Implementing Istio Service Mesh in Kubernetes
Introduction
As a Kubernetes cluster grows, managing communication between microservices becomes difficult and complex: a large number of services interact in real time, and identifying issues such as failed connections, packet loss, and unstable connections becomes challenging.
Istio Service Mesh addresses these challenges by creating an infrastructure layer that handles traffic management, security, and observability without requiring any changes to our application code. It uses sidecar proxies and a centralized configuration, and provides deep visibility into service-to-service interactions.
In this blog, we will look at implementing Istio Service Mesh in a Kubernetes cluster and routing traffic using Gateways and VirtualServices.
Prerequisites
- Kubernetes cluster running
- Istio installed
- kubectl admin privilege access
- kubectl and istioctl CLI tools installed
- Basic understanding of YAML and Kubernetes concepts like pods, services, and deployments.
Understanding Istio Traffic Flow
When Istio is implemented in our cluster, incoming traffic passes through multiple layers before reaching the application pods. At a high level, the traffic path looks like this:
External Client → Load Balancer → Istio Ingress Gateway → Virtual Service → Kubernetes Service → Application Pod (contains Envoy Sidecar)
Installing Istio Service Mesh:
Install istioctl

Install Istio CLI
Add istioctl to PATH

Add istioctl to System PATH
Check the istioctl version to verify the installation:
istioctl version
Now, let's install Istio on the cluster.
We can install Istio with the demo profile, which automatically creates the Istio ingress and egress gateways:
istioctl install --set profile=demo
Enabling Automatic Sidecar Injection:
Sidecar proxies need to be injected into the pods for Istio to work properly. Istio does this itself; we just need to add the label below to the namespace:
kubectl label namespace default istio-injection=enabled
Then we can restart the existing pods in the namespace so that the sidecar proxies are injected; new pods will already have the sidecar proxies.
Configuring Istio Gateway:
The Gateway works as the entry point for external traffic entering the service mesh.

Gateway
Configuring Istio VirtualService:
The VirtualService specifies how traffic from the gateway is directed to internal services.

Virtual Service
Exposing the App from Istio Ingress:
Let's expose the gateway port through the Istio ingress LoadBalancer Service:

Exposing Service
Now users will be able to access the application using the Istio ingress gateway's external IP and the exposed port.
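For reference, a Gateway and VirtualService pair of the kind described in the steps above. This is an added example, not the manifests from the original post; the names demo-gateway and demo-app, the host demo.example.com, the secret demo-example-com-tls and port 8080 are assumptions. It goes one step beyond the post by adding an HTTPS listener, so that traffic reaching the gateway is not served in cleartext.

```yaml
# Added example, not the original post's manifests.
# Assumed names: demo-gateway, demo-app, demo.example.com, demo-example-com-tls, port 8080.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: demo-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway          # default label on the ingress gateway pods
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "demo.example.com"       # explicit host instead of "*"
      tls:
        httpsRedirect: true        # redirect cleartext clients to HTTPS
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "demo.example.com"
      tls:
        mode: SIMPLE               # the gateway terminates TLS
        credentialName: demo-example-com-tls  # TLS Secret in the gateway's namespace
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: demo-app
  namespace: default
spec:
  hosts:
    - "demo.example.com"
  gateways:
    - demo-gateway                 # bind to the Gateway above; if omitted, the route applies only inside the mesh
  http:
    - match:
        - uri:
            prefix: /
      route:
        - destination:
            host: demo-app.default.svc.cluster.local  # Kubernetes Service in front of the pods
            port:
              number: 8080
```

After applying the file with kubectl apply -f, istioctl analyze reports problems such as a VirtualService that references a Gateway that does not exist.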
Conclusion
As the cluster grows, Istio gives proper visibility into the cluster. It also provides a powerful, flexible way to manage and control traffic in a Kubernetes cluster, and it simplifies complex service-to-service communication in microservices architectures.
Istio Documentation – https://istio.io/latest/docs/
Kubernetes Ingress Documentation – https://istio.io/latest/docs/tasks/traffic-management/ingress/kubernetes-ingress/
