Enable Istio Proxy Sidecar Injection in Oracle Cloud Native Environment
Introduction
Istio is a service mesh that provides a separate infrastructure layer to handle inter-service communication. Network communication is abstracted from the services themselves and handled by proxies. Istio uses a sidecar design, which means that communication proxies run in their own containers beside every service container. To put Istio automatic sidecar injection into effect, the namespace to be used by an application must be labeled with istio-injection=enabled.
This tutorial uses an existing Highly Available Kubernetes cluster running on Oracle Cloud Native Environment, and has the following modules deployed:
- Kubernetes (
kubernetes) - Oracle Cloud Infrastructure Cloud Controller Manager Module (
oci-ccm)
The starting deployment consists of the following:
- 1 Operator Node
- 3 Control Plane Nodes
- 5 Worker Nodes
It builds upon the labs:
- Deploy Oracle Cloud Native Environment
- Deploy an External Load Balancer with Oracle Cloud Native Environment
- Use OCI Cloud Controller Manager on Oracle Cloud Native Environment
Objectives
This tutorial/lab shows how to install Istio and then enable automatic proxy sidecar injection, and thus take advantage of Istio's features in Oracle Cloud Native Environment.
The following steps will be outlined:
- Install the Istio module.
- Deploy an application without automatic proxy sidecar injection enabled.
- Remove the deployment.
- Enable automatic proxy sidecar injection.
- Deploy the same application again - notice that the pods in the service mesh are executing with an associated Istio sidecar proxy.
Prerequisites
Note: If using the free lab environment these prerequisites are provided as the starting point.
Systems should have:
- A minimum of latest Oracle Linux 8 (x86_64) installed and running the Unbreakable Enterprise Kernel Release 6 (UEK R6).
- Completed the prerequisite steps to install Oracle Cloud Native Environment .
- The Istio module already configured. For more information on deploying the Istio module, see the Oracle Cloud Native Environment Documentation .
Install Istio
Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.
Information: The free lab environment deploys Oracle Cloud Native Environment on the provided nodes, ready for creating environments. This deployment takes approximately 45-50 minutes to finish after launch. Therefore, you might want to step away while this runs and then return to complete the lab.
Open a terminal and connect via ssh to the ocne-operator node.
ssh oracle@<ip_address_of_the_operator-node>Get a list of the module instances.
olcnectl module instances --config-file myenvironment.yamlThe output displays a list of the kubernetes module, the oci-ccm module, and the control plane and worker nodes.
Create the Istio Module
olcnectl module create --environment-name myenvironment --module istio --name myistio --istio-kubernetes-module myclusterInstall the Istio Module
olcnectl module install --environment-name myenvironment --name myistioNote: This takes 3-5 minutes to complete.
Verify Istio is installed and running
Important The
kubectlcommands run from one of the control-plane nodes. The free lab environment installs and configureskubectlon the control plane nodes during deployment.
List the resources created in the
istio-systemnamespace along with the related pod information.ssh ocne-control-01 "kubectl get deployments,pods -n istio-system"Example Output:
NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/grafana 1/1 1 1 17m deployment.apps/istio-egressgateway 2/2 2 2 17m deployment.apps/istio-ingressgateway 2/2 2 2 17m deployment.apps/istiod 2/2 2 2 17m deployment.apps/prometheus-server 1/1 1 1 17m NAME READY STATUS RESTARTS AGE pod/grafana-67f4b94665-wtk6w 1/1 Running 0 17m pod/istio-egressgateway-79c58b7b6d-n9bkf 1/1 Running 0 16m pod/istio-egressgateway-79c58b7b6d-xh7vk 1/1 Running 0 17m pod/istio-ingressgateway-67cfb76cdb-87dkh 1/1 Running 0 16m pod/istio-ingressgateway-67cfb76cdb-jhv56 1/1 Running 0 17m pod/istiod-64c96d75b6-8tzm8 1/1 Running 0 17m pod/istiod-64c96d75b6-gb65q 1/1 Running 0 16m pod/prometheus-server-64469994dc-c9lg8 2/2 Running 0 17mList the services in the
istio-systemnamespace.ssh ocne-control-01 "kubectl get services -n istio-system"Note: The Istio module for Oracle Cloud Native Environment also installs the
grafana,prometheus-server,ingressgatewayandegressgatewaycomponents into in theistio-systemnamespace to be used exclusively by Istio.Example Output:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE grafana ClusterIP 10.105.133.5 <none> 3000/TCP 19m istio-egressgateway ClusterIP 10.106.32.232 <none> 80/TCP,443/TCP,15443/TCP 19m istio-ingressgateway LoadBalancer 10.106.165.33 130.162.225.139 15021:30466/TCP,80:30302/TCP,443:30633/TCP,15012:32766/TCP,15443:31690/TCP 19m istiod ClusterIP 10.104.186.105 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 19m prometheus-server ClusterIP 10.99.210.8 <none> 9090/TCP 19m
Create a simple NGINX deployment (without Istio automatic proxy sidecar injection enabled)
Create a new deployment named
hello-worldthat runs thenginximage.ssh ocne-control-01 "kubectl create deployment --image container-registry.oracle.com/olcne/nginx:1.17.7 hello-world"
View the Kubernetes pods in the default namespace
List the pods.
