Kubernetes Service Mesh: How To Set Up Istio


· ·

In this article, you will learn how to set up Istio as a Kubernetes service mesh using a free Platform9 Kubernetes account.

Istio As A Kubernetes Service Mesh


This article will cover:

Quick Introduction to Kubernetes Service Mesh and Istio

One of the challenges with a highly dynamic microservices architecture is creating and maintaining connections. As pods are updated, added, and removed, you need a mechanism to identify each pod and enable communication between them and other pods in the cluster.

A service mesh is one way of managing the communications within your cluster. Network proxies are attached to each application container using the Sidecar pattern. Together these proxies operate and monitor communication within the Kubernetes cluster, and this is the service mesh. The service mesh manages security, works to optimize network performance within the cluster, and reports on the state of networking within the Kubernetes cluster. In a previous article, we provided a detailed comparison of various Kubernetes service mesh options, specifically Istio, Linkerd, and Consul.

Istio is an open-source, platform-independent service mesh started by teams from Google and IBM in partnership with the Envoy team from Lyft. Istio leverages the powerful and proven Envoy proxy to provide a stable and secure service mesh for your Kubernetes cluster. This article will walk through how to deploy, and configure work with Istio using a free Platform 9 Kubernetes account.

Getting Started

If you want to experience Istio for yourself and work along as we go through this tutorial, there are a couple of things you’ll need to get started. The first is a free account with Platform9. The Platform9 Managed Kubernetes Free Tier makes it easy to get started. The site will guide you through verifying your account, and you should be ready to go in a couple of minutes.

Get started by creating your free Platform9 Managed Kubernetes Account

I’ll be using a virtual machine running Ubuntu 18.04 on my local workstation, and I used the BareOS instructions from the Quick Setup Guide to set it up and connect it to my account. The virtual machine needs to be well provisioned. We suggest a minimum of 4 VCPUS, 16 GB of RAM, and 30GB of HDD.

The Quick Setup Guide has instructions for configuring instances with Amazon Web Services (AWS) and Microsoft Azure. You can also follow the BareOS instructions to connect to instances running in the Google Cloud (GCP) or other public cloud providers.

Once I had the node created and prepared, I initiated the creation of a single master cluster. The Platform9 interface is very intuitive and guides you through the process; however, if you get stuck, the Get Your First Container Running on Kubernetes tutorial has some useful tips and walks you through the process as well.

Installing Istio as a Kubernetes Service Mesh

The first step is to log into the node and download Istio. We do that with the following command.

$ curl -L https://istio.io/downloadIstio | sh -

The command above will download the latest version of Istio to the current directory. At the time of writing, the newest version was 1.8.1. Navigate into the newly-created directory.

$ cd istio-1.8.1

You’ll see the LICENSE file, bin directory, and a samples directory among the contents. We need to add the bin directory to our path.

$ export PATH=$PWD/bin:$PATH

When you install Istio, you’re able to choose from several configuration profiles. We’ll be using the demo profile because it showcases the abilities of Istio with moderate resource usage. Other profiles are more appropriate for production deployments and custom configurations.

We’ll use the Istio Command-line Tool (istioctl) to specify the profile and install the service.

$ istioctl install --set profile=demo -y

The installation may take a few minutes to complete, but ultimately you’ll see output similar to that shown below.

✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete

The final step is to set up a namespace label. When we add this label, we’ll enable Istio Injection. With this label in place, Istio will automatically inject Envoy sidecar proxies to newly deployed workloads.

$ kubectl label namespace default istio-injection=enabled

We’re now ready to deploy a sample application and see Istio in action.

Deploying the BookInfo Application

Istio comes packaged with several sample applications. We’ll deploy the bookinfo application using kubectl. The following assumes you’re still in the root directory for the Istio installation.

$ kubectl apply -f sample/bookinfo/platform/kube/bookinfo.yaml

The YAML configuration file creates several services for us, and we can see a summary of all the installed services if we run the following.

$ kubectl get services

The output should look similar to the following:

details		ClusterIP	< none >	9080/TCP	39s
kubernetes	ClusterIP	< none >	443/TCP		48m
productpage	ClusterIP	< none >	9080/TCP	38s
ratings		ClusterIP	< none >	9080/TCP	39s
reviews		ClusterIP	< none >	9080/TCP	39s

We also need to ensure that all of the pods are ready to go, as this may take a little more time. We can see this on our node directly by executing kubectl get pods, or we can view their status on the Platform9 dashboard.

