What are the benefits of using Istio in a Kubernetes cluster?

Istio is a service mesh that enhances Kubernetes clusters by providing advanced load balancing, fine-grained traffic control, and mTLS encryption without requiring code changes. It offers better authentication, authorization, and visibility into service performance through metrics and telemetry. Compatible with various deployment options, Istio integrates seamlessly into Kubernetes clusters and virtual machines, simplifying the management of microservices.

What are the security features available with Istio

Istio provides robust security features, including mutual Transport Layer Security (mTLS) for secure communication between services through encryption and authentication. Additionally, it offers enhanced authentication and authorization options, enabling fine-grained access control for microservices and ensuring that only authorized entities can interact with them.

Can Istio be used with non-Kubernetes environments?

Istio is not limited to Kubernetes environments and can be utilized with other platforms, such as virtual machines and supports different deployment options both for installing and running.

How does Istio handle distributed tracing in a Kubernetes cluster?

Istio uses Jaeger to collect telemetry data from each pod in a Kubernetes cluster. OpenTracing APIs propagate trace IDs across the service mesh, while Jaeger visualizes that data to help troubleshoot issues.

What are the recommended best practices for using Istio in a Kubernetes cluster?

When using Istio in a Kubernetes cluster, it's crucial to choose the right Istio profile that fits your environment, perform pre-flight checks to ensure cluster readiness, and customize the installation as needed. Additionally, enable sidecar injection for relevant namespaces and set up observability tools like Kiali, Jaeger, Prometheus, and Grafana to effectively monitor and visualize traffic within the mesh.

What are the benefits of using Istio in a Kubernetes cluster?

Istio is a service mesh that enhances Kubernetes clusters by providing advanced load balancing, fine-grained traffic control, and mTLS encryption without requiring code changes. It offers better authentication, authorization, and visibility into service performance through metrics and telemetry. Compatible with various deployment options, Istio integrates seamlessly into Kubernetes clusters and virtual machines, simplifying the management of microservices.

What are the security features available with Istio

Istio provides robust security features, including mutual Transport Layer Security (mTLS) for secure communication between services through encryption and authentication. Additionally, it offers enhanced authentication and authorization options, enabling fine-grained access control for microservices and ensuring that only authorized entities can interact with them.

Can Istio be used with non-Kubernetes environments?

Istio is not limited to Kubernetes environments and can be utilized with other platforms, such as virtual machines and supports different deployment options both for installing and running.

How does Istio handle distributed tracing in a Kubernetes cluster?

Istio uses Jaeger to collect telemetry data from each pod in a Kubernetes cluster. OpenTracing APIs propagate trace IDs across the service mesh, while Jaeger visualizes that data to help troubleshoot issues.

What are the recommended best practices for using Istio in a Kubernetes cluster?

When using Istio in a Kubernetes cluster, it's crucial to choose the right Istio profile that fits your environment, perform pre-flight checks to ensure cluster readiness, and customize the installation as needed. Additionally, enable sidecar injection for relevant namespaces and set up observability tools like Kiali, Jaeger, Prometheus, and Grafana to effectively monitor and visualize traffic within the mesh.

Kubernetes

Observability

DevOps

Implementing Istio in a Kubernetes cluster

Kristijan Mitevski

Oct 13, 2021

Last Updated:

Oct 13, 2021

Share this post:

Implementing Istio in a Kubernetes cluster

As the complexity of a microservice architecture grows, it becomes important to implement a service mesh for better insights into your cluster and microservices. In this blog, Kristijan explains how Istio can be used as a service mesh, along with a detailed installation steps & configuration setup.

Table of Contents:

Service Mesh? You’ve heard about it, but does it solve something, or is it just another hot buzzword in the industry?

In this article you will learn about the Istio service mesh, along with a full installation guide and configuration setup.

Before moving straight to Istio, it’s worth mentioning that in one of our previous articles - The Age of Service Mesh, Gigi Sayfan explained in detail how service meshes work and what problems they solve.

I highly suggest you give that article a read. Maybe even as a prequel, as it will provide you with great insight into service mesh basics and the general idea behind them.

Right now, there are a plethora of options for service meshes.

To name a few:

Each service mesh has its pros and cons, along with specific use cases that you should consider for your cluster and end goal.

You can decide which “brand” of a service mesh to install.

What is Istio?

Istio is a service mesh designed to enhance and give you better insight into your cluster and microservices.

One of the great things about Istio and service meshes overall is that they require absolutely no code change for them to work.

Istio works by integrating itself as an additional layer inside the Kubernetes cluster and thus provides modern features that you can utilize to your advantage.

