Installing Istio for Knative

This guide walks you through manually installing and customizing Istio for use with Knative.

If your cloud platform offers a managed Istio installation, we recommend installing Istio that way, unless you need to customize your installation.

Before you begin

You need:

  • A Kubernetes cluster created.
  • istioctl installed.
  • Knative Serving installed (it can also be installed after Istio).

Supported Istio versions

You can view the latest tested Istio version on the Knative Net Istio releases page.

Installing Istio

When you install Istio, there are a few options depending on your goals. For a basic Istio installation suitable for most Knative use cases, follow the Basic installation with istioctl instructions. If you’re familiar with Istio and know what kind of installation you want, read through the options and choose the installation that suits your needs.

Basic installation with istioctl

  1. Install and customize Istio with istioctl:

    istioctl install -y

  2. To integrate Istio with Knative Serving, install the Knative Istio controller by running the command:

    kubectl apply -f https://github.com/knative/net-istio/releases/download/knative-v1.14.2/net-istio.yaml

    Hint

    Make sure to also install Knative Serving and configure DNS.

Forming a service mesh

The Istio service mesh provides a few benefits:

  • Allows you to turn on mutual TLS, which secures service-to-service traffic within the cluster.

  • Allows you to use the Istio authorization policy, controlling the access to each Knative service based on Istio service roles.

If you want to use Istio as a service mesh, you must make sure that Istio sidecars are injected into all pods that should be part of the service mesh. There are two ways to achieve this:

Using Istio mTLS feature with Knative

Because there is network traffic between the knative-serving namespace and the namespaces where your services run, an environment with mTLS enabled needs some additional preparation.

Note

It is strongly recommended to use automatic sidecar injection to avoid manually injecting sidecars into all pods in knative-serving.

  1. Enable sidecar injection on the knative-serving system namespace:

    kubectl label namespace knative-serving istio-injection=enabled

  2. Set PeerAuthentication to PERMISSIVE on the knative-serving system namespace by creating a YAML file using the following template:

    apiVersion: "security.istio.io/v1beta1"
    kind: "PeerAuthentication"
    metadata:
      name: "default"
      namespace: "knative-serving"
    spec:
      mtls:
        mode: PERMISSIVE

  3. Apply the YAML file by running the command:

    kubectl apply -f <filename>.yaml

    Where <filename> is the name of the file you created in the previous step.
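Automatic injection only affects pods created after the namespace is labeled, and a pod can opt out with the sidecar.istio.io/inject: "false" annotation; any pod without an istio-proxy container sits outside mTLS and outside Istio authorization policy. The following script is an added example, not part of the Knative or Istio projects: it audits the JSON that `kubectl get namespace knative-serving -o json` and `kubectl get pods -n knative-serving -o json` produce and reports which pods are missing the sidecar and why. The embedded sample documents are constructed to show the shape of that output, not captured from a real cluster.

```python
"""Audit whether every pod in a namespace actually carries the Istio sidecar.

Usage (assumed workflow, not a Knative command):
  kubectl get namespace knative-serving -o json > ns.json
  kubectl get pods -n knative-serving -o json > pods.json
  python3 mesh_audit.py ns.json pods.json
"""
import json
import sys

# Name of the container Istio's injector adds to every meshed pod.
SIDECAR_CONTAINER = "istio-proxy"
INJECT_ANNOTATION = "sidecar.istio.io/inject"

# Constructed sample of `kubectl get namespace ... -o json`, trimmed to the
# fields this check reads. Not real cluster output.
SAMPLE_NAMESPACE = json.dumps({
    "metadata": {"name": "knative-serving",
                 "labels": {"istio-injection": "enabled"}}
})

# Constructed sample of `kubectl get pods -o json`: one pod with a sidecar,
# one created before the namespace was labeled, one that opted out.
SAMPLE_PODS = json.dumps({
    "items": [
        {"metadata": {"name": "activator-1", "namespace": "knative-serving"},
         "spec": {"containers": [{"name": "activator"},
                                 {"name": "istio-proxy"}]}},
        {"metadata": {"name": "autoscaler-1", "namespace": "knative-serving"},
         "spec": {"containers": [{"name": "autoscaler"}]}},
        {"metadata": {"name": "controller-1", "namespace": "knative-serving",
                      "annotations": {INJECT_ANNOTATION: "false"}},
         "spec": {"containers": [{"name": "controller"}]}},
    ]
})


def injection_enabled(namespace_json):
    """True if the namespace carries the istio-injection=enabled label."""
    ns = json.loads(namespace_json)
    labels = ns.get("metadata", {}).get("labels") or {}
    return labels.get("istio-injection") == "enabled"


def pods_without_sidecar(pod_list_json):
    """Map each pod lacking an istio-proxy container to the likely reason."""
    missing = {}
    for pod in json.loads(pod_list_json).get("items", []):
        containers = [c["name"] for c in pod["spec"].get("containers", [])]
        if SIDECAR_CONTAINER in containers:
            continue
        meta = pod["metadata"]
        annotations = meta.get("annotations") or {}
        if annotations.get(INJECT_ANNOTATION) == "false":
            missing[meta["name"]] = "injection disabled by pod annotation"
        else:
            # The injector is a mutating webhook that runs at pod creation,
            # so pods older than the namespace label keep running without it.
            missing[meta["name"]] = ("no sidecar; pod likely predates the "
                                     "namespace label, restart it")
    return missing


def mesh_report(namespace_json, pod_list_json):
    """Combine both checks into one result suitable for a CI gate."""
    missing = pods_without_sidecar(pod_list_json)
    return {
        "injection_enabled": injection_enabled(namespace_json),
        "pods_outside_mesh": missing,
        "ok": injection_enabled(namespace_json) and not missing,
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as ns_f, open(sys.argv[2]) as pods_f:
            report = mesh_report(ns_f.read(), pods_f.read())
    else:
        report = mesh_report(SAMPLE_NAMESPACE, SAMPLE_PODS)
    print(json.dumps(report, indent=2))
    sys.exit(0 if report["ok"] else 1)
```

Run it against the knative-serving namespace after step 1 and after any restart of the Knative control-plane pods; a non-zero exit means at least one pod still handles traffic outside the mesh, which is exactly the gap that makes a PERMISSIVE or STRICT PeerAuthentication ineffective for that pod.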

Configuring the installation

Updating the config-istio configmap to use a non-default local gateway

If you create a custom service and deployment for the local gateway with a name other than knative-local-gateway, you need to update the gateway ConfigMap config-istio in the knative-serving namespace.

  1. Edit the config-istio configmap:

    kubectl edit configmap config-istio -n knative-serving

  2. Replace the local-gateways field with the custom service. As an example, if you name both the service and deployment custom-local-gateway under the namespace istio-system, it should be updated to:

    local-gateways: |
      - name: knative-local-gateway
        namespace: knative-serving
        service: custom-local-gateway.istio-system.svc.cluster.local

As an example, if both the custom service and deployment are labeled with custom: custom-local-gateway rather than the default istio: knative-local-gateway, you must also update the Gateway resource knative-local-gateway in the knative-serving namespace:

    kubectl edit gateway knative-local-gateway -n knative-serving

Replace the label selector with the label of your service. The default selector is:

    istio: knative-local-gateway

For the service mentioned earlier, it should be updated to:

    custom: custom-local-gateway

If there is a change in service ports (compared to that of knative-local-gateway), update the port info in the gateway accordingly.

Verifying your Istio installation

View the status of your Istio installation to make sure the installation was successful. You can use istioctl to verify the installation:

    istioctl verify-install

Istio resources

Clean up Istio

See Uninstall Istio.

What’s next