$ kubectl get pods

We need two (2) of each pod to have a status of running.

details-v1-558b8b4b76-ck1g5	2/2	Running		0		10m
productpage-v1-6987489c74-b64sn	2/2	Running		0		10m
ratings-v1-7dc98c7588-qb4ng	2/2	Running		0		10m
reviews-v17f99cc4496-7cd47	2/2	Running		0		10m
reviews-v2-7d79d5bd5d-5gz7j	2/2	Running		0		10m
reviews-v3-7dbcdcbc56-k7wh1	2/2	Running		0		10m

Managing Ingress

This configuration creates two resources in the cluster:

  • gateway.networking.istio.io/bookinfo-gateway
  • virtualservice.networking.istio.io/bookinfo

Istio includes an analysis tool that validates the installation. Now with everything we’ve completed deploying our application, we can use this tool to validate our namespace.

$ istioctl analyze
✔ No validation issues found when analyzing namespace: default

For the next step, we need to determine if the environment has an internal or external load balancer. Execute the following command.

$ kubectl get svc instio-ingressgateway -n istio-system

In the output, look for the EXTERNAL-IP. If the results show an IP Address or a Host Name, then you have an external load balancer. If the results show either or , you don’t have access to an external load balancer. Export the following Environment Variables (EVs) based on whether you have an external load balancer or not.

External Load Balancer

$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')

No External Load Balancer

$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
$ export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')

With those EVs set, you can now set your Gateway URL.


Execute the following command to get the external address for the BookInfo application, and paste it into your web browser to access the application.

$ echo “http://$GATEWAY_URL/productpage”

Monitoring Kubernetes and Istio

Finally, as with any complex system, we need to monitor and observe what is happening. We can monitor different aspects of Istio with PrometheusGrafanaJaeger, and Kiali.

Platform9 Managed Kubernetes Free Tier deploys monitoring with every cluster to ensure that workloads run with a purpose built metrics platform. Platform9 Monitoring provides metrics across all nodes in a cluster as well as metrics from the Kubernetes cluster itself; covering pod metrics, cluster metrics, API Server metrics and OS level collections. When enabled, Monitoring deploys a pre-configured and integrated Prometheus, Alertmanager and Grafana that instantly provides insight into every aspect of the Kubernetes cluster, including a set of rules that fire alerts for the most critical of Kubernetes infrastructure.

Monitoring A Kubernetes Service Mesh

Refer to the Monitoring documentation for more information.

For Kubernetes service mesh specific monitoring, Kiali is especially useful because it was built for Istio and gives excellent insights into your service mesh, including what services are attached and how they are connected and performing.

First, let’s install the tool from the sample/addons directory.

$ kubectl apply -f samples/addons

And now, let’s deploy Kiali to view the dashboard.

$ kubectl rollout status deployment/kiali -n istio-system

We can open the dashboard using:

$ istioctl dashboard kiali

Further Reading

For more information on Istio as a Kubernetes service mesh, the latest documentation is available here.

If you’re looking for more information about service meshes, including tips on selecting and implementing a service mesh, the following articles have a great deal of helpful information.

  1. Comparing Kubernetes service mesh options and how to migrate between them
  2. How to set up Linkerd as a Kubernetes service mesh
  3. Top tips for configuring your Kubernetes service mesh
  4. Best Practices for Selecting and Implementing Your Service Mesh

Next Steps

In this blog, we walked through a tutorial on setting up Istio as a Kubernetes service mesh using a Platform9 Managed Kubernetes Free Tier account. We hope you found this blog informative and engaging. For more reads like this one, visit our blog page or subscribe for up-to-date news, projects, and related content in real-time.

Mike Mackrory is a Global citizen who has settled down in the Pacific Northwest - for now. By day he works as an Engineer Manager for a DevOps team, and by night he writes and tinkers with other technology projects. When he's not tapping on the keys, he can be found trail-running, hiking and exploring both the urban and the rural landscape with his kids. Always happy to help out another developer, he has a definite preference for helping those who bring gifts of gourmet donuts, craft beer and/or Single-malt Scotch.


Click on a tab to select how you'd like to leave your comment

Leave a Comment

Your email address will not be published. Required fields are marked *

Skip to toolbar