Istio - Installation

Istio architecture

Either download Istio directly from or get the latest version by using curl:

export ISTIO_VERSION="1.0.6"
test -d tmp || mkdir tmp
cd tmp
curl -sL | sh -

Change the directory to the Istio installation files location:

cd istio*

Install istioctl:

sudo mv bin/istioctl /usr/local/bin/

Define the credentials you want to use as the Kiali username and passphrase (admin/admin), base64-encoded as Kubernetes Secret values must be:

export KIALI_USERNAME=$(echo -n "admin" | base64)
export KIALI_PASSPHRASE=$(echo -n "admin" | base64)

Create the namespace and secret:

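# The Helm chart below installs Kiali into istio-system, so the secret must live there
export NAMESPACE="istio-system"
kubectl create namespace $NAMESPACE

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: kiali
  namespace: $NAMESPACE
  labels:
    app: kiali
type: Opaque
data:
  username: $KIALI_USERNAME
  passphrase: $KIALI_PASSPHRASE
EOF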
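
The Kiali Secret above, built with a generated passphrase instead of admin/admin, as an added example that is not part of the original workshop. The function names, the 16-character minimum and the 18 random bytes are assumptions; decode_field shows that anyone who can read the Secret recovers the plaintext, because base64 is only an encoding.

```shell
#!/bin/sh
# Added example (not from the workshop): build the Kiali Secret with a generated passphrase.
# Function names, the 16-character minimum and the 18 random bytes are assumptions.

# 18 bytes from the kernel CSPRNG, hex-encoded: 36 characters, 144 bits.
gen_passphrase() {
  od -An -N18 -tx1 /dev/urandom | tr -d ' \n'
}

# Base64-encode one value on a single line, as Secret "data" fields require.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Reject a passphrase equal to the username (the admin/admin case) or shorter than 16.
check_passphrase() {
  [ "$2" != "$1" ] || { echo "passphrase equals username" >&2; return 1; }
  [ "${#2}" -ge 16 ] || { echo "passphrase shorter than 16 characters" >&2; return 1; }
}

# Print the Secret manifest: render_kiali_secret NAMESPACE USERNAME PASSPHRASE
render_kiali_secret() {
  check_passphrase "$2" "$3" || return 1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: kiali
  namespace: $1
  labels:
    app: kiali
type: Opaque
data:
  username: $(b64 "$2")
  passphrase: $(b64 "$3")
EOF
}

# Read a field back out of a manifest: base64 is reversible by anyone who can read it.
decode_field() {
  printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }' | base64 --decode
}

# Usage against a cluster (requires kubectl, so left commented out here):
# render_kiali_secret istio-system admin "$(gen_passphrase)" | kubectl apply -f -
```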

Install Istio using Helm:

helm install --wait --name istio --namespace istio-system install/kubernetes/helm/istio \
  --set gateways.istio-ingressgateway.type=NodePort \
  --set gateways.istio-egressgateway.type=NodePort \
  --set grafana.enabled=true \
  --set kiali.enabled=true \
  --set kiali.dashboard.grafanaURL=http://localhost:3000 \
  --set kiali.dashboard.jaegerURL=http://localhost:16686 \
  --set servicegraph.enabled=true \
  --set telemetry-gateway.grafanaEnabled=true \
  --set telemetry-gateway.prometheusEnabled=true \
  --set tracing.enabled=true

See the Istio components:

kubectl get --namespace=istio-system svc,deployment,pods -o wide


NAME                             TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                                                                                                   AGE   SELECTOR
service/grafana                  ClusterIP   <none>        3000/TCP                                                                                                                  15m   app=grafana
service/istio-citadel            ClusterIP    <none>        8060/TCP,9093/TCP                                                                                                         15m   istio=citadel
service/istio-egressgateway      NodePort   <none>        80:31610/TCP,443:31811/TCP                                                                                                15m   app=istio-egressgateway,istio=egressgateway
service/istio-galley             ClusterIP     <none>        443/TCP,9093/TCP                                                                                                          15m   istio=galley
service/istio-ingressgateway     NodePort   <none>        80:31380/TCP,443:31390/TCP,31400:31400/TCP,15011:31814/TCP,8060:31435/TCP,853:31471/TCP,15030:30210/TCP,15031:30498/TCP   15m   app=istio-ingressgateway,istio=ingressgateway
service/istio-pilot              ClusterIP     <none>        15010/TCP,15011/TCP,8080/TCP,9093/TCP                                                                                     15m   istio=pilot
service/istio-policy             ClusterIP    <none>        9091/TCP,15004/TCP,9093/TCP                                                                                               15m   istio-mixer-type=policy,istio=mixer
service/istio-sidecar-injector   ClusterIP     <none>        443/TCP                                                                                                                   15m   istio=sidecar-injector
service/istio-telemetry          ClusterIP     <none>        9091/TCP,15004/TCP,9093/TCP,42422/TCP                                                                                     15m   istio-mixer-type=telemetry,istio=mixer
service/jaeger-agent             ClusterIP   None             <none>        5775/UDP,6831/UDP,6832/UDP                                                                                                15m   app=jaeger
service/jaeger-collector         ClusterIP    <none>        14267/TCP,14268/TCP                                                                                                       15m   app=jaeger
service/jaeger-query             ClusterIP    <none>        16686/TCP                                                                                                                 15m   app=jaeger
service/kiali                    ClusterIP   <none>        20001/TCP                                                                                                                 15m   app=kiali
service/prometheus               ClusterIP   <none>        9090/TCP                                                                                                                  15m   app=prometheus
service/servicegraph             ClusterIP    <none>        8088/TCP                                                                                                                  15m   app=servicegraph
service/tracing                  ClusterIP     <none>        80/TCP                                                                                                                    15m   app=jaeger
service/zipkin                   ClusterIP   <none>        9411/TCP                                                                                                                  15m   app=jaeger

NAME                                           READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS                 IMAGES                                                      SELECTOR
deployment.extensions/grafana                  1/1     1            1           15m   grafana                    grafana/grafana:5.2.3                                       app=grafana
deployment.extensions/istio-citadel            1/1     1            1           15m   citadel                                         istio=citadel
deployment.extensions/istio-egressgateway      1/1     1            1           15m   istio-proxy                                     app=istio-egressgateway,istio=egressgateway
deployment.extensions/istio-galley             1/1     1            1           15m   validator                                        istio=galley
deployment.extensions/istio-ingressgateway     1/1     1            1           15m   istio-proxy                                     app=istio-ingressgateway,istio=ingressgateway
deployment.extensions/istio-pilot              1/1     1            1           15m   discovery,istio-proxy,   app=pilot,istio=pilot
deployment.extensions/istio-policy             1/1     1            1           15m   mixer,istio-proxy,   app=policy,istio=mixer,istio-mixer-type=policy
deployment.extensions/istio-sidecar-injector   1/1     1            1           15m   sidecar-injector-webhook                      istio=sidecar-injector
deployment.extensions/istio-telemetry          1/1     1            1           15m   mixer,istio-proxy,   app=telemetry,istio=mixer,istio-mixer-type=telemetry
deployment.extensions/istio-tracing            1/1     1            1           15m   jaeger                                 app=jaeger
deployment.extensions/kiali                    1/1     1            1           15m   kiali                                             app=kiali
deployment.extensions/prometheus               1/1     1            1           15m   prometheus                                   app=prometheus
deployment.extensions/servicegraph             1/1     1            1           15m   servicegraph                               app=servicegraph

NAME                                          READY   STATUS      RESTARTS   AGE   IP            NODE                             NOMINATED NODE   READINESS GATES
pod/grafana-59b8896965-pmwd2                  1/1     Running     0          15m   pruzicka-k8s-istio-workshop-node03   <none>           <none>
pod/istio-citadel-856f994c58-8r8nr            1/1     Running     0          15m   pruzicka-k8s-istio-workshop-node03   <none>           <none>
pod/istio-egressgateway-5649fcf57-sv8wf       1/1     Running     0          15m   pruzicka-k8s-istio-workshop-node03   <none>           <none>
pod/istio-galley-7665f65c9c-8sjmm             1/1     Running     0          15m   pruzicka-k8s-istio-workshop-node03   <none>           <none>
pod/istio-grafana-post-install-kw74d          0/1     Completed   0          10m   pruzicka-k8s-istio-workshop-node03   <none>           <none>
pod/istio-ingressgateway-6755b9bbf6-f7pnx     1/1     Running     0          15m   pruzicka-k8s-istio-workshop-node03   <none>           <none>
pod/istio-pilot-56855d999b-6zq86              2/2     Running     0          15m   pruzicka-k8s-istio-workshop-node01   <none>           <none>
pod/istio-policy-6fcb6d655f-4zndw             2/2     Running     0          15m   pruzicka-k8s-istio-workshop-node02   <none>           <none>
pod/istio-sidecar-injector-768c79f7bf-74wbc   1/1     Running     0          15m   pruzicka-k8s-istio-workshop-node02   <none>           <none>
pod/istio-telemetry-664d896cf5-smz7w          2/2     Running     0          15m   pruzicka-k8s-istio-workshop-node02   <none>           <none>
pod/istio-tracing-6b994895fd-vb58q            1/1     Running     0          15m   pruzicka-k8s-istio-workshop-node02   <none>           <none>
pod/kiali-67c69889b5-sw92h                    1/1     Running     0          15m   pruzicka-k8s-istio-workshop-node03   <none>           <none>
pod/prometheus-76b7745b64-kwzj5               1/1     Running     0          15m   pruzicka-k8s-istio-workshop-node02   <none>           <none>
pod/servicegraph-5c4485945b-j9bp2             1/1     Running     0          15m   pruzicka-k8s-istio-workshop-node02   <none>           <none>

Configure Istio with a new log type and send those logs to Fluentd:

kubectl apply -f ../../files/fluentd-istio.yaml

Check + Enable Istio in default namespace.

Allow the default namespace to use Istio injection:

kubectl label namespace default istio-injection=enabled

Check namespaces:

kubectl get namespace -L istio-injection


default            Active   70m   enabled
es-operator        Active   41m
istio-system       Active   16m
kube-public        Active   70m
kube-system        Active   70m
logging            Active   38m
rook-ceph          Active   59m
rook-ceph-system   Active   63m


Run the following commands in your local environment.

Configure port forwarding to Istio services:

# Jaeger - http://localhost:16686
kubectl port-forward -n istio-system $(kubectl get pod -n istio-system -l app=jaeger -o jsonpath="{.items[0].metadata.name}") 16686:16686 &

# Prometheus - http://localhost:9090/graph
kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l app=prometheus -o jsonpath="{.items[0].metadata.name}") 9090:9090 &

# Grafana - http://localhost:3000/dashboard/db/istio-mesh-dashboard
kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l app=grafana -o jsonpath="{.items[0].metadata.name}") 3000:3000 &

# Kiali - http://localhost:20001
kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l app=kiali -o jsonpath="{.items[0].metadata.name}") 20001:20001 &

# Servicegraph - http://localhost:8088/force/forcegraph.html
kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l app=servicegraph -o jsonpath="{.items[0].metadata.name}") 8088:8088 &