Kubernetes istio istioctl - ghdrako/doc_snipets GitHub Wiki
- https://istio.io/latest/docs/concepts/traffic-management/
- https://istio.io/latest/docs/ops/configuration/traffic-management/traffic-routing/
How is traffic routed from outside your cluster?
At a very high level, external traffic is routed as follows:
Request → IngressGateway → VirtualService (considering Destination Rules) → endpoints → Pod
Resource:
curl -L https://istio.io/downloadIstio | sh -
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.13.0 sh -
cd istio-1.13.0
./bin/istioctl version
# add istioctl to your PATH
istioctl x precheck
Configuration profiles:
- default: The recommended profile for production deployments. Features minimal add-ons and uses production-grade defaults.
- demo: Used to showcase the breadth of Istio's functionality. Features the complete set of add-ons and configuration optimized for minimal resource usage. It also contains an elevated amount of tracing and access logging, so it is generally not recommended for performance-sensitive deployments.
- minimal: A minimalistic deployment of Istio sufficient to utilize its traffic management capabilities.
istioctl install # install the default Istio configuration profile
istioctl install --set profile=demo
istioctl install --set profile=default
istioctl install --set profile=demo -y
istioctl install --set addonComponents.grafana.enabled=true
istioctl install --charts=manifests/ # use external charts rather than the compiled-in charts to generate the install manifest
istioctl install --set addonComponents.kiali.enabled=true \
--set components.telemetry.enabled=true \
--set components.citadel.enabled=true \
--set values.global.proxy.privileged=true \
--set addonComponents.tracing.enabled=true \
--set values.pilot.traceSampling=100.0 \
--set values.global.proxy.tracer=datadog
istioctl install --set profile=demo \
--set meshConfig.defaultHttpRetryPolicy.attempts=0
istioctl manifest apply --set profile=demo \
--set values.tracing.enabled=true \
--set values.tracing.provider=zipkin
kubectl get pod -n istio-system
istioctl verify-install
Note: When changing any config, make sure to pass all the previous flags together with the new ones. Leaving out any previously enabled option reverts it to its default value. One way to avoid this is to store the profile dump in a file and install from that file, or to use the Helm charts for Istio.
Note: istioctl install and istioctl manifest apply are exactly the same command; since Istio 1.6 the simpler install command replaces manifest apply.
istioctl profile dump default # display the configuration of a profile
istioctl profile dump --config-path components.pilot demo # view a subset of the entire configuration
istioctl profile diff default demo # show differences between profiles
istioctl manifest generate > $HOME/generated-manifest.yaml # generate a manifest before installation to inspect what exactly is installed as well as to track changes to the manifest over time
Note: The output of manifest generate can also be used to install Istio with kubectl apply or equivalent, but this is not recommended.
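Added example (not from this wiki): a small shell workflow for the note above about lost flags. It keeps the complete install configuration in one IstioOperator file of record, renders the manifest and diffs it against the previous render before anything is applied, installs from the file, and verifies the result. It assumes istioctl is on PATH with the subcommands already used on this page (profile dump, manifest generate -f, install -f, verify-install -f); the file and directory names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the wiki: keep the complete install configuration in
# one IstioOperator file under version control and always install from that
# file, so a later change cannot silently revert options set on an earlier run.
# Assumes istioctl on PATH with the 1.13-era subcommands used on this page
# (profile dump, manifest generate -f, install -f, verify-install -f).
# The file and directory names below are constructed placeholders.

ISTIO_CONFIG="${ISTIO_CONFIG:-istio-operator.yaml}"
RENDER_DIR="${RENDER_DIR:-rendered-manifests}"

# Seed the file of record from a profile once; afterwards edit the file and
# never pass --set on the command line.
init_istio_config() {
  profile="${1:-default}"
  if [ -e "$ISTIO_CONFIG" ]; then
    echo "refusing to overwrite $ISTIO_CONFIG" >&2
    return 1
  fi
  istioctl profile dump "$profile" > "$ISTIO_CONFIG"
}

# Render the manifest, show the diff against the previous render so the change
# can be reviewed, then install from the file and verify the result.
apply_istio_config() {
  mkdir -p "$RENDER_DIR"
  istioctl manifest generate -f "$ISTIO_CONFIG" > "$RENDER_DIR/next.yaml"
  if [ -e "$RENDER_DIR/current.yaml" ]; then
    diff -u "$RENDER_DIR/current.yaml" "$RENDER_DIR/next.yaml" || true
  fi
  istioctl install -f "$ISTIO_CONFIG" -y
  istioctl verify-install -f "$ISTIO_CONFIG"
  mv "$RENDER_DIR/next.yaml" "$RENDER_DIR/current.yaml"
}

# Stand-alone: only touch a cluster when istioctl is actually available.
if command -v istioctl >/dev/null 2>&1; then
  [ -e "$ISTIO_CONFIG" ] || init_istio_config default
  apply_istio_config
else
  echo "istioctl not on PATH; functions defined, nothing applied" >&2
fi
```

Commit both the IstioOperator file and the rendered manifest; the diff printed by apply_istio_config is then the review artifact for every control-plane change, and a forgotten option shows up as a removed line instead of disappearing silently.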
kubectl apply -f ./samples/addons
kubectl get pod -n istio-system
istioctl kube-inject -f services/catalog/kubernetes/catalog.yaml
The istioctl kube-inject command takes a Kubernetes resource file and enriches it with the sidecar deployment of the Istio service proxy and a few additional components. The YAML now includes a few extra containers as part of the deployment:
  - args:
    - proxy
    - sidecar
    - --domain
    - $(POD_NAMESPACE).svc.cluster.local
    - --serviceCluster
    - catalog.$(POD_NAMESPACE)
    - --proxyLogLevel=warning
    - --proxyComponentLogLevel=misc:error
    - --trust-domain=cluster.local
    - --concurrency
    - "2"
    env:
    - name: JWT_POLICY
      value: first-party-jwt
    - name: PILOT_CERT_PROVIDER
      value: istiod
    - name: CA_ADDR
      value: istiod.istio-system.svc:15012
    - name: POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    ...
    image: docker.io/istio/proxyv2:1.13.0
    imagePullPolicy: Always
    name: istio-proxy
To enable sidecar injection, we have to label the namespace:
kubectl label namespace dsl-test istio-injection=enabled
kubectl label namespace istioinaction istio-injection=enabled
For services that do not require a sidecar, add the following annotation in the deployment template:
# Pod Annotations
podAnnotations:
  sidecar.istio.io/inject: "false"
$ istioctl proxy-status # overview of your mesh
istioctl proxy-config routes
istioctl dashboard grafana
istioctl dashboard kiali
istioctl dashboard jaeger
kubectl get pods -n istio-system
kubectl get validatingwebhookconfiguration
kubectl delete validatingwebhookconfiguration istiod-default-validator
istioctl upgrade --set profile=default
istioctl x upgrade -f <your-istiocontrolplane-config-changes>
istioctl1.7 install --set revision=1-7-5
istioctl proxy-status
- SYNCED means that Envoy has acknowledged the last configuration Istiod has sent to it.
- NOT SENT means that Istiod hasn't sent anything to Envoy. This usually is because Istiod has nothing to send.
- STALE means that Istiod has sent an update to Envoy but has not received an acknowledgement. This usually indicates a networking issue between Envoy and Istiod or a bug with Istio itself.
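Added example (not from this wiki): a shell triage helper for the proxy-status states above. It lists every proxy with a STALE xDS column, prints a per-state summary, and returns non-zero when anything is STALE, so it can gate a rollout step. The sample output is constructed to mimic the 1.13-era column layout; the webapp and istiod pod names are made up, the other pod names appear on this page.

```shell
#!/bin/sh
# Added example, not from the wiki: triage `istioctl proxy-status` output.
# A STALE column means istiod pushed an update that Envoy never ACKed; this
# flags those proxies and returns non-zero so a rollout step can stop.
# Constructed sample in the 1.13-era column layout (columns separated by two
# or more spaces). The webapp and istiod pod names are made up.
SAMPLE_STATUS='NAME                                                  CDS        LDS        EDS        RDS        ISTIOD                      VERSION
catalog-68666d4988-vqhmb.istioinaction                SYNCED     SYNCED     SYNCED     SYNCED     istiod-5f6dc6c88d-k2jz4     1.13.0
webapp-7b8d5d9c5-x4n2k.istioinaction                  SYNCED     SYNCED     SYNCED     NOT SENT   istiod-5f6dc6c88d-k2jz4     1.13.0
istio-ingressgateway-7d6874b48f-qxhn5.istio-system    SYNCED     STALE      SYNCED     SYNCED     istiod-5f6dc6c88d-k2jz4     1.13.0'

SAMPLE_HEALTHY='NAME                                      CDS        LDS        EDS        RDS        ISTIOD                      VERSION
catalog-68666d4988-vqhmb.istioinaction    SYNCED     SYNCED     SYNCED     SYNCED     istiod-5f6dc6c88d-k2jz4     1.13.0'

# Print the NAME of every proxy whose CDS/LDS/EDS/RDS column is STALE.
# Fields are split on runs of two or more spaces so "NOT SENT" stays one field.
stale_proxies() {
  awk -F'  +' 'NR > 1 {
    for (i = 2; i <= 5; i++) if ($i == "STALE") { print $1; break }
  }'
}

# Count xDS columns per state for a quick summary (NOT SENT is usually benign).
status_summary() {
  awk -F'  +' 'NR > 1 { for (i = 2; i <= 5; i++) n[$i]++ }
               END { for (s in n) printf "%s=%d\n", s, n[s] }' | sort
}

# Return 1 (and list the offenders on stderr) when any proxy is STALE, else 0.
check_proxy_status() {
  stale="$(stale_proxies)"
  if [ -n "$stale" ]; then
    printf 'STALE proxies, check Envoy<->istiod connectivity:\n%s\n' "$stale" >&2
    return 1
  fi
  return 0
}

# Stand-alone run over the constructed sample; in a cluster use:
#   istioctl proxy-status | check_proxy_status
printf '%s\n' "$SAMPLE_STATUS" | status_summary
if printf '%s\n' "$SAMPLE_STATUS" | check_proxy_status; then
  echo "all proxies synced"
fi
```

Pipe the real command into the helper (`istioctl proxy-status | check_proxy_status`); a STALE gateway is worth stopping on, since an ingress gateway that never ACKs a listener or route push is still serving the previous configuration.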
istioctl proxy-config cluster -n istio-system istio-ingressgateway-7d6874b48f-qxhn5
istioctl proxy-config listeners productpage-v1-6c886ff494-7vxhs
istioctl proxy-config listeners productpage-v1-6c886ff494-7vxhs --port 15001 -o json
Inspecting bootstrap configuration
istioctl proxy-config bootstrap -n istio-system istio-ingressgateway-7d6874b48f-qxhn5
The analyze command runs a set of analyzers, each of which is specialized to detect a certain set of issues.
istioctl analyze -n <namespace>
Describe analyzes the Istio configuration that affects one workload directly or indirectly and prints a summary. This summary answers questions about the workload such as
- Is it part of the service mesh?
- What virtual services and destination rules apply to it?
- Does it require mutually authenticated traffic?
$ istioctl x describe pod catalog-68666d4988-vqhmb
$ istioctl x describe pod $POD
The istioctl proxy-config command enables us to retrieve and filter the proxy configuration of a workload based on the Envoy xDS APIs, where each subcommand is appropriately named:
- cluster—Retrieves the cluster configuration
- endpoint—Retrieves the endpoint configuration
- listener—Retrieves the listener configuration
- route—Retrieves the route configuration
- secret—Retrieves the secret configuration
These APIs have the following effects on the proxy:
- Envoy listeners define a networking configuration such as an IP address and port that allows downstream traffic into the proxy.
- An HTTP filter chain is created for the admitted connections. The most important filter in the chain is the router filter, which performs the advanced routing tasks.
- Envoy routes are sets of rules that match the virtual hosts to clusters. Routes are processed in the listed order. The first to match is used to route traffic to clusters of workloads. Routes can be configured statically, but in Istio, RDS is used to dynamically configure them.
- In Envoy clusters, each cluster has a group of endpoints to similar workloads. Subsets are used to further divide workloads within a cluster, which enables fine-grained traffic management.
- Envoy endpoints represent the IP addresses of the workloads that serve the requests.
istioctl proxy-config listeners \
deploy/istio-ingressgateway -n istio-system
ADDRESS PORT MATCH DESTINATION
0.0.0.0 8080 ALL Route: http.8080 # routing for this listener is done by the route http.8080
0.0.0.0 15021 ALL Inline Route: /healthz/ready*
0.0.0.0 15090 ALL Inline Route: /stats/prometheus*
- A listener is configured on port 8080.
- Traffic is routed according to the route named http.8080 for that listener. Traffic arriving on port 80 is forwarded to 8080 by the Kubernetes Service named istio-ingressgateway:
kubectl -n istio-system get svc istio-ingressgateway -o yaml \
| grep "ports:" -A 10
...
  - name: http2
    nodePort: 32589
    port: 80
    protocol: TCP
    targetPort: 8080
...
istioctl pc routes deploy/istio-ingressgateway \
-n istio-system --name http.8080
istioctl pc routes deploy/istio-ingressgateway -n istio-system \
--name http.8080 -o json
$ istioctl profile dump --config-path components.ingressGateways
$ istioctl profile dump --config-path values.gateways.istio-ingressgateway
kubectl exec -it deploy/webapp -c istio-proxy \
-- pilot-agent request GET stats
# list Envoy admin endpoints
kubectl exec -it deploy/webapp -c istio-proxy \
-- pilot-agent request GET help
kubectl exec -it -n istio-system deploy/istiod -- curl localhost:15014/metrics
istioctl manifest generate --set profile=default | kubectl delete -f -
istioctl manifest generate <your original installation options> | kubectl delete -f -
kubectl delete namespace istio-system