Before you begin

Before you begin a multicluster installation, review the deployment models guide, which describes the foundational concepts used throughout this guide.

In addition, review the requirements and perform the initial steps below.

Requirements

Cluster

This guide requires that you have two Kubernetes clusters with any of the supported Kubernetes versions: 1.16, 1.17, 1.18, 1.19.

API Server Access

The API Server in each cluster must be accessible to the other clusters in the mesh. Many cloud providers make API Servers publicly accessible via network load balancers (NLB). If the API Server is not directly accessible, you will have to modify the installation procedure to enable access. For example, the east-west gateway used in the multi-network and primary-remote configurations could also be used to enable access to the API Server.

Environment Variables

This guide will refer to two clusters named cluster1 and cluster2. The following environment variables will be used throughout to simplify the instructions:

Variable        Description
CTX_CLUSTER1    The context name in the default Kubernetes configuration file used for accessing the cluster1 cluster.
CTX_CLUSTER2    The context name in the default Kubernetes configuration file used for accessing the cluster2 cluster.

For example:

  $ export CTX_CLUSTER1=cluster1
  $ export CTX_CLUSTER2=cluster2

Configure Trust

A multicluster service mesh deployment requires that you establish trust between all clusters in the mesh. Depending on the requirements for your system, there may be multiple options available for establishing trust. See certificate management for detailed descriptions and instructions for all available options. Depending on which option you choose, the installation instructions for Istio may change slightly.

This guide will assume that you use a common root to generate intermediate certificates for each cluster. Follow the instructions to generate and push a CA certificate secret to both the cluster1 and cluster2 clusters.

If you currently have a single cluster with a self-signed CA (as described in Getting Started), you need to change the CA using one of the methods described in certificate management. Changing the CA typically requires reinstalling Istio. The installation instructions below may have to be altered based on your choice of CA.
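A check to run after pushing the CA secrets, added here as an example (not from the Istio project): it confirms that both clusters hold the same root certificate and that each cluster's intermediate chains to it. It assumes the secret is named cacerts in the istio-system namespace with keys root-cert.pem and ca-cert.pem, and that kubectl, base64 and openssl are on the PATH; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes the CA secret is "cacerts" in namespace "istio-system"
# with keys root-cert.pem and ca-cert.pem (Istio's plug-in CA layout).
# Usage: check_shared_root "${CTX_CLUSTER1}" "${CTX_CLUSTER2}"
NS=istio-system
SECRET=cacerts

# fetch_pem CONTEXT JSONPATH_KEY FILE: write one public certificate from the
# secret to FILE. The private key (ca-key.pem) is never read.
fetch_pem() {
  kubectl --context="$1" -n "$NS" get secret "$SECRET" \
    -o "jsonpath={.data.$2}" | base64 -d > "$3"
  [ -s "$3" ]   # an empty file means the secret or key is missing
}

# pem_body FILE: certificate body without armor lines or whitespace, so that
# line-wrapping differences do not affect the comparison.
pem_body() { grep -v '^-----' "$1" | tr -d ' \t\r\n'; }

# check_shared_root CONTEXT...: returns 0 when every cluster holds the same
# root and its intermediate verifies against it, 1 on a trust mismatch,
# 2 when a secret cannot be read.
check_shared_root() {
  tmp=$(mktemp -d) || return 2
  ref="" ref_ctx="" rc=0 n=0
  for ctx in "$@"; do
    n=$((n + 1))   # index the file names; context names may contain "/"
    if ! { fetch_pem "$ctx" 'root-cert\.pem' "$tmp/$n.root" &&
           fetch_pem "$ctx" 'ca-cert\.pem' "$tmp/$n.ca"; }; then
      echo "$ctx: cannot read $NS/$SECRET" >&2; rc=2; continue
    fi
    body=$(pem_body "$tmp/$n.root")
    if [ -z "$ref" ]; then
      ref=$body; ref_ctx=$ctx
    elif [ "$body" != "$ref" ]; then
      echo "$ctx: root-cert.pem differs from $ref_ctx" >&2
      [ "$rc" -eq 2 ] || rc=1
    fi
    if ! openssl verify -CAfile "$tmp/$n.root" "$tmp/$n.ca" >/dev/null 2>&1; then
      echo "$ctx: ca-cert.pem does not chain to root-cert.pem" >&2
      [ "$rc" -eq 2 ] || rc=1
    fi
  done
  rm -rf "$tmp"
  return "$rc"
}
```

A non-zero result means workloads in one cluster will not be able to validate certificates issued in the other, so resolve it before continuing with the installation.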

Next steps

You’re now ready to install an Istio mesh across multiple clusters. The particular steps will depend on your requirements for network and control plane topology.

Choose the installation that best fits your needs:

For meshes that span more than two clusters, you may need to use more than one of these options. For example, you may have a primary cluster per region (i.e. multi-primary) where each zone has a remote cluster that uses the control plane in the regional primary (i.e. primary-remote).

See deployment models for more information.

See also

Install Multi-Primary

Install an Istio mesh across multiple primary clusters.

Install Multi-Primary on different networks

Install an Istio mesh across multiple primary clusters on different networks.

Install Primary-Remote

Install an Istio mesh across primary and remote clusters.

Install Primary-Remote on different networks

Install an Istio mesh across primary and remote clusters on different networks.

Verify the installation

Verify that Istio has been installed properly on multiple clusters.

Expanding into New Frontiers - Smart DNS Proxying in Istio

Workload Local DNS resolution to simplify VM integration, multicluster, and more.