[ { "id": "architecture", "title": "Architecture", "url": "/architecture", "category": "Concepts", "keywords": null, "content_html": "

Intro

\n\n

Architecture

\n\n

Istio Architecture

\n\n

Istio control plane is a single process - istiod, which contains three components Pilot, Citadel and Galley. You can bring containers in Kubernetes and virtual machines into the Istio mesh together.

\n\n

\"Istio

\n\n

Components

\n\n

The following figure show the components in Istio mesh.

\n\n

\"Istio

\n\n

Transparent Traffic Hijacking

\n\n

The following figure shows the transparent traffic hijacking and traffic routing in Istio.

\n\n

\"Transparent

\n\n

Note

\n\n\n\n

Data Plane

\n\n

Envoy is the default sidecar proxy in Istio.

\n\n

\"Envoy

\n\n

See Envoy section.

\n\n

Envoy

\n\n

xDS

\n\n

Istiod distributes the proxy configurations to Envoy via xDS protocol.

\n\n

\"xDS\"

", "intro_html": "

Istio concepts.

", "description_html": "", "tags": ["Featured"], "updated": "2022-08-04" },{ "id": "istioctl", "title": "istioctl", "url": "/istioctl", "category": "CLI", "keywords": null, "content_html": "

Intro

\n\n

Istioctl Overview

\n\n

Usage

\n\n

istioctl command line usage overview.

\n\n

\"istioctl

\n\n

experimental/x

\n\n

Experimental commands that may be modified or deprecated.

\n\n

\"istioctl-x\"

\n\n

See Istio docs for details.

\n\n

dashboard/dash/d

\n\n

controlz

\n\n

Open the ControlZ web UI for a pod in the Istio control plane.

\n\n
istioctl dashboard controlz [<type>/]<name>[.<namespace>] [flags]\n
\n\n

Example

\n\n
istioctl d controlz istiod-6bc78ccdb-sgdgh -n istio-system\n
\n\n

You will see the ControlZ UI at http://localhost:9876.

\n\n

envoy

\n\n

Open the Envoy admin dashboard for a sidecar.

\n\n
istioctl dashboard envoy [<type>/]<name>[.<namespace>] [flags]\n
\n\n

Example

\n\n
istioctl d envoy details-v1-7d88846999-ptz54 -n default\n
\n\n

You can see the UI at http://localhost:15000/.

\n\n

grafana

\n\n

Open Istio’s Grafana dashboard.

\n\n
istioctl dashboard grafana [flags]\n
\n\n

Example

\n\n
istioctl d grafana\n
\n\n

You can see the Grafana UI at http://localhost:3000.

\n\n

jaeger

\n\n

Open Istio’s Jaeger dashboard.

\n\n
istioctl dashboard jaeger [flags]\n
\n\n

Jaeger is not installed by default, run the following command to install Jaeger.

\n\n
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.14/samples/addons/jaeger.yaml\n
\n\n

See Istio docs for details.

\n\n

Example

\n\n
istioctl d jaeger\n
\n\n

you can see the Jaeger UI at http://localhost:16686.

\n\n

kiali

\n\n

Open Istio’s Kiali dashboard.

\n\n
istioctl dashboard kiali [flags]\n
\n\n

Kiali is not installed by default, run the following command to install Kiali.

\n\n
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.14/samples/addons/kiali.yaml\n
\n\n

See Istio docs for details.

\n\n

Example

\n\n
istioctl d kiali\n
\n\n

You can see the Kiali UI at http://localhost:20001/kiali.

\n\n

prometheus

\n\n

Open Istio’s Prometheus dashboard.

\n\n
istioctl dashboard prometheus [flags]\n
\n\n

Example

\n\n
istioctl d prometheus\n
\n\n

See the Prometheus UI at http://localhost:9090.

\n\n

skywalking

\n\n

Open the Istio dashboard in the SkyWalking UI.

\n\n
istioctl dashboard skywalking [flags]\n
\n\n

SkyWalking is not installed by default, refer to the SkyWalking docs to see how to install.

\n\n

Example

\n\n
istioctl d skywalking\n
\n\n

zipkin

\n\n

Open Istio’s Zipkin dashboard.

\n\n
istioctl dashboard zipkin [flags]\n
\n\n

Zipkin is not installed by default, run the following command to install Zipkin.

\n\n
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.14/samples/addons/extras/zipkin.yaml\n
\n\n

See Istio docs for details.

\n\n

Example

\n\n
istioctl d zipkin\n
\n\n

You can see the Zipkin UI at http://localhost:9411.

