© 2025 Direct Cursus Technology L.L.C.
Using Istio

Written by
Yandex Cloud
Updated at November 21, 2025
  • Required paid resources
  • Getting started
  • Install Istio
  • Install a test application
  • View a service network diagram on the Kiali dashboard
  • Route requests
  • Simulate a service failure
  • Redistribute traffic
  • Set up mutual TLS authentication
  • View Istio metrics on the Prometheus dashboard
  • View Istio metrics on the Grafana dashboard
  • Delete the resources you created

Istio implements a service mesh, a low-latency infrastructure layer that manages large-scale network communications between services in a Managed Service for Kubernetes cluster.

To explore Istio use cases:

  1. Install Istio.
  2. Install a test application.
  3. View a service network diagram on the Kiali dashboard.
  4. Route requests.
  5. Simulate a service failure.
  6. Redistribute traffic.
  7. Set up mutual TLS authentication.
  8. View Istio metrics on the Prometheus dashboard.
  9. View Istio metrics on the Grafana dashboard.

If you no longer need the resources you created, delete them.

Required paid resources

The support cost for this solution includes:

  • Fee for using the master and outgoing traffic in a Managed Service for Kubernetes cluster (see Managed Service for Kubernetes pricing).
  • Fee for using computing resources, OS, and storage in cluster nodes (VMs) (see Compute Cloud pricing).
  • Fee for a public IP address assigned to cluster nodes (see Virtual Private Cloud pricing).

Getting started

  1. Create a Kubernetes cluster and node group.

    Manually:

    1. If you do not have a network yet, create one.

    2. If you do not have any subnets yet, create them in the availability zones where the new Kubernetes cluster and node group will reside.

    3. Create service accounts:

      • Service account with the k8s.clusters.agent and vpc.publicAdmin roles for the folder where you want to create a Kubernetes cluster. This service account will be used to create resources for your Kubernetes cluster.
      • Service account with the container-registry.images.puller role. The nodes will use this account to pull the required Docker images from the registry.

      Tip

      You can use the same service account to manage your Kubernetes cluster and its node groups.

    4. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

      Warning

      The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

    5. Create a Kubernetes cluster and node group with at least 6 GB of RAM and the security groups you created earlier.

    Terraform:

    1. If you do not have Terraform yet, install it.

    2. Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.

    3. Configure and initialize a provider. There is no need to create a provider configuration file manually; you can download it.

    4. Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.

    5. Download the k8s-cluster.tf cluster configuration file to the same working directory. This file describes:

      • Network.

      • Subnet.

      • Kubernetes cluster.

      • Service account for the Managed Service for Kubernetes cluster and node group.

      • Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.

        Warning

        The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

    6. Specify the following in k8s-cluster.tf:

      • Folder ID.
      • Kubernetes version for the Kubernetes cluster and node groups.
      • RAM for your node group, which must be at least 6 GB and a multiple of the vCPU count.
      • Kubernetes cluster CIDR.
      • Name of the Managed Service for Kubernetes cluster service account.
    7. Make sure the Terraform configuration files are correct using this command:

      terraform validate
      

      Terraform will show any errors found in your configuration files.

    8. Create the required infrastructure:

      1. Run this command to view the planned changes:

        terraform plan
        

        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

      2. If everything looks correct, apply the changes:

        1. Run this command:

          terraform apply
          
        2. Confirm updating the resources.

        3. Wait for the operation to complete.

      All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

  2. Install kubectl and configure it to work with the new cluster.

Install Istio

  1. Install Istio from Yandex Cloud Marketplace. When installing the app:

    1. Create a new namespace called istio-system.
    2. Install Istio add-ons: Kiali, Prometheus, Grafana, Loki, and Jaeger.
  2. Make sure all pods of Istio and its add-ons have switched to the Running status:

    kubectl get pods -n istio-system
    

    Result:

    NAME                                    READY   STATUS    RESTARTS   AGE
    grafana-75c6d4fcf7-v4sfp                1/1     Running   0          2h
    istio-ingressgateway-6496999d57-hdbnf   1/1     Running   0          2h
    istiod-665dbb97c9-s6xxk                 1/1     Running   0          2h
    jaeger-5468d9c886-x2bq8                 1/1     Running   0          2h
    kiali-6854cc8574-26t65                  1/1     Running   0          2h
    loki-0                                  1/1     Running   0          2h
    prometheus-54f86f6676-vmqqr             2/2     Running   0          2h
    

Install a test application

  1. Create a new namespace called todoapp:

    kubectl create namespace todoapp
    
  2. Add the istio-injection label to the todoapp namespace:

    kubectl label namespace todoapp istio-injection=enabled
    
  3. Install the todoapp test application:

    kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/todoapp.yaml -n todoapp
    

    Result:

    deployment.apps/todoapp-v1 created
    deployment.apps/todoapp-v2 created
    deployment.apps/recommender-v1 created
    deployment.apps/todoapp-redis-v1 created
    service/todoapp created
    service/recommender created
    service/todoapp-redis created
    
  4. Check the pod status:

    kubectl get pods -n todoapp
    

    Result:

    NAME                                READY   STATUS    RESTARTS   AGE
    recommender-v1-7865c4cfbb-hsp2k     2/2     Running   0          60s
    recommender-v1-7865c4cfbb-vqt68     2/2     Running   0          59s
    todoapp-redis-v1-dbdf4d44-48952     2/2     Running   0          59s
    todoapp-v1-6d4b78b6c9-gfkxd         2/2     Running   0          60s
    todoapp-v1-6d4b78b6c9-jc962         2/2     Running   0          60s
    todoapp-v2-7dd69b445f-2rznm         2/2     Running   0          60s
    todoapp-v2-7dd69b445f-gr4vn         2/2     Running   0          60s
    

    Make sure all pods have switched to Running and show READY=2/2 (the application container plus the Istio sidecar injected into it).

  5. Check the status of services:

    kubectl get services -n todoapp
    

    Result:

    NAME            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
    recommender     ClusterIP   10.96.255.93    <none>        80/TCP     80s
    todoapp         ClusterIP   10.96.232.143   <none>        80/TCP     80s
    todoapp-redis   ClusterIP   10.96.174.100   <none>        6379/TCP   80s
    
  6. Make sure the web app is up and running:

    kubectl exec "$(kubectl get pod -l app=recommender -n todoapp -o jsonpath='{.items[0].metadata.name}')" -n todoapp \
       -- curl --silent --show-error todoapp:80 | grep -o "<title>.*</title>"
    

    Result:

    <title>Todoapp</title>
    
  7. Publish the app:

    kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/todoapp-gateway.yaml -n todoapp
    

    Result:

    gateway.networking.istio.io/todoapp-gateway created
    virtualservice.networking.istio.io/todoapp-vs created
    
  8. Get the ingress gateway IP address to access the app:

    kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
    
  9. To run the web app, paste the obtained IP address into the address bar of your browser.

    Note

    If the resource is unavailable at the specified URL, make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If any rule is missing, add it.

    Each time the page is refreshed, its content will be updated. Depending on the version of the pod serving your request, you will see:

    • Pod v1: To-do list panel.
    • Pod v2: To-do list and recommendations panels.

View a service network diagram on the Kiali dashboard

  1. Make sure kiali is installed and available in your Managed Service for Kubernetes cluster:

    kubectl get service kiali -n istio-system
    

    Result:

    NAME    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)              AGE
    kiali   ClusterIP   10.96.207.108   <none>        20001/TCP,9090/TCP   15d
    
  2. Set up kiali port forwarding to your local computer:

    kubectl port-forward service/kiali 8080:20001 -n istio-system
    
  3. To open the Kiali dashboard, paste http://localhost:8080 into the address bar of your browser.

    The Kiali dashboard visualizes various information, including the service mesh diagram, Istio configuration, service configurations and statuses, as well as metrics, traces, and pod logs.

  4. To generate traffic, use your test app. For example, add a to-do list.

  5. Open the Kiali dashboard, go to Graph, and select the todoapp namespace. On the diagram, you will see the test application components running within the Istio service mesh.

    Tip

    Use the Kiali dashboard to monitor changes in the next steps of this tutorial. For example, you can see how the display of services or traffic distribution changes.

Route requests

The todoapp service pods run concurrently in two versions, v1 and v2. When you refresh the test app page, the recommendations panel is sometimes not displayed, because only the todoapp v2 pods send requests to the recommender service and show the results.

Use routing to direct users to a specific service version:

  1. Route all requests to v1:

    kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-route-v1.yaml -n todoapp
    

    Result:

    destinationrule.networking.istio.io/todoapp-dr created
    virtualservice.networking.istio.io/todoapp-vs configured
    
  2. Refresh the test app page several times. Now, the v1 pods process all requests. The page only shows the to-do list panel.

  3. Route all requests to v2:

    kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-route-v2.yaml -n todoapp
    

    Result:

    destinationrule.networking.istio.io/todoapp-dr unchanged
    virtualservice.networking.istio.io/todoapp-vs configured
    
  4. Refresh the test app page several times. Now, the v2 pods process all requests. The page shows the to-do list and recommendations panels.

To cancel routing, run this command:

kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/todoapp-gateway.yaml -n todoapp

Result:

gateway.networking.istio.io/todoapp-gateway unchanged
virtualservice.networking.istio.io/todoapp-vs configured

Simulate a service failure

With Istio, you can test your app's reliability by simulating service failures.
Requests to recommender have a 3-second timeout. If the service does not respond within this time, the recommendations panel is not shown.

You can simulate a failure by injecting a delay longer than 3 seconds in the VirtualService resource configuration. For example, this code section adds a 5-second delay to 50 percent of requests:

fault:
  delay:
    percentage:
      value: 50.0
    fixedDelay: 5s

To simulate a failure of your test app:

  1. Apply the VirtualService configuration:

    kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-delay.yaml -n todoapp
    

    Result:

    destinationrule.networking.istio.io/recommender-dr created
    virtualservice.networking.istio.io/recommender-vs created
    
  2. Refresh the test app page several times. When a response delay occurs, the recommendations panel does not show up, even though the v2 pod is handling the request. The app correctly handles a recommender failure.

To roll back the VirtualService configuration, run this command:

kubectl delete -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-delay.yaml -n todoapp

Result:

destinationrule.networking.istio.io "recommender-dr" deleted
virtualservice.networking.istio.io "recommender-vs" deleted
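The fragment above shows only the fault stanza. As an added example (not the contents of the repository's virtualservice-delay.yaml), here is a complete VirtualService for the recommender service that carries that delay, together with a commented-out abort fault for simulating a service that returns errors instead of hanging. The resource name and the exact host form are assumptions based on the names printed in the results above:

```yaml
# Added example, not the repository's manifest. The name "recommender-vs" and the
# fully qualified host are assumptions taken from the kubectl output above.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: recommender-vs
  namespace: todoapp
spec:
  # No "gateways" field: the rule applies to in-mesh traffic, i.e. to the
  # requests the todoapp v2 sidecar sends to recommender.
  hosts:
    - recommender.todoapp.svc.cluster.local
  http:
    - fault:
        # Half of the requests are held for 5 s, which exceeds the 3 s timeout
        # the application uses, so the recommendations panel disappears.
        delay:
          percentage:
            value: 50.0
          fixedDelay: 5s
        # To simulate a hard failure instead of a slow one, replace "delay"
        # with an abort fault that returns HTTP 503 for the same share of requests:
        # abort:
        #   percentage:
        #     value: 50.0
        #   httpStatus: 503
      route:
        - destination:
            host: recommender.todoapp.svc.cluster.local
```

The delay is injected by the calling sidecar, so the recommender pods themselves are never touched; this is what makes the test safe to run against a live deployment and why deleting the VirtualService restores normal behaviour immediately.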

Redistribute traffic

When upgrading the microservice version, you can redistribute traffic between its versions without affecting the number of application pods. You can manage traffic routes using the weight parameter for the VirtualService resource.

To redistribute traffic in your test app:

  1. Set the weight for v1 and v2 to 50%:

    kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-weight-v2-50.yaml -n todoapp
    

    Result:

    destinationrule.networking.istio.io/todoapp-dr unchanged
    virtualservice.networking.istio.io/todoapp-vs configured
    
  2. Refresh the test app page several times. Requests are handled by the v1 and v2 pods in roughly equal proportions.

  3. Increase the weight for v2 to 100%:

    kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-weight-v2-100.yaml -n todoapp
    

    Result:

    destinationrule.networking.istio.io/todoapp-dr unchanged
    virtualservice.networking.istio.io/todoapp-vs configured
    
  4. Refresh the test app page several times. All requests are now handled by the v2 pods.
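Both the "Route requests" section and this one apply manifests from the example repository without showing their contents. As an added example (not the repository's own files), the following DestinationRule and VirtualService show how the two steps are expressed: the DestinationRule names the v1 and v2 subsets by pod label, and the VirtualService assigns a weight to each. Routing everything to v1 is the 100/0 case, routing everything to v2 is 0/100, and the split below is the 50/50 step. The label key `version`, the `*` host, and the gateway reference are assumptions:

```yaml
# Added example, not the repository's manifests. The subset labels
# (version: v1 / version: v2) and the gateway binding are assumptions.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: todoapp-dr
  namespace: todoapp
spec:
  host: todoapp.todoapp.svc.cluster.local
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: todoapp-vs
  namespace: todoapp
spec:
  hosts:
    - "*"
  gateways:
    - todoapp-gateway
  http:
    - route:
        # Weights are percentages; keep them summing to 100.
        # 100/0 = all traffic to v1, 50/50 = even split, 0/100 = all traffic to v2.
        - destination:
            host: todoapp.todoapp.svc.cluster.local
            subset: v1
          weight: 50
        - destination:
            host: todoapp.todoapp.svc.cluster.local
            subset: v2
          weight: 50
```

Because the split is done by the proxies rather than by scaling Deployments, the number of pods of each version stays the same while traffic moves; a rollback is just another `kubectl apply` with the previous weights.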

Set up mutual TLS authentication

By default, applications with Istio sidecars communicate securely using mutual TLS.

You can configure a strict authentication policy that rejects unencrypted traffic, including traffic from applications without Istio sidecars.

To test the app in both modes:

  1. Set up an authentication policy:

    kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/peerauthentication.yaml -n todoapp
    

    Result:

    peerauthentication.security.istio.io/default created
    
  2. Try creating a pod in the default namespace to test a connection to todoapp:

    kubectl run -i -n default \
       --rm \
       --restart=Never curl \
       --image=curlimages/curl \
       --command \
       -- sh -c 'curl --insecure http://todoapp.todoapp.svc.cluster.local'
    

    Result:

      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    curl: (56) Recv failure: Connection reset by peer
    pod "curl" deleted
    pod default/curl terminated (Error)
    
  3. Delete the authentication policy:

    kubectl delete -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/peerauthentication.yaml -n todoapp
    

    Result:

    peerauthentication.security.istio.io "default" deleted
    
  4. Try creating a pod once again:

    kubectl run -i -n default \
       --rm \
       --restart=Never curl \
       --image=curlimages/curl \
       --command \
       -- sh -c 'curl --insecure http://todoapp.todoapp.svc.cluster.local'
    

    Result:

      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  2658  100  2658    0     0   147k      0 --:--:-- --:--:-- --:--:--  152k
    <!DOCTYPE html>
    <html lang="ru">
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <title>Todoapp</title>
    ...
    

View Istio metrics on the Prometheus dashboard

  1. Make sure prometheus is installed and available in your Managed Service for Kubernetes cluster:

    kubectl get service prometheus -n istio-system
    

    Result:

    NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
    prometheus   ClusterIP   10.96.147.249   <none>        9090/TCP   15d
    
  2. Set up prometheus port forwarding to your local computer:

    kubectl port-forward service/prometheus 9090:9090 -n istio-system
    
  3. To open the Prometheus dashboard, paste http://localhost:9090 into the address bar of your browser.

  4. Enter the following query in the Expression field:

    istio_requests_total{destination_service="recommender.todoapp.svc.cluster.local"}
    
  5. Go to the Graph tab to see the Istio metrics plotted over time.
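The query above only counts requests. As an added example that is not part of the tutorial or of the Istio Prometheus add-on, the following Prometheus rules file turns the same `istio_requests_total` metric, plus the standard `istio_request_duration_milliseconds` histogram, into two alerts for the recommender service: a 5xx error ratio and a p99 latency above the 3-second application timeout, so the delay injected in the fault-injection step becomes visible as an alert rather than something you notice by refreshing the page. The thresholds, the group name, and the way the file is loaded (a `rule_files` entry in prometheus.yml) are assumptions:

```yaml
# Added example, not the add-on's configuration. Thresholds and the group name
# are assumptions; the metric and label names are Istio's standard ones.
groups:
  - name: recommender-slo
    rules:
      # Share of 5xx responses from recommender over the last 5 minutes.
      - alert: RecommenderHighErrorRate
        expr: |
          sum(rate(istio_requests_total{destination_service="recommender.todoapp.svc.cluster.local", response_code=~"5.."}[5m]))
            /
          sum(rate(istio_requests_total{destination_service="recommender.todoapp.svc.cluster.local"}[5m]))
            > 0.05
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "More than 5% of recommender responses are 5xx"
      # p99 latency above the 3 s timeout the application uses for recommender.
      # The 5 s delay from the fault-injection step trips this rule.
      - alert: RecommenderSlowResponses
        expr: |
          histogram_quantile(0.99,
            sum by (le) (rate(istio_request_duration_milliseconds_bucket{destination_service="recommender.todoapp.svc.cluster.local"}[5m])))
            > 3000
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "recommender p99 latency exceeds 3 s"
```

Both expressions can be pasted into the Expression field as they are to check them against live data before wiring them into a rules file.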

View Istio metrics on the Grafana dashboard

  1. Make sure grafana is installed and available in your Managed Service for Kubernetes cluster:

    kubectl get service grafana -n istio-system
    

    Result:

    NAME      TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
    grafana   ClusterIP   10.96.205.86   <none>        3000/TCP   15d
    
  2. Set up grafana port forwarding to your local computer:

    kubectl port-forward service/grafana 3000:3000 -n istio-system
    
  3. To open the Grafana dashboard, paste http://localhost:3000 into the address bar of your browser.

  4. In the list of dashboards, find and open the Istio Mesh Dashboard. It shows request metrics for your test app's services.

Delete the resources you created

Delete the resources you no longer need to avoid paying for them:

Manually:

  1. Delete the Kubernetes cluster.
  2. Delete the created subnets and networks.
  3. Delete the created service accounts.
Terraform:

  1. In the terminal window, go to the directory containing the infrastructure plan.

    Warning

    Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.

  2. Delete resources:

    1. Run this command:

      terraform destroy
      
    2. Confirm deleting the resources and wait for the operation to complete.

    All the resources described in the Terraform manifests will be deleted.
