Installing Istio for Knative
If your cloud platform offers a managed Istio installation, we recommend installing Istio that way unless you need to customize your installation. The install guide for your specific platform will have those instructions.
You need:
- A Kubernetes cluster created.
- (v1.5.4 or later) installed.
When you install Istio, there are a few options depending on your goals. For a basic Istio installation suitable for most Knative use cases, follow the Installing Istio without sidecar injection instructions. If you’re familiar with Istio and know what kind of installation you want, read through the options and choose the installation that suits your needs.
You can easily customize your Istio installation with istioctl. The sections below cover a few useful Istio configurations and their benefits.
You can install Istio with or without a service mesh:
(Recommended default installation)
If you want to get up and running with Knative quickly, we recommend installing Istio without automatic sidecar injection. This install is also recommended for users who don’t need the Istio service mesh, or who want to enable the service mesh by manually injecting the Istio sidecars.
Installing Istio without sidecar injection
Enter the following command to install Istio:
Installing Istio with sidecar injection
If you want to enable the Istio service mesh, you must enable . The Istio service mesh provides a few benefits:
- Allows you to turn on mutual TLS, which secures service-to-service traffic within the cluster.
To enable automatic sidecar injection, set autoInject: enabled in addition to the above operator configuration.
global:
  proxy:
    autoInject: enabled
Using Istio mTLS feature
- Enable sidecar container on knative-serving system namespace.
- Set PeerAuthentication to PERMISSIVE on knative-serving system namespace.
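cat <<EOF | kubectl apply -f -
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  # Scope the policy to knative-serving, as the step above states;
  # without this it lands in kubectl's current namespace.
  namespace: "knative-serving"
spec:
  mtls:
    mode: PERMISSIVE
EOF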
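A way to confirm both mTLS steps took effect, as an added example that is not part of the original guide: it reads JSON shaped like the output of `kubectl get peerauthentication -A -o json` and `kubectl get namespace knative-serving -o json` and reports the namespace-wide mTLS mode Istio would apply. The sample objects are constructed, the function names are hypothetical, and it assumes the default root namespace `istio-system` and the `istio-injection=enabled` namespace label.

```python
import json

# Constructed sample, shaped like `kubectl get peerauthentication -A -o json`.
SAMPLE_POLICIES = json.loads("""{"items": [
  {"metadata": {"name": "default", "namespace": "istio-system"},
   "spec": {"mtls": {"mode": "STRICT"}}},
  {"metadata": {"name": "default", "namespace": "knative-serving"},
   "spec": {"mtls": {"mode": "PERMISSIVE"}}},
  {"metadata": {"name": "api-only", "namespace": "default"},
   "spec": {"selector": {"matchLabels": {"app": "api"}},
            "mtls": {"mode": "STRICT"}}}]}""")
# Constructed sample, shaped like `kubectl get namespace knative-serving -o json`.
SAMPLE_NAMESPACE = json.loads("""{"metadata": {"name": "knative-serving",
  "labels": {"istio-injection": "enabled"}}}""")


def namespace_mtls_mode(policies, namespace, root_namespace="istio-system"):
    """Return (mode, source) for the namespace-wide mTLS setting.

    Policies with a selector target specific workloads and are skipped. A
    namespace-wide policy overrides the mesh-wide one in the root namespace;
    with neither set (or mode UNSET), Istio falls back to PERMISSIVE.
    """
    found = {}
    # Istio keeps the oldest of several policies at the same scope.
    items = sorted(policies.get("items", []),
                   key=lambda i: i["metadata"].get("creationTimestamp", ""))
    for item in items:
        spec = item.get("spec") or {}
        if (spec.get("selector") or {}).get("matchLabels"):
            continue
        mode = (spec.get("mtls") or {}).get("mode", "UNSET")
        found.setdefault(item["metadata"]["namespace"], mode)
    for scope in (namespace, root_namespace):
        if found.get(scope, "UNSET") != "UNSET":
            return found[scope], scope
    return "PERMISSIVE", "istio-default"


def check_knative_serving(policies, ns_obj):
    """List deviations from the two mTLS steps on this page."""
    problems = []
    labels = ns_obj["metadata"].get("labels") or {}
    if labels.get("istio-injection") != "enabled":
        problems.append("sidecar injection label missing on namespace")
    mode, source = namespace_mtls_mode(policies, ns_obj["metadata"]["name"])
    if mode != "PERMISSIVE":
        problems.append(f"mTLS mode is {mode} (from {source}), expected PERMISSIVE")
    return problems


if __name__ == "__main__":
    print(check_knative_serving(SAMPLE_POLICIES, SAMPLE_NAMESPACE) or "OK")
```

If the PeerAuthentication was applied to a different namespace than knative-serving, the check reports the mesh-wide mode that applies instead.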
View the status of your Istio installation to make sure the install was successful. It might take a few seconds, so rerun the following command until all of the pods show a STATUS of Running or Completed:
Knative dispatches to different services based on their hostname, so it greatly simplifies things to have DNS properly configured. For this, we must look up the external IP address that Istio received. This can be done with the following command:
$ kubectl get svc -n istio-system
cluster-local-gateway ClusterIP 10.0.2.216 <none> 15020/TCP,80/TCP,443/TCP 2m14s
istio-pilot ClusterIP 10.0.3.27 <none> 15010/TCP,15011/TCP,8080/TCP,15014/TCP 2m14s
This external IP can be used with your DNS provider with a wildcard A record; however, for a basic functioning DNS setup (not suitable for production!) this external IP address can be used with xip.io in the config-domain ConfigMap in knative-serving. You can edit this with the following command:
Given the external IP above, change the content to:
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-domain
  namespace: knative-serving
data:
  # xip.io is a "magic" DNS provider, which resolves all DNS lookups for:
  # *.{ip}.xip.io to {ip}.
For the official Istio installation guide, see the Istio Kubernetes Getting Started Guide.
See the .
- Install Knative.
- Try the for Knative serving.