Implementing Service Mesh with Istio in Kubernetes
Introduction
Istio provides a service mesh layer for microservices with traffic management, security, and observability features without changing application code.
Prerequisites
- Kubernetes cluster >=1.22
- kubectl configured
- Helm v3
Step 1: Install Istio
Download and install Istio (pinning the version so the directory name below matches the download):
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.19.0 sh -
cd istio-1.19.0
export PATH=$PWD/bin:$PATH
# Install Istio with the demo profile
istioctl install --set profile=demo --set values.defaultRevision=default -y
# Enable automatic sidecar injection for the default namespace
kubectl label namespace default istio-injection=enabled
Step 2: Deploy Sample Application
Create bookinfo-app.yaml:
apiVersion: v1
kind: Service
metadata:
  name: productpage
  labels:
    app: productpage
    service: productpage
spec:
  ports:
  - port: 9080
    name: http
  selector:
    app: productpage
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: productpage-v1
  labels:
    app: productpage
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: productpage
      version: v1
  template:
    metadata:
      labels:
        app: productpage
        version: v1
    spec:
      containers:
      - name: productpage
        image: docker.io/istio/examples-bookinfo-productpage-v1:1.17.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9080
        env:
        - name: DETAILS_HOSTNAME
          value: details:9080
        - name: REVIEWS_HOSTNAME
          value: reviews:9080
---
apiVersion: v1
kind: Service
metadata:
  name: details
  labels:
    app: details
    service: details
spec:
  ports:
  - port: 9080
    name: http
  selector:
    app: details
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: details-v1
  labels:
    app: details
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: details
      version: v1
  template:
    metadata:
      labels:
        app: details
        version: v1
    spec:
      containers:
      - name: details
        image: docker.io/istio/examples-bookinfo-details-v1:1.17.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9080
Deploy the application:
kubectl apply -f bookinfo-app.yaml
This manifest deploys only productpage and details. The reviews routing in Step 4 additionally needs reviews Deployments labelled version: v1, v2 and v3; the full application, including reviews and ratings, is in samples/bookinfo/platform/kube/bookinfo.yaml of the Istio download.
Step 3: Configure Gateway and VirtualService
Create gateway.yaml:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - bookinfo.example.com
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - bookinfo.example.com
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080
Apply gateway configuration:
kubectl apply -f gateway.yaml
Step 4: Traffic Management with Canary Deployment
Define the subsets for the reviews versions and split traffic between them. Route rules are evaluated in order, so the header-based match for user jason must come before the weighted default route:
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v2
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v3
      weight: 10
Step 5: Security Policies with mTLS
Enforce mutual TLS in STRICT mode and restrict which identities may call each workload. In the productpage policy, from and to belong to the same rule, so a request is allowed only when the caller is the ingress gateway and the request is a GET on one of the listed paths:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
spec:
  selector:
    matchLabels:
      app: productpage
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/productpage", "/static/*", "/login", "/logout", "/api/v1/products/*"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: details-viewer
spec:
  selector:
    matchLabels:
      app: details
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/default"]
    to:
    - operation:
        methods: ["GET"]
Two caveats: a PeerAuthentication named default applied without a namespace covers only the namespace it is created in (here default); to require STRICT mTLS mesh-wide, create it in istio-system. And cluster.local/ns/default/sa/default is the identity of every pod in the default namespace that runs under the default service account, so details-viewer admits more than productpage; giving productpage its own service account and naming that principal narrows the policy to the intended caller.
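As an added illustration (not Istio code and not from the original page), the following Python models how Istio evaluates an ALLOW AuthorizationPolicy: a rule matches only when every section it has (from, to) matches, and the request is allowed when any rule matches. It compares the productpage policy written as one rule with the same content split into two rules, which is what results if `to` is indented as a separate list item; the split form admits any GET on the listed paths from any caller, including a plaintext caller with no peer identity.

```python
# Added illustration (not Istio code): minimal model of ALLOW-policy evaluation
GATEWAY_SA = "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
PATHS = ["/productpage", "/static/*", "/login", "/logout", "/api/v1/products/*"]

def match(pattern, value):
    """Istio string matching: exact, '*' (any), 'abc*' (prefix) or '*abc' (suffix)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value

def source_ok(src, principal):
    # principal is the peer's identity from mTLS; "" when the caller presents none
    return any(match(p, principal) for p in src["source"].get("principals", ["*"]))

def operation_ok(dst, method, path):
    op = dst["operation"]
    return (("methods" not in op or method in op["methods"])
            and any(match(p, path) for p in op.get("paths", ["*"])))

def rule_matches(rule, principal, method, path):
    # from/to are "any of" lists; every section present on the rule must match
    froms, tos = rule.get("from", []), rule.get("to", [])
    return ((not froms or any(source_ok(s, principal) for s in froms))
            and (not tos or any(operation_ok(t, method, path) for t in tos)))

def allowed(rules, principal, method, path):
    # ALLOW policy on a workload: permit if any rule matches, deny otherwise
    return any(rule_matches(r, principal, method, path) for r in rules)

# Intended policy: one rule, caller must be the gateway AND request a GET on listed paths
COMBINED_RULES = [
    {"from": [{"source": {"principals": [GATEWAY_SA]}}],
     "to": [{"operation": {"methods": ["GET"], "paths": PATHS}}]},
]
# Same content with `to` indented as its own list item: two independent rules
SPLIT_RULES = [
    {"from": [{"source": {"principals": [GATEWAY_SA]}}]},
    {"to": [{"operation": {"methods": ["GET"], "paths": PATHS}}]},
]

if __name__ == "__main__":
    for name, rules in (("combined", COMBINED_RULES), ("split", SPLIT_RULES)):
        print(name, "anonymous GET /productpage ->", allowed(rules, "", "GET", "/productpage"))
        print(name, "gateway POST /login ->", allowed(rules, GATEWAY_SA, "POST", "/login"))
```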
Step 6: Observability Configuration
Install observability addons:
kubectl apply -f samples/addons/kiali.yaml
kubectl apply -f samples/addons/jaeger.yaml
kubectl apply -f samples/addons/prometheus.yaml
kubectl apply -f samples/addons/grafana.yaml
Create the telemetry configuration. Provider names must correspond to entries under meshConfig.extensionProviders, and providers and overrides for the same metrics go in one list entry:
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: metrics
spec:
  metrics:
  - providers:
    - name: prometheus
    overrides:
    - match:
        metric: ALL_METRICS
      tagOverrides:
        request_protocol:
          value: "http"
---
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: tracing
spec:
  tracing:
  - providers:
    - name: jaeger
Step 7: Advanced Traffic Policies
Implement circuit breaker and retry policies. The outlier detection settings belong under outlierDetection, not under connectionPool.http:
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews-circuit-breaker
spec:
  host: reviews
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 10
      http:
        http1MaxPendingRequests: 10
        maxRequestsPerConnection: 2
        maxRetries: 3
    outlierDetection:
      consecutiveGatewayErrors: 5
      interval: 30s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
      minHealthPercent: 30
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews-retry
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
    retries:
      attempts: 3
      perTryTimeout: 2s
      retryOn: gateway-error,connect-failure,refused-stream
    timeout: 10s
Both resources target the same host as the reviews DestinationRule and VirtualService from Step 4, and the reviews-retry route names no subset, so it does not preserve the canary split. Because the order in which Istio applies several VirtualServices for one host is not guaranteed, the safer option is to add trafficPolicy to the existing reviews DestinationRule and retries and timeout to the routes of the existing reviews VirtualService.
Step 8: Rate Limiting
Configure rate limiting with Envoy's local rate limit filter. The token bucket allows 10 requests per 60 seconds per sidecar instance; requests beyond that are rejected with HTTP 429:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-ratelimit
spec:
  workloadSelector:
    labels:
      app: productpage
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.local_ratelimit
        typed_config:
          "@type": type.googleapis.com/udpa.type.v1.TypedStruct
          type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
          value:
            stat_prefix: local_rate_limiter
            token_bucket:
              max_tokens: 10
              tokens_per_fill: 10
              fill_interval: 60s
            filter_enabled:
              runtime_key: local_rate_limit_enabled
              default_value:
                numerator: 100
                denominator: HUNDRED
            filter_enforced:
              runtime_key: local_rate_limit_enforced
              default_value:
                numerator: 100
                denominator: HUNDRED
Step 9: Multi-Cluster Service Mesh
For a multi-cluster setup:
# Install Istio on cluster 1
istioctl install --set values.pilot.env.EXTERNAL_ISTIOD=true
# Set the cluster and network identity for cluster 1. An IstioOperator resource
# is acted on when passed to istioctl install; applying it with kubectl does
# nothing unless the (deprecated) in-cluster operator is running.
cat > cluster1.yaml <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: control-plane
spec:
  values:
    pilot:
      env:
        CLUSTER_ID: cluster1
        NETWORK: network1
EOF
istioctl install -f cluster1.yaml
# Install Istio on cluster 2 (remote)
istioctl install --set istiodRemote.enabled=true
Step 10: Monitoring and Troubleshooting
Create monitoring dashboard access:
# Access Kiali dashboard
kubectl port-forward svc/kiali -n istio-system 20001:20001
# Access Jaeger
kubectl port-forward svc/jaeger -n istio-system 16686:16686
# Access Grafana
kubectl port-forward svc/grafana -n istio-system 3000:3000
# Check proxy configuration (replace xxx with the pod name suffix from kubectl get pods)
istioctl proxy-config cluster productpage-v1-xxx.default
# Analyze configuration
istioctl analyze
# Check proxy status
istioctl proxy-status
Summary
Istio service mesh provides traffic management, security policies, and observability for microservices without code changes. Use VirtualServices for routing, DestinationRules for policies, and PeerAuthentication for mTLS security.