Istio

This document describes how to configure your Google Kubernetes Engine deployment so that you can use Google Cloud Managed Service for Prometheus to collect metrics from Istio. This document shows you how to do the following:

Set up Istio to report metrics.
Configure a PodMonitoring resource for Managed Service for Prometheus to collect the exported metrics.
Access a dashboard in Cloud Monitoring to view the metrics.
Configure alerting rules to monitor the metrics.

These instructions apply only if you are using managed collection with Managed Service for Prometheus. If you are using self-deployed collection, then see the source repository for Istio for installation information.

These instructions are provided as an example and are expected to work in most Kubernetes environments. If you are having trouble installing an application or exporter due to restrictive security or organizational policies, we recommend you consult open-source documentation for support.

For information about Istio, see Istio.

Prerequisites

To collect metrics from Istio by using Managed Service for Prometheus and managed collection, your deployment must meet the following requirements:

Your cluster must be running Google Kubernetes Engine version 1.21.4-gke.300 or later.
You must be running Managed Service for Prometheus with managed collection enabled. For more information, see Get started with managed collection.

Istio exposes Prometheus-format metrics automatically; you do not have to install it separately. You can run the following checks to verify that the Istio Proxy has been injected as a sidecar and that both Istiod, the control plane of Istio, and Istio Proxy are emitting metrics on the expected endpoints.

To determine if Istio Proxy is injected as a sidecar, run the following command, which enumerates the containers running in the application's pods:
```
kubectl get pod -l app=APPLICATION_NAME -n NAMESPACE_NAME -o jsonpath='{.items[0].spec.containers[*].name}'
```
If you see that the pods contain the istio sidecar container, then the exporter has been injected. If the sidecar is not injected, then follow the instructions at Istio: Installing the sidecar.
To verify that metrics are being emitted by the Istio Proxy, run the following command, which inspects the /stats/prometheus endpoint of the istio on the specified pod:
```
kubectl exec POD_NAME -n NAMESPACE_NAME -c istio-proxy -- curl -sS 'localhost:15090/stats/prometheus'
```
If you see raw istio_* and envoy_* Prometheus metrics, then metrics are being emitted correctly.
To verify that metrics are being emitted similarly on Istiod, run the following command, which inspects the /metrics endpoint of Istiod on one of the pods in the istiod deployment:
```
kubectl exec -n istio-system deployment/istiod -- curl -sS 'localhost:15014/metrics'
```

Define a PodMonitoring resource

For target discovery, the Managed Service for Prometheus Operator requires a PodMonitoring resource that corresponds to the Istio exporter in the same namespace.

You can use the following PodMonitoring configuration:

# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: monitoring.googleapis.com/v1
kind: PodMonitoring
metadata:
  name: istiod
  namespace: istio-system
  labels:
    app.kubernetes.io/name: istiod
    app.kubernetes.io/part-of: google-cloud-managed-prometheus
spec:
  selector:
    matchLabels:
      app: istiod
  endpoints:
  - port: 15014
    interval: 30s
    path: /metrics
  targetLabels:
    fromPod:
    - from: app
      to: app
---
apiVersion: monitoring.googleapis.com/v1
kind: PodMonitoring
metadata:
  name: istio-proxy
  labels:
    app.kubernetes.io/name: istio-proxy
    app.kubernetes.io/part-of: google-cloud-managed-prometheus
spec:
  selector:
    matchLabels:
  endpoints:
  - port: http-envoy-prom
    scheme: http
    interval: 30s
    path: /stats/prometheus

Istio requires two separate PodMonitoring resources: One that monitors Istiod and another one that monitors the Istio Proxy sidecars and the ingress and egress gateways. To monitor Istio Proxy metrics across all namespaces in the cluster at once, apply the istio-proxy PodMonitoring to every namespace or set up a ClusterPodMonitoring resource instead of a PodMonitoring resource per namespace.

If you plan to use the Istio-provided Grafana dashboards then in addition to the PodMonitoring resources described in this document ensure that you also configured cAdvisor and Kubelet scraping.

To apply configuration changes from a local file, run the following command:

kubectl apply -n NAMESPACE_NAME -f FILE_NAME

You can also use Terraform to manage your configurations.

