Create a namespace for the istio-system components:
30
+
```
31
+
kubectl create namespace istio-system
32
+
```
33
+
34
+
Install all the Istio Custom Resource Definitions (CRDs) using `kubectl apply`, and wait a few seconds for the CRDs to be committed in the Kubernetes API-server:
(!)Ensure all cluster operations are labeled `DONE` before continuing(!)
45
+
Ensure egress blocking is enabled by switching the mode from `ALLOW_ANY` to `REGISTRY_ONLY` in the Istio ConfigMap:
26
46
```
27
-
gcloud beta container operations list
47
+
kubectl get configmap istio -n istio-system -o yaml | sed 's/mode: ALLOW_ANY/mode: REGISTRY_ONLY/g' | kubectl replace -n istio-system -f -
28
48
```
29
49
30
-
### Task 2: Verify our Istio Installation
50
+
### Task 3: Verify our Istio Installation
31
51
Istio is a massive project. Luckily, GKE recently released Istio support out of the box by passing a few beta feature flags upon cluster creation.
32
52
33
53
First, let's verify that Istio is installed and running properly in our cluster. Ensure the following Kubernetes services are deployed: istio-pilot, istio-ingressgateway, istio-policy, istio-telemetry, prometheus, istio-galley, and, optionally, istio-sidecar-injector.
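Review bot: The `sed 's/mode: ALLOW_ANY/mode: REGISTRY_ONLY/g'` pipeline added under "Ensure egress blocking is enabled" has no check that the substitution matched anything. If the ConfigMap does not contain the exact string `mode: ALLOW_ANY`, `kubectl replace` writes the object back unchanged and reports success, so the lab continues with egress still open. Add a verification step right after it, for example `kubectl get configmap istio -n istio-system -o yaml | grep 'mode: REGISTRY_ONLY'`, and state the expected output. The unchanged sentence under the renamed Task 3 heading also still says GKE provides Istio out of the box through beta feature flags, which no longer matches the manual namespace and CRD steps added above it.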
@@ -36,11 +56,8 @@ First, let's verify that Istio is installed and running properly in our cluster.
36
56
kubectl get svc -n istio-system
37
57
```
38
58
Ensure the corresponding Kubernetes pods are deployed and all containers are up and running: istio-pilot-*, istio-ingressgateway-*, istio-egressgateway-*, istio-policy-*, istio-telemetry-*, istio-citadel-*, prometheus-*, istio-galley-*, and, optionally, istio-sidecar-injector-*.
39
-
```
40
-
kubectl get pods -n istio-system
41
-
```
42
59
43
-
### Task 3: Enable Automatic Sidecar Injection
60
+
### Task 4: Enable Automatic Sidecar Injection
44
61
45
62
Each pod in the mesh must be running an Istio compatible sidecar. The sidecar is how all traffic to and from pods in the mesh
46
63
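Review bot: Removing the `kubectl get pods -n istio-system` block (old lines 39 to 41) leaves the sentence "Ensure the corresponding Kubernetes pods are deployed and all containers are up and running" with no command to run. Keep the command, or remove the sentence together with it. Keeping it is the better choice, because the later sidecar-injection and egress steps depend on those pods being up and the services check alone does not show container status.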
@@ -53,7 +70,7 @@ The following command will enable automatic injection for the `default` namespac
### Task 4: Launch our API in the Istio Service Mesh
73
+
### Task 5: Launch our API in the Istio Service Mesh
57
74
Since we have automatic injection enabled for the `default` namespace, any deployments created in that namespace will now have an extra container aka "sidecar" automatically injected. This now places the pod into the Istio service mesh.
58
75
```
59
76
# In the manifests/api directory
@@ -66,13 +83,7 @@ kubectl -n istio-system get service istio-ingressgateway
66
83
67
84
Up until version 1.0, Istio’s default behavior was to block access to external endpoints which created connectivity issues and applications were breaking until all endpoints were configured. We are using a version of Istio that newer than 1.0 so egress is not blocked by default.
68
85
69
-
Paste the IP address with a shortened link as follows in your browser:
Lets build some rules to explicit allow outbound egress traffic to only bit.ly and no other endpoints. This can be accomplished by using a `ServiceEntry`. Check out the file `link-unshorten-egress.yaml` located in the `istio-rules` directory and create it as follows:
77
88
78
89
```
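Review bot: The unchanged paragraph ending "so egress is not blocked by default" now contradicts the earlier step in this same change that switches the mesh from `ALLOW_ANY` to `REGISTRY_ONLY`. After that step egress is blocked, and the `ServiceEntry` in `link-unshorten-egress.yaml` is what permits traffic to bit.ly. Reword the paragraph to say that the installed version defaults to `ALLOW_ANY`, that the lab switched it to `REGISTRY_ONLY` earlier, and that the rule created here is an explicit allow on top of a default deny. While editing it, fix "that newer", "Lets" and "explicit allow".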
@@ -107,5 +118,5 @@ kubectl delete -f api -f istio-rules