Quick Start Evaluation Install
This guide installs Istio’s built-in demo configuration profile using basic Kubernetes commands without needing to download or install Helm. This installation lets you quickly evaluate Istio in a Kubernetes cluster on any platform.
To install Istio for production use, we recommend using the Helm Installation guide instead, which provides many more options for selecting and managing the Istio configuration. This permits customization of Istio to operator specific requirements.
Prerequisites
Perform any necessary platform-specific setup.
Check the Requirements for Pods and Services.
Installation steps
Install all the Istio Custom Resource Definitions (CRDs) using
kubectl apply, and wait a few seconds for the CRDs to be committed in the Kubernetes API-server:$ for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; doneInstall one of the following variants of the demo profile:
When using the [permissive mutual TLS mode]((/docs/concepts/security/#permissive-mode), all services accept both plaintext and mutual TLS traffic. Clients send plaintext traffic unless configured for mutual TLS migration.
Choose this variant for:
- Clusters with existing applications, or
- Applications where services with an Istio sidecar need to be able to communicate with other non-Istio Kubernetes services
Run the following command to install this variant:
$ kubectl apply -f install/kubernetes/istio-demo.yaml
This variant will enforce mutual TLS authentication between all clients and servers.
Use this variant only on a fresh Kubernetes cluster where all workloads will be Istio-enabled. All newly deployed workloads will have Istio sidecars installed.
Run the following command to install this variant:
$ kubectl apply -f install/kubernetes/istio-demo-auth.yaml
Verifying the installation
Ensure the following Kubernetes services are deployed and verify they all have an appropriate
CLUSTER-IPexcept thejaeger-agentservice:$ kubectl get svc -n istio-system NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE grafana ClusterIP 172.21.211.123 <none> 3000/TCP 2m istio-citadel ClusterIP 172.21.177.222 <none> 8060/TCP,9093/TCP 2m istio-egressgateway ClusterIP 172.21.113.24 <none> 80/TCP,443/TCP 2m istio-galley ClusterIP 172.21.132.247 <none> 443/TCP,9093/TCP 2m istio-ingressgateway LoadBalancer 172.21.144.254 52.116.22.242 80:31380/TCP,443:31390/TCP,31400:31400/TCP,15011:32081/TCP,8060:31695/TCP,853:31235/TCP,15030:32717/TCP,15031:32054/TCP 2m istio-pilot ClusterIP 172.21.105.205 <none> 15010/TCP,15011/TCP,8080/TCP,9093/TCP 2m istio-policy ClusterIP 172.21.14.236 <none> 9091/TCP,15004/TCP,9093/TCP 2m istio-sidecar-injector ClusterIP 172.21.155.47 <none> 443/TCP 2m istio-telemetry ClusterIP 172.21.196.79 <none> 9091/TCP,15004/TCP,9093/TCP,42422/TCP 2m jaeger-agent ClusterIP None <none> 5775/UDP,6831/UDP,6832/UDP 2m jaeger-collector ClusterIP 172.21.135.51 <none> 14267/TCP,14268/TCP 2m jaeger-query ClusterIP 172.21.26.187 <none> 16686/TCP 2m kiali ClusterIP 172.21.155.201 <none> 20001/TCP 2m prometheus ClusterIP 172.21.63.159 <none> 9090/TCP 2m tracing ClusterIP 172.21.2.245 <none> 80/TCP 2m zipkin ClusterIP 172.21.182.245 <none> 9411/TCP 2mEnsure corresponding Kubernetes pods are deployed and have a
STATUSofRunning:$ kubectl get pods -n istio-system NAME READY STATUS RESTARTS AGE grafana-f8467cc6-rbjlg 1/1 Running 0 1m istio-citadel-78df5b548f-g5cpw 1/1 Running 0 1m istio-cleanup-secrets-release-1.1-20190308-09-16-8s2mp 0/1 Completed 0 2m istio-egressgateway-78569df5c4-zwtb5 1/1 Running 0 1m istio-galley-74d5f764fc-q7nrk 1/1 Running 0 1m istio-grafana-post-install-release-1.1-20190308-09-16-2p7m5 0/1 Completed 0 2m istio-ingressgateway-7ddcfd665c-dmtqz 1/1 Running 0 1m istio-pilot-f479bbf5c-qwr28 2/2 Running 0 1m istio-policy-6fccc5c868-xhblv 2/2 Running 2 1m istio-security-post-install-release-1.1-20190308-09-16-bmfs4 0/1 Completed 0 2m istio-sidecar-injector-78499d85b8-x44m6 1/1 Running 0 1m istio-telemetry-78b96c6cb6-ldm9q 2/2 Running 2 1m istio-tracing-69b5f778b7-s2zvw 1/1 Running 0 1m kiali-99f7467dc-6rvwp 1/1 Running 0 1m prometheus-67cdb66cbb-9w2hm 1/1 Running 0 1m
Deploy your application
You can now deploy your own application or one of the sample applications provided with the installation like Bookinfo.
When you deploy your application using kubectl apply,
the Istio sidecar injector
will automatically inject Envoy containers into your
application pods if they are started in namespaces labeled with istio-injection=enabled:
$ kubectl label namespace <namespace> istio-injection=enabled
$ kubectl create -n <namespace> -f <your-app-spec>.yaml
In namespaces without the istio-injection label, you can use
istioctl kube-inject
to manually inject Envoy containers in your application pods before deploying
them:
$ istioctl kube-inject -f <your-app-spec>.yaml | kubectl apply -f -
Uninstall
The uninstall deletes the RBAC permissions, the istio-system namespace, and
all resources hierarchically under it. It is safe to ignore errors for
non-existent resources because they may have been deleted hierarchically.
- Uninstall the demo profile corresponding to the mutual TLS mode you enabled:
$ kubectl delete -f install/kubernetes/istio-demo.yaml
$ kubectl delete -f install/kubernetes/istio-demo-auth.yaml
If desired, delete the Istio CRDs:
$ for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl delete -f $i; done