Getting Started

These steps require you to have a cluster running a compatible version of Kubernetes (1.17, 1.18, 1.19, 1.20). You can use any supported platform, for example Minikube or others specified by the .

Follow these steps to get started with Istio:

1. Download and install Istio
3. Open the application to outside traffic

1. Go to the Istio release page to download the installation file for your OS, or download and extract the latest release automatically (Linux or macOS):

   The command above downloads the latest release (numerically) of Istio. You can pass variables on the command line to download a specific version or to override the processor architecture. For example, to download Istio 1.6.8 for the x86_64 architecture, run:

2. Move to the Istio package directory. For example, if the package is istio-1.9.1:

   $ cd istio-1.9.1

   The installation directory contains:

   • Sample applications in samples/
   • The client binary in the bin/ directory.

3. Add the istioctl client to your path (Linux or macOS):

   $ export PATH=$PWD/bin:$PATH

Install Istio

1. For this installation, we use the demo . It’s selected to have a good set of defaults for testing, but there are other profiles for production or performance testing.

   If your platform has a vendor-specific configuration profile, e.g., Openshift, use it in the following command, instead of the demo profile. Refer to your platform instructions for details.

   $ istioctl install --set profile=demo -y
   ✔ Istio core installed
   ✔ Istiod installed
   ✔ Egress gateways installed
   ✔ Ingress gateways installed
   ✔ Installation complete

2. Add a namespace label to instruct Istio to automatically inject Envoy sidecar proxies when you deploy your application later:

   $ kubectl label namespace default istio-injection=enabled
   namespace/default labeled

Deploy the sample application

1. Deploy the Bookinfo sample application:

   $ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo.yaml@
   service/details created
   serviceaccount/bookinfo-details created
   deployment.apps/details-v1 created
   service/ratings created
   serviceaccount/bookinfo-ratings created
   deployment.apps/ratings-v1 created
   service/reviews created
   deployment.apps/reviews-v1 created
   deployment.apps/reviews-v2 created
   deployment.apps/reviews-v3 created
   service/productpage created
   serviceaccount/bookinfo-productpage created
   deployment.apps/productpage-v1 created

2. The application will start. As each pod becomes ready, the Istio sidecar will be deployed along with it.

   $ kubectl get services
   NAME          TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
   kubernetes    ClusterIP   10.0.0.1        <none>        443/TCP    25m
   productpage   ClusterIP   10.0.0.57       <none>        9080/TCP   28s
   ratings       ClusterIP   10.0.0.33       <none>        9080/TCP   29s
   reviews       ClusterIP   10.0.0.28       <none>        9080/TCP   29s

   and

   $ kubectl get pods
   NAME                              READY   STATUS    RESTARTS   AGE
   details-v1-558b8b4b76-2llld       2/2     Running   0          2m41s
   productpage-v1-6987489c74-lpkgl   2/2     Running   0          2m40s
   ratings-v1-7dc98c7588-vzftc       2/2     Running   0          2m41s
   reviews-v1-7f99cc4496-gdxfn       2/2     Running   0          2m41s
   reviews-v2-7d79d5bd5d-8zzqd       2/2     Running   0          2m41s
   reviews-v3-7dbcdcbc56-m8dph       2/2     Running   0          2m41s

   Re-run the previous command and wait until all pods report READY 2/2 and STATUS Running before you go to the next step. This might take a few minutes depending on your platform.

3. Verify everything is working correctly up to this point. Run this command to see if the app is running inside the cluster and serving HTML pages by checking for the page title in the response:

   $ kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"
   <title>Simple Bookstore App</title>

The Bookinfo application is deployed but not accessible from the outside. To make it accessible, you need to create an Istio Ingress Gateway, which maps a path to a route at the edge of your mesh.

1. Associate this application with the Istio gateway:

   $ kubectl apply -f @samples/bookinfo/networking/bookinfo-gateway.yaml@
   gateway.networking.istio.io/bookinfo-gateway created
   virtualservice.networking.istio.io/bookinfo created

2. Ensure that there are no issues with the configuration:

Follow these instructions to set the INGRESS_HOST and INGRESS_PORT variables for accessing the gateway. Use the tabs to choose the instructions for your chosen platform:

Set the ingress ports:

$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')

Ensure a port was successfully assigned to each environment variable:

$ echo "$INGRESS_PORT"
32194

$ echo "$SECURE_INGRESS_PORT"
31632

Set the ingress IP:

$ export INGRESS_HOST=$(minikube ip)

$ echo "$INGRESS_HOST"
192.168.4.102

Run this command in a new terminal window to start a Minikube tunnel that sends traffic to your Istio Ingress Gateway:

$ minikube tunnel

Execute the following command to determine if your Kubernetes cluster is running in an environment that supports external load balancers:

$ kubectl get svc istio-ingressgateway -n istio-system
NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                      AGE

If the EXTERNAL-IP value is set, your environment has an external load balancer that you can use for the ingress gateway. If the value is <none> (or perpetually <pending>), your environment does not provide an external load balancer for the ingress gateway. In this case, you can access the gateway using the service’s node port.