\n\n

Frequently Used Commands

\n\n

install

\n\n

The install command generates an Istio install manifest and applies it to a cluster.

\n\n

Example

\n\n
# Apply a default Istio installation\nistioctl install\n\n# Enable Tracing\nistioctl install --set meshConfig.enableTracing=true\n\n# Generate the demo profile and don't wait for confirmation\nistioctl install --set profile=demo --skip-confirmation\n\n# To override a setting that includes dots, escape them with a backslash (\\).  Your shell may require enclosing quotes.\nistioctl install --set \"values.sidecarInjectorWebhook.injectedAnnotations.container\\.apparmor\\.security\\.beta\\.kubernetes\\.io/istio-proxy=runtime/default\"\n\n# For setting boolean-string option, it should be enclosed quotes and escaped with a backslash (\\).\nistioctl install --set meshConfig.defaultConfig.proxyMetadata.PROXY_XDS_VIA_AGENT=\\\"false\\\"\n
\n\n

manifest

\n\n

The manifest command generates and diffs Istio manifests.

\n\n

istioctl manifest install

\n\n
# Apply a default Istio installation\nistioctl install\n\n# Enable Tracing\nistioctl install --set meshConfig.enableTracing=true\n\n# Generate the demo profile and don't wait for confirmation\nistioctl install --set profile=demo --skip-confirmation\n\n# To override a setting that includes dots, escape them with a backslash (\\).  Your shell may require enclosing quotes.\nistioctl install --set \"values.sidecarInjectorWebhook.injectedAnnotations.container\\.apparmor\\.security\\.beta\\.kubernetes\\.io/istio-proxy=runtime/default\"\n\n# For setting boolean-string option, it should be enclosed quotes and escaped with a backslash (\\).\nistioctl install --set meshConfig.defaultConfig.proxyMetadata.PROXY_XDS_VIA_AGENT=\\\"false\\\"\n
\n\n

istioctl manifest generate

\n\n
# Generate a default Istio installation\nistioctl manifest generate\n\n# Enable Tracing\nistioctl manifest generate --set meshConfig.enableTracing=true\n\n# Generate the demo profile\nistioctl manifest generate --set profile=demo\n\n# To override a setting that includes dots, escape them with a backslash (\\).  Your shell may require enclosing quotes.\nistioctl manifest generate --set \"values.sidecarInjectorWebhook.injectedAnnotations.container\\.apparmor\\.security\\.beta\\.kubernetes\\.io/istio-proxy=runtime/default\"\n\n# For setting boolean-string option, it should be enclosed quotes and escaped with a backslash (\\).\nistioctl manifest generate --set meshConfig.defaultConfig.proxyMetadata.PROXY_XDS_VIA_AGENT=\\\"false\\\"\n
\n\n

proxy-config/pc

\n\n

A group of commands used to retrieve information about proxy configuration from the Envoy config dump.

\n\n
# Retrieve information about proxy configuration from an Envoy instance.\nistioctl proxy-config <clusters|listeners|routes|endpoints|bootstrap|log|secret> <pod-name[.namespace]>\n
\n\n

Example

\n\n
# Retrieve cluster summary.\nistioctl pc all\n\n# Show a human-readable Istio and Envoy version summary.\nistioctl pc b reviews-v1-55b668fc65-9twc9 -o short\n\n# Retrieve summary about cluster configuration for a given pod from Envoy.\n\nistioctl pc c reviews-v1-55b668fc65-9twc9\n\n# Retrieve full endpoint configuration for a given pod from Envoy.\nistioctl pc ep reviews-v1-55b668fc65-9twc9\n\n# Retrieve summary about listener configuration for a given pod from Envoy.\nistioctl pc l reviews-v1-55b668fc65-9twc9\n\n# Retrieve summary about route configuration for a given pod from Envoy.\nistioctl pc r reviews-v1-55b668fc65-9twc9\n
\n\n

proxy-status/ps

\n\n

Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in the mesh.

\n\n

Examples

\n\n
# Retrieve sync status for all Envoys in a mesh\nistioctl proxy-status\n\n# Retrieve sync diff for a single Envoy and Istiod\nistioctl proxy-status istio-egressgateway-59585c5b9c-ndc59.istio-system\n\n# Retrieve sync diff between Istiod and one pod under a deployment\nistioctl proxy-status deployment/productpage-v1\n\n# Write proxy config-dump to file, and compare to Istio control plane\nkubectl port-forward -n istio-system istio-egressgateway-59585c5b9c-ndc59 15000 &\ncurl localhost:15000/config_dump > cd.json\nistioctl proxy-status istio-egressgateway-59585c5b9c-ndc59.istio-system --file cd.json\n
", "intro_html": "

Istio command line cheatsheet.

