Commit c74b8a6

author Jimmy Mesta
committed Sep 10, 2019
istio woes
1 parent f802f82 commit c74b8a6

File tree: 1 file changed, +29 -18 lines

008-Istio/README.md
@@ -17,17 +17,37 @@ kubectl create clusterrolebinding cluster-admin-binding \
1717
--user="$(gcloud config get-value core/account)"
1818
```
1919

20-
Now, we Install Istio using the GKE Addon:
20+
### Task 2: Install Istio
21+
22+
Download and extract the Istio release:
23+
```
24+
wget https://github.com/istio/istio/releases/download/1.1.13/istio-1.1.13-linux.tar.gz && \
25+
tar -xvzf istio-1.1.13-linux.tar.gz && \
26+
cd istio-1.1.13
27+
```
28+
29+
Create a namespace for the istio-system components:
30+
```
31+
kubectl create namespace istio-system
32+
```
33+
34+
Install all the Istio Custom Resource Definitions (CRDs) using `kubectl apply`, and wait a few seconds for the CRDs to be committed in the Kubernetes API-server:
35+
```
36+
helm template install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl apply -f -
2137
```
22-
gcloud beta container clusters update $(gcloud container clusters list --format json | jq -r '.[].name') --update-addons=Istio=ENABLED --istio-config=auth=MTLS_STRICT --region=us-west1-a
38+
39+
Use helm to install the `demo` configuration profile which enables egress-gateway:
40+
```
41+
helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
42+
--values install/kubernetes/helm/istio/values-istio-demo.yaml | kubectl apply -f -
2343
```
2444

25-
(!)Ensure all cluster operations are labeled `DONE` before continuing(!)
45+
Ensure egress blocking is enabled by switching the mode from `ALLOW_ANY` to `REGISTRY_ONLY` in the Istio ConfigMap:
2646
```
27-
gcloud beta container operations list
47+
kubectl get configmap istio -n istio-system -o yaml | sed 's/mode: ALLOW_ANY/mode: REGISTRY_ONLY/g' | kubectl replace -n istio-system -f -
2848
```
2949

30-
### Task 2: Verify our Istio Installation
50+
### Task 3: Verify our Istio Installation
3151
Istio is a massive project. Luckily, GKE recently released Istio support out of the box by passing a few beta feature flags upon cluster creation.
3252

3353
First, let's verify that Istio is installed and running properly in our cluster. Ensure the following Kubernetes services are deployed: istio-pilot, istio-ingressgateway, istio-policy, istio-telemetry, prometheus, istio-galley, and, optionally, istio-sidecar-injector.
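Review bot: the unchanged context sentence `Istio is a massive project. Luckily, GKE recently released Istio support out of the box by passing a few beta feature flags upon cluster creation.` is now wrong after this hunk, because the GKE add-on path (`--update-addons=Istio=ENABLED --istio-config=auth=MTLS_STRICT`) is deleted and Istio is installed from the 1.1.13 tarball with `helm template`; rewrite or drop it. Related: the removed add-on line pinned `auth=MTLS_STRICT`, while nothing in the new `helm template ... --values install/kubernetes/helm/istio/values-istio-demo.yaml` step says which mTLS mode the mesh ends up in, so either state that the `demo` values enable it or document that the mesh is now permissive. Two smaller points: the step says to `wait a few seconds for the CRDs to be committed in the Kubernetes API-server` but gives no way to check, so add a verification such as `kubectl -n istio-system wait --for=condition=complete job --all` or counting `kubectl get crds | grep istio.io` before applying the main chart, otherwise the second `kubectl apply` can race CRD registration and fail with unknown resource kinds; and the release is fetched with `wget` and extracted without checking the published checksum or signature of `istio-1.1.13-linux.tar.gz`, which a security workshop should not model.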
@@ -36,11 +56,8 @@ First, let's verify that Istio is installed and running properly in our cluster.
3656
kubectl get svc -n istio-system
3757
```
3858
Ensure the corresponding Kubernetes pods are deployed and all containers are up and running: istio-pilot-*, istio-ingressgateway-*, istio-egressgateway-*, istio-policy-*, istio-telemetry-*, istio-citadel-*, prometheus-*, istio-galley-*, and, optionally, istio-sidecar-injector-*.
39-
```
40-
kubectl get pods -n istio-system
41-
```
4259

43-
### Task 3: Enable Automatic Sidecar Injection
60+
### Task 4: Enable Automatic Sidecar Injection
4461

4562
Each pod in the mesh must be running an Istio compatible sidecar. The sidecar is how all traffic to and from pods in the mesh
4663

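Review bot: the kept sentence `Ensure the corresponding Kubernetes pods are deployed and all containers are up and running: istio-pilot-*, ...` still asks the reader to check the pods, but this hunk deletes the only command that does it (the fenced `kubectl get pods -n istio-system` block), leaving a verification step with nothing to run; restore the block. Also, `istio-egressgateway-*` is listed among the expected pods while the service list in the unchanged context above (`istio-pilot, istio-ingressgateway, istio-policy, istio-telemetry, prometheus, istio-galley`) omits `istio-egressgateway`; since the `demo` profile is chosen precisely because it enables the egress gateway, add it to the service list as well.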
@@ -53,7 +70,7 @@ The following command will enable automatic injection for the `default` namespac
5370
kubectl label namespace default istio-injection=enabled
5471
```
5572

56-
### Task 4: Launch our API in the Istio Service Mesh
73+
### Task 5: Launch our API in the Istio Service Mesh
5774
Since we have automatic injection enabled for the `default` namespace, any deployments created in that namespace will now have an extra container aka "sidecar" automatically injected. This now places the pod into the Istio service mesh.
5875
```
5976
# In the manifests/api directory
@@ -66,13 +83,7 @@ kubectl -n istio-system get service istio-ingressgateway
6683

6784
Up until version 1.0, Istio’s default behavior was to block access to external endpoints which created connectivity issues and applications were breaking until all endpoints were configured. We are using a version of Istio that newer than 1.0 so egress is not blocked by default.
6885

69-
Paste the IP address with a shortened link as follows in your browser:
70-
```
71-
http://35.197.37.188/api/check?url=https://bit.ly/hi
72-
# This should resolve as expected
73-
```
74-
75-
### Task 5: Build Egress Rules
86+
### Task 6: Build Egress Rules
7687
Lets build some rules to explicit allow outbound egress traffic to only bit.ly and no other endpoints. This can be accomplished by using a `ServiceEntry`. Check out the file `link-unshorten-egress.yaml` located in the `istio-rules` directory and create it as follows:
7788

7889
```
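Review bot: the unchanged paragraph `Up until version 1.0, Istio's default behavior was to block access to external endpoints ... We are using a version of Istio that newer than 1.0 so egress is not blocked by default.` now contradicts the install step added in this commit, which switches the mesh ConfigMap from `mode: ALLOW_ANY` to `mode: REGISTRY_ONLY` so that egress is blocked; rewrite it to say that outbound traffic is blocked because of that setting (and fix `that newer than` to `that is newer than` while there). The deleted block (`http://35.197.37.188/api/check?url=https://bit.ly/hi` with `# This should resolve as expected`) was the step that showed the behaviour before the `ServiceEntry` exists; rather than dropping it, keep a request against the ingress IP obtained from `kubectl -n istio-system get service istio-ingressgateway` and state the now expected result (the call to bit.ly fails until Task 6 adds the rule), so the reader can observe the `REGISTRY_ONLY` policy taking effect and the hard-coded `35.197.37.188` is no longer needed.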
@@ -107,5 +118,5 @@ kubectl delete -f api -f istio-rules
107118

108119
Now, disable Istio:
109120
```
110-
gcloud beta container clusters update $(gcloud container clusters list --format json | jq -r '.[].name') --update-addons=Istio=DISABLED --region=us-west1-a
121+
kubectl delete ns istio-system
111122
```
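Review bot: `kubectl delete ns istio-system` does not undo everything the new install created: the CRDs applied from the `istio-init` chart are cluster-scoped and survive namespace deletion, as do any cluster-scoped roles, bindings and the sidecar-injector webhook configuration rendered by the `istio` chart, and the `istio-injection=enabled` label placed on the `default` namespace in Task 4 stays behind, so pod creation in `default` can keep hitting a webhook whose backing service no longer exists. Tear down in reverse order instead, e.g. `helm template ... | kubectl delete -f -` for the `istio` chart and then for `istio-init` (or at least delete the Istio CRDs explicitly), and remove the label with `kubectl label namespace default istio-injection-`.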
