Microk8s puts up its Istio and sails away
Istio almost immediately strikes you as enterprise grade software. Not so much because of the complexity it introduces, but more because of the features it adds to your service mesh. Must-have features packaged together in a coherent framework:
- Traffic Management
- Security Policies
- Telemetry
- Performance Tuning
Since microk8s positions itself as the local Kubernetes cluster developers prototype on, it is no surprise that deployment of Istio is made dead simple. Let’s start with the microk8s deployment itself:
> sudo snap install microk8s --classic
Istio deployment is available with:
> microk8s.enable istio
There is a single question that we need to respond to at this point: do we want to enforce mutual TLS authentication among sidecars? Istio places a proxy next to each of your services so as to take control over routing, security, etc. If we know we have a mixed deployment with non-Istio and Istio-enabled services, we would rather not enforce mutual TLS:
> microk8s.enable istio
Enabling Istio
Enabling DNS
Applying manifest
service/kube-dns created
serviceaccount/kube-dns created
configmap/kube-dns created
deployment.extensions/kube-dns created
Restarting kubelet
DNS is enabled
Enforce mutual TLS authentication (https://bit.ly/2KB4j04) between sidecars? If unsure, choose N. (y/N): y
Believe it or not, we are done. Istio v1.0 services are being set up; you can check the deployment progress with:
> watch microk8s.kubectl get all --all-namespaces
We have packaged istioctl in microk8s for your convenience:
> microk8s.istioctl get all --all-namespaces
NAME                          KIND                                      NAMESPACE      AGE
grafana-ports-mtls-disabled   Policy.authentication.istio.io.v1alpha1   istio-system   2m

DESTINATION-RULE NAME   HOST                                             SUBSETS   NAMESPACE      AGE
istio-policy            istio-policy.istio-system.svc.cluster.local                istio-system   3m
istio-telemetry         istio-telemetry.istio-system.svc.cluster.local             istio-system   3m

GATEWAY NAME                      HOSTS   NAMESPACE      AGE
istio-autogenerated-k8s-ingress   *       istio-system   3m
Do not get scared by the number of services and deployments; everything is under the istio-system namespace. We are ready to start exploring!
Demo Time!
Istio needs to inject sidecars into the pods of your deployment. In microk8s auto-injection is supported, so the only thing you have to do is label the namespace you will be using with istio-injection=enabled:
> microk8s.kubectl label namespace default istio-injection=enabled
Let’s now grab the bookinfo example from the v1.0 Istio release and apply it:
> wget https://raw.githubusercontent.com/istio/istio/release-1.0/samples/bookinfo/platform/kube/bookinfo.yaml
> microk8s.kubectl create -f bookinfo.yaml
The following services should be available soon:
> microk8s.kubectl get svc
NAME          TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)
details       ClusterIP   10.152.183.33    <none>        9080/TCP
kubernetes    ClusterIP   10.152.183.1     <none>        443/TCP
productpage   ClusterIP   10.152.183.59    <none>        9080/TCP
ratings       ClusterIP   10.152.183.124   <none>        9080/TCP
reviews       ClusterIP   10.152.183.9     <none>        9080/TCP
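With mutual TLS enforced, a pod that did not get a sidecar is exactly the "mixed deployment" case mentioned earlier, so it is worth confirming that injection happened. The following is an added example, not part of the original post: it lists pods whose container set lacks istio-proxy. The function names, the sample listing and its pod names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report pods that run without the Istio sidecar container.
# Listing format, one pod per line: <pod-name><TAB><space-separated container names>

# Constructed sample listing (pod names are made up) so the script runs offline.
SAMPLE_LISTING=$(printf '%s\t%s\n' \
  'details-v1-aaaa'     'details istio-proxy' \
  'productpage-v1-bbbb' 'productpage istio-proxy' \
  'legacy-job-cccc'     'worker')

# Read a listing on stdin and print the names of pods that have no container
# named exactly "istio-proxy" (a container such as "istio-proxy-helper" does not count).
pods_without_sidecar() {
  awk -F'\t' '
    $1 != "" {
      n = split($2, names, " ")
      found = 0
      for (i = 1; i <= n; i++) if (names[i] == "istio-proxy") found = 1
      if (!found) print $1
    }'
}

# Produce the listing from the live cluster; the namespace defaults to "default".
list_pods() {
  microk8s.kubectl get pods -n "${1:-default}" \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'
}

# Use the live cluster when microk8s is installed, otherwise the constructed sample.
if command -v microk8s.kubectl >/dev/null 2>&1; then
  list_pods default | pods_without_sidecar
else
  printf '%s\n' "$SAMPLE_LISTING" | pods_without_sidecar
fi
```

Sidecars are injected when a pod is created, so a pod that existed before the namespace was labelled shows up in this list until it is recreated.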
We can reach the services using the ClusterIP they have; we can for example get to the productpage in the above example by pointing our browser to 10.152.183.59:9080. But let’s play by the rules and follow the official instructions on exposing the services via NodePort:
> wget https://raw.githubusercontent.com/istio/istio/release-1.0/samples/bookinfo/networking/bookinfo-gateway.yaml
> microk8s.kubectl create -f bookinfo-gateway.yaml
To get to the productpage through ingress we shamelessly copy the example instructions:
> microk8s.kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}'
31380
And our node is the localhost so we can point our browser to http://localhost:31380/productpage
Show me some graphs!
Of course graphs look nice in a blog post, so here you go.
You will need to grab the ClusterIP of the Grafana service:
> microk8s.kubectl -n istio-system get svc grafana
Prometheus is also available in the same way.
> microk8s.kubectl -n istio-system get svc prometheus
And for traces you will need to look at the jaeger-query.
> microk8s.kubectl -n istio-system get service/jaeger-query
The servicegraph endpoint is available with:
> microk8s.kubectl -n istio-system get svc servicegraph
I should stop here. Go and check out the Istio documentation for more details on how to take advantage of what Istio is offering.
What to keep from this post
- There is great value in Istio. It’s a framework for preparing Kubernetes for the enterprise.
- Microk8s can get you up and running quickly. Drop us a line with what you want to see improved.
- Do not be afraid to fail. A shipwreck can have more value than a sailing ship.