ssh ocne-control-01 "kubectl get pods"Example Output:
NAME READY STATUS RESTARTS AGE hello-world-85678f8458-4qdzs 1/1 Running 0 94sNote that the
READYcolumn contains1/1confirming that Istio automatic proxy sidecar injection is not enabled.
Delete the NGINX deployment
Delete the
hello-worlddeployment.ssh ocne-control-01 "kubectl delete deployments hello-world"
Enable Istio automatic proxy sidecar injection
To enable Istio automatic sidecar injection, the namespace to be used by an application must be labeled with istio-injection=enabled.
Label the
defaultnamespace toenableIstio sidecar injection.ssh ocne-control-01 "kubectl label namespace default istio-injection=enabled"The output shows the
namespace/default labeled.Confirm the
ISTIO-INJECTIONcolumn shows it has beenenabled.ssh ocne-control-01 "kubectl get namespace -L istio-injection"Example Output:
NAME STATUS AGE ISTIO-INJECTION default Active 25m enabled externalip-validation-system Active 23m istio-system Active 7m33s kube-node-lease Active 25m kube-public Active 25m kube-system Active 25m kubernetes-dashboard Active 22m ocne-modules Active 22m
Create a simple NGINX deployment
Now that Istio sidecar functionality has been enabled, create a new deployment named
hello-worldthat runs thenginximage.ssh ocne-control-01 "kubectl create deployment --image container-registry.oracle.com/olcne/nginx:1.17.7 hello-world"
Confirm the deployment includes an Istio sidecar
List the pods.
ssh ocne-control-01 "kubectl get pods"Example Output:
NAME READY STATUS RESTARTS AGE hello-world-85678f8458-s24zz 2/2 Running 0 105sNote that the
READYcolumn contains2/2, indicating that Istio automatic proxy sidecar injection is enabled and that the pods in the service mesh are running an Istio sidecar proxy.Show details of the pod that confirm that an
istio-proxycontainer is also deployed alongside the application.ssh ocne-control-01 "kubectl describe pods <insert-pod-name-from-get-pods-command-here>"The resultant output confirms that the deployment automatically deploys an Istio sidecar alongside it.
Example Output (Excerpt):
... ... Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Scheduled 82s default-scheduler Successfully assigned default/hello-world-79654ff945-sn9cc to ocne-worker-04 Normal Pulled 82s kubelet Container image "container-registry.oracle.com/olcne/proxyv2:1.19.5" already present on machine Normal Created 82s kubelet Created container istio-init Normal Started 82s kubelet Started container istio-init Normal Pulling 80s kubelet Pulling image "container-registry.oracle.com/olcne/nginx:1.17.7" Normal Pulled 76s kubelet Successfully pulled image "container-registry.oracle.com/olcne/nginx:1.17.7" in 4.921s (4.921s including waiting) Normal Created 76s kubelet Created container nginx Normal Started 76s kubelet Started container nginx Normal Pulled 76s kubelet Container image "container-registry.oracle.com/olcne/proxyv2:1.19.5" already present on machine Normal Created 75s kubelet Created container istio-proxy Normal Started 75s kubelet Started container istio-proxy ...
Disable Istio automatic proxy sidecar injection
Remove Istio sidecar injection in the
defaultnamespace.ssh ocne-control-01 "kubectl label namespace default istio-injection-"The output shows the
namespace/default unlabeled.Confirm the label has been removed from the
defaultnamespace.ssh ocne-control-01 "kubectl get namespace -L istio-injection"Example Output:
NAME STATUS AGE ISTIO-INJECTION default Active 32m externalip-validation-system Active 30m istio-system Active 14m kube-node-lease Active 32m kube-public Active 32m kube-system Active 32m kubernetes-dashboard Active 29m ocne-modules Active 30mDelete the NGINX deployment.
ssh ocne-control-01 "kubectl delete deployments hello-world"
Summary
This completes the demonstration detailing how to enable, and then disable, Istio sidecar injection within Kubernetes namespaces in a Oracle Cloud Native Environment cluster.