- Kubernetes Tutorial
- Kubernetes - Home
- Kubernetes - Overview
- Kubernetes - Architecture
- Kubernetes - Setup
- Kubernetes - Setup on Ubuntu
- Kubernetes - Images
- Kubernetes - Jobs
- Kubernetes - Labels & Selectors
- Kubernetes - Namespace
- Kubernetes - Node
- Kubernetes - Service
- Kubernetes - POD
- Kubernetes - Replication Controller
- Kubernetes - Replica Sets
- Kubernetes - Deployments
- Kubernetes - Volumes
- Kubernetes - Secrets
- Kubernetes - Network Policy
- Advanced Kubernetes
- Kubernetes - API
- Kubernetes - Kubectl
- Kubernetes - Kubectl Commands
- Kubernetes - Creating an App
- Kubernetes - App Deployment
- Kubernetes - Autoscaling
- Kubernetes - Dashboard Setup
- Kubernetes - Helm Package Management
- Kubernetes - CI/CD Integration
- Kubernetes - Persistent Storage and PVCs
- Kubernetes - RBAC
- Kubernetes - Logging & Monitoring
- Kubernetes - Service Mesh with Istio
- Kubernetes - Backup and Disaster Recovery
- Managing ConfigMaps and Secrets
- Running Stateful Applications
- Kubernetes Useful Resources
- Kubernetes - Quick Guide
- Kubernetes - Useful Resources
- Kubernetes - Discussion
Service Mesh with Istio in Kubernetes
As modern applications grow in complexity, managing service-to-service communication becomes increasingly challenging. This is where a service mesh comes in. A service mesh provides traffic management, security, observability, and resilience between services without modifying the application code.
Istio is one of the most popular service mesh solutions for Kubernetes. It enhances the way services interact by enabling features such as traffic control, security policies, and deep observability.
What is Istio?
Istio is an open-source service mesh that helps manage service-to-service communication within a Kubernetes cluster. It abstracts away complex networking concerns, making it easier to deploy and scale microservices while ensuring security.
Key Features of Istio
- Traffic Management:Route traffic intelligently with features like load balancing, retries, and failover.
- Security:Enforce strong authentication, authorization, and encryption via mTLS (mutual TLS).
- Observability:Gain insights with tracing, monitoring, and logging using built-in integrations with Prometheus, Grafana, and Jaeger.
- Policy Enforcement:Define policies to control service-to-service interactions, rate limiting, and circuit breaking.
Installing Istio on Kubernetes
Before using Istio, we need to install it in our Kubernetes cluster. The latest version of Istio can be installed using the Istio CLI (istioctl).
Prerequisites:
- A running Kubernetes cluster (v1.25 or later).
- kubectl configured to manage the cluster.
- Helm (optional, but useful for managing Istio components).
Download and Install Istio CLI
$ curl -L https://istio.io/downloadIstio | sh - $ cd istio-*/ $ export PATH=$PWD/bin:$PATH
Output
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 101 100 101 0 0 71 0 0:00:01 0:00:01 --:--:-- 71
100 5124 100 5124 0 0 2366 0 0:00:02 0:00:02 --:--:-- 2366
Downloading istio-1.25.0 from https://github.com/istio/istio/releases/download/1.25.0/istio-1.25.0-linux-amd64.tar.gz ...
Istio 1.25.0 download complete!
The Istio release archive has been downloaded to the istio-1.25.0 directory.
Verify installation:
$ istioctl version
Output
client version: 1.25.0
Install Istio in the Kubernetes Cluster
We'll install Istio using the default configuration profile:
$ istioctl install --set profile=demo -y
Output
|\
| \
| \
| \
/|| \
/ || \
/ || \
/ || \
/ || \
/ || \
/______||__________\
____________________
\__ _____/
\_____/
â Istio core installed âµï¸
â Istiod installed ð§
â Egress gateways installed
â Ingress gateways installed
â Installation complete
Enable Istio Sidecar Injection
Enable automatic sidecar injection by labeling the namespace:
$ kubectl label namespace default istio-injection=enabled
Output
namespace/default labeled
Deploying an Application with Istio
Let's deploy a sample microservices application to see Istio in action.
Deploy the Bookinfo Sample App
$ kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.20/samples/bookinfo/platform/kube/bookinfo.yaml
Output
service/details created service/productpage created service/ratings created service/reviews created deployment/details-v1 created deployment/ratings-v1 created deployment/reviews-v1 created deployment/productpage-v1 created
Check if the services are running:
$ kubectl get pods
Output
NAME READY STATUS RESTARTS AGE details-v1-86545f5dfb-ktw6x 2/2 Running 0 33m productpage-v1-7c74cbdbcc-dhrgn 2/2 Running 0 33m ratings-v1-57544668d4-zz2mj 2/2 Running 0 33m reviews-v1-5f58978c56-f8s2h 2/2 Running 0 33m reviews-v2-7bd564ffc6-6kkg9 2/2 Running 0 33m reviews-v3-7dfb7c4b64-lmjjv 2/2 Running 0 33m
Each pod has 2/2 containers, meaning the application and the Istio sidecar proxy (Envoy) are running.
