Standalone Operator Quick Start Evaluation Install [Experimental]

This guide installs Istio using the standalone Istio operator. The only dependencies required are a supported Kubernetes cluster and the kubectl command. This installation method lets you quickly evaluate Istio in a Kubernetes cluster on any platform using a variety of profiles.

To install Istio for production use, we recommend using the Helm Installation guide instead, which is a stable feature.

Prerequisites

  • Perform any necessary platform-specific setup.

  • Check the Requirements for Pods and Services (/docs/ops/prep/requirements/).

Installation steps

  • Install Istio using the operator with the demo profile:
    $ kubectl apply -f https://preliminary.istio.io/operator.yaml

This profile is only for demo usage and should not be used in production.

  • (Optionally) change profiles from the demo profile to one of the following profiles:

When using the permissive mutual TLS mode, all services accept both plaintext and mutual TLS traffic. Clients send plaintext traffic unless configured for mutual TLS migration. This profile is installed during the first step.

Choose this profile for:

  • Clusters with existing applications, or
  • Applications where services with an Istio sidecar need to be able to communicate with other non-Istio Kubernetes services

Run the following command to switch to this profile:

    $ kubectl apply -f https://preliminary.istio.io/operator-profile-demo.yaml

This profile enables Secret Discovery Service between all clients and servers.

Use this profile to enhance startup performance of services in the Kubernetes cluster. It also improves security, because Kubernetes secrets that contain known risks are not used.

Run the following command to switch to this profile:

    $ kubectl apply -f https://preliminary.istio.io/operator-profile-sds.yaml

This profile enables Istio’s default settings, which contain recommended production settings. Run the following command to switch to this profile:

    $ kubectl apply -f https://preliminary.istio.io/operator-profile-default.yaml

This profile deploys the minimum set of components Istio needs to function.

Run the following command to switch to this profile:

    $ kubectl apply -f https://preliminary.istio.io/operator-profile-minimal.yaml

Verifying the installation

This document is a work in progress. Expect verification steps for each of the profiles to vary from these verification steps. Inconsistencies will be resolved prior to the publishing of Istio 1.4. Until that time, these verification steps only apply to the profile-istio-demo.yaml profile.

  • Ensure the following Kubernetes services are deployed and verify they all have an appropriate CLUSTER-IP except the jaeger-agent service:

    $ kubectl get svc -n istio-system
    NAME                     TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                   AGE
    grafana                  ClusterIP      172.21.211.123   <none>          3000/TCP                                  2m
    istio-citadel            ClusterIP      172.21.177.222   <none>          8060/TCP,15014/TCP                        2m
    istio-egressgateway      ClusterIP      172.21.113.24    <none>          80/TCP,443/TCP,15443/TCP                  2m
    istio-galley             ClusterIP      172.21.132.247   <none>          443/TCP,15014/TCP,9901/TCP                2m
    istio-ingressgateway     LoadBalancer   172.21.144.254   52.116.22.242   15020:31831/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:30318/TCP,15030:32645/TCP,15031:31933/TCP,15032:31188/TCP,15443:30838/TCP   2m
    istio-pilot              ClusterIP      172.21.105.205   <none>          15010/TCP,15011/TCP,8080/TCP,15014/TCP    2m
    istio-policy             ClusterIP      172.21.14.236    <none>          9091/TCP,15004/TCP,15014/TCP              2m
    istio-sidecar-injector   ClusterIP      172.21.155.47    <none>          443/TCP,15014/TCP                         2m
    istio-telemetry          ClusterIP      172.21.196.79    <none>          9091/TCP,15004/TCP,15014/TCP,42422/TCP    2m
    jaeger-agent             ClusterIP      None             <none>          5775/UDP,6831/UDP,6832/UDP                2m
    jaeger-collector         ClusterIP      172.21.135.51    <none>          14267/TCP,14268/TCP                       2m
    jaeger-query             ClusterIP      172.21.26.187    <none>          16686/TCP                                 2m
    kiali                    ClusterIP      172.21.155.201   <none>          20001/TCP                                 2m
    prometheus               ClusterIP      172.21.63.159    <none>          9090/TCP                                  2m
    tracing                  ClusterIP      172.21.2.245     <none>          80/TCP                                    2m
    zipkin                   ClusterIP      172.21.182.245   <none>          9411/TCP                                  2m

If your cluster is running in an environment that does not support an external load balancer (e.g., minikube), the EXTERNAL-IP of istio-ingressgateway will say <pending>. To access the gateway, use the service’s NodePort, or use port-forwarding instead.

  • Ensure corresponding Kubernetes pods are deployed and have a STATUS of Running:

    $ kubectl get pods -n istio-system
    NAME                                                           READY   STATUS      RESTARTS   AGE
    grafana-f8467cc6-rbjlg                                         1/1     Running     0          1m
    istio-citadel-78df5b548f-g5cpw                                 1/1     Running     0          1m
    istio-cleanup-secrets-release-1.1-20190308-09-16-8s2mp         0/1     Completed   0          2m
    istio-egressgateway-78569df5c4-zwtb5                           1/1     Running     0          1m
    istio-galley-74d5f764fc-q7nrk                                  1/1     Running     0          1m
    istio-grafana-post-install-release-1.1-20190308-09-16-2p7m5    0/1     Completed   0          2m
    istio-ingressgateway-7ddcfd665c-dmtqz                          1/1     Running     0          1m
    istio-pilot-f479bbf5c-qwr28                                    2/2     Running     0          1m
    istio-policy-6fccc5c868-xhblv                                  2/2     Running     2          1m
    istio-security-post-install-release-1.1-20190308-09-16-bmfs4   0/1     Completed   0          2m
    istio-sidecar-injector-78499d85b8-x44m6                        1/1     Running     0          1m
    istio-telemetry-78b96c6cb6-ldm9q                               2/2     Running     2          1m
    istio-tracing-69b5f778b7-s2zvw                                 1/1     Running     0          1m
    kiali-99f7467dc-6rvwp                                          1/1     Running     0          1m
    prometheus-67cdb66cbb-9w2hm                                    1/1     Running     0          1m
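
The two checks above can be scripted so that a failed or half-ready control plane is not missed by eye. This is an added example, not part of the Istio documentation: the function names and the sample pod names are hypothetical, and it assumes kubectl's default table column order.

```shell
#!/bin/sh
# Added example. Both functions read the default kubectl table on stdin,
# print one line per problem and return non-zero if anything is wrong.
#   kubectl get svc  -n istio-system | check_services
#   kubectl get pods -n istio-system | check_pods

# Every service needs a CLUSTER-IP; only jaeger-agent may show "None".
check_services() {
  awk '
    NR == 1 || NF == 0 { next }            # header row, blank lines
    { n++ }
    $1 == "jaeger-agent" { next }          # headless by design
    $3 == "None" || $3 == "<none>" { print "service " $1 ": no CLUSTER-IP"; bad = 1 }
    END { if (n == 0) { print "no services found"; bad = 1 }
          exit bad + 0 }'
}

# Pods must be Running with every container ready (READY x/x).
# One-shot install jobs legitimately end as Completed with 0/1 ready.
check_pods() {
  awk '
    NR == 1 || NF == 0 { next }
    { n++ }
    $3 == "Completed" { next }
    $3 != "Running" { print "pod " $1 ": STATUS " $3; bad = 1; next }
    { split($2, r, "/")
      if (r[1] != r[2]) { print "pod " $1 ": READY " $2; bad = 1 } }
    END { if (n == 0) { print "no pods found"; bad = 1 }
          exit bad + 0 }'
}

# Constructed sample input (hypothetical pod names, not real cluster output).
sample_pods() {
  cat <<'EOF'
NAME                               READY   STATUS             RESTARTS   AGE
istio-pilot-aaaa-1111              2/2     Running            0          1m
istio-policy-bbbb-2222             1/2     Running            2          1m
istio-telemetry-cccc-3333          0/2     CrashLoopBackOff   5          1m
istio-security-post-install-dddd   0/1     Completed          0          2m
EOF
}

sample_pods | check_pods || echo "verification failed"
```

A pod that is Running but shows READY 1/2 is reported as well, since a proxy or application container that never becomes ready still passes a STATUS-only check.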

Deploy your application

You can now deploy your own application or one of the sample applications provided with the installation like Bookinfo.

The application must use either the HTTP/1.1 or HTTP/2.0 protocols for all its HTTP traffic; HTTP/1.0 is not supported.

When you deploy your application using kubectl apply, the Istio sidecar injector will automatically inject Envoy containers into your application pods if they are started in namespaces labeled with istio-injection=enabled:

    $ kubectl label namespace <namespace> istio-injection=enabled
    $ kubectl create -n <namespace> -f <your-app-spec>.yaml

In namespaces without the istio-injection label, you can use istioctl kube-inject to manually inject Envoy containers in your application pods before deploying them:

    $ istioctl kube-inject -f <your-app-spec>.yaml | kubectl apply -f -

Uninstall

Delete the Istio Operator and Istio deployment:

    $ kubectl -n istio-operator get IstioControlPlane example-istiocontrolplane -o=json | jq '.metadata.finalizers = null' | kubectl delete -f -
    $ kubectl delete ns istio-operator --grace-period=0 --force
    $ kubectl delete ns istio-system --grace-period=0 --force
