What is Istio ?
In this tutorial, we will learn about how to install Istio on Amazon EKS using 6 easy steps. Istio is an open source service mesh that basically provides two pieces of architecture for a cluster i.e data plane and control plane. Data plane’s job is to handle the network traffic between the services in the service mesh environment. Control plane on the other hand is Istio’s core that manages and secures the data plane. Let’s understand some basic concept of Istio before proceeding to the installation in Amazon EKS cluster.
![How to Install Istio on Amazon EKS [6 Easy Steps]](https://www.linuxnasa.com/wp-content/uploads/2023/08/istio-eks.jpg)
What are Configuration Profiles ?
Also read: How to Install Istio on Windows 10 [4 Easy Steps]
In Istio, Configuration Profiles are a way to manage and customize the configuration settings for different environments or deployment scenarios. They provide a mechanism to define variations of Istio configuration that can be applied to different clusters, namespaces, or workloads. They also provide customization of the Istio control plane and of the sidecars for the Istio data plane. Istio supports following built-in configuration profiles.
Default Profile -This profile provides a baseline configuration suitable for most scenarios. It includes features like traffic routing, load balancing, retries, timeout and more.
Demo Profile – This profile is designed to showcase the features of Istio in a single namespace. It provides more advanced configurations for observability, tracing and routing.
Minimal Profile – This profile is optimized for resource-constrained environments. It includes only the essential components necessary for basic service mesh functionality.
Remote Profile – This profile is used for configuring a remote cluster that is managed by an external control plane or by a control plane in a primary cluster of a multi-cluster mesh.
Empty Profile – This profile contains no Istio configuration. It’s useful if you want to start with a clean slate and add configurations manually.
Preview Profile – This profile contains features that are experimental. This is intended to explore new features coming to Istio. Stability, security and performance is not guaranteed in this profile so one should use this at own risk.
How to Install Istio on Amazon EKS [6 Easy Steps]
Prerequisite
- Existing AWS EKS Cluster
- Kubectl Configured to interact with kube api
- Client VM to connect to EKS cluster
Step-1: Install Latest Istioctl CLI
In this step, download the latest Istio version and configure Istioctl using below command. You can also refer to Istio github page to see stable and beta version of Istio.
[linuxnasa@ip-10-176-128-108 istio]$ curl -L https://istio.io/downloadIstio | sh - % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 101 100 101 0 0 433 0 --:--:-- --:--:-- --:--:-- 435 100 4899 100 4899 0 0 6805 0 --:--:-- --:--:-- --:--:-- 0 Downloading istio-1.18.2 from https://github.com/istio/istio/releases/download/1.18.2/istio-1.18.2-linux-amd64.tar.gz ... Istio 1.18.2 Download Complete! Istio has been successfully downloaded into the istio-1.18.2 folder on your system. Next Steps: See https://istio.io/latest/docs/setup/install/ to add Istio to your Kubernetes cluster. To configure the istioctl client tool for your workstation, add the /home/linuxnasa/istio/istio-1.18.2/bin directory to your environment path variable with: export PATH="$PATH:/home/linuxnasa/istio/istio-1.18.2/bin" Begin the Istio pre-installation check by running: istioctl x precheck Need more information? Visit https://istio.io/latest/docs/setup/install/
[linuxnasa@ip-10-176-128-108 istio]$ ls istio-1.18.2
Step-2: Configure Istioctl binary Path
In this step, add the Istioctl binary path to PATH variable using below command.
[linuxnasa@ip-10-176-128-108 istio]$ export PATH="$PATH:/home/linuxnasa/istio/istio-1.18.2/bin"
Next, check which version of Istio is installed using below command.
[linuxnasa@ip-10-176-128-108 istio-1.18.2]$ istioctl version no ready Istio pods in "istio-system" 1.18.2
Next, do the Istio pre-installation check by running below command.
[linuxnasa@ip-10-176-128-108 ~]$ istioctl x precheck ✔ No issues found when checking the cluster. Istio is safe to install or upgrade! To get started, check out https://istio.io/latest/docs/setup/getting-started/
Step-3: Install Istio
In this step, install Istio using Istioctl cli. There are many configuration profile option available to use for Istio installation as we have discussed in the beginning of this tutorial, we will use demo configuration profile for installing the Istio.
[linuxnasa@ip-10-176-128-108 istio-1.18.2]$ istioctl install --set profile=demo -y WARNING: Istio control planes installed: 1.15.1. WARNING: A newer installed version of Istio has been detected. Running this command will overwrite it. ✔ Istio core installed ✔ Istiod installed ✔ Egress gateways installed ✔ Ingress gateways installed ✔ Installation complete Making this installation the default for injection and validation.
Once installation completes, a new namespace is created in which there will be three pods created as shown below.
[linuxnasa@ip-10-176-128-108 istio-1.18.2]$ kubectl get ns NAME STATUS AGE default Active 36d istio-system Active 63s kube-node-lease Active 36d kube-public Active 36d kube-system Active 36d
Check the pods in istio-system namespace using below command. There is egress and ingress gateway pod created which will control the incoming and outgoing traffic. Third pod is istiod which is nothing but the istio control plane.
