Installing Istio on Google Kubernetes Engine

Istio is an open source framework for connecting, monitoring, and securing microservices, including services running on Kubernetes Engine. It lets you create a network of deployed services with load balancing, service-to-service authentication, monitoring, and more, without requiring any changes in service code. You add Istio support to services by deploying a special Envoy sidecar proxy to each of your application's pods. The Envoy proxy intercepts all network communication between microservices, and is configured and managed using Istio’s control plane functionality. This tutorial shows you how to install and configure Istio on Kubernetes Engine and deploy an Istio-enabled multi-service application.

Before you begin

Take the following steps to enable the Google Kubernetes Engine API:
  1. Visit the Kubernetes Engine page in the Google Cloud Platform Console.
  2. Create or select a project.
  3. Wait for the API and related services to be enabled. This can take several minutes.
  4. Enable billing for your project.


Install the following command-line tools used in this tutorial:

  • gcloud is used to create and delete Kubernetes Engine clusters. gcloud is included in the Google Cloud SDK.
  • kubectl is used to manage Kubernetes, the cluster orchestration system used by Kubernetes Engine. You can install kubectl using gcloud:
    gcloud components install kubectl

Set defaults for the gcloud command-line tool

To save time typing your project ID and Compute Engine zone options in the gcloud command-line tool, you can set default configuration values by running the following commands:
$ gcloud config set project PROJECT_ID
$ gcloud config set compute/zone us-central1-b

Create a Kubernetes Engine cluster

To create a cluster for this tutorial, run the following command. The tutorial cluster is named istio-tutorial:

gcloud container clusters create istio-tutorial \
    --machine-type=n1-standard-2 \
    --num-nodes=4 \
    --no-enable-legacy-authorization

Once you have the required cluster:

  • Grant cluster admin permissions to the current user. You need these permissions to create the necessary role-based access control (RBAC) rules for Istio:

    $ kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user="$(gcloud config get-value core/account)"

Using your own cluster

If you want to use an existing cluster for this tutorial, ensure that it is using the Kubernetes Engine default version of Kubernetes and has role-based access control (RBAC) enabled. To enable RBAC, you must create or update your cluster with the option --no-enable-legacy-authorization. You should also ensure that you have kubectl installed and that its version is the same as or more recent than your cluster's.

Step 1: Install Istio

Now let's install Istio. Starting with the 0.2 release, Istio is installed in its own istio-system namespace, and can manage microservices from all other namespaces. The installation includes Istio core components, tools, and samples.

Follow these steps on the same machine where you have your cluster credentials: this is your cluster admin machine.

  1. Go to the Istio release page and download the installation file for the OS on which you want to run the Istio client.

  2. Extract the downloaded installation file. The installation directory contains:

    • Installation .yaml files for Kubernetes in install/
    • Sample applications in samples/
    • The istioctl client binary in the bin/ directory. istioctl is used when manually injecting Envoy as a sidecar proxy and for creating routing rules and policies.
    • The istio.VERSION configuration file
  3. Ensure that you're in the Istio installation's root directory.

  4. Add the istioctl client to your PATH:

    export PATH=$PWD/bin:$PATH
    
  5. Install Istio's core components:

    kubectl apply -f install/kubernetes/istio-auth.yaml
    

    This does the following:

    • creates the istio-system namespace along with the required RBAC permissions
    • deploys the core Istio components:

      • Istio-Pilot, which is responsible for service discovery and for configuring the Envoy sidecar proxies in an Istio service mesh.
      • Istio-Mixer, which enforces access control and usage policies across the service mesh.
      • Istio-Ingress, which provides an ingress point for traffic from outside the cluster.
      • Istio-Egress, which lets an Istio-enabled service access URLs outside the cluster.
      • Istio-CA (Certificate Authority), which automates key and certificate management for Istio.
    • enables mutual TLS authentication between Envoy sidecars. Note that this authentication option may not work for all applications: you can find out how to install Istio without it, and when you might want to do this, in the Istio setup guide.

Step 2: Verify Istio installation

  1. Ensure the following Kubernetes services are deployed: istio-pilot, istio-mixer, istio-ingress, istio-egress:

    $ kubectl get service -n istio-system
    NAME            CLUSTER-IP      EXTERNAL-IP       PORT(S)                       AGE
    istio-egress    10.83.247.89    <none>            80/TCP                        5h
    istio-ingress   10.83.245.171   35.184.245.62     80:32730/TCP,443:30574/TCP    5h
    istio-pilot     10.83.251.173   <none>            8080/TCP,8081/TCP             5h
    istio-mixer     10.83.244.253   <none>            9091/TCP,9094/TCP,42422/TCP   5h

  2. Ensure the corresponding Kubernetes pods are deployed and all containers are up and running: istio-pilot-*, istio-mixer-*, istio-ingress-*, istio-egress-*, and istio-ca-*.

    $ kubectl get pods -n istio-system
    istio-ca-3657790228-j21b9           1/1       Running   0          5h
    istio-egress-1684034556-fhw89       1/1       Running   0          5h
    istio-ingress-1842462111-j3vcs      1/1       Running   0          5h
    istio-initializer-184129454-zdgf5   1/1       Running   0          5h
    istio-pilot-2275554717-93c43        1/1       Running   0          5h
    istio-mixer-2104784889-20rm8        2/2       Running   0          5h

Step 3: Deploy the BookInfo sample application

Once Istio is installed and all its components are running, you can try deploying one of the sample applications provided with the installation. In this tutorial, we'll install BookInfo. This is a simple mock bookstore application made up of four services that provide a web product page, book details, reviews (with several versions of the review service), and ratings - all managed using Istio. You can find the source code and all the other files used in this example in your Istio installation's samples/bookinfo directory.

Following these steps deploys the BookInfo application's services in an Istio-enabled environment, with Envoy sidecar proxies injected alongside each service to provide Istio functionality.

  1. Ensure you're still in the root of the Istio installation directory on your cluster admin machine.

  2. Deploy the application using kubectl apply and istioctl kube-inject. The kube-inject command updates the BookInfo deployment so that a sidecar is deployed in each application pod along with the service.

    kubectl apply -f <(istioctl kube-inject -f samples/bookinfo/kube/bookinfo.yaml)
    
  3. Confirm that the application has been deployed correctly by running the following commands:

    $ kubectl get services
    NAME                       CLUSTER-IP   EXTERNAL-IP   PORT(S)              AGE
    details                    10.0.0.31    <none>        9080/TCP             6m
    kubernetes                 10.0.0.1     <none>        443/TCP              7d
    productpage                10.0.0.120   <none>        9080/TCP             6m
    ratings                    10.0.0.15    <none>        9080/TCP             6m
    reviews                    10.0.0.170   <none>        9080/TCP             6m

    and

    $ kubectl get pods
    NAME                                        READY     STATUS    RESTARTS   AGE
    details-v1-1520924117-48z17                 2/2       Running   0          6m
    productpage-v1-560495357-jk1lz              2/2       Running   0          6m
    ratings-v1-734492171-rnr5l                  2/2       Running   0          6m
    reviews-v1-874083890-f0qf0                  2/2       Running   0          6m
    reviews-v2-1343845940-b34q5                 2/2       Running   0          6m
    reviews-v3-1813607990-8ch52                 2/2       Running   0          6m
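
A pod deployed without the sidecar sits outside the mesh, so its traffic is not covered by the mutual TLS enabled in Step 1. The following check is an added example, not part of the original tutorial: it flags pods that lack the sidecar container or are not fully ready. It assumes the injected container is named istio-proxy; the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag pods that lack the Envoy sidecar or are not fully ready.
# Input, one pod per line, tab-separated:
#   NAME <TAB> container names (space-separated) <TAB> ready flags (space-separated)
# Assumption: the injected sidecar container is named "istio-proxy".
SIDECAR_NAME="${SIDECAR_NAME:-istio-proxy}"

# Emit the tab-separated rows for every pod in the current namespace.
list_pods() {
  kubectl get pods -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\t"}{.status.containerStatuses[*].ready}{"\n"}{end}'
}

# Read rows on stdin; print "NAME<TAB>reason" for each pod that fails the check.
find_unmeshed_pods() {
  awk -F'\t' -v sidecar="$SIDECAR_NAME" '
    NF < 2 { next }                      # skip blank or malformed rows
    {
      n = split($2, names, " "); found = 0
      for (i = 1; i <= n; i++) if (names[i] == sidecar) found = 1
      if (!found) { print $1 "\tmissing-sidecar"; next }
      # A pod with no status yet has an empty third field and is reported too.
      m = split($3, ready, " "); ok = (m == n)
      for (i = 1; i <= m; i++) if (ready[i] != "true") ok = 0
      if (!ok) print $1 "\tnot-ready"
    }'
}

# Constructed sample rows (not real cluster output) for an offline run.
sample_pods() {
  printf 'productpage-v1-560495357-jk1lz\tproductpage istio-proxy\ttrue true\n'
  printf 'ratings-v1-734492171-rnr5l\tratings\ttrue\n'
  printf 'reviews-v1-874083890-f0qf0\treviews istio-proxy\ttrue false\n'
}

case "${1:-}" in
  --live)   list_pods | find_unmeshed_pods ;;
  --sample) sample_pods | find_unmeshed_pods ;;
esac
```

Run the script with --live against the cluster, or with --sample to see the output format; no output means every pod carries a ready sidecar.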

Step 4: Validate the application deployment

Now that it's deployed, let's see the BookInfo application in action.

Getting the ingress IP and port

To use BookInfo, first you need to get the ingress IP and port, as follows:

$ kubectl get ingress -o wide
NAME      HOSTS     ADDRESS                PORTS     AGE
gateway   *         35.184.245.62          80        1d

This gives you the address of the ingress service. Set it, together with the port, in the GATEWAY_URL variable:

export GATEWAY_URL=35.184.245.62:80

Trying the application

Once you have the address and port, check that the BookInfo app is running with curl:

curl -I http://${GATEWAY_URL}/productpage

If the response shows 200 OK, it means the application is working properly with Istio.

Then point your browser to http://$GATEWAY_URL/productpage to view the BookInfo web page. If you refresh the page several times, you should see different versions of reviews shown in the product page, presented in a round robin style (red stars, black stars, no stars), since we haven’t yet used Istio to control the version routing.

Deploying your own application

If you want to try deploying one of your own applications, just follow the same procedure with your own YAML deployment: Istio requires no changes to the application itself. Note that the application must use HTTP/1.1 or HTTP/2.0 protocol for all its HTTP traffic because the Envoy proxy doesn't support HTTP/1.0: it relies on headers that aren't present in HTTP/1.0 for routing.

Cleanup

If you don't want to continue exploring the BookInfo app as described in What's next?, do the following to avoid incurring charges to your Google Cloud Platform account for the resources used in this tutorial:

  1. Delete the istio-ingress ingress service.

    kubectl -n istio-system delete service istio-ingress
    
  2. Wait until the istio-ingress load balancer is deleted by watching the output of the following command:

    gcloud compute forwarding-rules list
    
  3. Delete the container cluster:

    gcloud container clusters delete istio-tutorial
    

What's next?

While the Istio control plane can only be installed on Kubernetes, Istio's mesh expansion functionality lets you add non-Kubernetes machines such as Compute Engine VMs to an Istio service mesh. You can find out how to do this and expand our BookInfo example in Using Istio with Compute Engine.

If you want to explore Istio further, the Istio site's guides section has more tutorials that let you play with BookInfo's Istio functionality. These include:

  • Intelligent Routing: This example shows how to use Istio's various traffic management capabilities with BookInfo, and is a particularly good next step from this tutorial.
  • In-Depth Telemetry: This example demonstrates how to get uniform metrics, logs, and traces across BookInfo's services using Istio Mixer and the Envoy proxy.
