Quick Start with Kubernetes
To install and configure Istio in a Kubernetes cluster, follow these instructions:
Prerequisites
- Alibaba Cloud
- Amazon Web Services (AWS) with Kops
- Azure
- Google Container Engine (GKE)
- IBM Cloud
- Minikube
- OpenShift Origin
- Oracle Cloud Infrastructure (OKE)
- Check the Requirements for Pods and Services.
Installation steps
Install Istio's Custom Resource Definitions via kubectl apply, and wait a few seconds for the CRDs to be committed in the kube-apiserver:
$ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
To install Istio's core components, choose one of the four mutually exclusive options described below. For a production setup of Istio, we recommend installing with the Helm Chart so that all the configuration options are available. This permits customization of Istio to operator-specific requirements.
Option 1: Install Istio without mutual TLS authentication between sidecars
Visit our mutual TLS authentication between sidecars concept page for more information.
Choose this option for:
- Clusters with existing applications,
- Applications where services with an Istio sidecar need to be able to communicate with other non-Istio Kubernetes services,
- Applications that use liveness and readiness probes,
- Headless services, or
- StatefulSets
To install Istio without mutual TLS authentication between sidecars:
$ kubectl apply -f install/kubernetes/istio-demo.yaml
Option 2: Install Istio with default mutual TLS authentication
Use this option only on a fresh Kubernetes cluster where newly deployed workloads are guaranteed to have Istio sidecars installed.
To install Istio and enforce mutual TLS authentication between sidecars by default:
$ kubectl apply -f install/kubernetes/istio-demo-auth.yaml
Option 3: Render Kubernetes manifest with Helm and deploy with kubectl
Follow our setup instructions to render the Kubernetes manifest with Helm and deploy with kubectl.
Option 4: Use Helm and Tiller to manage the Istio deployment
Follow our instructions on how to use Helm and Tiller to manage the Istio deployment.
Verifying the installation
Ensure the following Kubernetes services are deployed: istio-pilot, istio-ingressgateway, istio-policy, istio-telemetry, prometheus, istio-galley, and, optionally, istio-sidecar-injector.
$ kubectl get svc -n istio-system
NAME                       TYPE           CLUSTER-IP      EXTERNAL-IP       PORT(S)                                                               AGE
istio-citadel              ClusterIP      10.47.247.12    <none>            8060/TCP,9093/TCP                                                     7m
istio-egressgateway        ClusterIP      10.47.243.117   <none>            80/TCP,443/TCP                                                        7m
istio-galley               ClusterIP      10.47.254.90    <none>            443/TCP                                                               7m
istio-ingress              LoadBalancer   10.47.244.111   35.194.55.10      80:32000/TCP,443:30814/TCP                                            7m
istio-ingressgateway       LoadBalancer   10.47.241.20    130.211.167.230   80:31380/TCP,443:31390/TCP,31400:31400/TCP                            7m
istio-pilot                ClusterIP      10.47.250.56    <none>            15003/TCP,15005/TCP,15007/TCP,15010/TCP,15011/TCP,8080/TCP,9093/TCP   7m
istio-policy               ClusterIP      10.47.245.228   <none>            9091/TCP,15004/TCP,9093/TCP                                           7m
istio-sidecar-injector     ClusterIP      10.47.245.22    <none>            443/TCP                                                               7m
istio-statsd-prom-bridge   ClusterIP      10.47.252.184   <none>            9102/TCP,9125/UDP                                                     7m
istio-telemetry            ClusterIP      10.47.250.107   <none>            9091/TCP,15004/TCP,9093/TCP,42422/TCP                                 7m
prometheus                 ClusterIP      10.47.253.148   <none>            9090/TCP                                                              7m
If your cluster is running in an environment that does not support an external load balancer (e.g., minikube), the EXTERNAL-IP of istio-ingress and istio-ingressgateway will say <pending>. You will need to access it using the service NodePort, or use port-forwarding instead.
Ensure the corresponding Kubernetes pods are deployed and all containers are up and running: istio-pilot-*, istio-ingressgateway-*, istio-egressgateway-*, istio-policy-*, istio-telemetry-*, istio-citadel-*, prometheus-*, istio-galley-*, and, optionally, istio-sidecar-injector-*.
$ kubectl get pods -n istio-system
NAME                                       READY     STATUS    RESTARTS   AGE
istio-citadel-75c88f897f-zfw8b             1/1       Running   0          1m
istio-egressgateway-7d8479c7-khjvk         1/1       Running   0          1m
istio-galley-6c749ff56d-k97n2              1/1       Running   0          1m
istio-ingress-7f5898d74d-t8wrr             1/1       Running   0          1m
istio-ingressgateway-7754ff47dc-qkrch      1/1       Running   0          1m
istio-policy-74df458f5b-jrz9q              2/2       Running   0          1m
istio-sidecar-injector-645c89bc64-v5n4l    1/1       Running   0          1m
istio-statsd-prom-bridge-949999c4c-xjz25   1/1       Running   0          1m
istio-telemetry-676f9b55b-k9nkl            2/2       Running   0          1m
prometheus-86cb6dd77c-hwvqd                1/1       Running   0          1m
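A scripted form of the pod check above, added here as an example and not part of the Istio documentation: it parses the READY and STATUS columns and flags required components that are absent or not fully ready. The function names are this example's own, and the sample input is the pod listing shown on this page, which contains no istio-pilot-* row, so that is the one finding reported.

```shell
# Added example: audit `kubectl get pods -n istio-system` output offline.
# Components this page lists as required; istio-sidecar-injector is optional.
REQUIRED="istio-pilot istio-ingressgateway istio-egressgateway istio-policy istio-telemetry istio-citadel prometheus istio-galley"

# Reads the pod table on stdin, prints one line per problem, and returns
# non-zero if a required component is absent or not fully ready.
check_istio_pods() {
  awk -v required="$REQUIRED" '
    BEGIN { bad = 0 }
    $1 == "NAME" { next }                      # header row
    NF >= 3 {
      split($2, r, "/")                        # READY is "<ready>/<total>"
      ok = (r[1] == r[2] && $3 == "Running")
      if (!ok) { printf "NOT READY: %s (%s, %s)\n", $1, $2, $3; bad = 1 }
      pods[$1] = ok
    }
    END {
      n = split(required, want, " ")
      for (i = 1; i <= n; i++) {
        found = 0
        # Pods are named <component>-<replicaset hash>-<suffix>; anchor on that
        # shape so one name cannot match another that shares its prefix.
        for (p in pods)
          if (pods[p] && p ~ ("^" want[i] "-[a-z0-9]+-[a-z0-9]+$")) found = 1
        if (!found) { printf "MISSING: no ready %s-* pod\n", want[i]; bad = 1 }
      }
      exit bad
    }'
}

# Sample input: the pod listing shown on this page, unchanged.
sample_pods() {
  cat <<'EOF'
NAME                                       READY     STATUS    RESTARTS   AGE
istio-citadel-75c88f897f-zfw8b             1/1       Running   0          1m
istio-egressgateway-7d8479c7-khjvk         1/1       Running   0          1m
istio-galley-6c749ff56d-k97n2              1/1       Running   0          1m
istio-ingress-7f5898d74d-t8wrr             1/1       Running   0          1m
istio-ingressgateway-7754ff47dc-qkrch      1/1       Running   0          1m
istio-policy-74df458f5b-jrz9q              2/2       Running   0          1m
istio-sidecar-injector-645c89bc64-v5n4l    1/1       Running   0          1m
istio-statsd-prom-bridge-949999c4c-xjz25   1/1       Running   0          1m
istio-telemetry-676f9b55b-k9nkl            2/2       Running   0          1m
prometheus-86cb6dd77c-hwvqd                1/1       Running   0          1m
EOF
}

sample_pods | check_istio_pods || echo "control plane is incomplete"
```

On a live cluster, pipe the real listing in instead: kubectl get pods -n istio-system | check_istio_pods.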
Deploy your application
You can now deploy your own application or one of the sample applications provided with the installation like Bookinfo.
Note: The application must use HTTP/1.1 or HTTP/2.0 protocol for all its HTTP traffic because HTTP/1.0 is not supported.
If you started the Istio-sidecar-injector, you can deploy the application directly using kubectl apply.
The Istio-sidecar-injector will automatically inject Envoy containers into your application pods. The injector assumes the application pods are running in namespaces labeled with istio-injection=enabled:
$ kubectl label namespace <namespace> istio-injection=enabled
$ kubectl create -n <namespace> -f <your-app-spec>.yaml
If you don't have the Istio-sidecar-injector installed, you must use istioctl kube-inject to manually inject Envoy containers in your application pods before deploying them:
$ istioctl kube-inject -f <your-app-spec>.yaml | kubectl apply -f -
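Whichever injection path is used, it is worth confirming that every application pod actually carries the Envoy sidecar, since a pod without it sits outside the mutual TLS setup chosen at install time. The following is an added example, not part of the Istio documentation; it assumes the injected container is named istio-proxy, and the function names and the pod listing are constructed for illustration.

```shell
# Added example: find application pods deployed without the Envoy sidecar.
# Assumption: the injected sidecar container is named "istio-proxy".
SIDECAR="istio-proxy"

# Emits "<pod>\t<container names>" for each pod in namespace $1 (live cluster).
list_pod_containers() {
  kubectl get pods -n "$1" -o \
    jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'
}

# Reads that listing on stdin, prints each pod that lacks the sidecar, and
# returns non-zero if any were found. Names are compared exactly, so a
# container that merely contains "istio-proxy" in its name does not count.
pods_without_sidecar() {
  awk -F '\t' -v sidecar="$SIDECAR" '
    BEGIN { missing = 0 }
    $1 != "" {
      n = split($2, c, " "); has = 0
      for (i = 1; i <= n; i++) if (c[i] == sidecar) has = 1
      if (!has) { print $1; missing = 1 }
    }
    END { exit missing }'
}

# Constructed listing (not from the page) in the format emitted above.
sample_listing() {
  printf 'productpage-v1-7c4d9f8b6-x2k9p\tproductpage istio-proxy\n'
  printf 'legacy-cron-5d9c7b8f6-q2w4e\tcron\n'
  printf 'metrics-6b7f9d5c4-h8j3k\texporter istio-proxy-logger\n'
  printf 'reviews-v1-85b7d84c56-m4n7t\tistio-proxy reviews\n'
}

sample_listing | pods_without_sidecar || echo "^ pods above have no sidecar"
```

On a live cluster, run list_pod_containers <namespace> | pods_without_sidecar. Automatic injection happens when a pod is created, so pods that existed before the namespace was labeled show up here until they are recreated.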
Uninstall Istio core components
The uninstall deletes the RBAC permissions, the istio-system namespace, and all resources hierarchically under it. It is safe to ignore errors for non-existent resources because they may have been deleted hierarchically.
If you installed Istio with istio-demo.yaml:
$ kubectl delete -f install/kubernetes/istio-demo.yaml
If you installed Istio with istio-demo-auth.yaml:
$ kubectl delete -f install/kubernetes/istio-demo-auth.yaml
If you installed Istio with Helm, follow the uninstall Istio with Helm steps.
If desired, delete the CRDs:
$ kubectl delete -f install/kubernetes/helm/istio/templates/crds.yaml -n istio-system
See also
Instructions to download the Istio release.
Example multicluster GKE install of Istio.
Instructions to setup a Google Kubernetes Engine cluster for Istio.
IBM Cloud Kubernetes Service & IBM Cloud Private
Example multicluster between IBM Cloud Kubernetes Service & IBM Cloud Private.
Example multicluster IBM Cloud Private install of Istio.
Describes the options available when installing Istio using the included Helm chart.