Kubernetes Service Mesh with Istio
Istio is a powerful service mesh that provides traffic management, security, and observability for microservices running on Kubernetes. This guide covers istioctl installation, sidecar injection, VirtualServices, DestinationRules, mutual TLS, and the Kiali dashboard for visualizing and managing service communication in your VPS and bare-metal clusters.
Table of Contents
- Service Mesh Overview
- Istio Installation
- Sidecar Injection
- Traffic Management
- Security with mTLS
- Kiali Dashboard
- Advanced Scenarios
- Practical Examples
- Conclusion
Service Mesh Overview
What is Istio?
Istio is a service mesh that manages communication between microservices with:
- Traffic Management: Routing, load balancing, retries
- Security: mTLS, authentication, authorization
- Observability: Metrics, tracing, logging
- Control Plane: Pilot, Citadel, Galley (merged into the single Istiod binary since Istio 1.5)
Architecture
Data Plane: Envoy sidecars in pods
Control Plane: Istiod (unified control plane)
Ingress: Istio Ingress Gateway
Monitoring: Prometheus, Grafana, Jaeger, Kiali
Istio Installation
Prerequisites
- Kubernetes v1.19+
- kubectl configured
- 4GB+ available memory
- 2+ CPU cores
Installing istioctl
Download the istioctl CLI:
curl -L https://istio.io/downloadIstio | sh -
cd istio-1.19.0
export PATH=$PWD/bin:$PATH
istioctl version --remote=false
Installing Istio on Kubernetes
# Create the namespace (istioctl install also creates it if it is missing)
kubectl create namespace istio-system
# Install Istio with the demo profile (for evaluation: extra gateways, verbose telemetry)
istioctl install --set profile=demo -y
# Or install with the "default" profile, the one intended for production deployments
# (there is no built-in profile named "production")
istioctl install --set profile=default -y
Verify the installation:
kubectl get pods -n istio-system
kubectl get svc -n istio-system
Custom Istio Installation
Create custom install configuration:
# istio-config.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio-controlplane
spec:
  # "default" is the production-oriented profile; "production" is not a built-in profile name
  profile: default
  meshConfig:
    accessLogFile: /dev/stdout
    enableTracing: true
    outboundTrafficPolicy:
      # ALLOW_ANY lets sidecars reach any external host directly;
      # REGISTRY_ONLY restricts egress to hosts declared with a ServiceEntry
      mode: ALLOW_ANY
  components:
    pilot:
      k8s:
        resources:
          requests:
            cpu: 500m
            memory: 2Gi
          limits:
            cpu: 2
            memory: 4Gi
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 2
            memory: 1024Mi
    egressGateways:
    - name: istio-egressgateway
      enabled: true
      k8s:
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 2
            memory: 1024Mi
Install:
istioctl install -f istio-config.yaml -y
Sidecar Injection
Automatic Sidecar Injection
Label a namespace for automatic injection:
kubectl label namespace production istio-injection=enabled
Verify the namespace label:
kubectl get namespace production --show-labels
Manual Sidecar Injection
kubectl apply -f <(istioctl kube-inject -f deployment.yaml)
Sidecar Injection Verification
# Check if sidecar was injected
kubectl get pods -n production -o jsonpath='{.items[0].spec.containers[*].name}'
# Should show: app-container istio-proxy
Disabling Injection per Pod
# The annotation belongs under metadata, not spec; the injector ignores it anywhere else
apiVersion: v1
kind: Pod
metadata:
  name: no-sidecar
  annotations:
    sidecar.istio.io/inject: "false"
spec:
  containers:
  - name: app
    image: myapp:1.0
Traffic Management
VirtualService
Route traffic to specific versions:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
  namespace: production
spec:
  hosts:
  - reviews
  http:
  - match:
    - uri:
        prefix: /reviews/v2
    route:
    - destination:
        host: reviews
        subset: v2
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 80
    - destination:
        host: reviews
        subset: v2
      weight: 20
DestinationRule
Define subsets for routing:
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: production
spec:
  host: reviews
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 100
        maxRequestsPerConnection: 2
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 30s
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
Canary Deployments
Gradually shift traffic to the new version:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: app
  namespace: production
spec:
  hosts:
  - app.example.com
  http:
  - match:
    - uri:
        prefix: /api
    route:
    - destination:
        host: app
        subset: stable
      weight: 95
    - destination:
        host: app
        subset: canary
      weight: 5
  - route:
    - destination:
        host: app
        subset: stable
Retry and Timeout Policies
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: api
  namespace: production
spec:
  hosts:
  - api
  http:
  - route:
    - destination:
        host: api
        port:
          number: 8080
    retries:
      attempts: 3
      perTryTimeout: 2s
    timeout: 10s
Circuit Breaking
Prevent cascading failures:
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: api
  namespace: production
spec:
  host: api
  trafficPolicy:
    outlierDetection:
      consecutive5xxErrors: 3
      interval: 30s
      baseEjectionTime: 30s
      # never eject more than half of the endpoints, so a bad upstream
      # cannot take the whole pool out of rotation
      # (minRequestVolume is not an Istio OutlierDetection field and was removed)
      maxEjectionPercent: 50
Security with mTLS
Enabling mTLS
Create PeerAuthentication for mutual TLS:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT
- STRICT: All traffic must be mTLS
- PERMISSIVE: Accept both mTLS and plain text
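The namespace policy above only covers production. As an added example (not from the original guide), the following manifests set a mesh-wide STRICT default in istio-system and then carve out a single workload-level exception, which is the usual shape of a rollout: lock the mesh down, then open only the ports that a client outside the mesh still has to reach. The `app: legacy-api` label and the plaintext port 8080 are assumptions for the illustration.

```yaml
# Added example: layered PeerAuthentication. A workload-level policy wins over
# a namespace-level one, which wins over the mesh-wide default in istio-system.
---
# Mesh-wide default: a PeerAuthentication named "default" in the root namespace
# applies to every namespace that has no policy of its own.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Workload-level exception (assumed label app: legacy-api): every port stays
# STRICT except 8080 (assumed), which an out-of-mesh health probe still uses.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: legacy-api
  namespace: production
spec:
  selector:
    matchLabels:
      app: legacy-api
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: PERMISSIVE
```

After applying, `istioctl x describe pod <pod-name>` reports the PeerAuthentication in effect for a given pod, and the Kiali graph shows a lock icon on edges that are actually encrypted, which is the quickest way to confirm that the PERMISSIVE port is the only plaintext path left.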
Authorization Policies
Implement AuthorizationPolicy:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-policy
  namespace: production
spec:
  selector:
    matchLabels:
      app: api
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/production/sa/web"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/v1/*"]
RequestAuthentication
Validate JWT tokens:
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-auth
  namespace: production
spec:
  jwtRules:
  - issuer: "https://auth.example.com"
    jwksUri: "https://auth.example.com/.well-known/jwks.json"
    audiences: ["api"]   # audiences is a list, not a bare string
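Two behaviours of the policies above trip people up: a RequestAuthentication only rejects requests that present an invalid token, so a request with no token at all still passes, and a workload with no ALLOW policy at all accepts everything. The added example below (not part of the original guide) closes both gaps for the AuthorizationPolicy and RequestAuthentication sections: a namespace-wide deny-all baseline, then an allow rule for the `api` workload that requires both the `web` service account from the page's policy and a valid JWT from the page's issuer. The `/healthz` exemption is an assumption.

```yaml
# Added example: default-deny baseline plus a JWT-gated allow rule.
---
# 1. Deny-all baseline. An ALLOW policy with no rules matches nothing, so every
#    request to a workload in the namespace is rejected unless some other
#    ALLOW policy explicitly matches it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: production
spec: {}
---
# 2. Allow the web service account to call the API only when the request also
#    carries a JWT that the jwt-auth RequestAuthentication validated.
#    requestPrincipals has the form "<issuer>/<subject>"; the trailing "*"
#    accepts any subject issued by https://auth.example.com.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-require-jwt
  namespace: production
spec:
  selector:
    matchLabels:
      app: api
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/production/sa/web"]
        requestPrincipals: ["https://auth.example.com/*"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/v1/*"]
  # Assumed: the liveness probe path stays reachable without a token.
  - to:
    - operation:
        methods: ["GET"]
        paths: ["/healthz"]
```

With the deny-all policy in place, a request from the right service account but without a token now gets an RBAC 403 from the sidecar instead of reaching the application, and the sidecar access log (enabled via `accessLogFile` in the IstioOperator above) records `rbac_access_denied` as the response flag, which is what you want to alert on during rollout.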
Kiali Dashboard
Installing Kiali
Kiali ships with the Istio release as an addon manifest. Install it with:
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.19/samples/addons/kiali.yaml
Accessing Kiali
# The Kiali Service listens on 20001, not 20000
kubectl port-forward -n istio-system svc/kiali 20001:20001
# or simply: istioctl dashboard kiali
Access at: http://localhost:20001
Kiali Insights
- Graph: Visualize service mesh topology
- Applications: Monitor application metrics
- Workloads: View workload details
- Services: Service configuration and traffic
- Istio Config: Validation of Istio resources
Advanced Scenarios
Egress Gateway
Control outbound traffic:
# Gateway: the egress gateway accepts TLS on 443 and passes it through unterminated
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: egress-gateway
  namespace: istio-system
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - "external-api.example.com"
    tls:
      mode: PASSTHROUGH
---
# VirtualService: passthrough TLS is matched on SNI with tls routes, not http
# routes, and it needs two legs: sidecars -> egress gateway, gateway -> external host
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: external-api
  namespace: production
spec:
  hosts:
  - external-api.example.com
  gateways:
  - mesh
  - istio-system/egress-gateway
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - external-api.example.com
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 443
  - match:
    - gateways:
      - istio-system/egress-gateway
      port: 443
      sniHosts:
      - external-api.example.com
    route:
    - destination:
        host: external-api.example.com
        port:
          number: 443
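The Gateway and VirtualService above route the traffic, but they do not make `external-api.example.com` known to the mesh, and with `outboundTrafficPolicy: ALLOW_ANY` from the IstioOperator file earlier a sidecar can still bypass the egress gateway and reach any host directly. This added example (not from the original guide) covers both gaps: it declares the external host with a ServiceEntry and switches the mesh to REGISTRY_ONLY, so the egress gateway becomes the only sanctioned path out. The IstioOperator file name is an assumption.

```yaml
# Added example: register the external host, then deny all other egress.
---
# 1. The ServiceEntry adds external-api.example.com to Istio's service registry.
#    resolution: DNS makes Envoy resolve the name itself at connection time
#    instead of trusting whatever address the client resolved.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-api
  namespace: production
spec:
  hosts:
  - external-api.example.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS
---
# 2. Mesh-wide switch. With REGISTRY_ONLY, a sidecar that tries to reach a host
#    without a ServiceEntry is routed to Envoy's BlackHoleCluster (HTTP clients
#    see a 502, TCP clients a reset), and the attempt shows up in the sidecar
#    access log and in istio_requests_total, so unexpected egress is visible.
#    Apply with: istioctl install -f egress-lockdown.yaml -y   (file name assumed)
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio-controlplane
spec:
  profile: default
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
  components:
    egressGateways:
    - name: istio-egressgateway
      enabled: true
```

Roll this out in two steps: apply the ServiceEntries first while still on ALLOW_ANY, watch the access logs for hosts you forgot, and only then flip to REGISTRY_ONLY; doing it in one step turns every undeclared dependency into an outage.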
Distributed Tracing
Enable tracing with Jaeger:
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.19/samples/addons/jaeger.yaml
# Port forward to the Jaeger UI (the addon exposes it through the "tracing" Service on port 80)
kubectl port-forward -n istio-system svc/tracing 16686:80
# or simply: istioctl dashboard jaeger
Access at: http://localhost:16686
Metrics with Prometheus
Prometheus is included for metrics collection:
kubectl port-forward -n istio-system svc/prometheus 9090:9090
Query Istio metrics:
# Request rate over the last 5 minutes (the metric is istio_requests_total, plural)
rate(istio_requests_total[5m])
# p95 latency: histogram_quantile needs a rate() over the buckets, aggregated by le
histogram_quantile(0.95, sum(rate(istio_request_duration_milliseconds_bucket[5m])) by (le))
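Prometheus alerting rules, as an added example (not from the original guide), that turn the two queries above into something actionable: one alert for a high 5xx ratio per destination service, one for p95 latency, and one for any request the destination sidecar reports as plaintext (`connection_security_policy="none"`), which should be zero once PeerAuthentication is STRICT. The rule file name, the thresholds, and the assumption that your Prometheus loads the file through `rule_files` in prometheus.yml are mine; the metric and label names are the standard Istio telemetry ones.

```yaml
# Added example: istio-alerts.yml (file name assumed), referenced from the
# rule_files: list in prometheus.yml.
groups:
- name: istio-mesh
  rules:
  # Share of 5xx responses per destination service over the last 5 minutes.
  - alert: IstioHigh5xxRatio
    expr: |
      sum by (destination_service) (
        rate(istio_requests_total{reporter="destination", response_code=~"5.."}[5m])
      )
      /
      sum by (destination_service) (
        rate(istio_requests_total{reporter="destination"}[5m])
      ) > 0.05
    for: 10m
    labels:
      severity: warning
    annotations:
      summary: "More than 5% 5xx responses for {{ $labels.destination_service }}"

  # p95 latency per destination service, from the same histogram as the query above.
  - alert: IstioP95LatencyHigh
    expr: |
      histogram_quantile(0.95,
        sum by (le, destination_service) (
          rate(istio_request_duration_milliseconds_bucket{reporter="destination"}[5m])
        )
      ) > 1000
    for: 10m
    labels:
      severity: warning
    annotations:
      summary: "p95 latency above 1s for {{ $labels.destination_service }}"

  # Any request the destination sidecar classified as plaintext. Under a STRICT
  # PeerAuthentication this stays at zero; a non-zero value means a PERMISSIVE
  # gap or an out-of-mesh client is still talking to the workload in the clear.
  - alert: IstioPlaintextTraffic
    expr: |
      sum by (destination_service, source_workload) (
        increase(istio_requests_total{reporter="destination", connection_security_policy="none"}[15m])
      ) > 0
    for: 0m
    labels:
      severity: critical
    annotations:
      summary: "Plaintext requests to {{ $labels.destination_service }} from {{ $labels.source_workload }}"
```

The plaintext alert is the one to keep after the mTLS rollout is done: it is cheap, it fires on the first cleartext request rather than on a ratio, and the `source_workload` label tells you which client still needs a sidecar or a policy exception.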
Practical Examples
Example: Production Istio Configuration
---
# Enable strict mTLS
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT
---
# VirtualService for web app
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: web-app
  namespace: production
spec:
  hosts:
  - web-app.example.com
  http:
  - match:
    - uri:
        regex: "^/admin.*"
    route:
    - destination:
        host: web-app
        subset: v1
    timeout: 30s
  - route:
    - destination:
        host: web-app
        subset: stable
      weight: 90
    - destination:
        host: web-app
        subset: canary
      weight: 10
    retries:
      attempts: 3
      perTryTimeout: 10s
---
# DestinationRule with circuit breaking
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: web-app
  namespace: production
spec:
  host: web-app
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 50
        maxRequestsPerConnection: 2
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 30s
  subsets:
  - name: stable
    labels:
      version: stable
  - name: canary
    labels:
      version: canary
  - name: v1
    labels:
      version: v1
---
# Authorization policy
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: web-app
  namespace: production
spec:
  selector:
    matchLabels:
      app: web-app
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/production/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/*"]
Conclusion
Istio provides comprehensive service mesh capabilities for Kubernetes microservices on VPS and bare-metal infrastructure. By implementing traffic management with VirtualServices and DestinationRules, enforcing security with mTLS and AuthorizationPolicies, and leveraging Kiali for observability, you create a resilient and secure microservices platform. Start with basic sidecar injection and traffic routing, advance to security policies and circuit breaking, then implement advanced features like canary deployments and distributed tracing. Regular monitoring through Kiali and proper configuration of mTLS ensure a production-grade service mesh.


