Installing Istio on Kubernetes Engine

Istio is an open source framework for connecting, monitoring, and securing microservices, including services running on Kubernetes Engine. It lets you create a network of deployed services with load balancing, service-to-service authentication, monitoring, and more, without requiring any changes in service code. You add Istio support to services by deploying a special Envoy sidecar proxy to each of your application's pods. The Envoy proxy intercepts all network communication between microservices, and is configured and managed using Istio’s control plane functionality. This tutorial shows you how to install and configure Istio on GKE and deploy an Istio-enabled multi-service application.

Before you begin

Take the following steps to enable the Kubernetes Engine API:
  1. Visit the Kubernetes Engine page in the Google Cloud Platform Console.
  2. Create or select a project.
  3. Wait for the API and related services to be enabled. This can take several minutes.
  4. Make sure that billing is enabled for your Google Cloud Platform project.

Install the following command-line tools used in this tutorial:

  • gcloud is used to create and delete Kubernetes Engine clusters. gcloud is included in the Google Cloud SDK.
  • kubectl is used to manage Kubernetes, the cluster orchestration system used by Kubernetes Engine. You can install kubectl using gcloud:
    gcloud components install kubectl

Set defaults for the gcloud command-line tool

To save time typing your project ID and Compute Engine zone options in the gcloud command-line tool, you can set the defaults:
gcloud config set project [PROJECT_ID]
gcloud config set compute/zone us-central1-b

Create a GKE cluster

To create a cluster for this tutorial, run the following command. The tutorial cluster is named istio-tutorial:

gcloud container clusters create istio-tutorial \
    --machine-type=n1-standard-2 \

Using your own cluster

If you want to use an existing cluster for this tutorial, ensure that it is using the GKE default version of Kubernetes and has role-based access control (RBAC) enabled. RBAC is enabled by default on all clusters running Kubernetes version 1.6 or later. To enable RBAC on an older version, update your cluster with the option --no-enable-legacy-authorization.

You should also ensure that you have kubectl installed and that its version is the same as or more recent than your cluster's. You can verify that you are using the latest version by running kubectl version.

Step 1: Install Istio

Now let's install Istio. Istio is installed in its own istio-system namespace, and can manage microservices from all other namespaces. The installation includes Istio core components, tools, and samples.

Follow these steps on the same machine where you have your cluster credentials: this is your cluster admin machine.

  1. Go to the Istio release page to download the installation file corresponding to your OS where you want to run the Istio client.

  2. Extract the downloaded installation file. The installation directory contains:

    • Installation .yaml files for Kubernetes in install/
    • Sample applications in samples/
    • The istioctl client binary in the bin/ directory. istioctl is used when manually injecting Envoy as a sidecar proxy and for creating routing rules and policies.
    • The istio.VERSION configuration file
  3. Ensure that you're in the Istio installation's root directory.

  4. Add the istioctl client to your PATH:

    export PATH=$PWD/bin:$PATH
  5. Grant cluster admin permissions to the current user. You need these permissions to create the necessary role-based access control (RBAC) rules for Istio:

    kubectl create clusterrolebinding cluster-admin-binding \
      --clusterrole=cluster-admin \
      --user="$(gcloud config get-value core/account)"
  6. Install Istio's core components:

    kubectl apply -f install/kubernetes/istio-demo-auth.yaml

    This does the following:

    • creates the istio-system namespace along with the required RBAC permissions
    • deploys the core Istio components:

      • Istio-Pilot, which is responsible for service discovery and for configuring the Envoy sidecar proxies in an Istio service mesh.
      • The Mixer components Istio-Policy and Istio-Telemetry, which enforce usage policies and gather telemetry data across the service mesh.
      • Istio-Ingressgateway, which provides an ingress point for traffic from outside the cluster.
      • Istio-Citadel, which automates key and certificate management for Istio.
    • deploys plugins for metrics, logs, and tracing.

    • enables mutual TLS authentication between Envoy sidecars. Note that using this authentication option may not work for all applications: you can find out how to install Istio without it, and when you might want to do this, in the Istio setup guide.

Step 2: Verify Istio installation

  1. Ensure the following Kubernetes services are deployed: istio-citadel, istio-pilot, istio-ingressgateway, istio-policy, and istio-telemetry (you'll also see the other deployed services):

    kubectl get service -n istio-system
    NAME                       TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                               AGE
    istio-citadel              ClusterIP            8060/TCP,9093/TCP                                                     37s
    istio-egressgateway        ClusterIP           80/TCP,443/TCP                                                        40s
    istio-ingressgateway       LoadBalancer        80:31380/TCP,443:31390/TCP,31400:31400/TCP                            40s
    istio-pilot                ClusterIP            15003/TCP,15005/TCP,15007/TCP,15010/TCP,15011/TCP,8080/TCP,9093/TCP   38s
    istio-policy               ClusterIP           9091/TCP,15004/TCP,9093/TCP                                           39s
    istio-sidecar-injector     ClusterIP           443/TCP                                                               37s
    istio-statsd-prom-bridge   ClusterIP            9102/TCP,9125/UDP                                                     39s
    istio-telemetry            ClusterIP            9091/TCP,15004/TCP,9093/TCP,42422/TCP                                 39s
  2. Ensure the corresponding Kubernetes pods are deployed and all containers are up and running: istio-pilot-*, istio-policy-*, istio-telemetry-*, istio-ingressgateway-*, and istio-citadel-*.

    kubectl get pods -n istio-system
    NAME                                        READY     STATUS      RESTARTS   AGE
    grafana-6995b4fbd7-mp7ps                    1/1       Running     0          12m
    istio-citadel-54f4678f86-4549b              1/1       Running     0          12m
    istio-cleanup-secrets-5pl77                 0/1       Completed   0          12m
    istio-egressgateway-c68bcd889-p52rb         1/1       Running     0          12m
    istio-galley-7bd8b5f88f-nhwlc               1/1       Running     0          12m
    istio-grafana-post-install-6dwhp            0/1       Completed   3          12m
    istio-ingressgateway-665699c874-l62rg       1/1       Running     0          12m
    istio-pilot-68cbbcd65d-l5298                2/2       Running     0          12m
    istio-policy-7c5b5bb744-k6vm9               2/2       Running     0          12m
    istio-security-post-install-g9l9p           0/1       Completed   3          12m
    istio-sidecar-injector-85ccf84984-2hpfm     1/1       Running     0          12m
    istio-statsd-prom-bridge-55965ff9c8-x6sqd   1/1       Running     0          12m
    istio-telemetry-5b6c57fffc-9j4dc            2/2       Running     0          12m
    istio-tracing-77f9f94b98-jv8vh              1/1       Running     0          12m
    prometheus-7456f56c96-7hrk5                 1/1       Running     0          12m
    servicegraph-684c85ffb9-9cd4x               1/1       Running     0          12m

Step 3: Deploy the BookInfo sample application

Once Istio is installed and all its components are running, you can try deploying one of the sample applications provided with the installation. In this tutorial, we'll install BookInfo. This is a simple mock bookstore application made up of four services that provide a web product page, book details, reviews (with several versions of the review service), and ratings - all managed using Istio. You can find the source code and all the other files used in this example in your Istio installation's samples/bookinfo directory.

Following these steps deploys the BookInfo application's services in an Istio-enabled environment, with Envoy sidecar proxies injected alongside each service to provide Istio functionality.

  1. Ensure you're still in the root of the Istio installation directory on your cluster admin machine.

  2. Deploy the application using kubectl apply and istioctl kube-inject. The kube-inject command updates the BookInfo deployment so that a sidecar is deployed in each application pod along with the service.

    kubectl apply -f <(istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml)
  3. Confirm that the application has been deployed correctly by running the following commands:

    kubectl get services
    NAME                       CLUSTER-IP   EXTERNAL-IP   PORT(S)              AGE
    details              <none>        9080/TCP             6m
    kubernetes            <none>        443/TCP              7d
    productpage         <none>        9080/TCP             6m
    ratings              <none>        9080/TCP             6m
    reviews             <none>        9080/TCP             6m


    kubectl get pods
    NAME                                        READY     STATUS    RESTARTS   AGE
    details-v1-1520924117-48z17                 2/2       Running   0          6m
    productpage-v1-560495357-jk1lz              2/2       Running   0          6m
    ratings-v1-734492171-rnr5l                  2/2       Running   0          6m
    reviews-v1-874083890-f0qf0                  2/2       Running   0          6m
    reviews-v2-1343845940-b34q5                 2/2       Running   0          6m
    reviews-v3-1813607990-8ch52                 2/2       Running   0          6m
  4. Finally, define the ingress gateway routing for the application:

    kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
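
Because the sidecar is injected manually with istioctl kube-inject, a pod applied without that step has no Envoy proxy and its traffic is not intercepted by the mesh. The following check is an added example, not part of the original tutorial: it lists pods that lack the sidecar. It assumes the injected container is named istio-proxy; the sample input is constructed, and the pod legacy-batch-0 is hypothetical.

```shell
#!/bin/sh
# Added example: list pods that lack the Envoy sidecar container.
# Assumption: the injected sidecar container is named "istio-proxy".

# Input (stdin): one "pod<TAB>container names" line per pod, as printed by
#   kubectl get pods -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'
# Output: names of pods without the sidecar. Returns 1 if any were found.
pods_missing_sidecar() {
  awk -F '\t' '
    $1 != "" {
      n = split($2, names, " ")          # container names are space-separated
      has = 0
      for (i = 1; i <= n; i++) if (names[i] == "istio-proxy") has = 1
      if (!has) { print $1; missing++ }
    }
    END { exit (missing > 0) }
  '
}

# Constructed sample input: three injected BookInfo pods and one
# hypothetical pod that was applied without kube-inject.
sample_pods() {
  printf '%s\t%s\n' \
    'details-v1-1520924117-48z17'    'details istio-proxy' \
    'productpage-v1-560495357-jk1lz' 'productpage istio-proxy' \
    'reviews-v1-874083890-f0qf0'     'reviews istio-proxy' \
    'legacy-batch-0'                 'worker'
}

# Demo on the sample; against a live cluster, pipe the kubectl command
# shown above into pods_missing_sidecar instead.
sample_pods | pods_missing_sidecar || echo "the pods listed above have no sidecar"
```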

Step 4: Validate the application deployment

Now that it's deployed, let's see the BookInfo application in action.

Getting the ingress IP and port

To use BookInfo, first you need to get the ingress IP and port, as follows:

kubectl get svc istio-ingressgateway -n istio-system
NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                      AGE
istio-ingressgateway   LoadBalancer   80:31380/TCP,443:31390/TCP,31400:31400/TCP   27m

This gives you the address of the ingress service, as follows (use the first port):
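
One way to set the GATEWAY_URL variable that the curl command in the next section expects (added example, not part of the original tutorial). It takes the external IP and the first port from the service listing and fails while the load balancer has no address yet; the addresses in the sample line are constructed.

```shell
#!/bin/sh
# Added example: build GATEWAY_URL from the istio-ingressgateway service line.

# Input (stdin): output of
#   kubectl get svc istio-ingressgateway -n istio-system
# Output: EXTERNAL-IP:PORT using the first listed port.
# Returns 1 if no external IP has been assigned yet (e.g. "<pending>").
gateway_url_from_svc() {
  awk '
    $1 == "istio-ingressgateway" {
      ip = $4                            # EXTERNAL-IP column
      split($5, ports, ",")              # "80:31380/TCP,443:31390/TCP,..."
      split(ports[1], first, "[:/]")     # first entry -> service port
      if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
        print ip ":" first[1]
        found = 1
      }
    }
    END { exit !found }
  '
}

# Constructed sample output (documentation-range addresses, not real ones).
SAMPLE_SVC='NAME                   TYPE           CLUSTER-IP   EXTERNAL-IP    PORT(S)                                      AGE
istio-ingressgateway   LoadBalancer   10.0.0.10    203.0.113.10   80:31380/TCP,443:31390/TCP,31400:31400/TCP   27m'

# Demo on the sample line.
printf '%s\n' "$SAMPLE_SVC" | gateway_url_from_svc

# Against a live cluster:
#   GATEWAY_URL=$(kubectl get svc istio-ingressgateway -n istio-system | gateway_url_from_svc) \
#     && export GATEWAY_URL
```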


Trying the application

Once you have the address and port, check that the BookInfo app is running with curl:

curl -I http://${GATEWAY_URL}/productpage

If the response shows 200, it means the application is working properly with Istio.

Then point your browser to http://$GATEWAY_URL/productpage to view the BookInfo web page. If you refresh the page several times, you should see different versions of reviews shown in the product page, presented in a round robin style (red stars, black stars, no stars), since we haven’t yet used Istio to control the version routing.

Deploying your own application

If you want to try deploying one of your own applications, just follow the same procedure with your own YAML deployment: Istio requires no changes to the application itself. Note that the application must use HTTP/1.1 or HTTP/2.0 protocol for all its HTTP traffic because the Envoy proxy doesn't support HTTP/1.0: it relies on headers that aren't present in HTTP/1.0 for routing.

Cleaning up

If you don't want to continue exploring the BookInfo app in What's Next?, do the following to avoid incurring charges to your Google Cloud Platform account for the resources used in this tutorial:

  1. Delete the istio-ingressgateway ingress service.

    kubectl -n istio-system delete service istio-ingressgateway
  2. Wait until the istio-ingressgateway load balancer is deleted by watching the output of the following command:

    gcloud compute forwarding-rules list
  3. Delete the container cluster:

    gcloud container clusters delete istio-tutorial

What's next

While the Istio control plane can only be installed on Kubernetes, Istio's mesh expansion functionality lets you add non-Kubernetes machines such as Compute Engine VMs to an Istio service mesh. You can find out how to do this and expand our BookInfo example in Using Istio with Compute Engine.

If you want to explore Istio further, the Istio site's examples section has more tutorials that let you play with BookInfo's Istio functionality. These include:

  • Traffic management: This example shows how to use Istio's various traffic management capabilities with BookInfo, and is a particularly good next step from this tutorial.
  • In-Depth telemetry: This example demonstrates how to get uniform metrics, logs, and traces across BookInfo's services using Istio Mixer and the Envoy proxy.