
Istio is an open-source service mesh that provides a key set of functionality across the microservices in a Kubernetes cluster. These features include traffic management, service identity and security, policy enforcement, and observability.
In this article, we will take you through installing this service mesh, emphasizing some important points that usually can’t be found in tutorials.

First, setting up an AKS cluster:

To set up your cluster, you can refer to this article: https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough. I assume that you’ve created an AKS cluster (Kubernetes 1.13 and above, with RBAC enabled), so here we will continue with making the connection to your AKS cluster.

First of all, make sure that you have installed the “AZ CLI” tool on your local machine. Each cloud provider has its own command-line interface to manage the resources inside it, and the one for Azure is called “AZ CLI”.

Refer to https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest to install it, and afterward make sure that you have logged in using the next command:

az login

After logging in with AZ, you will be able to manage the Azure resources that you have access to using different commands.

We can start by installing kubectl on your local machine using the next command:

az aks install-cli

kubectl is the command-line tool for managing a Kubernetes cluster, and I assume here that you already know what a Kubernetes cluster is.

To connect to your AKS cluster, run the next command with your resource group name and cluster name:

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

That command fetches your credentials and caches them in the kubeconfig file, so they are used automatically whenever you run any other kubectl commands.
Note: if you have multiple subscriptions on Azure, then you need to choose your target subscription with the next commands:

az account list --output table
az account set --subscription <name or id>

The kubeconfig is a local kubectl file that stores the access information for your clusters. Be aware that if you have multiple clusters, you need to select the currently active one using the next command:

kubectl config use-context CONTEXT_NAME

And you can use the next command to list all contexts:

kubectl config get-contexts

Second, setting up Istio CRDs:

Istio uses Custom Resource Definitions (CRDs) to manage its runtime configuration. We need to install the Istio CRDs first since the Istio components have a dependency on them.
First of all, you will need to install Istio on your local machine:

ISTIO_VERSION=1.3.2
curl -sL "https://github.com/istio/istio/releases/download/$ISTIO_VERSION/istio-$ISTIO_VERSION-osx.tar.gz" | tar xz

The istioctl client binary runs on your client machine and allows you to interact with the Istio service mesh. It adds more functionality on top of the normal kubectl command options.
To install it, use the following commands:

cd istio-$ISTIO_VERSION
sudo cp ./bin/istioctl /usr/local/bin/istioctl
sudo chmod +x /usr/local/bin/istioctl
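
Piping curl straight into tar extracts the archive before anything about it can be checked, and istioctl then gets copied into /usr/local/bin with sudo. The following is an added example, not part of the original article, that downloads to disk, compares the SHA-256 digest and only then extracts; the `.sha256` file next to the tarball and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): verify the Istio release
# archive before extracting it.

# Print the SHA-256 of a file with whichever tool the platform provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeed only if the archive digest equals the first field of the
# checksum file. An empty or malformed checksum file fails the check.
verify_archive() {
  va_expected=$(awk 'NR == 1 {print tolower($1)}' "$2")
  va_actual=$(sha256_of "$1")
  [ "${#va_expected}" -eq 64 ] && [ "$va_actual" = "$va_expected" ]
}

# Download, verify, then extract. Assumption: the release publishes
# "<archive>.sha256" beside the archive.
fetch_istio() {
  fi_version=$1
  fi_platform=${2:-osx}
  fi_base="https://github.com/istio/istio/releases/download/$fi_version"
  fi_file="istio-$fi_version-$fi_platform.tar.gz"
  curl -fsSLO "$fi_base/$fi_file" &&
    curl -fsSLO "$fi_base/$fi_file.sha256" &&
    verify_archive "$fi_file" "$fi_file.sha256" &&
    tar xzf "$fi_file"
}

# Usage: fetch_istio "$ISTIO_VERSION"
```

A checksum served from the same host as the archive catches a corrupted or truncated download, not a compromised release host.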

We will not use istioctl any further in this tutorial, nor will we use the downloaded Istio version for the installation on the cluster, since installing with Helm is easier and better. But you will use istioctl later on to manage the Istio service mesh, and as of the date of writing this article there is no way to install only the command-line tool other than downloading the whole Istio version.

Now we will move on to the Helm installation. Helm is an application package manager running on Kubernetes. It allows describing the application structure through convenient Helm charts and managing it with simple commands. Add the Istio Helm chart repository for the Istio release, and make sure that you run helm repo update to update your local information for the chart repository.

helm repo add istio.io https://storage.googleapis.com/istio-release/releases/$ISTIO_VERSION/charts/
helm repo update

Now to install the CRDs we use the next command:

helm install istio.io/istio-init --name istio-init --namespace istio-system

Since you want to use the Helm package manager, you need to make sure that Tiller is installed on AKS (Tiller is the server-side component of Helm that runs in the Kubernetes cluster). Start by creating a service account for Tiller:

kubectl create serviceaccount --namespace kube-system tiller

Then we need to give that service account cluster-admin capability using the next command:

kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller

Then install helm on AKS by using:

helm init --service-account tiller

Then we can install Istio CRDs on our AKS by using the next command:

helm install istio.io/istio-init --name istio-init --namespace istio-system

Jobs are deployed as part of the istio-init Helm Chart to install the CRDs. These jobs should take less than 20 seconds to complete.

Let’s verify that we have the correct number of Istio CRDs installed. You can verify that all 23 Istio CRDs have been installed by running the following command:

kubectl get crds | grep 'istio.io' | wc -l

Third, setting up Istio components:

Use Helm and the istio chart to install the Istio components into the istio-system namespace in your AKS cluster as follows:

helm install istio.io/istio --name istio --namespace istio-system --version 1.3.2 \
--set global.controlPlaneSecurityEnabled=true \
--set global.mtls.enabled=true \
--set grafana.enabled=true --set grafana.security.enabled=true \
--set tracing.enabled=true \
--set kiali.enabled=true \
--set global.defaultNodeSelector."beta\.kubernetes\.io/os"=linux

Refer to the Istio docs to understand all of the configuration options.
Istio sidecar describes the configuration of the sidecar proxy that mediates inbound and outbound communication to the workload instance it is attached to.
To enable auto-injection of the sidecar for any service that will be installed later on K8, you need to label your pods’ namespace with istio-injection=enabled using the next command:

kubectl label namespace default istio-injection=enabled

That enables the injection on the default namespace.
Use the kubectl get svc command to view the running services. Query the istio-system namespace, where the Istio and add-on components were installed by the istio Helm chart:

kubectl get svc --namespace istio-system --output wide

If you find all of the Istio resources there, the installation was successful.

Fourth, opening K8 dashboard:

In order to be able to monitor and control your resources on your mesh you need to use the next command to open the dashboard:

az aks browse --resource-group myResourceGroup --name myAKSCluster

You may find that you can’t access the resources in the dashboard. In that case, you need to create a cluster role binding with “cluster-admin” as the permission level and grant it to the service account “kubernetes-dashboard” in the “kube-system” namespace. Use the next command for that:

kubectl create clusterrolebinding kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard

You can review the K8 documentation about that command for more info.
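
This binding and the earlier tiller-cluster-rule binding both give a service account cluster-admin, so anything that can act as those accounts controls the whole cluster. The following is an added example, not part of the original article, that lists every such grant so it can be reviewed and removed once it is no longer needed; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): find service accounts that
# hold cluster-admin through a ClusterRoleBinding.

# One line per binding: name <TAB> role <TAB> kind/namespace/name ...
dump_bindings() {
  kubectl get clusterrolebindings -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.roleRef.name}{range .subjects[*]}{"\t"}{.kind}{"/"}{.namespace}{"/"}{.name}{end}{"\n"}{end}'
}

# Reads dump_bindings output on stdin and prints
# "<binding> <namespace>/<serviceaccount>" for each cluster-admin grant.
admin_service_accounts() {
  awk -F'\t' '$2 == "cluster-admin" {
    for (i = 3; i <= NF; i++)
      if (index($i, "ServiceAccount/") == 1)
        print $1, substr($i, length("ServiceAccount/") + 1)
  }'
}

# Constructed sample in dump_bindings format. The two service-account
# bindings are the ones this tutorial creates; ci-view is hypothetical.
sample_bindings() {
  printf 'cluster-admin\tcluster-admin\tGroup//system:masters\n'
  printf 'tiller-cluster-rule\tcluster-admin\tServiceAccount/kube-system/tiller\n'
  printf 'kubernetes-dashboard\tcluster-admin\tServiceAccount/kube-system/kubernetes-dashboard\n'
  printf 'ci-view\tview\tServiceAccount/ci/builder\n'
}

# Against a live cluster: dump_bindings | admin_service_accounts
if [ "${1:-}" = "--sample" ]; then
  sample_bindings | admin_service_accounts
fi
```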

So we have reached the end of this short tutorial. I tried to cover most of the important points in setting up Istio, as I promised, and I hope that it will benefit someone.

I am a Software Architect and AI engineer who has a great passion for integrating technology with businesses and human life.
