Setup a Kubernetes Cluster

    In this module, you set up a Kubernetes cluster that has Istio installed and a namespace to use throughout the tutorial.

    If you are in a workshop and the instructors provide a cluster for you, proceed to setting up your local computer.

    1. Ensure you have access to a . You can use the Google Kubernetes Engine or the .

    2. Create an environment variable to store the name of a namespace that you will use when you run the tutorial commands. You can use any name, for example .

    3. Create the namespace:

      1. $ kubectl create namespace $NAMESPACE

      If you are an instructor, you should allocate a separate namespace per each participant. The tutorial supports work in multiple namespaces simultaneously by multiple participants.

    4. Install Istio using the demo profile.

    6. Create a Kubernetes Ingress resource for these common Istio services using the kubectl command shown. It is not necessary to be familiar with each of these services at this point in the tutorial.

      The kubectl command can accept an in-line configuration to create the Ingress resources for each service:

      1. $ kubectl apply -f - <<EOF
      2. apiVersion: extensions/v1beta1
      3. kind: Ingress
      4. metadata:
      5.   name: istio-system
      6.   namespace: istio-system
      7. spec:
      8.   rules:
      9.   - host: my-istio-dashboard.io
      10.     http:
      11.       paths:
      12.       - path: /*
      13.         backend:
      14.           serviceName: grafana
      15.           servicePort: 3000
      16.   - host: my-istio-tracing.io
      17.     http:
      18.       paths:
      19.       - path: /*
      20.         backend:
      21.           serviceName: tracing
      22.           servicePort: 9411
      23.   - host: my-istio-logs-database.io
      24.       paths:
      25.       - path: /*
      26.         backend:
      27.           serviceName: prometheus
      28.           servicePort: 9090
      30.     http:
      31.       paths:
      32.       - path: /*
      33.         backend:
      34.           serviceName: kiali
      35.           servicePort: 20001
      36. EOF

    7. Create a role to provide read access to the istio-system namespace. This role is required to limit permissions of the participants in the steps below.

    8. Create a service account for each participant:

      1. $ kubectl apply -f - <<EOF
      2. apiVersion: v1
      3. kind: ServiceAccount
      4. metadata:
      5.   name: ${NAMESPACE}-user
      6.   namespace: $NAMESPACE
      7. EOF

    9. Limit each participant’s permissions. During the tutorial, participants only need to create resources in their namespace and to read resources from istio-system namespace. It is a good practice, even if using your own cluster, to avoid interfering with other namespaces in your cluster.

      Create a role to allow read-write access to each participant’s namespace. Bind the participant’s service account to this role and to the role for reading resources from istio-system:

      1. $ kubectl apply -f - <<EOF
      2. kind: Role
      3. apiVersion: rbac.authorization.k8s.io/v1beta1
      4. metadata:
      5.   name: ${NAMESPACE}-access
      6.   namespace: $NAMESPACE
      7. rules:
      8. - apiGroups: ["", "extensions", "apps", "networking.k8s.io", "networking.istio.io", "authentication.istio.io",
      9.               "rbac.istio.io", "config.istio.io"]
      10.   resources: ["*"]
      11.   verbs: ["*"]
      12. kind: RoleBinding
      13. apiVersion: rbac.authorization.k8s.io/v1beta1
      14. metadata:
      15.   name: ${NAMESPACE}-access
      17. subjects:
      18. - kind: ServiceAccount
      19.   name: ${NAMESPACE}-user
      20.   namespace: $NAMESPACE
      21. roleRef:
      22.   apiGroup: rbac.authorization.k8s.io
      23.   kind: Role
      24.   name: ${NAMESPACE}-access
      25. ---
      26. kind: RoleBinding
      27. apiVersion: rbac.authorization.k8s.io/v1beta1
      28. metadata:
      29.   name: ${NAMESPACE}-istio-system-access
      30.   namespace: istio-system
      31. subjects:
      32. - kind: ServiceAccount
      33.   name: ${NAMESPACE}-user
      34.   namespace: $NAMESPACE
      35. roleRef:
      36.   apiGroup: rbac.authorization.k8s.io
      37.   kind: Role
      38.   name: istio-system-access
      39. EOF

    10. Each participant needs to use their own Kubernetes configuration file. This configuration file specifies the cluster details, the service account, the credentials and the namespace of the participant. The kubectl command uses the configuration file to operate on the cluster.

      This command assumes your cluster is named tutorial-cluster. If your cluster is named differently, replace all references with the name of your cluster.

    11. Set the KUBECONFIG environment variable for the ${NAMESPACE}-user-config.yaml configuration file:

      1. $ export KUBECONFIG=./${NAMESPACE}-user-config.yaml

    12. Verify that the configuration took effect by printing the current namespace:

      1. $ kubectl config view -o jsonpath="{.contexts[?(@.name==\"$(kubectl config current-context)\")].context.namespace}"
      2. tutorial

      You should see the name of your namespace in the output.

    Congratulations, you configured your cluster for the tutorial!