Define rules and alerts

You can use the following Rules configuration to define alerts on your Istio metrics:

# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: monitoring.googleapis.com/v1
kind: Rules
metadata:
  name: istio-rules
  labels:
    app.kubernetes.io/component: rules
    app.kubernetes.io/name: istio-rules
    app.kubernetes.io/part-of: google-cloud-managed-prometheus
spec:
  groups:
  - name: istio
    interval: 30s
    rules:
    - alert: IstioHighTotalRequestRate
      expr: sum(rate(istio_requests_total{reporter="destination"}[5m])) > 1000
      for: 2m
      labels:
        severity: warning
      annotations:
        summary: Istio high total request rate (instance {{ $labels.instance }})
        description: |-
          Global request rate in the service mesh is unusually high.
            VALUE = {{ $value }}
            LABELS = {{ $labels }}
    - alert: IstioLowTotalRequestRate
      expr: sum(rate(istio_requests_total{reporter="destination"}[5m])) < 100
      for: 2m
      labels:
        severity: warning
      annotations:
        summary: Istio low total request rate (instance {{ $labels.instance }})
        description: |-
          Global request rate in the service mesh is unusually low.
            VALUE = {{ $value }}
            LABELS = {{ $labels }}
    - alert: IstioHigh4xxErrorRate
      expr: sum(rate(istio_requests_total{reporter="destination", response_code=~"4.*"}[5m])) / sum(rate(istio_requests_total{reporter="destination"}[5m])) * 100 > 5
      for: 1m
      labels:
        severity: warning
      annotations:
        summary: Istio high 4xx error rate (instance {{ $labels.instance }})
        description: |-
          High percentage of HTTP 5xx responses in Istio (> 5%).
            VALUE = {{ $value }}
            LABELS = {{ $labels }}
    - alert: IstioHigh5xxErrorRate
      expr: sum(rate(istio_requests_total{reporter="destination", response_code=~"5.*"}[5m])) / sum(rate(istio_requests_total{reporter="destination"}[5m])) * 100 > 5
      for: 1m
      labels:
        severity: warning
      annotations:
        summary: Istio high 5xx error rate (instance {{ $labels.instance }})
        description: |-
          High percentage of HTTP 5xx responses in Istio (> 5%).
            VALUE = {{ $value }}
            LABELS = {{ $labels }}
    - alert: IstioHighRequestLatency
      expr: rate(istio_request_duration_milliseconds_sum{reporter="destination"}[1m]) / rate(istio_request_duration_milliseconds_count{reporter="destination"}[1m]) > 100
      for: 1m
      labels:
        severity: warning
      annotations:
        summary: Istio high request latency (instance {{ $labels.instance }})
        description: |-
          Istio average requests execution is longer than 100ms.
            VALUE = {{ $value }}
            LABELS = {{ $labels }}
    - alert: IstioLatency99Percentile
      expr: histogram_quantile(0.99, sum(rate(istio_request_duration_milliseconds_bucket[1m])) by (destination_canonical_service, destination_workload_namespace, source_canonical_service, source_workload_namespace, le)) > 1
      for: 1m
      labels:
        severity: warning
      annotations:
        summary: Istio latency 99 percentile (instance {{ $labels.instance }})
        description: |-
          Istio 1% slowest requests are longer than 1s.
            VALUE = {{ $value }}
            LABELS = {{ $labels }}

To apply configuration changes from a local file, run the following command:

kubectl apply -n NAMESPACE_NAME -f FILE_NAME

You can also use Terraform to manage your configurations.

For more information about applying rules to your cluster, see Managed rule evaluation and alerting.

This Rules configuration was adapted from the Istio rules provided by Awesome Prometheus Alerts. You can adjust the alert thresholds to suit your application.

Verify the configuration

You can use Metrics Explorer to verify that you correctly configured the Istio exporter. It might take one or two minutes for Cloud Monitoring to ingest your metrics.

To verify the metrics are ingested, do the following:

In the navigation panel of the Google Cloud console, select Monitoring, and then select Metrics explorer:
Go to Metrics explorer
In the toolbar of the query-builder pane, select the button whose name is either MQL or PromQL.
Verify that PromQL is selected in the Language toggle. The language toggle is in the same toolbar that lets you format your query.

Enter and run the following query:

sum(istio_build{cluster="CLUSTER_NAME"}) by (component)

View dashboards

The Cloud Monitoring integration includes the Istio Envoy Prometheus Overview dashboard. Dashboards are automatically installed when you configure the integration. You can also view static previews of dashboards without installing the integration.

To view an installed dashboard, do the following:

In the navigation panel of the Google Cloud console, select Monitoring, and then select Dashboards:
Go to Dashboards
Select the Dashboard List tab.
Choose the Integrations category.
Click the name of the dashboard, for example, Istio Envoy Prometheus Overview.

To view a static preview of the dashboard, do the following:

In the navigation panel of the Google Cloud console, select Monitoring, and then select Integrations:
Go to Integrations
Click the Kubernetes Engine deployment-platform filter.
Locate the Istio integration and click View Details.
Select the Dashboards tab.

Troubleshooting

For information about troubleshooting metric ingestion problems, see Problems with collection from exporters in Troubleshooting ingestion-side problems.