
Istio

Introduction

Resource

ServiceEntry

yaml
# serviceentry.yaml
# Adds the external host ext-svc.example.com to the mesh service registry so
# that sidecars know about it on port 443.
#
# A ServiceEntry is only an egress allowlist when the mesh runs with
# meshConfig.outboundTrafficPolicy.mode set to REGISTRY_ONLY; under ALLOW_ANY,
# destinations without an entry are still passed through.
# No namespace or exportTo is set here, so the entry is created in the current
# kubectl namespace and exported to every namespace.
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: svc-entry
spec:
  # MESH_EXTERNAL: the endpoints live outside the mesh and carry no sidecar.
  location: MESH_EXTERNAL
  # Endpoints are found by resolving the host name through DNS.
  resolution: DNS
  hosts:
  - ext-svc.example.com
  ports:
  # HTTPS here means the application opens the TLS session itself; the
  # sidecar forwards the encrypted stream without terminating it.
  - name: https
    number: 443
    protocol: HTTPS

---
# ext destinationrule.yaml
# Client-side policy for calls to ext-svc.example.com: give up on a TCP
# connect that has not completed within one second.
# No tls block is set, so the sidecar does not originate TLS for this host;
# encryption is whatever the calling application negotiates.
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: ext-res-dr
spec:
  host: ext-svc.example.com
  trafficPolicy:
    connectionPool:
      tcp: {connectTimeout: 1s}

Sidecar

yaml
# sidecar.yaml
# Namespace-wide Sidecar for bookinfo (no workloadSelector, so it covers every
# workload in the namespace). Egress configuration is limited to services in
# the same namespace and in istio-system.
#
# This trims the configuration pushed to each proxy. On its own it is not an
# access control: NOTE(review) with the mesh outbound policy at ALLOW_ANY,
# traffic to hosts outside this list may still pass through - confirm the
# mesh setting, and use AuthorizationPolicy where enforcement is required.
apiVersion: networking.istio.io/v1
kind: Sidecar
metadata:
  namespace: bookinfo
  name: default
spec:
  egress:
  - hosts:
    # "./" is the Sidecar's own namespace.
    - './*'
    - 'istio-system/*'

Gateway

yaml
# gateway.yaml
# Gateway applied to the proxy pods labelled app=my-ingressgateway. It opens
# two listeners for *.example.com: plain HTTP on 80 and TLS on 443.
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  namespace: istio-system
  name: ext-host-gw
spec:
  selector:
    app: my-ingressgateway
  servers:
  # Clear-text listener.
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - '*.example.com'
    tls:
      # NOTE(review): with the redirect off, requests on port 80 are accepted
      # unencrypted. Setting this to true makes the gateway answer with a 301
      # to the HTTPS URL instead.
      httpsRedirect: false
  # TLS listener.
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - '*.example.com'
    tls:
      # SIMPLE is one-way TLS: the gateway presents a certificate and does not
      # ask the client for one (MUTUAL is the mode that does).
      mode: SIMPLE
      # Kubernetes secret with the server certificate and key; it has to exist
      # in the namespace where the gateway workload runs.
      credentialName: ext-host-cert

VirtualService

yaml
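# virtualservice.yaml
# Three routing examples. They are written as separate documents because a
# single spec cannot hold `hosts` or `http` more than once: duplicate keys
# are invalid YAML, and parsers that tolerate them keep only the last value.
# The names bookinfo-tcp and bookinfo-canary are constructed for this split;
# bookinfo is the name used by the original listing.

# --- TCPRoute ---------------------------------------------------------------
# Connections addressed to mongo.prod on port 27017 are sent to mongo.backup
# on port 5555.
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  labels:
    app.kubernetes.io/name: my-app
    app.kubernetes.io/version: "0.1.0"
  name: bookinfo-tcp
  namespace: istio-system
spec:
  # NOTE(review): the Gateway listing on this page serves *.example.com on
  # ports 80 and 443 only; confirm whether this route is meant for that
  # gateway or for sidecars (reserved gateway name `mesh`).
  gateways:
  - istio-system/ext-host-gw
  hosts:
  - mongo.prod.svc.cluster.local
  tcp:
  - match:
    - port: 27017
    route:
    - destination:
        host: mongo.backup.svc.cluster.local
        port:
          number: 5555
---
# --- HTTPMatchRoute ---------------------------------------------------------
# Path and header based routing for book.example.com through ext-host-gw.
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  labels:
    app.kubernetes.io/name: my-app
    app.kubernetes.io/version: "0.1.0"
  name: bookinfo
  namespace: istio-system
spec:
  gateways:
  - istio-system/ext-host-gw
  hosts:
  - book.example.com
  http:
  - match:
    - uri:
        prefix: /reviews
    route:
    - destination:
        host: reviews.istio-system.svc.cluster.local
  # HTTP rules are evaluated top to bottom and the first match wins, so the
  # header-specific /ratings rule has to come before the general /ratings
  # rule; listed after it, this rule would never be reached.
  # The end-user header is supplied by the client. It selects a subset, it
  # does not authenticate anyone: do not rely on it to restrict who reaches
  # v2 (use RequestAuthentication / AuthorizationPolicy for that).
  # Subset v2 needs a DestinationRule for the ratings host that defines it;
  # that rule is not part of this page.
  - match:
    - headers:
        end-user:
          exact: jason
      uri:
        prefix: /ratings
    route:
    - destination:
        host: ratings.istio-system.svc.cluster.local
        subset: v2
  - match:
    - uri:
        prefix: /ratings
    route:
    - destination:
        host: ratings.istio-system.svc.cluster.local
  # default destination route: no match block, so it catches everything the
  # rules above did not.
  - route:
    - destination:
        host: default-service.istio-system.svc.cluster.local
        port:
          number: 8080
---
# --- HTTPRouteDestination ---------------------------------------------------
# Weighted split for a canary: 25% of requests to subset v2, 75% to v1.
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  labels:
    app.kubernetes.io/name: my-app
    app.kubernetes.io/version: "0.1.0"
  name: bookinfo-canary
  namespace: istio-system
spec:
  # NOTE(review): as for the TCP example, confirm that a gateway binding
  # (rather than `mesh`) is intended for this cluster-local host.
  gateways:
  - istio-system/ext-host-gw
  hosts:
  - canary.prod.svc.cluster.local
  http:
  - route:
    - destination:
        host: canary.prod.svc.cluster.local
        subset: v2
      weight: 25
    - destination:
        host: canary.prod.svc.cluster.local
        subset: v1
      weight: 75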

DestinationRule

yaml
# destinationrule.yaml
# Defines three version subsets of my-svc and the load-balancing policy used
# when calling them.
# No tls settings appear in any trafficPolicy here. NOTE(review): whether
# calls to my-svc are mutual-TLS therefore depends on mesh-level settings
# (auto mTLS, PeerAuthentication) that this page does not show - confirm.
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: my-destination-rule
spec:
  host: my-svc
  # Default for every subset that does not set its own policy (v1 and v3).
  trafficPolicy:
    loadBalancer:
      simple: RANDOM
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    # Subset-level policy takes the place of the top-level one for v2.
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
    labels:
      version: v2
  - name: v3
    labels:
      version: v3

Deploy By Container

Sidecar Mode

Install by istioctl

bash
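# Download istioctl
# Fetch the installer to a file so it can be read before it runs; piping it
# straight into sh executes whatever the server returns at that moment.
# ISTIO_VERSION pins the release so the directory name below matches what is
# actually downloaded (without it the script fetches the latest release).
curl -fsSL -o downloadIstio.sh https://istio.io/downloadIstio
ISTIO_VERSION=1.23.2 sh downloadIstio.sh
cd istio-1.23.2
export PATH=$PWD/bin:$PATH

# istioctl
# Reference commands, not a sequence: note that the last one removes Istio.
istioctl profile list
istioctl profile dump demo
istioctl profile diff default stable
istioctl manifest generate > generated-manifest.yaml
istioctl uninstall --purge

# install istio cluster
# Envoy access logs go to the proxy container's stdout.
istioctl install --set meshConfig.accessLogFile=/dev/stdout
# Pods created in `default` after this get a sidecar injected.
kubectl label namespace default istio-injection=enabled
# install Gateway API CRD resource (only when the CRD is not already present)
# The manifests are pulled from GitHub at tag v1.1.0 and applied cluster-wide.
kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
{ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.1.0" | kubectl apply -f -; }
# install Gateway (the gateway.yaml manifest from the Gateway section)
kubectl apply -f gateway.yaml -n istio-system

# uninstall
kubectl delete -f samples/addons
istioctl uninstall -y --purge
kubectl delete namespace istio-system
# A trailing "-" removes the label.
kubectl label namespace default istio-injection-
kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.1.0" | kubectl delete -f -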

Install by helm

bash
# Register the Istio chart repository and refresh the local index
helm repo add istio https://istio-release.storage.googleapis.com/charts
helm repo update
kubectl create namespace istio-system

# None of the installs below passes --version, so each one takes the newest
# chart in the repository at install time; pin --version for repeatable,
# reviewable rollouts.

# istio-base: cluster-wide CRDs
helm install istio-base istio/base --namespace istio-system

# istiod: the control plane
helm install istiod istio/istiod --namespace istio-system --wait

# Gateways: one internal and one external, in their own namespace.
# values-internal.yaml / values-external.yaml are not shown on this page.
kubectl create namespace istio-ingress
helm install istio-ingress-internal istio/gateway --namespace istio-ingress --wait --values values-internal.yaml
helm install istio-ingress-external istio/gateway --namespace istio-ingress --wait --values values-external.yaml

Deploy application

bash
# Deploy the bookinfo sample. The manifest is read from the release-1.23
# branch over the network, so its content can change between runs; download
# and review it first when that matters.
kubectl apply --filename https://raw.githubusercontent.com/istio/istio/release-1.23/samples/bookinfo/platform/kube/bookinfo.yaml
kubectl get pods,services
# Smoke test from inside the mesh: call productpage from the ratings
# container and print the page title.
kubectl exec "$(kubectl get pod --selector app=ratings --output jsonpath='{.items[0].metadata.name}')" \
  --container ratings -- curl --silent --show-error productpage:9080/productpage \
  | grep --only-matching "<title>.*</title>"

Outside traffic and access

bash
# Gateway API gateway for bookinfo
kubectl apply --filename samples/bookinfo/gateway-api/bookinfo-gateway.yaml
# ClusterIP keeps the gateway Service reachable only from inside the cluster
# instead of requesting an external load balancer.
kubectl annotate gateway bookinfo-gateway networking.istio.io/service-type=ClusterIP --namespace default
kubectl get gateway

# VirtualService
kubectl apply --filename virtualservice.yaml

# Inspect the applied resource (xxx stands for the VirtualService name)
kubectl get virtualservice xxx --output yaml

Ambient Mode

bash
#

Reference:

  1. Official Website
  2. Repository
  3. GKE service-load-balancer-parameters
