apiVersion: v1 kind: Config preferences: {} clusters: - cluster: certificate-authority-data: $(kubectl get secret $(kubectl get sa ${NAMESPACE}-user -n $NAMESPACE -o jsonpath={.secrets..name}) -n $NAMESPACE -o jsonpath='{.data.ca\.crt}') server: $(kubectl config view -o jsonpath="{.clusters[?(.name==\"$(kubectl config view -o jsonpath="{.contexts[?(.name==\"$(kubectl config current-context)\")].context.cluster}")\")].cluster.server}") name: ${NAMESPACE}-cluster users: - name: ${NAMESPACE}-user user: as-user-extra: {} client-key-data: $(kubectl get secret $(kubectl get sa ${NAMESPACE}-user -n $NAMESPACE -o jsonpath={.secrets..name}) -n $NAMESPACE -o jsonpath='{.data.ca\.crt}') token: $(kubectl get secret $(kubectl get sa ${NAMESPACE}-user -n $NAMESPACE -o jsonpath={.secrets..name}) -n $NAMESPACE -o jsonpath={.data.token} | base64 --decode) contexts: - context: cluster: ${NAMESPACE}-cluster namespace: ${NAMESPACE} user: ${NAMESPACE}-user name: ${NAMESPACE} current-context: ${NAMESPACE} EOFSet the
KUBECONFIGenvironment variable for the${NAMESPACE}-user-config.yamlconfiguration file:$ export KUBECONFIG=$PWD/${NAMESPACE}-user-config.yamlVerify that the configuration took effect by printing the current namespace:
$ kubectl config view -o jsonpath="{.contexts[?(@.name==\"$(kubectl config current-context)\")].context.namespace}" tutorialYou should see the name of your namespace in the output.
If you are setting up the cluster for yourself, copy the
${NAMESPACE}-user-config.yamlfile mentioned in the previous steps to your local computer, where${NAMESPACE}is the name of the namespace you provided in the previous steps. For example,tutorial-user-config.yaml. You will need this file later in the tutorial.If you are an instructor, send the generated configuration files to each participant. The participants must copy their configuration file to their local computer.
Congratulations, you configured your cluster for the tutorial!
You are ready to set up a local computer.