Using Istio

Istio implements a service mesh, a low-latency infrastructure layer used to process a massive volume of network communications between services in a Managed Service for Kubernetes cluster.

To view Istio usage options:

1. Install Istio.
2. Install a test application.
3. View a service network diagram on the Kiali dashboard.
4. Route service requests.
5. Simulate a service failure.
6. Redistribute traffic.
7. Set authentication mode using mutual TLS.
8. View Istio metrics on the Prometheus dashboard.
9. View Istio metrics on the Grafana dashboard.

If you no longer need the resources you created, delete them.

Getting startedGetting started

1. Create a Kubernetes cluster and a group of nodes.

   Manually

   Terraform

   1. If you do not have a network yet, create one.

   2. If you do not have any subnets yet, create them in the availability zones where your Kubernetes cluster and node group will be created.

   3. Create service accounts:

      • Service account with the k8s.clusters.agent and vpc.publicAdmin roles for the folder where the Kubernetes cluster is created. This service account will be used to create the resources required for the Kubernetes cluster.
      • Service account with the container-registry.images.puller role. Nodes will pull the required Docker images from the registry on behalf of this account.

      Tip

      You can use the same service account to manage your Kubernetes cluster and its node groups.

   4. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

      Warning

      The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

   5. Create a Kubernetes cluster and a node group with at least 6 GB of RAM and the security groups created earlier.

   1. If you do not have Terraform yet, install it.

   2. Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.

   3. Configure and initialize a provider. There is no need to create a provider configuration file manually, you can download it.

   4. Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.

   5. Download the k8s-cluster.tf cluster configuration file to the same working directory. The file describes:

      • Network.

      • Subnet.

      • Kubernetes cluster.

      • Service account required to use the Managed Service for Kubernetes cluster and node group.

      • Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.

        Warning

        The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

   6. In k8s-cluster.tf, specify:

      • Folder ID.
      • Kubernetes version for the Kubernetes cluster and node groups.
      • At least 6 GB of RAM for your node group. The value must be a multiple of the number of vCPUs.
      • Kubernetes cluster CIDR.
      • Name of the Managed Service for Kubernetes cluster service account.

   7. Make sure the Terraform configuration files are correct using this command:

      terraform validate
      

      If there are any errors in the configuration files, Terraform will point them out.

   8. Create the required infrastructure:

      1. Run the command to view planned changes:

         terraform plan
         

         If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.

      2. If you are happy with the planned changes, apply them:

         1. Run the command:

            terraform apply
            

         2. Confirm the update of resources.

         3. Wait for the operation to complete.

      All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

2. Install kubectl and configure it to work with the created cluster.

Install IstioInstall Istio

1. Install Istio from the Yandex Cloud Marketplace application catalog. When installing the application:

   1. Create a new namespace called istio-system.
   2. Install add-ons for Istio: Kiali, Prometheus, Grafana, Loki, and Jaeger.

2. Make sure that all the pods of Istio and its add-ons have changed their status to Running:

   kubectl get pods -n istio-system
   

   Result:

   NAME                                    READY   STATUS    RESTARTS   AGE
   grafana-75c6d4fcf7-v4sfp                1/1     Running   0          2h
   istio-ingressgateway-6496999d57-hdbnf   1/1     Running   0          2h
   istiod-665dbb97c9-s6xxk                 1/1     Running   0          2h
   jaeger-5468d9c886-x2bq8                 1/1     Running   0          2h
   kiali-6854cc8574-26t65                  1/1     Running   0          2h
   loki-0                                  1/1     Running   0          2h
   prometheus-54f86f6676-vmqqr             2/2     Running   0          2h
   

Install a test applicationInstall a test application

1. Create a new namespace called todoapp:

   kubectl create namespace todoapp
   

2. Add the istio-injection label to the todoapp namespace:

   kubectl label namespace todoapp istio-injection=enabled
   

3. Install a test application named todoapp:

   kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/todoapp.yaml -n todoapp
   

   Result:

   deployment.apps/todoapp-v1 created
   deployment.apps/todoapp-v2 created
   deployment.apps/recommender-v1 created
   deployment.apps/todoapp-redis-v1 created
   service/todoapp created
   service/recommender created
   service/todoapp-redis created
   

4. Check the pod status:

   kubectl get pods -n todoapp
   

   Result:

   NAME                                READY   STATUS    RESTARTS   AGE
   recommender-v1-7865c4cfbb-hsp2k     2/2     Running   0          60s
   recommender-v1-7865c4cfbb-vqt68     2/2     Running   0          59s
   todoapp-redis-v1-dbdf4d44-48952     2/2     Running   0          59s
   todoapp-v1-6d4b78b6c9-gfkxd         2/2     Running   0          60s
   todoapp-v1-6d4b78b6c9-jc962         2/2     Running   0          60s
   todoapp-v2-7dd69b445f-2rznm         2/2     Running   0          60s
   todoapp-v2-7dd69b445f-gr4vn         2/2     Running   0          60s
   

   Make sure that all the pods have changed their status to Running and READY=2/2.

