Google Kubernetes Engine
Follow these instructions to prepare a GKE cluster for Istio.
Create a new cluster.
$ export PROJECT_ID=`gcloud config get-value project` && \
export M_TYPE=n1-standard-2 && \
export ZONE=us-west2-a && \
export CLUSTER_NAME=${PROJECT_ID}-${RANDOM} && \
gcloud services enable container.googleapis.com && \
gcloud container clusters create $CLUSTER_NAME \
--cluster-version latest \
--machine-type=$M_TYPE \
--num-nodes 4 \
--zone $ZONE \
--project $PROJECT_ID
The default installation of Istio requires nodes with >1 vCPU. If you are installing with the demo configuration profile, you can remove the --machine-type argument to use the smaller n1-standard-1 machine size instead.
To use the Istio CNI feature, the network-policy GKE feature must be enabled in the cluster. Use the --enable-network-policy flag in the gcloud container clusters create command.
For private GKE clusters
An automatically created firewall rule does not open port 15017. This port is needed by the Pilot discovery validation webhook.
To review this firewall rule for master access:
$ gcloud compute firewall-rules list --filter="name~gke-${CLUSTER_NAME}-[0-9a-z]*-master"
To replace the existing rule and allow master access:
$ gcloud compute firewall-rules update <firewall-rule-name> --allow tcp:10250,tcp:443,tcp:15017
Retrieve your credentials for kubectl.
$ gcloud container clusters get-credentials $CLUSTER_NAME \
--zone $ZONE \
--project $PROJECT_ID
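
The private-cluster firewall check above can be scripted. This is an added example, not part of the Istio documentation: it tests whether a rule's ALLOW list already covers TCP 15017 and builds an --allow value that keeps the existing entries, since update --allow replaces the whole list. The function names and the sample ALLOW value are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the Istio docs). Input is a rule's ALLOW list, e.g. from
#   gcloud compute firewall-rules describe <firewall-rule-name> \
#     --format="value(allowed[].map().firewall_rule().list())"

# allows_tcp_port ALLOW PORT -> returns 0 if the comma-separated ALLOW list
# (entries such as tcp:443, tcp:15000-15100, tcp, all) covers TCP PORT.
allows_tcp_port() {
  local allow="$1" port="$2" entry spec lo hi
  local IFS=','
  for entry in $allow; do
    case "$entry" in
      all|tcp) return 0 ;;             # protocol without ports: every port is open
      tcp:*)   spec="${entry#tcp:}" ;;
      *)       continue ;;             # udp, icmp, ... do not help a TCP webhook
    esac
    lo="${spec%-*}"; hi="${spec#*-}"   # a single port gives lo == hi
    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
      return 0
    fi
  done
  return 1
}

# merged_allow ALLOW PORT -> prints ALLOW with tcp:PORT appended only if it is
# missing, so the update does not silently drop entries already on the rule.
merged_allow() {
  if allows_tcp_port "$1" "$2"; then
    printf '%s\n' "$1"
  else
    printf '%s\n' "${1:+$1,}tcp:$2"
  fi
}

# Constructed sample value for a private cluster's master-access rule.
current='tcp:10250,tcp:443'
if ! allows_tcp_port "$current" 15017; then
  echo "tcp:15017 is not open; run:"
  echo "  gcloud compute firewall-rules update <firewall-rule-name> --allow $(merged_allow "$current" 15017)"
fi
```

Running the check again after the update confirms that the webhook port is reachable from the master without widening the rule beyond the one added port.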