
Kubernetes istio istioctl

ghdrako edited this page Aug 17, 2022 · 24 revisions

Get Istio

curl -L https://istio.io/downloadIstio | sh -

curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.13.0 sh -
cd istio-1.13.0
./bin/istioctl version
# add the bin directory to your PATH so istioctl can be called directly
istioctl x precheck

Installing & Configuration Profiles

Configuration profiles:

  • default: The recommended profile for production deployments. Features minimal add-ons and uses production-grade defaults.
  • demo: Used to showcase the breadth of Istio's functionality. Features the complete set of add-ons and configuration optimized for minimal resource usage. It also contains an elevated amount of tracing and access logging, so it is generally not recommended for performance-sensitive deployments.
  • minimal: A minimalistic deployment of Istio sufficient to utilize its traffic management capabilities.

istioctl install --set profile=demo
istioctl install --set profile=default
istioctl install --set profile=demo -y

istioctl manifest apply --set profile=demo \
    --set values.tracing.enabled=true \
    --set values.tracing.provider=zipkin

kubectl get pod -n istio-system
istioctl verify-install

Customizing configs

istioctl profile dump default  # show settings

# values.global.proxy.privileged=true gives the istio-proxy sidecars a privileged securityContext
istioctl install --set addonComponents.kiali.enabled=true \
--set components.telemetry.enabled=true \
--set components.citadel.enabled=true \
--set values.global.proxy.privileged=true \
--set addonComponents.tracing.enabled=true \
--set values.pilot.traceSampling=100.0 \
--set values.global.proxy.tracer=datadog

When changing any config, pass all the previously set flags along with the new ones. Omitting a previously enabled setting reverts it to its default value. One way to avoid this is to store the dump in a file and apply it with istioctl, or to use the Helm charts for Istio.

Install the control-plane supporting components

kubectl apply -f ./samples/addons
kubectl get pod -n istio-system

Manually inject the Istio service proxy so that the service can participate in the service mesh

istioctl kube-inject -f services/catalog/kubernetes/catalog.yaml

The istioctl kube-inject command takes a Kubernetes resource file and enriches it with the sidecar deployment of the Istio service proxy and a few additional components. The YAML now includes a few extra containers as part of the deployment.

- args:
  - proxy
  - sidecar
  - --domain
  - $(POD_NAMESPACE).svc.cluster.local
  - --serviceCluster
  - catalog.$(POD_NAMESPACE)
  - --proxyLogLevel=warning
  - --proxyComponentLogLevel=misc:error
  - --trust-domain=cluster.local
  - --concurrency
  - "2"
  env:
  - name: JWT_POLICY
    value: first-party-jwt
  - name: PILOT_CERT_PROVIDER
    value: istiod
  - name: CA_ADDR
    value: istiod.istio-system.svc:15012
  - name: POD_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name
  ...
  image: docker.io/istio/proxyv2:{1.13.0}
  imagePullPolicy: Always
  name: istio-proxy

Sidecar injection - Automatic

To enable automatic sidecar injection, add the istio-injection=enabled label at the namespace level.

kubectl label namespace dsl-test istio-injection=enabled
kubectl label namespace istioinaction istio-injection=enabled

For services that do not require a sidecar, add the following annotation to the deployment template:

# Pod Annotations
podAnnotations:
  sidecar.istio.io/inject: "false"

istioctl proxy-status  # overview of your mesh
istioctl proxy-config routes
istioctl dashboard grafana
istioctl dashboard kiali
istioctl dashboard jaeger
kubectl get pods -n istio-system
kubectl get validatingwebhookconfiguration
kubectl delete validatingwebhookconfiguration istiod-default-validator 

Upgrade Istio

istioctl upgrade --set profile=default


istioctl1.7 install --set revision=1-7-5
istioctl proxy-status

  • SYNCED means that Envoy has acknowledged the last configuration Istiod has sent to it.
  • NOT SENT means that Istiod hasn’t sent anything to Envoy. This usually is because Istiod has nothing to send.
  • STALE means that Istiod has sent an update to Envoy but has not received an acknowledgement. This usually indicates a networking issue between Envoy and Istiod or a bug with Istio itself.

istioctl proxy-config cluster -n istio-system istio-ingressgateway-7d6874b48f-qxhn5
istioctl proxy-config listeners productpage-v1-6c886ff494-7vxhs
istioctl proxy-config listeners productpage-v1-6c886ff494-7vxhs --port 15001 -o json
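
The SYNCED / NOT SENT / STALE states listed above for istioctl proxy-status can be checked mechanically. The following is an added example, not part of the original wiki page: a POSIX shell function that reads proxy-status output on stdin and prints each proxy that has a STALE xDS column, together with the affected columns. The function names, the sample rows and the istiod-example pod name are constructed for illustration, and the fixed-width column layout under a header row is an assumption about the output format.

```shell
#!/bin/sh
# Added example (not from the wiki): report proxies that have STALE xDS state.
# Assumption: proxy-status prints fixed-width columns under a header row, so a
# value starts at the same offset as its header. This copes with the two-word
# value "NOT SENT" and with releases that add columns such as ECDS.
stale_proxies() {
  awk '
    NR == 1 {
      # Locate each xDS column that this istioctl release prints.
      n = split("CDS LDS EDS RDS ECDS", t, " ")
      for (i = 1; i <= n; i++) {
        at = index($0 " ", " " t[i] " ")
        if (at > 0) col[t[i]] = at + 1
      }
      next
    }
    {
      bad = ""
      for (i = 1; i <= n; i++)
        if ((t[i] in col) && substr($0, col[t[i]], 5) == "STALE")
          bad = bad (bad == "" ? "" : ",") t[i]
      # SYNCED and NOT SENT are healthy states and are not reported.
      if (bad != "") print $1 "\t" bad
    }
  '
}

# Constructed sample input, laid out like proxy-status output.
sample_status() {
  fmt='%-44s%-10s%-10s%-10s%-10s%-18s%s\n'
  printf "$fmt" NAME CDS LDS EDS RDS ISTIOD VERSION
  printf "$fmt" productpage-v1-6c886ff494-7vxhs.default \
    SYNCED SYNCED SYNCED SYNCED istiod-example 1.13.0
  printf "$fmt" catalog-example.istioinaction \
    SYNCED STALE SYNCED STALE istiod-example 1.13.0
  printf "$fmt" istio-ingressgateway-example.istio-system \
    SYNCED "NOT SENT" SYNCED "NOT SENT" istiod-example 1.13.0
}

# Live use: istioctl proxy-status | stale_proxies
sample_status | stale_proxies
```

A STALE proxy is still running the configuration it last acknowledged, so any routing or policy change pushed since then is not in effect on that workload.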

Inspecting bootstrap configuration

istioctl proxy-config bootstrap -n istio-system istio-ingressgateway-7d6874b48f-qxhn5

Uninstall Istio

istioctl manifest generate --set profile=default | kubectl delete -f -

Test