Those features can include advanced load balancing, circuit breaking, mTLS traffic encryption, better authentication and authorization options, metrics, telemetry, and overall fine-grain control over the cluster’s traffic going in and out.

Now Istio isn’t just a single object that you install. It’s more of a collection of entities that work together and make up the whole service mesh.

Like Kubernetes, Istio has a control plane that manages everything and a data plane that handles the traffic between the services.

There is more to Istio, as it isn’t bound to only work in a Kubernetes cluster. It will also work with virtual machines and supports different deployment options both for installing and running.

In the next section, we will explain Istio’s components and architecture.

Istio Architecture

As the saying goes, a picture is worth a thousand words.

Consider the following diagram:

You can see that the traffic destined in and out of the pods doesn’t flow directly now; Instead, it first must pass through the sidecar proxies.

The container sidecars are Envoy proxies that get automatically injected into your pods on startup.

During installation, you instruct Istio which namespace to ‘watch’ and deploy Envoy proxies along with your applications.

You will see how this is done in action when we get to the installing section.

The other part is the control plane, made of multiple components bundled in one binary - istiod. The control plane manages the proxies, certificates, service discovery, and executing the configuration you set.

The components making Istio are:

To explain a bit better and give some analogy here.

Consider the service mesh as a telephone network.

The data plane consists of phones that you and your friends use to communicate with each other.

You will be able to communicate without them, but you will have to yell across. Instead, this way is much more modern, secure, and with better control over the communication.

Now the control plane will be the telephone service provider, and from there, all the calls get managed, routed, and billed.

Everything you apply is done towards and on the control plane; the control plane will communicate that change to the sidecar proxies.

The traffic traversing the data plane is only visible to the proxies; the other Istio components have no access.

Installing Istio

Depending on your setup, Istio offers you different installation and deployment strategies.

Each cloud service provider has its own thing. So it’s best to go over the platform setup and check if any prerequisites or dependencies are needed before installing.

The install options can range from using helm, istioctl, or using an operator.

You can look into them at the following link.

For this guide, we will install Istio using the istioctl tool.

First, you’ll need to download the binary:

CODE: https://gist.github.com/ShubhanjanMedhi-dev/f7e747844259eb9ae2b13a046cb4940f.js

Navigate into the newly created folder, export the path to the binary, and verify that it works:

CODE: https://gist.github.com/ShubhanjanMedhi-dev/fc9a786672ced8269ff065d01805a997.js

Well, that’s okay, you still haven’t installed Istio.

It is a good idea to run the pre-flight check to verify if your cluster doesn’t have any issues running the Istio service mesh.

CODE: https://gist.github.com/ShubhanjanMedhi-dev/5f8191bae5bc0513883c4324c76d70a7.js

Before moving forward, you should assess which type of profile you want Istio to be installed with.

There are six of them at the time of this writing:

Default
Demo
Minimal
External
Empty
Preview

You can view each profile with an extended description here.

We will go with the default profile intended for production environments.

Each profile is just a set of features that Istio will enable when installed.

If you want to test every feature, you can install it using the demo profile.

Note: Installing profiles that include the Ingress or Egress Gateway will automatically spin up an external load balancer.

Istio also offers customizations and custom third-party add-ons you can include in the profile.

Suppose none of the above profiles meet your requirements, you can use istioctl to generate and create custom manifests to fit your needs.

To install using the default profile:

CODE: https://gist.github.com/ShubhanjanMedhi-dev/29e60b82bd23789cb0a106f220dc6552.js

Excellent! You’ve installed Istio successfully!

You are halfway there.

Now you will need to label which namespace Istio will control and inject sidecar proxies in the pods.

For example, to label the default namespace for sidecar injection:

CODE: https://gist.github.com/ShubhanjanMedhi-dev/452f43ac03634885985a09563c7a42c0.js

You can now verify this with:

CODE: https://gist.github.com/ShubhanjanMedhi-dev/96e585d289e6a4f6b782d8e6509061fa.js

With that, you completed the Istio core components installation.

Observability

I installed Istio, and now what?

Next comes the observability part.

The Envoy proxies will send off telemetry and other data that you can use to visualize the traffic in the mesh.

Like the Prometheus and the Grafana setup, you will need Istio paired with a visualization tool to display the data.

You will use the Kiali dashboard to visualize and see what’s going on in the cluster.

There is one caveat, however. Kiali requires that you have a running Prometheus instance in your cluster.

You can deploy one or supply the address of the existing one if you have it already deployed.

For simplicity and example purposes, the following section will use the demo manifests for deploying Kiali, Jaeger, Prometheus, and Grafana.

