Istio is a service mesh that addresses the operations and maintenance (O&M), debugging, and security management difficulties of a distributed microservice architecture. It provides load balancing, service-to-service authentication, and monitoring without requiring changes to the microservices themselves.

Prerequisites

  • A Container Service for Kubernetes cluster is created. For more information, see Create a Kubernetes cluster.
  • An Alibaba Cloud account, or a RAM user that has been granted sufficient permissions (for example, the custom cluster-admin role), is used to log on to Alibaba Cloud. For more information, see Configure RBAC permissions for RAM users.

Background information

  • The version of the Kubernetes cluster is V1.10.4 or later. If you are using a Kubernetes cluster of an earlier version, you must upgrade it to V1.10.4 or later.
  • At least three worker nodes are configured for the Kubernetes cluster.

Procedure

  1. Deploy Istio on the Kubernetes cluster.
    1. Log on to the Container Service console.
    2. In the left-side navigation pane under Container Service - Kubernetes, choose Clusters > Clusters.
    3. Find the target cluster, and then choose More > Deploy Istio in the Actions column.
    4. Set the parameters described in the following table to deploy Istio.
      • Cluster: the target cluster where Istio is to be deployed.
      • Namespace: the namespace where Istio is to be deployed.
      • Release Name: the name of the Istio release to be deployed.
      • Enable Prometheus for Metrics/Logs Collection: specifies whether to enable Prometheus for metrics and logs collection. Selected by default.
      • Enable Grafana for Metrics Display: specifies whether to enable Grafana to display metrics. Selected by default.
      • Enable Automatic Istio Sidecar Injection: specifies whether to enable automatic sidecar injection. Selected by default.
      • Enable Kiali Visualized Service Mesh: specifies whether to enable Kiali for service mesh visualization. Cleared by default.
        • Username: the username used to access Kiali. Default value: admin.
        • Password: the password used to access Kiali. Default value: admin. Change the default credentials before you expose Kiali to anyone other than the cluster administrators.
      • Tracing Analysis Settings: specifies whether to activate the Tracing Analysis service. To activate it, select Activate Tracing Analysis (Activate Now), click Set Endpoint, and enter an endpoint such as http://tracing-analysis-dc-hz.aliyuncs.com/.../api/v1/spans. An endpoint of this format is a public network endpoint or an internal network endpoint of the Zipkin API v1; the Zipkin client in the mesh uses it to transmit collected trace data to Tracing Analysis. Where an internal network endpoint is available, prefer it: trace data sent to a public network endpoint transits the public network.
      Note If you use an internal network endpoint, ensure that your Kubernetes cluster and the Tracing Analysis instance are in the same region to maintain stable network performance.
      • Pilot Settings: the trace sampling percentage. Value range: 0 to 100. Default value: 1.
      • Control Egress Traffic:
        • Permitted Addresses for External Access: the IP address ranges that services in the Istio service mesh can access directly, that is, traffic to these ranges bypasses the Istio sidecar proxy and is therefore not subject to mesh policies, mutual TLS, or telemetry. Unspecified by default. Separate multiple IP address ranges with commas (,). Do not add the cluster pod CIDR block or service CIDR block here, or in-cluster traffic will bypass the mesh.
        • Blocked Addresses for External Access: the IP address ranges that services in the Istio service mesh cannot access directly, that is, traffic to these ranges is intercepted by the sidecar proxy. By default, this range contains the cluster pod CIDR block and service CIDR block. Separate multiple IP address ranges with commas (,).
        • All: select this check box to treat every IP address as blocked, so that no address can be accessed directly.
      Note

      The setting of Permitted Addresses for External Access takes precedence over that of Blocked Addresses for External Access.

      For example, if an IP address is contained in the values of both parameters, the setting of Permitted Addresses for External Access prevails, and services can access this IP address directly.

    5. Click Deploy Istio.
      At the bottom of the deployment page, you can view the deployment progress and status in real time.
    To verify that Istio is deployed on the target Kubernetes cluster, perform the following operations:
    • At the bottom of the Deploy Istio page, verify that the status of the Deploy Istio step has changed to Deployed.
    • In the left-side navigation pane under Container Service - Kubernetes, choose Applications > Pods to go to the Pods page. Select the cluster and namespace where Istio is deployed to view the Istio pods.
    • In the left-side navigation pane under Container Service - Kubernetes, choose Ingresses and Load Balancing > Services to go to the Services page. Select the cluster and namespace where Istio is deployed to view the IP addresses for accessing the Istio services.
  2. Modify the Istio Ingress gateway.
    If you deploy Istio V1.1.4 or later on a Kubernetes cluster, an Ingress gateway is created automatically. We therefore recommend that you upgrade Istio to the latest version. To adjust the configuration of the Ingress gateway, follow these steps:
    1. In the left-side navigation pane under Container Service - Kubernetes, choose Applications > Releases. On the Releases page that appears, click the Helm tab.
    2. In the Actions column of the Istio release, click Update. On the Update Release page that appears, you can view the Istio settings, which include the following Ingress gateway section:
      gateways:
        enabled: true
        ingress:
          - enabled: true
            gatewayName: ingressgateway
            # Horizontal autoscaling bounds for the gateway pods.
            maxReplicas: 5
            minReplicas: 1
            # Ports exposed by the gateway Service. nodePort values only matter
            # when serviceType is NodePort.
            ports:
              - name: status-port
                port: 15020
                targetPort: 15020
              - name: http2
                nodePort: 31380
                port: 80
                targetPort: 80
              - name: https
                nodePort: 31390
                port: 443
                # 0 is "unset": Kubernetes defaults targetPort to port (443).
                targetPort: 0
              - name: tls
                port: 15443
                targetPort: 15443
            replicaCount: 1
            # LoadBalancer: ACK provisions an SLB instance for the gateway.
            serviceType: LoadBalancer
        k8singress: {}
    3. Modify the settings related to the Ingress gateway, and then click Update.
      Note
      • replicaCount: the number of gateway replicas.
      • ports: the ports that the gateway Service exposes.
      • serviceType: the Service type. Valid values: LoadBalancer, ClusterIP, and NodePort.
      • serviceAnnotations: annotations on the gateway Service that specify whether to use a public or an internal SLB instance, and whether to reuse an existing SLB instance or create a new one. This parameter is valid only when serviceType is set to LoadBalancer. Note that with a public SLB instance the gateway is reachable from the Internet as soon as the update completes, so configure the gateway's routes and TLS before choosing it. For more information, see Access services by using SLB.
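      The following values fragment is an added example, not content from the original page or from the Istio chart: it rewrites the Ingress gateway section above so that the gateway runs with at least two replicas, exposes only the status and HTTPS ports, and is fronted by an internal (VPC-only) SLB instance that already exists, instead of a freshly created public one. The annotation keys and the SLB instance ID are assumptions: service.beta.kubernetes.io/alicloud-loadbalancer-address-type and service.beta.kubernetes.io/alicloud-loadbalancer-id are the ACK annotation names as known to the editor, and lb-xxxxxxxxxxxxxxxx is a placeholder. Confirm both against Access services by using SLB for your cluster version before you click Update.

```yaml
gateways:
  enabled: true
  ingress:
    - enabled: true
      gatewayName: ingressgateway
      # Never run a single gateway pod: one restart would take the only
      # ingress path down.
      minReplicas: 2
      maxReplicas: 5
      replicaCount: 2
      # Only the health-check port and HTTPS are exposed. Plaintext port 80
      # is dropped; nodePort values are omitted because Kubernetes allocates
      # them automatically for a LoadBalancer Service.
      ports:
        - name: status-port
          port: 15020
          targetPort: 15020
        - name: https
          port: 443
          targetPort: 443
      serviceType: LoadBalancer
      serviceAnnotations:
        # Assumed ACK annotation names; verify against "Access services by using SLB".
        # intranet: the SLB instance gets only a VPC-private address, so the
        # gateway is not reachable from the public network.
        service.beta.kubernetes.io/alicloud-loadbalancer-address-type: intranet
        # Reuse an existing SLB instance instead of creating one.
        # Placeholder ID; replace with your own instance ID.
        service.beta.kubernetes.io/alicloud-loadbalancer-id: lb-xxxxxxxxxxxxxxxx
  k8singress: {}
```

      The weak setting this replaces is the default shown above: serviceType LoadBalancer with no serviceAnnotations, which yields a public SLB instance and an Internet-reachable gateway on ports 80 and 443 the moment the release is updated. Switching to intranet keeps the gateway private until you deliberately publish it.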