5. Check the status of services:

   kubectl get services -n todoapp
   

   Result:

   NAME            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
   recommender     ClusterIP   10.96.255.93    <none>        80/TCP     80s
   todoapp         ClusterIP   10.96.232.143   <none>        80/TCP     80s
   todoapp-redis   ClusterIP   10.96.174.100   <none>        6379/TCP   80s
   

6. Make sure that the web app is up and running:

   kubectl exec "$(kubectl get pod -l app=recommender -n todoapp -o jsonpath='{.items[0].metadata.name}')" -n todoapp \
      -- curl -sS todoapp:80 | grep -o "<title>.*</title>"
   

   Result:

   <title>Todoapp</title>
   

7. Publish the app:

   kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/todoapp-gateway.yaml -n todoapp
   

   Result:

   gateway.networking.istio.io/todoapp-gateway created
   virtualservice.networking.istio.io/todoapp-vs created
   

8. Get the Ingress gateway IP to access the app:

   kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
   

9. To run the web app, paste the obtained IP into the browser address bar.

   Note

   If the resource is unavailable at the specified URL, make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If any rule is missing, add it.

   Each time the page is refreshed, its content will be updated. Depending on the version of the pod processing your request, you will see:

   • Pod v1: Section with a to-do list.
   • Pod v2: Section with a to-do list and a section with recommendations.

View a service network diagram on the Kiali dashboardView a service network diagram on the Kiali dashboard

1. Make sure that Kiali is installed and available in the Managed Service for Kubernetes cluster:

   kubectl get service kiali -n istio-system
   

   Result:

   NAME    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)              AGE
   kiali   ClusterIP   10.96.207.108   <none>        20001/TCP,9090/TCP   15d
   

2. Configure kiali service port forwarding to the local computer:

   kubectl port-forward service/kiali 8080:20001 -n istio-system
   

3. To open the Kiali dashboard, paste http://localhost:8080 into the browser address bar.

   The Kiali dashboard provides various information, such as the service network diagram, Istio configuration, service configuration and status, as well as pod metrics, traces, and logs.

4. To generate traffic to your test app, play around with it. For example, add a to-do list.

5. Open the Kiali dashboard, go to Graph, and select the todoapp namespace. You will see a diagram with the test app components running in the Istio service network.

   Tip

   Use the Kiali dashboard to track changes in the next steps of this tutorial. For example, you can see how the display of services or traffic distribution changes.

Route service requestsRoute service requests

The todoapp service pods are deployed on v1 and v2 concurrently. When the test app page is refreshed, the recommendations panel is sometimes not displayed, as only the todoapp v2 pods make requests to the service and show the results.

Use routing to route users to a specific service version:

1. Route all requests to v1:

   kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-route-v1.yaml -n todoapp
   

   Result:

   destinationrule.networking.istio.io/todoapp-dr created
   virtualservice.networking.istio.io/todoapp-vs configured
   

2. Refresh the test app page several times. Now all requests are handled by the v1 pods. The page only shows the to-do list.

3. Route all requests to v2:

   kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-route-v2.yaml -n todoapp
   

   Result:

   destinationrule.networking.istio.io/todoapp-dr unchanged
   virtualservice.networking.istio.io/todoapp-vs configured
   

4. Refresh the test app page several times. Now all requests are handled by the v2 pods. The page shows the to-do list and recommendations sections.

To cancel routing, run the command below:

kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/todoapp-gateway.yaml -n todoapp

Result:

gateway.networking.istio.io/todoapp-gateway unchanged
virtualservice.networking.istio.io/todoapp-vs configured

Simulate a service failureSimulate a service failure

With Istio, you can test your app's reliability by simulating service failures.
When accessing the recommender service, there is a 3-second timeout. If the service does not respond within this time, the recommendations section is not displayed.

You can simulate a failure by specifying a timeout longer than 3 seconds in the VirtualService resource configuration. For example, this code block implements a 50-percent probability of a 5-second delay:

fault:
  delay:
    percentage:
      value: 50.0
    fixedDelay: 5s

To simulate a failure of your test app:

1. Apply the VirtualService configuration:

   kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-delay.yaml -n todoapp
   

   Result:

   destinationrule.networking.istio.io/recommender-dr created
   virtualservice.networking.istio.io/recommender-vs created
   

2. Refresh the test app page several times. When there is a response delay, the recommendations section is not displayed although the request is handled by the v2 pod. The app handles a failure of the recommender service correctly.