Keep in mind that you shouldn’t rely on this setup for running in production environments!

Further below, there will be an explanation of how to set up Kiali to work with an existing Prometheus instance.

Installing the Kiali dashboard

Navigate to the Istio folder and apply the manifests located under samples/addons:

CODE: https://gist.github.com/ShubhanjanMedhi-dev/4ea63c0284833e9c1e84c777d24ecaa9.js

Applying the above will deploy many objects, so give them a couple of minutes to start.

Check on the Kiali pod if it’s started:

CODE: https://gist.github.com/ShubhanjanMedhi-dev/7e644109f2806b796ec4a1ac3d29c0dd.js

Once it’s running, you can now access the dashboard using kubectl and port-forward.

However, istioctl offers a much simpler way:

CODE: https://gist.github.com/ShubhanjanMedhi-dev/5491b07ee17ae4c9de18255d70abc485.js

open http://localhost:20001/kiali in your browser.

As you can see, there is no traffic running in the selected namespace, and Kiali will show no connections.

If you want to access the other dashboards - Grafana and Jaeger, you can again use istioctl dashboard:

CODE: https://gist.github.com/ShubhanjanMedhi-dev/f41aaef91345c0da04ec4aa5279e0a63.js

CODE: https://gist.github.com/ShubhanjanMedhi-dev/08c67f42a22a8e014828fbfc6d6f35c3.js

Kiali tips

There are also other ways to deploy Kiali that are more inclined to production use, where you can customize and set your own parameters.

Installing Kiali can be done by deploying the Kiali-server or the Kiali-operator.

You can find the GitHub link for both Helm charts here.

As mentioned in the previous section, you can specify external instances of Prometheus and the other tools.

It’s best to install all the tooling Kiali needs for you to have the most benefit and greater observability in the service mesh.

Those are the Prometheus instance, Grafana, and Jaeger for tracing.

Note: Refer to the Jaeger documentation as it requires additional configuration to have full distributed tracing in your apps.

Grafana and Jaeger are optional for Kiali and not required for it to work.

Kiali external and optional service — *Image Source*

You can specify every connection to the other systems during installation.

Example, for specifying an existing Prometheus instance:

CODE: https://gist.github.com/ShubhanjanMedhi-dev/afac464db4493eb96fca5b32b1603e1c.js

The Kiali authentication options are available here.

The anonymous option used above provides free unauthenticated access to the dashboard.

Demo application

You’ve deployed Istio, have a running service mesh inside your cluster, and you also installed the Kiali dashboard to observe the traffic.

Let’s now deploy a simple demo application.

You can use the following hello-world web app that will display a simple web page for testing.

Apply the following deployment and service manifests:

CODE: https://gist.github.com/ShubhanjanMedhi-dev/b3021ac82384770be3fd370ab319037b.js

Verify that the pod is running and the service is deployed:

CODE: https://gist.github.com/ShubhanjanMedhi-dev/7221e2c4113e5ffbb4e17bcca0aadc5e.js

Now, for testing, you can use port-forward to access the application. However, a more permanent solution would be to use a load balancer or an ingress.

Istio has its own ingress controller that you can utilize and test the application.

The following ingress manifest will expose the application on the `/ ` path:

CODE: https://gist.github.com/ShubhanjanMedhi-dev/1b8a3991fb149911a8256f70fc146f95.js

Note: Notice the ingress class annotation; you specify that the Istio ingress controller will pick up this object.

You can get the IP address using:

CODE: https://gist.github.com/ShubhanjanMedhi-dev/2b3a86c8263faba91104801ac8050329.js

Visiting the external IP of the ingress gateway will open up the web application.

To see some activity in the Kiali dashboard, you first need to generate some traffic.

The simplest way is to use curl and a while loop:

From another terminal run:

CODE: https://gist.github.com/ShubhanjanMedhi-dev/e8151f5225585fcacb7b74727f8435bb.js

And check the Kiali dashboard:

Success!!

You can now see that Kiali displays the traffic, and it reaches the web application without any issues.

Recap

You learned what is Istio and how it works
Got your hands dirty by installing and configuring Istio in a cluster
In addition to that, you installed Kiali to visualize the traffic in the mesh
You deployed a demo application and connected it using Istio’s ingress

‍

Squadcast is an incident management tool that’s purpose-built for SRE. Your team can get rid of unwanted alerts, receive relevant notifications, work in collaboration using the virtual incident war rooms, and use automated tools like runbooks to eliminate toil.

What you should do now

Schedule a demo with Squadcast to learn about the platform, answer your questions, and evaluate if Squadcast is the right fit for you.
Curious about how Squadcast can assist you in implementing SRE best practices? Discover the platform's capabilities through our Interactive Demo.
Enjoyed the article? Explore further insights on the best SRE practices.