", "description_html": "", "tags": ["Featured"], "updated": "2022-08-05" },{ "id": "observability", "title": "Observability", "url": "/observability", "category": "Concepts", "keywords": null, "content_html": "

Intro

\n\n

Metrics

\n\n

Prometheus

\n\n

The following figure shows the architecture of Prometheus.

\n\n

\"Prometheus

\n\n

Data model

\n\n
<metric name>{<label name>=<label value>, ...} value\n
\n\n

Example

\n\n
api_http_requests_total{method=\"POST\", handler=\"/messages\"} 300\n
\n\n

Metric types

\n\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
TypesDescriptionExample
CountersA counter is a cumulative metric that represents a single monotonically increasing counter whose value can only increase or be reset to zero on restart.Total requests
GaugesA gauge is a metric that represents a single numerical value that can arbitrarily go up and down.Current active requests
HistogramsA histogram samples observations (usually things like request durations or response sizes) and counts them in configurable buckets. It also provides a sum of all observed values.Upstream request time
\n\n

Targets

\n\n\n\n

Istio Standard Metrics

\n\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
ProtocolNameType
HTTP/HTTP2/gRPCistio_requests_totalcounter
HTTP/HTTP2/gRPCistio_request_duration_millisecondshistogram
HTTP/HTTP2/gRPCistio_request_byteshistogram
HTTP/HTTP2/gRPCistio_response_byteshistogram
HTTP/HTTP2/gRPCistio_request_messages_totalcounter
HTTP/HTTP2/gRPCistio_response_messages_totalcounter
TCPistio_tcp_sent_bytes_totalcounter
TCPistio_tcp_received_bytes_totalcounter
TCPistio_tcp_connections_opened_totalcounter
TCPistio_tcp_connections_closed_totalcounter
\n\n

Visit istio.io for details.

", "intro_html": "

Cheatsheet for observability (Metrics, Tracing and Logging) in Istio.

", "description_html": "", "tags": ["Featured"], "updated": "2022-08-03" },{ "id": "setup", "title": "Setup", "url": "/setup", "category": "Others", "keywords": null, "content_html": "

Intro

\n\n

Basic

\n\n

Supported Kubernetes version

\n\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
VersionCurrently SupportedSupported Kubernetes VersionsTested, but not supported
1.15Yes1.22, 1.23, 1.24, 1.251.16, 1.17, 1.18, 1.19, 1.20, 1.21
1.14Yes1.21, 1.22, 1.23, 1.241.16, 1.17, 1.18, 1.19, 1.20
1.13Yes1.20, 1.21, 1.22, 1.231.16, 1.17, 1.18, 1.19
1.12Yes1.19, 1.20, 1.21, 1.221.16, 1.17, 1.18
1.11Yes1.18, 1.19, 1.20, 1.21, 1.221.16, 1.17
1.10No1.18, 1.19, 1.20, 1.211.16, 1.17, 1.22
1.9No1.17, 1.18, 1.19, 1.201.15, 1.16
1.8No1.16, 1.17, 1.18, 1.191.15
1.7No1.16, 1.17, 1.181.15
\n\n

Visit istio.io for more details.

\n\n

Original CLI

\n\n
export VERSION=1.14.0\ncurl -L https://istio.io/downloadIstio | ISTIO_VERSION=${VERSION} sh -\ncd istio-$VERSION\nexport PATH=$PWD/bin:$PATH\nistioctl install --set profile=demo\n
\n\n

See profile section.

\n\n

GetMesh

\n\n
curl -sL https://istio.tetratelabs.io/getmesh/install.sh | bash\ngetmesh istioctl install --set profile=demo\n
\n\n

Istio Operator

\n\n

Operator

\n\n

demo-profile.yaml

\n\n
apiVersion: v1\nkind: Namespace\nmetadata:\n  name: istio-system\n---\napiVersion: install.istio.io/v1alpha1\nkind: IstioOperator\nmetadata:\n  namespace: istio-system\n  name: demo-istio-install\nspec:\n  profile: demo\n
\n\n

Apply the operator:

\n\n
$ kubectl apply -f demo-profile.yaml  \nnamespace/istio-system created\nistiooperator.install.istio.io/demo-istio-install created\n
\n\n

Visit istio.io for more details.

\n\n

Profile

\n\n

The profiles provide customization of the Istio control plane and of the sidecars for the Istio data plane.

