Standalone Operator Install

This guide installs Istio using the standalone Istio operator. The only dependencies required are a supported Kubernetes cluster, the kubectl command at the version to match the cluster, and the istioctl command at the desired release version.

To install Istio for production use, we recommend installing with istioctl instead.

Prerequisites

  1. Perform any necessary platform-specific setup.

  2. Check the Requirements for Pods and Services.

  3. Install the istioctl command.

  4. Deploy the Istio operator:

    1. $ istioctl operator init

    This command runs the operator by creating the following resources in the istio-operator namespace:

    • The operator custom resource definition
    • The operator controller deployment
    • A service to access operator metrics
    • Necessary Istio operator RBAC rules

    See the available istioctl operator init flags to control which namespaces the controller and Istio are installed into and the installed Istio image sources and versions.

    You can alternatively deploy the operator using Helm:

    1. $ helm template manifests/charts/istio-operator/ \
    2.   --set hub=docker.io/istio \
    3.   --set tag=1.6.0 \
    4.   --set operatorNamespace=istio-operator \
    5.   --set istioNamespace=istio-system | kubectl apply -f -

    Note that you need to download the Istio release to run the above command.

Install

To install the Istio demo configuration profile using the operator, run the following command:

  1. $ kubectl create ns istio-system
  2. $ kubectl apply -f - <<EOF
  3. apiVersion: install.istio.io/v1alpha1
  4. kind: IstioOperator
  5. metadata:
  6.   namespace: istio-system
  7.   name: example-istiocontrolplane
  8. spec:
  9.   profile: demo
  10. EOF

The controller will detect the IstioOperator resource and then install the Istio components corresponding to the specified (demo) configuration.

The Istio operator controller begins the process of installing Istio within 90 seconds of the creation of the IstioOperator resource. The Istio installation completes within 120 seconds.

You can confirm the Istio control plane services have been deployed with the following commands:

  1. $ kubectl get svc -n istio-system
  2. NAME                        TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                                                                      AGE
  3. grafana                     ClusterIP      10.104.1.213     <none>        3000/TCP                                                                     13s
  4. istio-egressgateway         ClusterIP      10.103.243.113   <none>        80/TCP,443/TCP,15443/TCP                                                     17s
  5. istio-ingressgateway        LoadBalancer   10.101.204.227   <pending>     15020:31077/TCP,80:30689/TCP,443:32419/TCP,31400:31411/TCP,15443:30176/TCP   17s
  6. istiod                      ClusterIP      10.96.237.249    <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP,53/UDP,853/TCP                         30s
  7. jaeger-agent                ClusterIP      None             <none>        5775/UDP,6831/UDP,6832/UDP                                                   13s
  8. jaeger-collector            ClusterIP      10.109.244.165   <none>        14267/TCP,14268/TCP,14250/TCP                                                13s
  9. jaeger-collector-headless   ClusterIP      None             <none>        14250/TCP                                                                    13s
  10. jaeger-query                ClusterIP      10.105.128.63    <none>        16686/TCP                                                                    13s
  11. kiali                       ClusterIP      10.102.172.30    <none>        20001/TCP                                                                    13s
  12. prometheus                  ClusterIP      10.102.190.194   <none>        9090/TCP                                                                     13s
  13. tracing                     ClusterIP      10.110.231.250   <none>        80/TCP                                                                       13s
  14. zipkin                      ClusterIP      10.96.63.117     <none>        9411/TCP                                                                     13s
  1. $ kubectl get pods -n istio-system
  2. NAME                                   READY   STATUS    RESTARTS   AGE
  3. grafana-54b54568fc-fk6p5               1/1     Running   0          82s
  4. istio-egressgateway-5444c68db8-9h6dz   1/1     Running   0          87s
  5. istio-ingressgateway-5c68cb968-x7qv9   1/1     Running   0          87s
  6. istio-tracing-9dd6c4f7c-hd9qq          1/1     Running   0          82s
  7. istiod-598984548d-wjq9j                1/1     Running   0          99s
  8. kiali-d45468dc4-4nqdv                  1/1     Running   0          82s
  9. prometheus-6cf46c47fb-tvvkv            2/2     Running   0          82s

Update

Now, with the controller running, you can change the Istio configuration by editing or replacing the IstioOperator resource. The controller will detect the change and respond by updating the Istio installation correspondingly.

For example, you can switch the installation to the default profile with the following command:

  1. $ kubectl apply -f - <<EOF
  2. apiVersion: install.istio.io/v1alpha1
  3. kind: IstioOperator
  4. metadata:
  5.   namespace: istio-system
  6.   name: example-istiocontrolplane
  7. spec:
  8.   profile: default
  9. EOF

You can also enable or disable components and modify resource settings. For example, to enable the Grafana component and increase pilot memory requests:

  1. $ kubectl apply -f - <<EOF
  2. apiVersion: install.istio.io/v1alpha1
  3. kind: IstioOperator
  4. metadata:
  5.   namespace: istio-system
  6.   name: example-istiocontrolplane
  7. spec:
  8.   profile: default
  9.   components:
  10.     pilot:
  11.       k8s:
  12.         resources:
  13.           requests:
  14.             memory: 3072Mi
  15.   addonComponents:
  16.     grafana:
  17.       enabled: true
  18. EOF

You can observe the changes that the controller makes in the cluster in response to IstioOperator CR updates by checking the operator controller logs:

  1. $ kubectl logs -f -n istio-operator $(kubectl get pods -n istio-operator -lname=istio-operator -o jsonpath='{.items[0].metadata.name}')

Refer to the IstioOperator API for the complete set of configuration settings.

Uninstall

Delete the Istio deployment:

  1. $ kubectl delete istiooperators.install.istio.io -n istio-system example-istiocontrolplane

Wait until Istio is uninstalled - this may take some time. Delete the Istio operator:

  1. $ istioctl operator remove

Or:

  1. $ kubectl delete ns istio-operator --grace-period=0 --force

Note that deleting the operator before Istio is fully removed may result in leftover Istio resources. To clean up anything not removed by the operator:

  1. $ istioctl manifest generate | kubectl delete -f -
  2. $ kubectl delete ns istio-system --grace-period=0 --force

See also

Extended and Improved WebAssemblyHub to Bring the Power of WebAssembly to Envoy and Istio

Community partner tooling of Wasm for Istio by Solo.io.

Introducing istiod: simplifying the control plane

Istiod consolidates the Istio control plane components into a single binary.

Declarative WebAssembly deployment for Istio

Configuring Wasm extensions for Envoy and Istio declaratively.

Redefining extensibility in proxies - introducing WebAssembly to Envoy and Istio

The future of Istio extensibility using WASM.

Istio in 2020 - Following the Trade Winds

A vision statement and roadmap for Istio in 2020.

DNS Certificate Management

Provision and manage DNS certificates in Istio.