Schedule a personalized demo to witness firsthand how Squadcast supports and upholds key SRE best practices.
Experience Squadcast with a 14-day free trial. Experience all our On-Call and Noise reduction features.
Enjoyed the article? Explore further insights on the best SRE practices.

Schedule a demo with Squadcast to learn about the platform, answer your questions, and evaluate if Squadcast is the right fit for you.
Curious about how Squadcast can assist you in implementing SRE best practices? Discover the platform's capabilities through our Interactive Demo.
Enjoyed the article? Explore further insights on the best SRE practices.

Get a walkthrough of our platform through this Interactive Demo and see how it can solve your specific challenges.
See how Charter Leveraged Squadcast to Drive Client Success With Robust Incident Management.
Share this blog post with someone you think will find it useful. Share it on Facebook, Twitter, LinkedIn or Reddit

See Redis' Journey to Efficient Incident Management though alert noise reduction With Squadcast
Wondering how Squadcast can help you streamline your Incident Management Process? Explore the platform through this Interactive Demo
Schedule a demo with Squadcast to learn about the platform, answer your questions, and evaluate if Squadcast is the right fit for you.

Schedule a demo with Squadcast to learn about the platform, answer your questions, and evaluate if Squadcast is the right fit for you.
Experience Squadcast with a 14-day free trial. Experience all our On-Call and Noise reduction features.
Interested in Squadcast? Check out our pricing plans and find the right fit for you

Schedule a demo with Squadcast to learn about the platform, answer your questions, and evaluate if Squadcast is the right fit for you.
Experience Squadcast with a 14-day free trial. Experience all our On-Call and Noise reduction features.
Interested in Squadcast? Check out our pricing plans and find the right fit for you

Learn how Squadcast helped Scoro to create a solid foundation for better on-call practices
Get a walkthrough of our platform through this Interactive Demo and see how it can solve your specific challenges.
Schedule a demo session with Squadcast where we can show you around, answer your questions and help see if Squadcast is the right fit for you.

Experience Squadcast with a 14-day free trial. Experience all our On-Call and Noise reduction features.
Schedule a demo session with Squadcast where we can show you around, answer your questions and help see if Squadcast is the right fit for you.
Learn how Squadcast helped Scoro to create a solid foundation for better on-call practices

Get a walkthrough of our platform through this Interactive Demo and see how it can solve your specific challenges.
See how Charter Leveraged Squadcast to Drive Client Success With Robust Incident Management
Share this blog post with someone you think will find it useful. Share it on Facebook, Twitter, LinkedIn or Reddit

Get a walkthrough of our platform through this Interactive Demo and see how it can solve your specific challenges.
See how Charter Leveraged Squadcast to Drive Client Success With Robust Incident Management
Share this blog post with someone you think will find it useful. Share it on Facebook, Twitter, LinkedIn or Reddit

Start a 14-day free trial and experience the benefits of our Incident Management and on-call solution firsthand
Compare Squadcast with Opsgenie and see if Squadcast is the right fit for your needs
Pricing Page - Compare our plans and find the perfect fit for your business

What you should do now?

Here are 3 ways you can continue your journey to learn more about Unified Incident Management

Explore our Interactive Demo

Discover the platform's capabilities through our Interactive Demo.

Read Success Stories

See how Charter Leveraged Squadcast to Drive Client Success With Robust Incident Management.

Share the article

Schedule a Demo session

We’ll show you how Squadcast works and help you figure out if Squadcast is the right fit for you.

Start 14 Day Free trial

Experience the benefits of Squadcast's Incident Management and On-Call solutions firsthand.

Pricing Page

Compare our plans and find the perfect fit for your business.

Read Success Stories

See Redis' Journey to Efficient Incident Management through alert noise reduction With Squadcast.

Explore Our Interactive Demo

Discover the platform's capabilities through our Interactive Demo.

Schedule a Demo session

We’ll show you how Squadcast works and help you figure out if Squadcast is the right fit for you.

Start 14 Day Free trial

Experience the benefits of Squadcast's Incident Management and On-Call solutions firsthand.

Compare Squadcast & PagerDuty / Opsgenie

Compare and see if Squadcast is the right fit for your needs.

Pricing Page

Compare our plans and find the perfect fit for your business.

Read Success Stories

Learn how Scoro created a solid foundation for better on-call practices with Squadcast.

Explore Our Interactive Demo

Discover the platform's capabilities through our Interactive Demo.