Choose the instructions corresponding to your environment:

Follow these instructions if you have determined that your environment has an external load balancer.

Set the ingress IP and ports:

$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')

In certain environments, the load balancer may be exposed using a host name, instead of an IP address. In this case, the ingress gateway’s EXTERNAL-IP value will not be an IP address, but rather a host name, and the above command will have failed to set the INGRESS_HOST environment variable. Use the following command to correct the INGRESS_HOST value:

$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')

Follow these instructions if your environment does not have an external load balancer and choose a node port instead.

Set the ingress ports:

$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')

GKE:

You need to create firewall rules to allow the TCP traffic to the ingressgateway service’s ports. Run the following commands to allow the traffic for the HTTP port, the secure port (HTTPS) or both:

$ gcloud compute firewall-rules create allow-gateway-http --allow "tcp:$INGRESS_PORT"
$ gcloud compute firewall-rules create allow-gateway-https --allow "tcp:$SECURE_INGRESS_PORT"

IBM Cloud Kubernetes Service:

$ ibmcloud ks workers --cluster cluster-name-or-id
$ export INGRESS_HOST=public-IP-of-one-of-the-worker-nodes

Docker For Desktop:

$ export INGRESS_HOST=127.0.0.1

Other environments:

$ export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')

1. Set GATEWAY_URL:

   $ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT

2. Ensure an IP address and port were successfully assigned to the environment variable:

   $ echo "$GATEWAY_URL"
   192.168.99.100:32194

Verify external access

Confirm that the Bookinfo application is accessible from outside by viewing the Bookinfo product page using a browser.

1. Run the following command to retrieve the external address of the Bookinfo application.

   $ echo "http://$GATEWAY_URL/productpage"

2. Paste the output from the previous command into your web browser and confirm that the Bookinfo product page is displayed.

View the dashboard

Istio integrates with different telemetry applications. These can help you gain an understanding of the structure of your service mesh, display the topology of the mesh, and analyze the health of your mesh.

Use the following instructions to deploy the Kiali dashboard, along with , Grafana, and .

1. Install Kiali and the other addons and wait for them to be deployed.

   $ kubectl apply -f samples/addons
   $ kubectl rollout status deployment/kiali -n istio-system
   Waiting for deployment "kiali" rollout to finish: 0 of 1 updated replicas are available...
   deployment "kiali" successfully rolled out

   If there are errors trying to install the addons, try running the command again. There may be some timing issues which will be resolved when the command is run again.

2. Access the Kiali dashboard.

   $ istioctl dashboard kiali

3. The Kiali dashboard shows an overview of your mesh with the relationships between the services in the Bookinfo sample application. It also provides filters to visualize the traffic flow.

   Kiali Dashboard

Next steps

Congratulations on completing the evaluation installation!

These tasks are a great place for beginners to further evaluate Istio’s features using this demo installation:

• Fault injection
• Querying metrics
• Accessing external services

Before you customize Istio for production use, see these resources:

• Deployment models
• Pod requirements

We welcome you to ask questions and give us feedback by joining the Istio community.

Uninstall

To delete the Bookinfo sample application and its configuration, see Bookinfo cleanup.

The Istio uninstall deletes the RBAC permissions and all resources hierarchically under the istio-system namespace. It is safe to ignore errors for non-existent resources because they may have been deleted hierarchically.

$ kubectl delete -f @samples/addons@
$ istioctl manifest generate --set profile=demo | kubectl delete --ignore-not-found=true -f -

The namespace is not removed by default. If no longer needed, use the following command to remove it:

The label to instruct Istio to automatically inject Envoy sidecar proxies is not removed by default. If no longer needed, use the following command to remove it:

$ kubectl label namespace default istio-injection-

See also

A new deployment model for Istio.

Safely Upgrade Istio using a Canary Control Plane Deployment

Simplifying Istio upgrades by offering safe canary deployments of the control plane.

Provision and manage DNS certificates in Istio.

Introducing the Istio Operator

Introduction to Istio’s new operator-based installation and control plane management feature.

A more secure way to manage Istio webhooks.

Demystifying Istio’s Sidecar Injection Model

De-mystify how Istio manages to plugin its data-plane components into an existing deployment.