\n\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
componentdefaultdemominimalpreview
egress gateway   
ingress gateway 
istiod
\n\n

Except the profiles above, there are external and empty profile that will not install any component list within the table.

\n\n

Resources Limiting

\n\n

Sidecar

\n\n

Using the various resource annotations that Istio supports to control sidecar behavior.

\n\n\n\n

See the details of sidecar annotations.

\n\n

Checklist

\n\n

Install distroless images

\n\n
istioctl install --set tag=1.xx.x-distroless\n
\n\n

Replace 1.xx.x with the right version number.

\n\n

Platforms

\n\n\n\n

Automatic namespace level sidecar injection

\n\n
kubectl label <namespace> default istio-injection=enabled\n
\n\n

Others

\n\n", "intro_html": "

Cheatsheet for installing the Istio control plane on Kubernetes.

", "description_html": "", "tags": ["Featured"], "updated": "2022-03-17" },{ "id": "traffic-management", "title": "Traffic Management", "url": "/traffic-management", "category": "Resources", "keywords": null, "content_html": "

Intro

\n\n

Resources

\n\n\n\n

Gateway

\n\n

Sample

\n\n

sample/traffic-management/gateway.yaml

\n\n
apiVersion: networking.istio.io/v1alpha3\nkind: Gateway\nmetadata:\n  name: bookinfo-gateway\nspec:\n  selector:\n    istio: ingressgateway\n  servers:\n  - port:\n      number: 80\n      name: http\n      protocol: HTTP\n    hosts:\n    - \"bookinfo/*\"\n
\n\n

After creating the Gateway, you also need to create a VirtualService to bind to it.

\n\n

Fields

\n\n

The interpretation of the fields in the sample.

\n\n\n\n

VirtualService

\n\n

Sample

\n\n

sample/resources/virtualservice.yaml

\n\n
apiVersion: networking.istio.io/v1alpha3\nkind: VirtualService\nmetadata:\n  name: bookinfo\nspec:\n  hosts:\n  - \"*\"\n  gateways:\n  - bookinfo-gateway\n  http:\n  - match:\n    - uri:\n        exact: /productpage\n    - uri:\n        prefix: /static\n    - uri:\n        exact: /login\n    - uri:\n        exact: /logout\n    - uri:\n        prefix: /api/v1/products\n    route:\n    - destination:\n        host: productpage\n        port:\n          number: 9080\n        subset: v1\n
\n\n

This VirtualService is bound to the Gateway above. VirtualService and DestinationRule are the basic configuration that affect the traffic routing.

\n\n

Fileds

\n\n

The interpretation of the fields in the sample.

\n\n\n\n

Visit istio.io for more details.

\n\n

DestinationRule

\n\n

Sample

\n\n

sample/resources/destinationrule.yaml

\n\n
apiVersion: networking.istio.io/v1alpha3\nkind: DestinationRule\nmetadata:\n  name: productpage\nspec:\n  host: productpage.bookinfo.svc.cluster.local\n  trafficPolicy:\n    loadBalancer:\n      simple: LEAST_CONN\n  subsets:\n  - name: v1\n    labels:\n      version: v1\n
\n\n

Fileds

\n\n

The interpretation of the fields in the sample.

\n\n\n\n

Visit istio.io for more details.

\n\n

WorkloadEntry

\n\n

Sample

\n\n

sample/resources/workloadentry.yaml

\n\n
apiVersion: networking.istio.io/v1alpha3\nkind: WorkloadEntry\nmetadata:\n  name: details-we\nspec:\n  serviceAccount: details-legacy\n  address: 2.2.2.2\n  labels:\n    app: details-legacy\n    instance-id: vm1\n
\n\n

Fields

\n\n

The interpretation of the fields in the sample.

\n\n\n\n

WorkloadGroup

\n\n

Samples

\n\n

sample/resources/workloadgroup.yaml

\n\n
apiVersion: networking.istio.io/v1alpha3\nkind: WorkloadGroup\nmetadata:\n  name: details-wg\nspec:\n  metadata:\n    labels:\n      app.kubernetes.io/name: details\n  template:\n    ports:\n      http: 8080\n    serviceAccount: default\n  probe:\n    initialDelaySeconds: 5\n    timeoutSeconds: 3\n    periodSeconds: 4\n    successThreshold: 3\n    failureThreshold: 3\n
\n\n

Fields

\n\n

The interpretation of the fields in the sample.

\n\n\n\n

Visit istio.io for more details.

", "intro_html": "

Traffic management API configurations.

", "description_html": "", "tags": ["Featured"], "updated": "2022-03-25" } ]