Schedule a Demo session

We’ll show you how Squadcast works and help you figure out if Squadcast is the right fit for you.

Start 14 Day Free trial

Experience the benefits of Squadcast's Incident Management and On-Call solutions firsthand.

Schedule a Demo session

We’ll show you how Squadcast works and help you figure out if Squadcast is the right fit for you.

Read Success Stories

Learn how Scoro created a solid foundation for better on-call practices with Squadcast.

Schedule a Demo session

We’ll show you how Squadcast works and help you figure out if Squadcast is the right fit for you.

Explore Our Interactive Demo

Discover the platform's capabilities through our Interactive Demo.

Enjoyed the article? Explore further insights on the best SRE practices.

Schedule a Demo session

We’ll show you how Squadcast works and help you figure out if Squadcast is the right fit for you.

Start 14 Day Free trial

Experience the benefits of Squadcast's Incident Management and On-Call solutions firsthand.

Enjoyed the article? Explore further insights on the best SRE practices.

Written By:

Kristijan Mitevski

October 13, 2021

Kristijan Mitevski

October 13, 2021

Share this post:

Subscribe to our latest updates

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

Implementing Istio in a Kubernetes cluster

Kristijan Mitevski

Oct 13, 2021

Last Updated:

Oct 13, 2021

Service Mesh? You’ve heard about it, but does it solve something, or is it just another hot buzzword in the industry?

In this article you will learn about the Istio service mesh, along with a full installation guide and configuration setup.

I highly suggest you give that article a read. Maybe even as a prequel, as it will provide you with great insight into service mesh basics and the general idea behind them.

Right now, there are a plethora of options for service meshes.

To name a few:

Each service mesh has its pros and cons, along with specific use cases that you should consider for your cluster and end goal.

You can decide which “brand” of a service mesh to install.

What is Istio?

Istio is a service mesh designed to enhance and give you better insight into your cluster and microservices.

One of the great things about Istio and service meshes overall is that they require absolutely no code change for them to work.

Istio works by integrating itself as an additional layer inside the Kubernetes cluster and thus provides modern features that you can utilize to your advantage.

Now Istio isn’t just a single object that you install. It’s more of a collection of entities that work together and make up the whole service mesh.

Like Kubernetes, Istio has a control plane that manages everything and a data plane that handles the traffic between the services.

There is more to Istio, as it isn’t bound to only work in a Kubernetes cluster. It will also work with virtual machines and supports different deployment options both for installing and running.

In the next section, we will explain Istio’s components and architecture.

Istio Architecture

As the saying goes, a picture is worth a thousand words.

Consider the following diagram:

You can see that the traffic destined in and out of the pods doesn’t flow directly now; Instead, it first must pass through the sidecar proxies.

The container sidecars are Envoy proxies that get automatically injected into your pods on startup.

During installation, you instruct Istio which namespace to ‘watch’ and deploy Envoy proxies along with your applications.

You will see how this is done in action when we get to the installing section.

The components making Istio are:

To explain a bit better and give some analogy here.

Consider the service mesh as a telephone network.

The data plane consists of phones that you and your friends use to communicate with each other.

You will be able to communicate without them, but you will have to yell across. Instead, this way is much more modern, secure, and with better control over the communication.

Now the control plane will be the telephone service provider, and from there, all the calls get managed, routed, and billed.

Everything you apply is done towards and on the control plane; the control plane will communicate that change to the sidecar proxies.

The traffic traversing the data plane is only visible to the proxies; the other Istio components have no access.

Installing Istio

Depending on your setup, Istio offers you different installation and deployment strategies.

Each cloud service provider has its own thing. So it’s best to go over the platform setup and check if any prerequisites or dependencies are needed before installing.

The install options can range from using helm, istioctl, or using an operator.

You can look into them at the following link.

For this guide, we will install Istio using the istioctl tool.

First, you’ll need to download the binary:

CODE: https://gist.github.com/ShubhanjanMedhi-dev/f7e747844259eb9ae2b13a046cb4940f.js

Navigate into the newly created folder, export the path to the binary, and verify that it works:

CODE: https://gist.github.com/ShubhanjanMedhi-dev/fc9a786672ced8269ff065d01805a997.js

Well, that’s okay, you still haven’t installed Istio.

It is a good idea to run the pre-flight check to verify if your cluster doesn’t have any issues running the Istio service mesh.

CODE: https://gist.github.com/ShubhanjanMedhi-dev/5f8191bae5bc0513883c4324c76d70a7.js

Before moving forward, you should assess which type of profile you want Istio to be installed with.

There are six of them at the time of this writing:

Default
Demo
Minimal
External
Empty
Preview