Kubernetes Service Mesh with Istio
Istio is a powerful service mesh that provides traffic management, security, and observability for microservices running on Kubernetes. This guide covers istioctl installation, sidecar injection, VirtualServices, DestinationRules, mutual TLS, and Kiali dashboard for visualizing and managing service communication in your VPS and baremetal clusters.
Table of Contents
- Service Mesh Overview
- Istio Installation
- Sidecar Injection
- Traffic Management
- Security with mTLS
- Kiali Dashboard
- Advanced Scenarios
- Practical Examples
- Conclusion
Service Mesh Overview
What is Istio?
Istio is a service mesh that manages communication between microservices with:
- Traffic Management: Routing, load balancing, retries
- Security: mTLS, authentication, authorization
- Observability: Metrics, tracing, logging
- Control Plane: Pilot, Citadel, Gallery
Architecture
Data Plane: Envoy sidecars in pods
Control Plane: Istiod (unified control plane)
Ingress: Istio Ingress Gateway
Monitoring: Prometheus, Grafana, Jaeger, Kiali
Istio Installation
Prerequisites
- Kubernetes v1.19+
- kubectl configured
- 4GB+ available memory
- 2+ CPU cores
Installing istioctl
Download istioctl CLI:
curl -L https://istio.io/downloadIstio | sh -
cd istio-1.19.0
export PATH=$PWD/bin:$PATH
istioctl version --remote=false
Installing Istio on Kubernetes
# Create namespace
kubectl create namespace istio-system
# Install Istio with demo profile
istioctl install --set profile=demo -y
# Or install with production profile
istioctl install --set profile=production -y
Verify installation:
kubectl get pods -n istio-system
kubectl get svc -n istio-system
Custom Istio Installation
Create custom install configuration:
# istio-config.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: istio-controlplane
spec:
profile: production
meshConfig:
accessLogFile: /dev/stdout
enableTracing: true
outboundTrafficPolicy:
mode: ALLOW_ANY
components:
pilot:
k8s:
resources:
requests:
cpu: 500m
memory: 2Gi
limits:
cpu: 2
memory: 4Gi
ingressGateways:
- name: istio-ingressgateway
enabled: true
k8s:
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2
memory: 1024Mi
egressGateways:
- name: istio-egressgateway
enabled: true
k8s:
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2
memory: 1024Mi
Install:
istioctl install -f istio-config.yaml -y
Sidecar Injection
Automatic Sidecar Injection
Label namespace for automatic injection:
kubectl label namespace production istio-injection=enabled
Verify namespace label:
kubectl get namespace production --show-labels
Manual Sidecar Injection
kubectl apply -f <(istioctl kube-inject -f deployment.yaml)
Sidecar Injection Verification
# Check if sidecar was injected
kubectl get pods -n production -o jsonpath='{.items[0].spec.containers[*].name}'
# Should show: app-container istio-proxy
Disabling Injection per Pod
apiVersion: v1
kind: Pod
metadata:
name: no-sidecar
spec:
annotations:
sidecar.istio.io/inject: "false"
containers:
- name: app
image: myapp:1.0
Traffic Management
VirtualService
Route traffic to specific versions:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: reviews
namespace: production
spec:
hosts:
- reviews
http:
- match:
- uri:
prefix: /reviews/v2
route:
- destination:
host: reviews
subset: v2
- route:
- destination:
host: reviews
subset: v1
weight: 80
- destination:
host: reviews
subset: v2
weight: 20
DestinationRule
Define subsets for routing:
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: reviews
namespace: production
spec:
host: reviews
trafficPolicy:
connectionPool:
tcp:
maxConnections: 100
http:
http1MaxPendingRequests: 100
maxRequestsPerConnection: 2
outlierDetection:
consecutive5xxErrors: 5
interval: 30s
baseEjectionTime: 30s
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
- name: v3
labels:
version: v3
Canary Deployments
Gradually shift traffic to new version:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: app
namespace: production
spec:
hosts:
- app.example.com
http:
- match:
- uri:
prefix: /api
route:
- destination:
host: app
subset: stable
weight: 95
- destination:
host: app
subset: canary
weight: 5
- route:
- destination:
host: app
subset: stable
Retry and Timeout Policies
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: api
namespace: production
spec:
hosts:
- api
http:
- route:
- destination:
host: api
port:
number: 8080
retries:
attempts: 3
perTryTimeout: 2s
timeout: 10s
Circuit Breaking
Prevent cascading failures:
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: api
namespace: production
spec:
host: api
trafficPolicy:
outlierDetection:
consecutive5xxErrors: 3
interval: 30s
baseEjectionTime: 30s
maxEjectionPercent: 50
minRequestVolume: 5
Security with mTLS
Enabling mTLS
Create PeerAuthentication for mutual TLS:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: production
spec:
mtls:
mode: STRICT
STRICT: All traffic must be mTLS
PERMISSIVE: Accept both mTLS and plain text
Authorization Policies
Implement AuthorizationPolicy:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: api-policy
namespace: production
spec:
selector:
matchLabels:
app: api
rules:
- from:
- source:
principals: ["cluster.local/ns/production/sa/web"]
to:
- operation:
methods: ["GET", "POST"]
paths: ["/api/v1/*"]
RequestAuthentication
Validate JWT tokens:
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: jwt-auth
namespace: production
spec:
jwtRules:
- issuer: "https://auth.example.com"
jwksUri: "https://auth.example.com/.well-known/jwks.json"
audiences: "api"
Kiali Dashboard
Installing Kiali
Kiali is included with Istio demo profile. For production:
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.19/samples/addons/kiali.yaml
Accessing Kiali
kubectl port-forward -n istio-system svc/kiali 20000:20000
Access at: http://localhost:20000
Kiali Insights
- Graph: Visualize service mesh topology
- Applications: Monitor application metrics
- Workloads: View workload details
- Services: Service configuration and traffic
- Istio Config: Validation of Istio resources
Advanced Scenarios
Egress Gateway
Control outbound traffic:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: egress-gateway
namespace: istio-system
spec:
selector:
istio: egressgateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "external-api.example.com"
tls:
mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: external-api
namespace: production
spec:
hosts:
- external-api.example.com
gateways:
- istio-system/egress-gateway
http:
- match:
- gateways:
- istio-system/egress-gateway
route:
- destination:
host: external-api.example.com
port:
number: 443
Distributed Tracing
Enable tracing with Jaeger:
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.19/samples/addons/jaeger.yaml
# Port forward to Jaeger
kubectl port-forward -n istio-system svc/jaeger 16686:16686
Access at: http://localhost:16686
Metrics with Prometheus
Prometheus is included for metrics collection:
kubectl port-forward -n istio-system svc/prometheus 9090:9090
Query Istio metrics:
rate(istio_request_total[5m])
histogram_quantile(0.95, istio_request_duration_milliseconds_bucket)
Practical Examples
Example: Production Istio Configuration
---
# Enable strict mTLS
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: production
spec:
mtls:
mode: STRICT
---
# VirtualService for web app
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: web-app
namespace: production
spec:
hosts:
- web-app.example.com
http:
- match:
- uri:
regex: "^/admin.*"
route:
- destination:
host: web-app
subset: v1
timeout: 30s
- route:
- destination:
host: web-app
subset: stable
weight: 90
- destination:
host: web-app
subset: canary
weight: 10
retries:
attempts: 3
perTryTimeout: 10s
---
# DestinationRule with circuit breaking
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: web-app
namespace: production
spec:
host: web-app
trafficPolicy:
connectionPool:
tcp:
maxConnections: 100
http:
http1MaxPendingRequests: 50
maxRequestsPerConnection: 2
outlierDetection:
consecutive5xxErrors: 5
interval: 30s
baseEjectionTime: 30s
subsets:
- name: stable
labels:
version: stable
- name: canary
labels:
version: canary
- name: v1
labels:
version: v1
---
# Authorization policy
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: web-app
namespace: production
spec:
selector:
matchLabels:
app: web-app
rules:
- from:
- source:
principals: ["cluster.local/ns/production/sa/frontend"]
to:
- operation:
methods: ["GET", "POST"]
paths: ["/api/*"]
Conclusion
Istio provides comprehensive service mesh capabilities for Kubernetes microservices on VPS and baremetal infrastructure. By implementing traffic management with VirtualServices and DestinationRules, enforcing security with mTLS and AuthorizationPolicies, and leveraging Kiali for observability, you create a resilient and secure microservices platform. Start with basic sidecar injection and traffic routing, advance to security policies and circuit breaking, then implement advanced features like canary deployments and distributed tracing. Regular monitoring through Kiali and proper configuration of mTLS ensures a production-grade service mesh.