To roll back the VirtualService configuration, run this command:

kubectl delete -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-delay.yaml -n todoapp

Result:

destinationrule.networking.istio.io "recommender-dr" deleted
virtualservice.networking.istio.io "recommender-vs" deleted

Redistribute trafficRedistribute traffic

When upgrading the microservice version, you can redistribute traffic between its versions without affecting the number of application pods. You can manage traffic routes using the weight parameter of the VirtualService resource.

To redistribute traffic in your test app:

1. Set the weight for v1 and v2 to 50%:

   kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-weight-v2-50.yaml -n todoapp
   

   Result:

   destinationrule.networking.istio.io/todoapp-dr unchanged
   virtualservice.networking.istio.io/todoapp-vs configured
   

2. Refresh the test app page several times. The app is handled by the v1 and v2 pod versions in roughly equal proportions.

3. Increase the weight for v2 to 100%:

   kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-weight-v2-100.yaml -n todoapp
   

   Result:

   destinationrule.networking.istio.io/todoapp-dr unchanged
   virtualservice.networking.istio.io/todoapp-vs configured
   

4. Refresh the test app page several times. The app is only handled by the v2 pods.

Set authentication mode using mutual TLSSet authentication mode using mutual TLS

By default, applications running an Istio sidecar proxy exchange traffic with mutual TLS encryption.

You can configure a strict authentication policy by prohibiting unencrypted traffic from applications that use no Istio sidecar proxy.

To test how your test app runs in different modes:

1. Create an authentication policy:

   kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/peerauthentication.yaml -n todoapp
   

   Result:

   peerauthentication.security.istio.io/default created
   

2. Try creating a pod in the default namespace to test a connection to the todoapp service:

   kubectl run -i -n default \
      --rm \
      --restart=Never curl \
      --image=curlimages/curl \
      --command \
      -- sh -c 'curl -k http://todoapp.todoapp.svc.cluster.local'
   

   Result:

     % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                    Dload  Upload   Total   Spent    Left  Speed
     0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
   curl: (56) Recv failure: Connection reset by peer
   pod "curl" deleted
   pod default/curl terminated (Error)
   

3. Delete the authentication policy:

   kubectl delete -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/peerauthentication.yaml -n todoapp
   

   Result:

   peerauthentication.security.istio.io "default" deleted
   

4. Try creating a pod once again:

   kubectl run -i -n default \
      --rm \
      --restart=Never curl \
      --image=curlimages/curl \
      --command \
      -- sh -c 'curl -k http://todoapp.todoapp.svc.cluster.local'
   

   Result:

     % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                    Dload  Upload   Total   Spent    Left  Speed
   100  2658  100  2658    0     0   147k      0 --:--:-- --:--:-- --:--:--  152k
   <!DOCTYPE html>
   <html lang="ru">
   <head>
       <meta charset="UTF-8">
       <meta name="viewport" content="width=device-width, initial-scale=1.0">
       <title>Todoapp</title>
   ...
   

View Istio metrics on the Prometheus dashboardView Istio metrics on the Prometheus dashboard

1. Make sure that Prometheus is installed and available in the Managed Service for Kubernetes cluster:

   kubectl get service prometheus -n istio-system
   

   Result:

   NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
   prometheus   ClusterIP   10.96.147.249   <none>        9090/TCP   15d
   

2. Configure prometheus service port forwarding to the local computer:

   kubectl port-forward service/prometheus 9090:9090 -n istio-system
   

3. To open the Prometheus dashboard, paste http://localhost:9090 into the browser address bar.

4. Enter the following request in the Expression field:

   istio_requests_total{destination_service="recommender.todoapp.svc.cluster.local"}
   

5. Go to the Graph tab. It shows Istio metrics.

View Istio metrics on the Grafana dashboardView Istio metrics on the Grafana dashboard

1. Make sure that Grafana is installed and available in the Managed Service for Kubernetes cluster:

   kubectl get service grafana -n istio-system
   

   Result:

   NAME      TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
   grafana   ClusterIP   10.96.205.86   <none>        3000/TCP   15d
   

2. Configure grafana service port forwarding to the local computer:

   kubectl port-forward service/grafana 3000:3000 -n istio-system
   

3. To open the Grafana dashboard, paste http://localhost:3000 into the browser address bar.

4. In the list of dashboards, find and open the Istio Mesh Dashboard. It shows the metrics of requests to your test app's services.

Delete the resources you createdDelete the resources you created

Delete the resources you no longer need to avoid paying for them: