Using Istio

Written by
Yandex Cloud
Updated at May 5, 2025
  • Required paid resources
  • Getting started
  • Install Istio
  • Install a test application
  • View a service network diagram on the Kiali dashboard
  • Route service requests
  • Simulate a service failure
  • Redistribute traffic
  • Set authentication mode using mutual TLS
  • View Istio metrics on the Prometheus dashboard
  • View Istio metrics on the Grafana dashboard
  • Delete the resources you created

Istio implements a service mesh, a low-latency infrastructure layer used to process a massive volume of network communications between services in a Managed Service for Kubernetes cluster.

This tutorial walks through the main Istio features in the following order:

  1. Install Istio.
  2. Install a test application.
  3. View a service network diagram on the Kiali dashboard.
  4. Route requests.
  5. Simulate a service failure.
  6. Redistribute traffic.
  7. Set up mutual TLS authentication.
  8. View Istio metrics on the Prometheus dashboard.
  9. View Istio metrics on the Grafana dashboard.

If you no longer need the resources you created, delete them.

Required paid resources

The cost of supporting this infrastructure includes:

  • Fee for the Managed Service for Kubernetes cluster: using the master and outgoing traffic (see Managed Service for Kubernetes pricing).
  • Cluster nodes (VM) fee: using computing resources, operating system, and storage (see Compute Cloud pricing).
  • Fee for a public IP address assigned to cluster nodes (see Virtual Private Cloud pricing).

Getting started

  1. Create a Kubernetes cluster and node group.

    Manually:

    1. If you do not have a network yet, create one.

    2. If you do not have any subnets yet, create them in the availability zones where your Kubernetes cluster and node group will be created.

    3. Create service accounts:

      • Service account with the k8s.clusters.agent and vpc.publicAdmin roles for the folder where the Kubernetes cluster is created. This service account will be used to create the resources required for the Kubernetes cluster.
      • Service account with the container-registry.images.puller role. Nodes will pull the required Docker images from the registry on behalf of this account.

      Tip

      You can use the same service account to manage your Kubernetes cluster and its node groups.

    4. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

      Warning

      The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

    5. Create a Kubernetes cluster and a node group with at least 6 GB of RAM and the security groups created earlier.

    Terraform:

    1. If you do not have Terraform yet, install it.

    2. Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.

    3. Configure and initialize a provider. There is no need to create a provider configuration file manually, you can download it.

    4. Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.

    5. Download the k8s-cluster.tf cluster configuration file to the same working directory. This file describes:

      • Network.

      • Subnet.

      • Kubernetes cluster.

      • Service account required for the Managed Service for Kubernetes cluster and node group to operate.

      • Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.

        Warning

        The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

    6. Specify the following in the k8s-cluster.tf file:

      • Folder ID.
      • Kubernetes version for the Kubernetes cluster and node groups.
      • At least 6 GB of RAM for your node group. The value must be a multiple of the number of vCPUs.
      • Kubernetes cluster CIDR.
      • Name of the Managed Service for Kubernetes cluster service account.
    7. Check that the Terraform configuration files are correct using this command:

      terraform validate
      

      If there are any errors in the configuration files, Terraform will point them out.

    8. Create the required infrastructure:

      1. Run this command to view the planned changes:

        terraform plan
        

        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

      2. If everything looks correct, apply the changes:

        1. Run this command:

          terraform apply
          
        2. Confirm updating the resources.

        3. Wait for the operation to complete.

      All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

  2. Install kubectl and configure it to work with the new cluster.

Install Istio

  1. Install Istio from the Yandex Cloud Marketplace application catalog. When installing the application:

    1. Create a new namespace called istio-system.
    2. Install Istio add-ons: Kiali, Prometheus, Grafana, Loki, Jaeger.
  2. Make sure all the pods of Istio and its add-ons have changed their status to Running:

    kubectl get pods -n istio-system
    

    Result:

    NAME                                    READY   STATUS    RESTARTS   AGE
    grafana-75c6d4fcf7-v4sfp                1/1     Running   0          2h
    istio-ingressgateway-6496999d57-hdbnf   1/1     Running   0          2h
    istiod-665dbb97c9-s6xxk                 1/1     Running   0          2h
    jaeger-5468d9c886-x2bq8                 1/1     Running   0          2h
    kiali-6854cc8574-26t65                  1/1     Running   0          2h
    loki-0                                  1/1     Running   0          2h
    prometheus-54f86f6676-vmqqr             2/2     Running   0          2h
    

Install a test application

  1. Create a new namespace called todoapp:

    kubectl create namespace todoapp
    
  2. Add the istio-injection label to the todoapp namespace:

    kubectl label namespace todoapp istio-injection=enabled
    
  3. Install the todoapp test application:

    kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/todoapp.yaml -n todoapp
    

    Result:

    deployment.apps/todoapp-v1 created
    deployment.apps/todoapp-v2 created
    deployment.apps/recommender-v1 created
    deployment.apps/todoapp-redis-v1 created
    service/todoapp created
    service/recommender created
    service/todoapp-redis created
    
  4. Check the pod status:

    kubectl get pods -n todoapp
    

    Result:

    NAME                                READY   STATUS    RESTARTS   AGE
    recommender-v1-7865c4cfbb-hsp2k     2/2     Running   0          60s
    recommender-v1-7865c4cfbb-vqt68     2/2     Running   0          59s
    todoapp-redis-v1-dbdf4d44-48952     2/2     Running   0          59s
    todoapp-v1-6d4b78b6c9-gfkxd         2/2     Running   0          60s
    todoapp-v1-6d4b78b6c9-jc962         2/2     Running   0          60s
    todoapp-v2-7dd69b445f-2rznm         2/2     Running   0          60s
    todoapp-v2-7dd69b445f-gr4vn         2/2     Running   0          60s
    

    Make sure all the pods have changed their status to Running and READY=2/2.

  5. Check the status of services:

    kubectl get services -n todoapp
    

    Result:

    NAME            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
    recommender     ClusterIP   10.96.255.93    <none>        80/TCP     80s
    todoapp         ClusterIP   10.96.232.143   <none>        80/TCP     80s
    todoapp-redis   ClusterIP   10.96.174.100   <none>        6379/TCP   80s
    
  6. Make sure that the web app is up and running:

    kubectl exec "$(kubectl get pod -l app=recommender -n todoapp -o jsonpath='{.items[0].metadata.name}')" -n todoapp \
       -- curl --silent --show-error todoapp:80 | grep -o "<title>.*</title>"
    

    Result:

    <title>Todoapp</title>
    
  7. Publish the app:

    kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/todoapp-gateway.yaml -n todoapp
    

    Result:

    gateway.networking.istio.io/todoapp-gateway created
    virtualservice.networking.istio.io/todoapp-vs created
    
  8. Get the Ingress gateway IP to access the app:

    kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
    
  9. To open the web app, paste the obtained IP into the browser address bar.

    Note

    If the resource is unavailable at the specified URL, make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If any rule is missing, add it.

    The page content may change each time you refresh it. Depending on which pod version handles your request, you will see:

    • Pod version v1: To-do list section.
    • Pod version v2: To-do list section and recommendations section.

View a service network diagram on the Kiali dashboard

  1. Make sure kiali is installed and available in the Managed Service for Kubernetes cluster:

    kubectl get service kiali -n istio-system
    

    Result:

    NAME    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)              AGE
    kiali   ClusterIP   10.96.207.108   <none>        20001/TCP,9090/TCP   15d
    
  2. Configure kiali port forwarding to the local computer:

    kubectl port-forward service/kiali 8080:20001 -n istio-system
    
  3. To open the Kiali dashboard, paste http://localhost:8080 into the browser address bar.

    The Kiali dashboard provides various information, such as the service network diagram, Istio configuration, service configuration and status, as well as pod metrics, traces, and logs.

  4. To generate traffic to your test app, interact with it. For example, add a to-do list.

  5. Open the Kiali dashboard, go to Graph, and select the todoapp namespace. You will see a diagram with the test app components running in the Istio service network.

    Tip

    Use the Kiali dashboard to track changes in the next steps of this tutorial. For example, you can see how the display of services or traffic distribution changes.

Route service requests

todoapp pods of versions v1 and v2 run in parallel. When you refresh the test app page, the recommendations panel is sometimes missing, because only the todoapp v2 pods call the recommender service and display its results.

Use routing rules to send all users to a specific service version:

  1. Route all requests to v1:

    kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-route-v1.yaml -n todoapp
    

    Result:

    destinationrule.networking.istio.io/todoapp-dr created
    virtualservice.networking.istio.io/todoapp-vs configured
    
  2. Refresh the test app page several times. Now all requests are handled by the v1 pods. The page only shows the to-do list.

  3. Route all requests to v2:

    kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-route-v2.yaml -n todoapp
    

    Result:

    destinationrule.networking.istio.io/todoapp-dr unchanged
    virtualservice.networking.istio.io/todoapp-vs configured
    
  4. Refresh the test app page several times. Now all requests are handled by the v2 pods. The page shows the to-do list and recommendations sections.

To cancel routing, run the command below:

kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/todoapp-gateway.yaml -n todoapp

Result:

gateway.networking.istio.io/todoapp-gateway unchanged
virtualservice.networking.istio.io/todoapp-vs configured

Simulate a service failure

With Istio, you can test your app's resilience by injecting faults into service-to-service traffic.
When todoapp calls recommender, it waits at most 3 seconds for a response. If recommender does not respond within that time, the recommendations section is not displayed.

You can simulate a failure by injecting a delay longer than this 3-second timeout in the VirtualService resource for recommender. For example, this fragment adds a 5-second delay to 50 percent of requests:

fault:
  delay:
    percentage:
      value: 50.0
    fixedDelay: 5s

To simulate a failure of your test app:

  1. Apply the VirtualService configuration:

    kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-delay.yaml -n todoapp
    

    Result:

    destinationrule.networking.istio.io/recommender-dr created
    virtualservice.networking.istio.io/recommender-vs created
    
  2. Refresh the test app page several times. When the injected delay exceeds the timeout, the recommendations section is not displayed even though a v2 pod handles the request: the app degrades gracefully when recommender fails.

To roll back the VirtualService configuration, run this command:

kubectl delete -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-delay.yaml -n todoapp

Result:

destinationrule.networking.istio.io "recommender-dr" deleted
virtualservice.networking.istio.io "recommender-vs" deleted
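
The fragment above only shows the fault block. Below is a complete VirtualService for recommender that such a block sits in, added here as an example rather than copied from the tutorial's virtualservice-delay.yaml. It goes beyond the page's case by adding an abort fault, which answers a share of requests with HTTP 503 without contacting the service at all; Istio applies delay and abort faults independently of each other. Assumptions not taken from the page: the service is named recommender in the todoapp namespace and listens on port 80 (as the kubectl get services output shows), and the installed Istio serves the networking.istio.io/v1beta1 API (Istio 1.22 and later also serve v1).

```yaml
# Added example (not the tutorial's virtualservice-delay.yaml): a complete
# VirtualService that injects faults into calls to recommender.
# Assumed: service "recommender" in namespace "todoapp" on port 80;
# apiVersion v1beta1 (Istio 1.22 and later also serve networking.istio.io/v1).
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: recommender-vs
  namespace: todoapp
spec:
  hosts:
  - recommender              # short name, resolves to recommender.todoapp.svc.cluster.local
  http:
  - fault:
      # Half of the requests are held for 5 s, longer than the app's 3 s
      # client timeout, so todoapp gives up and renders no recommendations.
      delay:
        percentage:
          value: 50.0
        fixedDelay: 5s
      # Independently of the delay, one request in ten is answered with
      # HTTP 503 by the caller's sidecar and never reaches recommender.
      abort:
        percentage:
          value: 10.0
        httpStatus: 503
    route:
    - destination:
        host: recommender
        port:
          number: 80
```

Apply it with kubectl apply -f <file> -n todoapp and remove it with kubectl delete -f <file> -n todoapp. Both faults are injected by the sidecar of the calling pod (a todoapp v2 pod here), so a client that has no sidecar and calls recommender directly is not affected; use the Kiali graph from the previous section to watch the error rate on the todoapp to recommender edge.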

Redistribute traffic

When upgrading the microservice version, you can redistribute traffic between its versions without affecting the number of application pods. You can manage traffic routes using the weight parameter of the VirtualService resource.

To redistribute traffic in your test app:

  1. Set the weight for v1 and v2 to 50%:

    kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-weight-v2-50.yaml -n todoapp
    

    Result:

    destinationrule.networking.istio.io/todoapp-dr unchanged
    virtualservice.networking.istio.io/todoapp-vs configured
    
  2. Refresh the test app page several times. Requests are handled by v1 and v2 pods in roughly equal proportions.

  3. Increase the weight for v2 to 100%:

    kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/virtualservice-weight-v2-100.yaml -n todoapp
    

    Result:

    destinationrule.networking.istio.io/todoapp-dr unchanged
    virtualservice.networking.istio.io/todoapp-vs configured
    
  4. Refresh the test app page several times. All requests are now handled by v2 pods.
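
The manifests applied in "Route service requests" and in this section differ only in the weights they assign to the two subsets. The pair of resources below is an added example of that configuration, not a copy of the tutorial's virtualservice-route-*.yaml or virtualservice-weight-*.yaml. Assumptions not confirmed by the page: todoapp-v1 pods carry the label version: v1 and todoapp-v2 pods carry version: v2; the Gateway todoapp-gateway created by todoapp-gateway.yaml accepts any host; the todoapp service listens on port 80; the installed Istio serves networking.istio.io/v1beta1.

```yaml
# Added example (not the tutorial's manifests): subset routing for todoapp
# with weights. Assumed: pod labels version: v1 / version: v2, Gateway
# todoapp-gateway accepting any host, service port 80, apiVersion v1beta1.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: todoapp-dr
  namespace: todoapp
spec:
  host: todoapp              # short name, resolves to todoapp.todoapp.svc.cluster.local
  subsets:                   # a subset is a named label selector over the service's pods
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: todoapp-vs
  namespace: todoapp
spec:
  hosts:
  - "*"                      # any Host header; narrow this to real hostnames in production
  gateways:
  - todoapp-gateway          # applies only to traffic entering through the ingress gateway
  http:
  - route:
    # Weights must add up to 100. 100/0 is "route all requests to v1",
    # 0/100 is "route all requests to v2", 50/50 is the even split.
    - destination:
        host: todoapp
        subset: v1
        port:
          number: 80
      weight: 50
    - destination:
        host: todoapp
        subset: v2
        port:
          number: 80
      weight: 50
```

Before applying, confirm the labels with kubectl get pods -n todoapp --show-labels: a subset whose selector matches no pods makes the sidecar answer with HTTP 503 instead of routing. Listing the real hostnames instead of "*" in both the Gateway and the VirtualService makes the gateway reject requests for unrelated Host headers.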

Set authentication mode using mutual TLS

By default, Istio runs in PERMISSIVE mode: workloads with an Istio sidecar proxy exchange traffic over mutual TLS, but a sidecar also accepts plaintext connections from clients that have no sidecar, such as pods in namespaces without the istio-injection label.

A strict PeerAuthentication policy (mTLS mode STRICT) rejects such plaintext traffic, so only mesh clients that present a valid mesh-issued certificate can connect to the applications.

To see how the test app behaves in each mode:

  1. Create an authentication policy:

    kubectl apply -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/peerauthentication.yaml -n todoapp
    

    Result:

    peerauthentication.security.istio.io/default created
    
  2. Try creating a pod in the default namespace, which has no istio-injection label and therefore no sidecar, and connect to todoapp from it (the --insecure option of curl only affects HTTPS and has no effect on this plain http:// request):

    kubectl run -i -n default \
       --rm \
       --restart=Never curl \
       --image=curlimages/curl \
       --command \
       -- sh -c 'curl --insecure http://todoapp.todoapp.svc.cluster.local'
    

    Result:

      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    curl: (56) Recv failure: Connection reset by peer
    pod "curl" deleted
    pod default/curl terminated (Error)
    
  3. Delete the authentication policy:

    kubectl delete -f https://raw.githubusercontent.com/yandex-cloud-examples/yc-mk8s-todo-app/main/kube/peerauthentication.yaml -n todoapp
    

    Result:

    peerauthentication.security.istio.io "default" deleted
    
  4. Try creating a pod once again:

    kubectl run -i -n default \
       --rm \
       --restart=Never curl \
       --image=curlimages/curl \
       --command \
       -- sh -c 'curl --insecure http://todoapp.todoapp.svc.cluster.local'
    

    Result:

      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  2658  100  2658    0     0   147k      0 --:--:-- --:--:-- --:--:--  152k
    <!DOCTYPE html>
    <html lang="ru">
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <title>Todoapp</title>
    ...
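
The page applies a single policy file without showing it. The manifests below are an added example of PeerAuthentication at the three scopes Istio supports, not a copy of the tutorial's peerauthentication.yaml: a namespace-wide STRICT policy (the behaviour the connection reset above demonstrates), a workload-level exception, and a mesh-wide default. Assumptions not taken from the page: the installed Istio serves security.istio.io/v1beta1 (Istio 1.22 and later also serve v1); the Redis pods carry the label app: todoapp-redis; port 9121 is a hypothetical plaintext port for a sidecar-less scraper.

```yaml
# Added example (not the tutorial's peerauthentication.yaml): PeerAuthentication
# policies at three scopes. Assumed: apiVersion v1beta1; Redis pods labelled
# app: todoapp-redis; port 9121 is a hypothetical plaintext exporter port.

# 1. Namespace scope: a policy with no selector applies to every workload in
#    its namespace. STRICT makes the sidecars refuse plaintext inbound
#    connections, so only clients presenting a mesh-issued certificate get in.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: todoapp
spec:
  mtls:
    mode: STRICT
---
# 2. Workload scope: the most specific policy wins. Redis stays STRICT, but one
#    port is left PERMISSIVE for a sidecar-less scraper (hypothetical port).
#    portLevelMtls is only valid together with a selector.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: todoapp-redis
  namespace: todoapp
spec:
  selector:
    matchLabels:
      app: todoapp-redis
  mtls:
    mode: STRICT
  portLevelMtls:
    9121:
      mode: PERMISSIVE
---
# 3. Mesh scope: a policy named "default" in the root namespace (istio-system
#    unless the mesh config says otherwise) is the fallback for every namespace
#    that has no policy of its own.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
```

Apply the namespace policy first and repeat the curl test from the default namespace; the connection is reset exactly as shown above. Before applying the mesh-wide policy, list the pods that have no istio-proxy container (anything in a namespace without the istio-injection label): after STRICT they can no longer reach mesh services. Check which policies are active with kubectl get peerauthentication --all-namespaces.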
    

View Istio metrics on the Prometheus dashboard

  1. Make sure prometheus is installed and available in the Managed Service for Kubernetes cluster:

    kubectl get service prometheus -n istio-system
    

    Result:

    NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
    prometheus   ClusterIP   10.96.147.249   <none>        9090/TCP   15d
    
  2. Configure prometheus port forwarding to the local computer:

    kubectl port-forward service/prometheus 9090:9090 -n istio-system
    
  3. To open the Prometheus dashboard, paste http://localhost:9090 into the address bar of your browser.

  4. Enter the following query in the Expression field:

    istio_requests_total{destination_service="recommender.todoapp.svc.cluster.local"}
    
  5. Go to the Graph tab. It shows Istio metrics.

View Istio metrics on the Grafana dashboard

  1. Make sure grafana is installed and available in the Managed Service for Kubernetes cluster:

    kubectl get service grafana -n istio-system
    

    Result:

    NAME      TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
    grafana   ClusterIP   10.96.205.86   <none>        3000/TCP   15d
    
  2. Configure grafana port forwarding to the local computer:

    kubectl port-forward service/grafana 3000:3000 -n istio-system
    
  3. To open the Grafana dashboard, paste http://localhost:3000 into the address bar of your browser.

  4. In the list of dashboards, find and open the Istio Mesh Dashboard. It shows the metrics of requests to your test app's services.

Delete the resources you created

Delete the resources you no longer need to avoid paying for them:

Manually:

  1. Delete the Kubernetes cluster.
  2. Delete the created subnets and networks.
  3. Delete service accounts you created.

Terraform:

  1. In the terminal window, go to the directory containing the infrastructure plan.

    Warning

    Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.

  2. Delete resources:

    1. Run this command:

      terraform destroy
      
    2. Confirm deleting the resources and wait for the operation to complete.

    All the resources described in the Terraform manifests will be deleted.

© 2025 Direct Cursus Technology L.L.C.