Installing Istio on GKE
This page shows you how to install Istio on GKE using the gcloud command line tool or the Google Cloud Platform Console.

Before you start
Take the following steps to enable the Kubernetes Engine API:
- Visit the Kubernetes Engine page in the Google Cloud Platform Console.
- Create or select a project.
- Wait for the API and related services to be enabled. This can take several minutes.
- Make sure that billing is enabled for your project. Learn how to enable billing.

The following command line tools are used on this page:
- gcloud is used to create and delete Kubernetes Engine clusters, including creating and updating clusters with the Istio on GKE add-on. gcloud is included in the Google Cloud SDK: follow the instructions to install and initialize it to work with your GCP projects. If you have an existing gcloud installation, verify that it's at least version 208.0.0:

gcloud version

Note that you don't have to install gcloud to create a new Istio-enabled cluster, as you can use the Google Cloud Platform Console instead, but it's still useful for managing existing clusters and installing other tools like kubectl.
- kubectl is used to manage Kubernetes, the cluster orchestration system used by GKE. You can install kubectl using gcloud:

gcloud components install kubectl
Choose a security option
There are two possible default mesh-wide security options to choose from when creating or updating a cluster with Istio on GKE. Which one you choose depends on your initial application needs.
- Strict mTLS: In this security mode, Istio enforces mutual TLS (mTLS) encryption between all services and control plane components in the mesh by default, unless you override it with destination-specific rules. All calls within the mesh are encrypted and services will not accept unencrypted traffic.
- Permissive mTLS: In this security mode, by default Istio allows services in the mesh to accept both encrypted and unencrypted traffic, and all services send unencrypted calls by default. As with strict mTLS, you can override this for specific services. Use this option if you have services that still need to accept unencrypted traffic, for example if you have not fully migrated your services to Istio and have traffic coming from legacy clients outside the mesh. Istio on GKE provides this mode rather than simply installing Istio with no security enabled, as it makes it easier to migrate to strict mTLS later for added security.
Creating a cluster with Istio on GKE
We suggest creating at least a 4 node cluster with the 2 vCPU machine type when using this add-on. You can deploy Istio itself on the default GKE new cluster setup, but this may not provide enough resources to explore sample applications.

To create a cluster using Istio on GKE from the GCP Console:
- Go to the Kubernetes Engine page in the GCP Console and select Create Cluster.
- Using the default Standard Cluster dialog, choose your preferred number of nodes and machine type, bearing in mind the minimum recommended cluster size for Istio.
- In the Master Version drop-down, select GKE version 1.10.6 or higher. You must select the latest GKE patch release for a given Kubernetes version; for example, for 1.10.9, select 1.10.9-gke.7 rather than 1.10.9-gke.5.
- Select Advanced Options to display additional configuration options, including Istio on GKE.
- Select Enable Istio (beta).
- Select the mTLS security mode you want to use for your cluster from the drop-down.
- Click Create to create your cluster.

Alternatively, create the cluster with gcloud, replacing istio-demo with your chosen cluster name. To create a GKE cluster with Istio enabled and mTLS in strict mode:

gcloud beta container clusters create istio-demo --project=$PROJECT_ID \
    --addons=Istio --istio-config=auth=MTLS_STRICT \
    --cluster-version=latest \
    --machine-type=n1-standard-2 \
    --num-nodes=4

Or to create a GKE cluster with Istio enabled and with mTLS in permissive mode:

gcloud beta container clusters create istio-demo --project=$PROJECT_ID \
    --addons=Istio --istio-config=auth=MTLS_PERMISSIVE \
    --cluster-version=latest \
    --machine-type=n1-standard-2 \
    --num-nodes=4
Adding Istio on GKE to an existing cluster
If you want to update a cluster with the add-on, you may need to first resize your cluster to ensure that you have enough resources for Istio. As when creating a new cluster, we suggest at least a 4 node cluster with the 2 vCPU machine type. Your cluster must also be running GKE version 1.10.6 or higher to use the add-on.

To update an existing cluster with the Istio on GKE add-on from the GCP Console:
- Go to the Kubernetes clusters page in the GCP Console and select the cluster you want to update.
- Select Edit.
- Select Add-ons to display possible add-ons, including Istio on GKE.
- Select Enabled under Istio (beta).
- Select the mTLS security mode you want to use for your cluster from the drop-down.
- Click Save to update your cluster.

Or with gcloud, replacing istio-demo with the cluster name, to add Istio with strict mTLS:

gcloud beta container clusters update istio-demo --project=$PROJECT_ID \
    --update-addons=Istio=ENABLED --istio-config=auth=MTLS_STRICT

Or to add Istio with mTLS in permissive mode to an existing cluster:

gcloud beta container clusters update istio-demo --project=$PROJECT_ID \
    --update-addons=Istio=ENABLED --istio-config=auth=MTLS_PERMISSIVE

Note that the clusters update command may require other parameters, depending on your actual cluster configuration. If you have an existing application on the cluster, you can find out how to migrate it so it's managed by Istio in the Istio documentation.
Verifying installation
To verify that your Istio on GKE installation was successful:
- If you've just created rather than updated a cluster, check that it's up and running with a GKE version of 1.10.6 or higher:

gcloud container clusters list

Output:

NAME        LOCATION       MASTER_VERSION   MASTER_IP       MACHINE_TYPE    NODE_VERSION    NUM_NODES   STATUS
istio-demo  us-central1-b  1.11.2-gke.15    35.239.252.38   n1-standard-2   1.11.2-gke.15   4           RUNNING

- Get the credentials for your new cluster so you can interact with it with kubectl:

gcloud container clusters get-credentials istio-demo --project=$PROJECT_ID

- Ensure the following Kubernetes services are deployed: istio-citadel, istio-egressgateway, istio-pilot, istio-ingressgateway, istio-policy, istio-sidecar-injector, and istio-telemetry (you'll also see the other deployed services):

kubectl get service -n istio-system

NAME                       TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                                                                                   AGE
istio-citadel              ClusterIP      10.47.245.92    <none>        8060/TCP,9093/TCP                                                                                                         12s
istio-egressgateway        ClusterIP      10.47.248.129   <none>        80/TCP,443/TCP                                                                                                            12s
istio-galley               ClusterIP      10.47.248.109   <none>        443/TCP,9093/TCP                                                                                                          12s
istio-ingressgateway       LoadBalancer   10.47.248.117   <pending>     80:31380/TCP,443:31390/TCP,31400:31400/TCP,15011:30221/TCP,8060:32445/TCP,853:30663/TCP,15030:32010/TCP,15031:32633/TCP   12s
istio-pilot                ClusterIP      10.47.251.133   <none>        15010/TCP,15011/TCP,8080/TCP,9093/TCP                                                                                     12s
istio-policy               ClusterIP      10.47.255.244   <none>        9091/TCP,15004/TCP,9093/TCP                                                                                               12s
istio-sidecar-injector     ClusterIP      10.47.240.36    <none>        443/TCP                                                                                                                   12s
istio-statsd-prom-bridge   ClusterIP      10.47.247.135   <none>        9102/TCP,9125/UDP                                                                                                         12s
istio-telemetry            ClusterIP      10.47.242.73    <none>        9091/TCP,15004/TCP,9093/TCP,42422/TCP                                                                                     12s
prometheus                 ClusterIP      10.47.241.188   <none>        9090/TCP                                                                                                                  12s

- Ensure the corresponding Kubernetes pods are deployed and all containers are up and running: istio-pilot-*, istio-policy-*, istio-telemetry-*, istio-egressgateway-*, istio-ingressgateway-*, istio-sidecar-injector-*, and istio-citadel-*. The istio-cleanup-secrets-* and istio-security-post-install-* entries are one-off jobs, so Completed is the expected status for them.

kubectl get pods -n istio-system

NAME                                        READY   STATUS      RESTARTS   AGE
istio-citadel-555d845b65-xfdmj              1/1     Running     0          2d
istio-cleanup-secrets-8x2pl                 0/1     Completed   0          2d
istio-egressgateway-667d854c49-9q5dl        1/1     Running     0          2d
istio-galley-6c9cd5b8bb-4j4jk               1/1     Running     0          2d
istio-ingressgateway-6c796c5594-f972p       1/1     Running     0          2d
istio-pilot-77f74fc6f-rpbfj                 2/2     Running     0          2d
istio-policy-655b87fff-4wbwq                2/2     Running     0          2d
istio-security-post-install-tm2rm           0/1     Completed   1          2d
istio-sidecar-injector-668c9fb4db-p6lwt     1/1     Running     0          2d
istio-statsd-prom-bridge-5b645f6f4d-6pbgf   1/1     Running     0          2d
istio-telemetry-d9848f498-wf6kh             2/2     Running     0          2d
prometheus-6b989699d8-l7jxt                 1/1     Running     0          2d
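The checks above can be scripted so they run after every cluster create or update. The following is an added example, not code from the GKE page or from the Istio project: it parses the output of the commands shown (gcloud version, gcloud container clusters list, kubectl get service and kubectl get pods in istio-system) and fails if gcloud is older than 208.0.0, the cluster is not RUNNING on GKE 1.10.6 or later, or any of the listed Istio components is missing or not fully ready. The embedded samples are constructed to match the output shapes above rather than captured from a cluster, and the cluster name, the selfcheck entry point and the file name are this script's own.

```shell
#!/bin/sh
# Added example (not from the GKE page or the Istio project): scripted version
# of the verification steps above plus the gcloud >= 208.0.0 prerequisite.
# Each check reads the relevant command output on stdin, so it runs against a
# live cluster or against the constructed samples at the bottom.
set -u

# version_ge A B: true when dotted version A >= B, compared numerically per
# component; GKE suffixes such as "-gke.15" are dropped first.
version_ge() {
  a=${1%%-*}; b=${2%%-*}
  first=$(printf '%s\n%s\n' "$a" "$b" | sort -t . -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$first" = "$b" ]
}

# gcloud_version_ok: stdin is `gcloud version`; needs Google Cloud SDK >= 208.0.0.
gcloud_version_ok() {
  v=$(awk '$1 == "Google" && $3 == "SDK" { print $4; exit }')
  [ -n "$v" ] && version_ge "$v" 208.0.0
}

# cluster_version_ok NAME: stdin is `gcloud container clusters list`; the named
# cluster must be RUNNING (last column) with MASTER_VERSION (column 3) >= 1.10.6.
cluster_version_ok() {
  row=$(awk -v n="$1" '$1 == n { print $3, $NF; exit }')
  [ -n "$row" ] || return 1
  set -- $row
  [ "$2" = "RUNNING" ] && version_ge "$1" 1.10.6
}

# Control plane components the page says must be present.
ISTIO_COMPONENTS="istio-citadel istio-egressgateway istio-ingressgateway istio-pilot istio-policy istio-sidecar-injector istio-telemetry"

# istio_services_ok: stdin is `kubectl get service -n istio-system`.
istio_services_ok() {
  out=$(cat); rc=0
  for c in $ISTIO_COMPONENTS; do
    printf '%s\n' "$out" | awk -v n="$c" '$1 == n { found = 1 } END { exit (found ? 0 : 1) }' \
      || { echo "missing service: $c" >&2; rc=1; }
  done
  return $rc
}

# istio_pods_ok: stdin is `kubectl get pods -n istio-system`. Each component
# needs a pod named "<component>-..." with STATUS Running and READY n/n. One-off
# jobs such as istio-cleanup-secrets-* show Completed and are not in the list.
istio_pods_ok() {
  out=$(cat); rc=0
  for c in $ISTIO_COMPONENTS; do
    printf '%s\n' "$out" | awk -v n="$c" '
      index($1, n "-") == 1 { split($2, r, "/"); if ($3 == "Running" && r[1] == r[2]) ok = 1 }
      END { exit (ok ? 0 : 1) }' || { echo "pod not ready: $c" >&2; rc=1; }
  done
  return $rc
}

# Constructed samples (same columns as real output), not captured from a cluster.
SAMPLE_CLUSTERS='NAME        LOCATION       MASTER_VERSION   MASTER_IP       MACHINE_TYPE    NODE_VERSION    NUM_NODES   STATUS
istio-demo  us-central1-b  1.11.2-gke.15    35.239.252.38   n1-standard-2   1.11.2-gke.15   4           RUNNING'
SAMPLE_PODS='NAME                                      READY   STATUS      RESTARTS   AGE
istio-citadel-555d845b65-xfdmj            1/1     Running     0          2d
istio-cleanup-secrets-8x2pl               0/1     Completed   0          2d
istio-egressgateway-667d854c49-9q5dl      1/1     Running     0          2d
istio-ingressgateway-6c796c5594-f972p     1/1     Running     0          2d
istio-pilot-77f74fc6f-rpbfj               2/2     Running     0          2d
istio-policy-655b87fff-4wbwq              2/2     Running     0          2d
istio-sidecar-injector-668c9fb4db-p6lwt   1/1     Running     0          2d
istio-telemetry-d9848f498-wf6kh           2/2     Running     0          2d'

# selfcheck: exercise the parsers on the samples (no cluster or gcloud needed).
selfcheck() {
  printf '%s\n' "$SAMPLE_CLUSTERS" | cluster_version_ok istio-demo \
    && printf '%s\n' "$SAMPLE_PODS" | istio_pods_ok
}

# main CLUSTER: run every check for real, in the order the page lists them.
main() {
  gcloud version | gcloud_version_ok || { echo "gcloud older than 208.0.0" >&2; exit 1; }
  gcloud container clusters list | cluster_version_ok "$1" \
    || { echo "cluster $1 is not RUNNING on GKE 1.10.6 or later" >&2; exit 1; }
  gcloud container clusters get-credentials "$1"
  kubectl get service -n istio-system | istio_services_ok || exit 1
  kubectl get pods -n istio-system | istio_pods_ok || exit 1
  echo "Istio on GKE looks healthy on $1"
}

case ${1:-} in selfcheck) selfcheck ;; "") ;; *) main "$1" ;; esac
```

Run it as sh verify-istio.sh istio-demo against a live cluster, or sh verify-istio.sh selfcheck to exercise the parsers on the embedded samples. Versions are compared component by component rather than as strings, which matters once a 1.10.x cluster is compared against 1.9.x.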
Enabling sidecar injection
To let Istio actually manage your services, each service in your application needs to have an Envoy sidecar proxy running in its pod to proxy network traffic between it and other services, and to communicate with the Istio control plane. You can inject these manually by updating your pods' Kubernetes configuration, or (the simpler option) you can use Istio's webhooks-based automatic sidecar injection. By default, Istio sidecar auto-injection is disabled for all namespaces. To enable auto-injection in your-namespace, run:

kubectl label namespace your-namespace istio-injection=enabled

Any running pods must be restarted for the change to take effect, as the sidecar is added at pod creation time. To disable auto-injection in the namespace, remove the label and restart pods to remove their sidecars.
You can find out how to add sidecars manually in Installing the sidecar.
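Because the sidecar is only added at pod creation time, a labelled namespace can still contain pods that run without one, and those pods talk to the rest of the mesh in plaintext and are not subject to mTLS or Istio policy. The following is an added example, not code from the GKE page or the Istio project, that finds such pods from a kubectl jsonpath listing and optionally deletes them so their controllers recreate them through the injection webhook. The jsonpath layout, the --restart flag and the container name check for istio-proxy are this script's own choices; the sidecar.istio.io/inject annotation is Istio's opt-out mechanism.

```shell
#!/bin/sh
# Added example, not code from the GKE page or the Istio project. Labelling a
# namespace only affects pods created afterwards: pods that were already running,
# or that opt out via the sidecar.istio.io/inject annotation, keep running without
# an Envoy sidecar, so their traffic bypasses mTLS and Istio policy. This script
# finds such pods and, on request, deletes them so their controllers recreate
# them with the sidecar injected (a bare pod with no controller is simply gone).
set -u

# One line per pod: "<namespace> <pod> <container name>..." (kubectl jsonpath).
PODS_JSONPATH='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{range .spec.containers[*]}{.name}{" "}{end}{"\n"}{end}'

# pods_without_sidecar: reads those lines on stdin, prints "<namespace>/<pod>"
# for every pod lacking a container named exactly "istio-proxy", and returns 1
# if it found any (a container merely called "sidecar" does not count).
pods_without_sidecar() {
  awk '
    NF >= 3 {
      has = 0
      for (i = 3; i <= NF; i++) if ($i == "istio-proxy") has = 1
      if (!has) { print $1 "/" $2; missing++ }
    }
    END { exit (missing > 0) }'
}

# injection_enabled NAMESPACE: true if the namespace carries istio-injection=enabled.
injection_enabled() {
  [ "$(kubectl get namespace "$1" -o jsonpath='{.metadata.labels.istio-injection}')" = "enabled" ]
}

# main NAMESPACE [--restart]: report unproxied pods; with --restart, delete them
# so Deployments/ReplicaSets recreate them through the injection webhook.
main() {
  ns=$1
  injection_enabled "$ns" \
    || { echo "label $ns first: kubectl label namespace $ns istio-injection=enabled" >&2; exit 1; }
  unproxied=$(kubectl get pods -n "$ns" -o jsonpath="$PODS_JSONPATH" | pods_without_sidecar) \
    && { echo "all pods in $ns have a sidecar"; return 0; }
  echo "pods without istio-proxy:"; printf '%s\n' "$unproxied"
  if [ "${2:-}" = "--restart" ]; then
    for p in $unproxied; do kubectl delete pod -n "${p%%/*}" "${p#*/}"; done
  fi
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run sh sidecar-check.sh your-namespace to report, and add --restart to recreate the offending pods. Run it again afterwards: a pod that is still listed after a restart has opted out of injection and needs a deliberate decision rather than another restart.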
Updating security defaults
Switching the default Istio mTLS security mode in a running cluster from Strict to Permissive, or vice versa, uses the same steps and command as adding Istio to a cluster. From the GCP Console:
- Go to the Kubernetes clusters page in the GCP Console and select the cluster you want to update.
- Select Edit.
- Select Add-ons to display possible add-ons, including Istio on GKE.
- Select the mTLS security mode you want to use for your cluster from the drop-down.
- Click Save to update your cluster.

Or with gcloud, replacing istio-demo with the cluster name, to change your cluster to strict mTLS:

gcloud beta container clusters update istio-demo --project=$PROJECT_ID \
    --update-addons=Istio=ENABLED --istio-config=auth=MTLS_STRICT

Or to change your cluster to mTLS in permissive mode:

gcloud beta container clusters update istio-demo --project=$PROJECT_ID \
    --update-addons=Istio=ENABLED --istio-config=auth=MTLS_PERMISSIVE
Be aware that if you enable strict mTLS while you still have services that need to send or receive unencrypted traffic, your application may break! You can find out more about migrating to strict mTLS in Mutual TLS Migration. You can also specify more fine-grained destination-specific authentication policies. Destination-specific authentication policies will always override any global default mTLS setting, even if you switch from Strict to Permissive or vice versa.
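The safer way to handle a single service that still has plaintext clients is to keep the cluster default at MTLS_STRICT and carve out only that destination, rather than dropping the whole mesh to permissive. The following is an added example, not code from the GKE page or the Istio project. It generates the two Istio 1.0 objects involved (an authentication.istio.io/v1alpha1 Policy scoped to one service, and a networking.istio.io/v1alpha3 DestinationRule for its in-mesh callers), applies them, and removes the exception again once the legacy clients are gone. The namespace and service names are arguments, and istioctl authn tls-check is assumed to be the Istio 1.0 istioctl command available on the PATH.

```shell
#!/bin/sh
# Added example, not from the GKE page or the Istio project. It shows the
# destination-specific override described above using the Istio 1.0 APIs that
# the add-on installs: the cluster default stays MTLS_STRICT, one service that
# still has sidecar-less legacy clients is carved out as PERMISSIVE, and a
# DestinationRule keeps in-mesh callers of that service on mTLS. The namespace
# and service names are arguments; "istioctl authn tls-check <service>" is the
# Istio 1.0 command for confirming the result and is assumed to be on PATH.
set -u

# Server side (the weak setting, scoped to one service): accept both mTLS and
# plaintext. Apply this only to the service that still needs it; a mesh-wide
# PERMISSIVE default would let every service accept plaintext.
permissive_policy() {   # args: namespace service
  cat <<EOF
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: $2-permissive
  namespace: $1
spec:
  targets:
  - name: $2
  peers:
  - mtls:
      mode: PERMISSIVE
EOF
}

# Client side: sidecars calling the service still originate mTLS, so only the
# legacy clients that have no sidecar actually send plaintext.
mutual_destination_rule() {   # args: namespace service
  cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: $2-mtls
  namespace: $1
spec:
  host: $2.$1.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
EOF
}

# exception_manifest: both objects as one multi-document YAML stream.
exception_manifest() {
  permissive_policy "$1" "$2"; echo '---'; mutual_destination_rule "$1" "$2"
}

# main add|remove NAMESPACE SERVICE. "remove" is the hardened end state once the
# legacy clients are gone: with MTLS_STRICT as the cluster default, deleting
# the Policy makes the service strict again (the DestinationRule can stay).
main() {
  case $1 in
    add)    exception_manifest "$2" "$3" | kubectl apply -f - ;;
    remove) kubectl delete policy "$3-permissive" -n "$2" ;;
    *)      echo "usage: $0 add|remove NAMESPACE SERVICE" >&2; exit 2 ;;
  esac
  # Istio 1.0 istioctl reports, per host, whether the server side is HTTP,
  # HTTP/mTLS (permissive) or mTLS (strict) and which policy produced that.
  istioctl authn tls-check "$3.$2.svc.cluster.local"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Use sh mtls-exception.sh add foo legacy-svc while the legacy clients exist and sh mtls-exception.sh remove foo legacy-svc when they are gone; the tls-check output at the end is what tells you the exception (and later its removal) actually took effect, which is the check to run before and after any switch of the cluster-wide mode.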
You can find out much more about configuring and working with Istio security, including setting up role based authorization, in the Istio site.
Adding Prometheus
An instance of Prometheus is installed by default with Istio on GKE to collect metrics about cluster health for internal Google network operations. This Prometheus service cannot be used for your own service metrics. If you want to install your own Prometheus for metrics collection, install the following manifest:

curl https://storage.googleapis.com/gke-release/istio/release/1.0.3-gke.0/patches/install-prometheus.yaml | kubectl apply -n istio-system -f -

If you want to review or edit the manifest before applying it, save it locally first (for example with curl -O) and apply the edited file with kubectl apply -n istio-system -f instead of piping it straight into kubectl. Installing this manifest creates a new Prometheus service and deployment called "prometheus-user" to collect user metrics. This Prometheus is entirely under your control and is not managed by Google.
Adding adapters
Istio uses backend adapters that let your services send telemetry information to tools like Stackdriver, Grafana, and ServiceGraph. You can find out more about using these tools in the Istio telemetry documentation and the Stackdriver Monitoring documentation.

The only adapter that Istio on GKE installs for you by default is the Stackdriver adapter. If you need other adapters you can use Helm to install them once your cluster is created as follows:
- Select the adapter options you want to install.
- Generate the Istio manifest using Helm, specifying the relevant options when running the Helm tool.
- Apply only the YAML for the selected adapters to the cluster. If you apply the entire generated manifest you will experience a service disruption, because it also contains the control plane components that the add-on already manages.
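Helm marks every document in its rendered output with a "# Source: istio/charts/<chart>/..." comment, which is what makes the third step mechanical. The following is an added example, not code from the GKE page or the Istio project: it filters the helm template output down to one chart's documents before they reach kubectl. The chart path under the Istio release download, the release name and the "<adapter>.enabled" value names follow the Istio 1.0 Helm chart and should be treated as assumptions to confirm against your release.

```shell
#!/bin/sh
# Added example, not from the GKE page or the Istio project. Helm's rendered
# manifest marks every document with "# Source: istio/charts/<chart>/...", so
# the YAML for one adapter can be cut out of the full render and applied on its
# own, leaving the add-on's managed control plane untouched. The chart path,
# release name and "<adapter>.enabled" value names follow the Istio 1.0 Helm
# chart in the Istio release download; treat them as assumptions to check
# against your release.
set -u

# only_chart NAME: reads `helm template` output on stdin and passes through
# only documents whose "# Source:" line is under istio/charts/NAME/.
only_chart() {
  awk -v want="istio/charts/$1/" '
    /^---[[:space:]]*$/ { keep = 0; next }                       # document boundary
    /^# Source: /        { keep = (index($0, want) > 0); if (keep) print "---" }
    keep                 { print }'
}

# main ADAPTER [ISTIO_DIR]: render the chart with the adapter enabled, keep only
# that adapter's documents, and apply them to istio-system. ISTIO_DIR is the
# unpacked Istio release directory (default: current directory).
main() {
  adapter=$1; dir=${2:-.}
  helm template "$dir/install/kubernetes/helm/istio" --name istio --namespace istio-system \
    --set "$adapter.enabled=true" \
    | only_chart "$adapter" \
    | kubectl apply -n istio-system -f -
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

For example, sh add-adapter.sh grafana ~/istio-1.0.3 renders with --set grafana.enabled=true and applies only the istio/charts/grafana documents. Pipe the filtered output into a file first and read it if you want to see exactly which objects will be created; anything outside the adapter's chart directory is dropped by the filter rather than applied.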
Enabling Stackdriver tracing and logging
If the Stackdriver Monitoring API is enabled in your project, the Istio Stackdriver adapter is enabled for you as part of Istio on GKE, and Istio service metrics appear in the Metrics Explorer by default. Once you have installed Istio on GKE, you can also enable Stackdriver trace and logging features for your mesh.

Enabling tracing
To enable Stackdriver tracing:
- Ensure that the Stackdriver Trace API is enabled for your project.
- Download the manifest (stackdriver-tracing.yaml).
- Apply the manifest with the following command:

kubectl apply -f stackdriver-tracing.yaml

Enabling logging
To enable Stackdriver logging:
- Ensure that the Stackdriver Logging API is enabled for your project.
- Download the manifest (stackdriver-logs.yaml).
- Apply the manifest with the following command:

kubectl apply -f stackdriver-logs.yaml
What's next?
- Try installing and exploring the Bookinfo example to see what Istio can do. To get the sample app and the istioctl tool, go to the Istio release page to download the installation file corresponding to the OS where you're running your commands. Then follow the instructions to deploy and test the application (you don't need to deploy Istio itself) in the GKE Installing Istio tutorial.
- Find out lots more about Istio in the open source documentation.
- If you need to remove the Istio add-on from a cluster, see Uninstalling Istio on GKE.