Standalone Operator Quick Start Evaluation Install [Experimental]
This guide installs Istio using the standalone Istio operator. The only dependenciesrequired are a supported Kubernetes cluster and the kubectl
command. Thisinstallation method lets you quickly evaluate Istio in a Kubernetes cluster onany platform using a variety of profiles.
To install Istio for production use, we recommend using the Helm Installation guideinstead, which is a stable feature.
Prerequisites
Perform any necessary platform-specific setup.
Check the [Requirements for Pods and Services]/docs/ops/prep/requirements/).
Installation steps
- Install Istio using the operator with the demo profile:
$ kubectl apply -f https://preliminary.istio.io/operator.yaml
This profile is only for demo usage and should not be used in production.
- (Optionally) change profiles from the demo profile to one of the following profiles:
When using the permissive mutual TLS mode, all services accept both plaintext andmutual TLS traffic. Clients send plaintext traffic unless configured formutual TLS migration. This profile is installed during the first step.
Choose this profile for:
- Clusters with existing applications, or
- Applications where services with an Istio sidecar need to be able tocommunicate with other non-Istio Kubernetes servicesRun the following command to switch to this profile:
$ kubectl apply -f https://preliminary.istio.io/operator-profile-demo.yaml
This profile enablesSecret Discovery Service between all clients and servers.
Use this profile to enhance startup performance of services in the Kubernetes cluster. Additionallyimprove security as Kubernetes secrets that contain knownrisks are not used.
Run the following command to switch to this profile:
$ kubectl apply -f https://preliminary.istio.io/operator-profile-sds.yaml
This profile enables Istio’s default settings which contains recommendedproduction settings. Run the following command to switch to this profile:
$ kubectl apply -f https://preliminary.istio.io/operator-profile-default.yaml
This profile deploys a Istio’s minimum components to function.
Run the following command to switch to this profile:
$ kubectl apply -f https://preliminary.istio.io/operator-profile-minimal.yaml
Verifying the installation
This document is a work in progress. Expect verification steps for each of the profiles tovary from these verification steps. Inconsistencies will be resolved prior to the publishing ofIstio 1.4. Until that time, these verification steps only apply to the profile-istio-demo.yaml
profile.
- Ensure the following Kubernetes services are deployed and verify they all have an appropriate
CLUSTER-IP
except thejaeger-agent
service:
$ kubectl get svc -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
grafana ClusterIP 172.21.211.123 <none> 3000/TCP 2m
istio-citadel ClusterIP 172.21.177.222 <none> 8060/TCP,15014/TCP 2m
istio-egressgateway ClusterIP 172.21.113.24 <none> 80/TCP,443/TCP,15443/TCP 2m
istio-galley ClusterIP 172.21.132.247 <none> 443/TCP,15014/TCP,9901/TCP 2m
istio-ingressgateway LoadBalancer 172.21.144.254 52.116.22.242 15020:31831/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:30318/TCP,15030:32645/TCP,15031:31933/TCP,15032:31188/TCP,15443:30838/TCP 2m
istio-pilot ClusterIP 172.21.105.205 <none> 15010/TCP,15011/TCP,8080/TCP,15014/TCP 2m
istio-policy ClusterIP 172.21.14.236 <none> 9091/TCP,15004/TCP,15014/TCP 2m
istio-sidecar-injector ClusterIP 172.21.155.47 <none> 443/TCP,15014/TCP 2m
istio-telemetry ClusterIP 172.21.196.79 <none> 9091/TCP,15004/TCP,15014/TCP,42422/TCP 2m
jaeger-agent ClusterIP None <none> 5775/UDP,6831/UDP,6832/UDP 2m
jaeger-collector ClusterIP 172.21.135.51 <none> 14267/TCP,14268/TCP 2m
jaeger-query ClusterIP 172.21.26.187 <none> 16686/TCP 2m
kiali ClusterIP 172.21.155.201 <none> 20001/TCP 2m
prometheus ClusterIP 172.21.63.159 <none> 9090/TCP 2m
tracing ClusterIP 172.21.2.245 <none> 80/TCP 2m
zipkin ClusterIP 172.21.182.245 <none> 9411/TCP 2m
If your cluster is running in an environment that does notsupport an external load balancer (e.g., minikube), theEXTERNAL-IP
of istio-ingressgateway
will say<pending>
. To access the gateway, use the service’sNodePort
, or use port-forwarding instead.
- Ensure corresponding Kubernetes pods are deployed and have a
STATUS
ofRunning
:
$ kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
grafana-f8467cc6-rbjlg 1/1 Running 0 1m
istio-citadel-78df5b548f-g5cpw 1/1 Running 0 1m
istio-cleanup-secrets-release-1.1-20190308-09-16-8s2mp 0/1 Completed 0 2m
istio-egressgateway-78569df5c4-zwtb5 1/1 Running 0 1m
istio-galley-74d5f764fc-q7nrk 1/1 Running 0 1m
istio-grafana-post-install-release-1.1-20190308-09-16-2p7m5 0/1 Completed 0 2m
istio-ingressgateway-7ddcfd665c-dmtqz 1/1 Running 0 1m
istio-pilot-f479bbf5c-qwr28 2/2 Running 0 1m
istio-policy-6fccc5c868-xhblv 2/2 Running 2 1m
istio-security-post-install-release-1.1-20190308-09-16-bmfs4 0/1 Completed 0 2m
istio-sidecar-injector-78499d85b8-x44m6 1/1 Running 0 1m
istio-telemetry-78b96c6cb6-ldm9q 2/2 Running 2 1m
istio-tracing-69b5f778b7-s2zvw 1/1 Running 0 1m
kiali-99f7467dc-6rvwp 1/1 Running 0 1m
prometheus-67cdb66cbb-9w2hm 1/1 Running 0 1m
Deploy your application
You can now deploy your own application or one of the sample applicationsprovided with the installation like Bookinfo.
The application must use either the HTTP/1.1 or HTTP/2.0 protocols for all its HTTPtraffic; HTTP/1.0 is not supported.
When you deploy your application using kubectl apply
,the Istio sidecar injectorwill automatically inject Envoy containers into yourapplication pods if they are started in namespaces labeled with istio-injection=enabled
:
$ kubectl label namespace <namespace> istio-injection=enabled
$ kubectl create -n <namespace> -f <your-app-spec>.yaml
In namespaces without the istio-injection
label, you can useistioctl kube-inject
to manually inject Envoy containers in your application pods before deployingthem:
$ istioctl kube-inject -f <your-app-spec>.yaml | kubectl apply -f -
Uninstall
Delete the Istio Operator and Istio deployment:
$ kubectl -n istio-operator get IstioControlPlane example-istiocontrolplane -o=json | jq '.metadata.finalizers = null' | kubectl delete -f -
$ kubectl delete ns istio-operator --grace-period=0 --force
$ kubectl delete ns istio-system --grace-period=0 --force
相关内容
Install and customize any Istio configuration profile for in-depth evaluation or production use.
安装和自定义任何 Istio 配置文件以进行深入评估或用于生产。
使用 Istio operator 在 Kubernetes 集群中安装 Istio 指南。
Demystifying Istio's Sidecar Injection Model
De-mystify how Istio manages to plugin its data-plane components into an existing deployment.
Diagnose your Configuration with Istioctl Analyze
Shows you how to use istioctl analyze to identify potential issues with your configuration.
在 Docker Desktop 中运行 Istio 的设置说明。