Expose the Application Using Ingress Gateway
$ kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.20/samples/bookinfo/networking/bookinfo-gateway.yaml
Output
gateway.networking.istio.io/bookinfo-gateway created virtualservice.networking.istio.io/bookinfo created
Verify the gateway is created:
$ kubectl get gateway
Output
NAME AGE bookinfo-gateway 43s
Retrieve the external IP:
$ kubectl get svc istio-ingressgateway -n istio-system
Output
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE istio-ingressgateway LoadBalancer 10.100.150.34 34.125.123.45 80:31565/TCP,443:31984/TCP,15021:31276/TCP 5m
Access the application using:
http://<EXTERNAL-IP>/productpage
Alternatively, forward the productpage pod:
$ kubectl port-forward -n default deploy/productpage-v1 8080:9080
Now, open the browser and go to http://localhost:8080/productpage.
Traffic Management with Istio
One of Istioâs most powerful features is controlling traffic between services.
Canary Deployment
We can gradually shift traffic to a new version of a microservice.
Apply the Destination Rule
$ kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.20/samples/bookinfo/networking/destination-rule-all.yaml
Output
destinationrule.networking.istio.io/productpage created destinationrule.networking.istio.io/reviews created destinationrule.networking.istio.io/ratings created destinationrule.networking.istio.io/details created
Now, weâll modify traffic routing rules.
Create a new file named virtual-service.yaml and add the following contents:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- route:
- destination:
host: reviews
subset: v1
weight: 75
- destination:
host: reviews
subset: v2
weight: 25
Apply the changes:
$ kubectl apply -f virtual-service.yaml
Output
virtualservice.networking.istio.io/reviews created
Now, 75% of the traffic goes to reviews:v1, and 25% goes to reviews:v2.
Securing Communication with Istio
Enable Mutual TLS (mTLS)
Istio can enforce mutual TLS (mTLS) to encrypt all service-to-service communication.
Create a new file named mtls-policy.yaml and add the following contents:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: istio-system
spec:
mtls:
mode: STRICT
Apply the policy:
$ kubectl apply -f mtls-policy.yaml
Output
peerauthentication.security.istio.io/default created
Now, all internal traffic is encrypted automatically.
Implement Authorization Policies
To limit access between services, we can deny all traffic by default.
Create a file named auth-policy.yaml and add the following contents:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: default
spec:
action: DENY
rules:
- {}
Apply the policy:
$ kubectl apply -f auth-policy.yaml
Output
authorizationpolicy.security.istio.io/deny-all created
Now, we'll allow traffic only from specific services.
Create a file named auth-allow.yaml and add the following contents:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-productpage
namespace: default
spec:
action: ALLOW
rules:
- from:
- source:
principals: ["cluster.local/ns/default/sa/productpage"]
Apply the new rule:
$ kubectl apply -f auth-allow.yaml
Output
authorizationpolicy.security.istio.io/allow-productpage created
This rule restricts unauthorized access and follows the zero-trust security model, ensuring that only approved services can talk to each other within the Istio mesh.
Istio Fault Injection (Resilience Testing)
Fault injection helps simulate failures to test application resilience. We can introduce artificial delays or errors to observe how the system handles them.
Creating the Fault Injection Rule
Create a file named fault-injection.yaml and add the following lines:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- fault:
delay:
fixedDelay: 5s
percent: 50
route:
- destination:
host: reviews
subset: v1
Output
virtualservice.networking.istio.io/reviews created
With this rule, 50% of requests to the reviews service will experience a 5-second delay. This helps test how your application handles latency and resilience under failure conditions.
Istio Traffic Mirroring (Shadow Traffic)
Traffic mirroring allows sending a copy of live traffic to a new service version without impacting production users.
Creating the Traffic Mirroring Rule
Create a file named traffic-mirroring.yaml and add the following lines:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- route:
- destination:
host: reviews
subset: v1
mirror:
destination:
host: reviews
subset: v2
Apply the rule:
$ kubectl apply -f traffic-mirroring.yaml
Output
virtualservice.networking.istio.io/reviews created
Now, all traffic that goes to reviews v1 will also be mirrored to reviews v2 without affecting the user experience. This allows testing the new version with real-world traffic before fully switching over.
Conclusion
Istio provides a powerful and flexible way to manage microservices in a Kubernetes environment. By abstracting complex networking tasks, Istio enables seamless traffic management, security enforcement, and policy control without modifying application code.
In this guide, we explored Istioâs key features, from installation to advanced traffic control, security policies, and fault injection techniques. With traffic mirroring, canary deployments, rate limiting, and mutual TLS encryption, Istio enhances the resilience, security, and efficiency of microservices at scale.