[linuxnasa@ip-10-176-128-108 istio-1.18.2]$ kubectl get po -n istio-system NAME READY STATUS RESTARTS AGE istio-egressgateway-6c4796c98-nmd9s 1/1 Running 0 2m19s istio-ingressgateway-d94b4444b-gm9bw 1/1 Running 0 2m18s istiod-85669db8fd-k6rck 1/1 Running 0 2m31s
Step-4: Deploy Sample Application
In this step, deploy the sample application which comes with the istio package that we had downloaded in step-1. Create the sample application as shown below. Notice that the sample application .yaml configuration file is creating different K8 resources i.e multiple service, deployment, service account etc.
Firstly, create a new namespace istio-app where we will deploy the sample application instead of default namespace using below command.
[linuxnasa@ip-10-176-128-108 kube]$ kubectl create ns istio-app namespace/istio-app created
Next, Switch to directory path where application configuration file is kept.
[linuxnasa@ip-10-176-128-108 istio-1.18.2]$ cd samples/bookinfo/platform/kube/
Next, Create the sample application in istio-app namespace using below command.
[linuxnasa@ip-10-176-128-108 istio-1.18.2]$ kubectl create -f bookinfo.yaml -n istio-app service/details created serviceaccount/bookinfo-details created deployment.apps/details-v1 created service/ratings created serviceaccount/bookinfo-ratings created deployment.apps/ratings-v1 created service/reviews created serviceaccount/bookinfo-reviews created deployment.apps/reviews-v1 created deployment.apps/reviews-v2 created deployment.apps/reviews-v3 created service/productpage created serviceaccount/bookinfo-productpage created deployment.apps/productpage-v1 created
Check the pods in istio-app namespace using below command.
[linuxnasa@ip-10-176-128-108 kube]$ kubectl get po -n istio-app NAME READY STATUS RESTARTS AGE details-v1-5ffd6b64f7-885jv 1/1 Running 0 3m55s productpage-v1-8b588bf6d-fncc8 1/1 Running 0 3m55s ratings-v1-5f9699cfdf-vkqzj 1/1 Running 0 3m55s reviews-v1-569db879f5-pdtx7 1/1 Running 0 3m55s reviews-v2-65c4dc6fdc-jtkcp 1/1 Running 0 3m55s reviews-v3-c9c4fb987-8j49g 1/1 Running 0 3m55s
Notice that all the microservices are in 1/1 READY state which means there is only 1 container in all the microservice and that is main container . In the next step, we will inject the Istio sidecar in all these microservices.
Step-5: Inject Istio sidecar
In this step, inject the Istio sidecar i.e Envoy that actually injects the data plane with main conatiner. Envoy sidecar becomes the channel to communicate with the Istio Control plane and Data plane. To inject the istio sidecar, easiest way is to delete all the pods as these pods are created as replica. This way new pods will be automatically recreated and this time it will come up with 2 container i.e main container and istio sidecar container. Execute the command in same order as shown below.
Firstly, label the namespace where pods are deployed using below command.
[linuxnasa@ip-10-176-128-108 istio-1.18.2]$ kubectl label namespace istio-app istio-injection=enabled namespace/istio-app labeled
Next, Delete all the pods in istio-app namespace
[linuxnasa@ip-10-176-128-108 istio-1.18.2]$ for i in `kubectl get po -n istio-app | awk -F" " '{print $1}'| grep -vE "Post|Error:|NAME"`; do kubectl delete po $i -n istio-app; done pod "details-v1-5ffd6b64f7-ps8bp" deleted pod "productpage-v1-8b588bf6d-bhgwf" deleted pod "ratings-v1-5f9699cfdf-p9n9t" deleted pod "reviews-v1-569db879f5-sx8rn" deleted pod "reviews-v2-65c4dc6fdc-cxwwv" deleted pod "reviews-v3-c9c4fb987-ktt4g" deleted
Check pods again in istio-app namespace. This time all pods will come up with 2 containers as shown below.
[linuxnasa@ip-10-176-128-108 istio-1.18.2]$ kubectl get po -n istio-app NAME READY STATUS RESTARTS AGE details-v1-5ffd6b64f7-jfrhm 2/2 Running 0 74s productpage-v1-8b588bf6d-j5lxl 2/2 Running 0 73s ratings-v1-5f9699cfdf-dxnk2 2/2 Running 0 71s reviews-v1-569db879f5-lts8m 2/2 Running 0 69s reviews-v2-65c4dc6fdc-w9987 2/2 Running 0 66s reviews-v3-c9c4fb987-z8jwq 2/2 Running 0 63s
Step-6: Verify Application Up and Running
In this step, login to ratings-v1-5f9699cfdf-dxnk2 pod and try to get the response using curl command as shown below.
[linuxnasa@ip-10-176-128-108 istio-1.18.2]$ kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}' -n istio-app)" -c ratings -n istio-app -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>" <title>Simple Bookstore App</title>
Summary
Refer to Istio official documentation for more guide on installation.