Setup a Kubernetes Cluster

    In this module, you set up a Kubernetes cluster that has Istio installed and a namespace to use throughout the tutorial.

    If you are in a workshop and the instructors provide a cluster for you, proceed to setting up your local computer.

    • Create the namespace:

        $ kubectl create namespace $NAMESPACE

    If you are an instructor, you should allocate a separate namespace for each participant. The tutorial supports work in multiple namespaces simultaneously by multiple participants.

    • Install Istio with strict mutual TLS enabled. TODO: add command or point to instructions.

    • Enable Envoy’s access logging.

      • Jaeger
      • Kiali

    The kubectl command can accept an in-line configuration to create the Ingress resources for each service:
    • Create a role to provide read access to the istio-system namespace. This role is required to limit permissions of the participants in the steps below.

        $ kubectl apply -f - <<EOF
        # Read-only access to resources in istio-system.
        # rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the stable API.
        kind: Role
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
          name: istio-system-access
          namespace: istio-system
        rules:
        - apiGroups: ["", "extensions", "apps"]
          resources: ["*"]
          verbs: ["get", "list"]
        EOF

    • Create a service account for each participant:
    • Limit each participant’s permissions. During the tutorial, participants only need to create resources in their namespace and to read resources from the istio-system namespace. It is a good practice, even if using your own cluster, to avoid interfering with other namespaces in your cluster.

    Create a role to allow read-write access to each participant’s namespace. Bind the participant’s service account to this role and to the role for reading resources from istio-system:

        $ kubectl apply -f - <<EOF
        # Read-write access, limited to the participant's own namespace.
        kind: Role
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
          name: ${NAMESPACE}-access
          namespace: $NAMESPACE
        rules:
        - apiGroups: ["", "extensions", "apps", "networking.k8s.io", "networking.istio.io", "authentication.istio.io",
                      "rbac.istio.io", "config.istio.io"]
          resources: ["*"]
          verbs: ["*"]
        ---
        # Bind the participant's service account to the namespace role.
        kind: RoleBinding
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
          name: ${NAMESPACE}-access
          namespace: $NAMESPACE
        subjects:
        - kind: ServiceAccount
          name: ${NAMESPACE}-user
          namespace: $NAMESPACE
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: Role
          name: ${NAMESPACE}-access
        ---
        # Bind the same service account to the read-only istio-system role.
        kind: RoleBinding
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
          name: ${NAMESPACE}-istio-system-access
          namespace: istio-system
        subjects:
        - kind: ServiceAccount
          name: ${NAMESPACE}-user
          namespace: $NAMESPACE
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: Role
          name: istio-system-access
        EOF
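
    One way to confirm that the roles and bindings above give a participant the intended access and nothing more, using kubectl auth can-i with impersonation. This is an added example, not part of the original tutorial; the function names, the KUBECTL override and the list of probes are assumptions, and it must be run by a user allowed to impersonate service accounts (for example a cluster administrator).

```shell
#!/bin/sh
# Added example (not from the tutorial): check one participant's effective RBAC.
# Assumption: the service account is ${NAMESPACE}-user, as in the bindings above.
# KUBECTL is a hypothetical override so the script can point at another binary.
KUBECTL="${KUBECTL:-kubectl}"

# can_i SA_NAMESPACE TARGET_NAMESPACE VERB RESOURCE -> prints "yes" or "no"
can_i() {
  answer=$("$KUBECTL" auth can-i "$3" "$4" \
    --as="system:serviceaccount:$1:$1-user" -n "$2" </dev/null 2>/dev/null) || true
  case "$answer" in
    yes*) echo yes ;;
    *)    echo no ;;
  esac
}

# check_participant NAMESPACE
# Probes allowed and forbidden actions; exit status = number of mismatches.
check_participant() {
  ns="$1"
  failures=0
  # Each probe row: expected answer, target namespace, verb, resource.
  while read -r want target verb resource; do
    got=$(can_i "$ns" "$target" "$verb" "$resource")
    if [ "$got" != "$want" ]; then
      echo "MISMATCH: $verb $resource in $target: want $want, got $got" >&2
      failures=$((failures + 1))
    fi
  done <<EOF
yes $ns create deployments
yes $ns delete pods
yes istio-system get pods
yes istio-system list services
no istio-system create pods
no istio-system delete services
no kube-system get pods
no kube-system list secrets
EOF
  return "$failures"
}

# Usage: check_participant "$NAMESPACE" && echo "RBAC matches the tutorial's intent"
```

    Because the istio-system role covers every resource in the core API group, a probe for get secrets in istio-system also answers yes for a participant; list specific resources instead of "*" in that role if participants should not read them.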

    Generate a Kubernetes configuration file for each participant:

    • If you are setting up the cluster for yourself, copy the ${NAMESPACE}-user-config.yaml file mentioned in the previous steps to your local computer, where ${NAMESPACE} is the name of the namespace you provided in the previous steps. For example, tutorial-user-config.yaml. You will need this file later in the tutorial.

    If you are an instructor, send the generated configuration files to each participant, who should copy it to their local computer.

    You are ready to .