View the README for all information on how to insrtall Istio on PKS
Installing Istio in New Kubernetes Clusters Created by PKS with NSX-T Using Helm
This topic describes how to install Istio in a new Kubernetes cluster created by Pivotal Container Service (PKS) with NSX-T using Helm.
Helm is the package manager for Kubernetes that runs on a local machine with kubectl access to the Kubernetes cluster. For more information, see Using Helm with PKS.
The installation process for Istio involves creating a Helm template from the downloaded Istio files. For more information, see Installation with Helm in the Istio documentation.
These instructions are intended for using Istio for the service mesh layer for new Kubernetes clusters, not for retrofitting clusters with pods that currently exist.
Note: Using Tiller with Helm Install is not recommended at this time.
Before performing the procedures in this topic, you must have installed and configured the following:
- PKS v1.2+
- NSX-T v2.3+
- A PKS plan with at least 1 master and 2 worker nodes
Perform the procedures in the sections below to install Istio on a new Kubernetes cluster created by PKS with NSX-T using Helm.
Step 1: Create a New PKS Cluster
Perform the following steps to create a new PKS cluster that uses a medium load balancer:
-
Ensure that you have defined a network profile that implements a medium load balancer so that there are enough virtual servers and ports. For more information, see Using Network Profiles (NSX-T Only).
-
Log in to the PKS CLI.
-
Run the following command to create a cluster:
pks create-cluster CLUSTER-NAME \
--external-hostname HOSTNAME \
--plan PLAN-NAME \
--num-nodes 3 \
--network-profile NETWORK-PROFILE-NAME
Where:
-
CLUSTER-NAME
is a unique name for your new cluster.
-
HOSTNAME
is your external hostname used for accessing the Kubernetes API.
-
PLAN-NAME
is the name of your PKS plan with at least 1 master and 2 worker nodes.
-
NETWORK-PROFILE-NAME
is the name of the network profile you created that implements a medium load balancer.
For example:
$ pks create-cluster k8s-with-istio \
--external-hostname k8s-with-istio \
--plan large \
--num-nodes 3 \
--network-profile network-profile-medium
For more information about creating clusters, see Creating Clusters.
-
Run the following command to populate your local kubeconfig
with cluster credentials and configuration so that you can use kubectl:
pks get-credentials CLUSTER-NAME
Where CLUSTER-NAME
is the name of your new cluster. For example:
$ pks-cluster-med-lb-istio
Step 2: Download Istio and Helm
Perform the following steps to download Istio and Helm onto the machine with kubectl access to the Kubernetes cluster:
-
Run the following command to download Istio:
curl -L https://git.io/getLatestIstio | sh -
-
Change into the directory of the downloaded Istio package.
-
Run the following command to put the istioctl
command line tool in your PATH
:
export PATH=$PWD/bin:$PATH
-
Run the following command to download Helm:
curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash
Step 3: Install Kubernetes CRDs
Run the following command to install Istio’s Custom Resource Definitions (CRDs):
kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
Wait a few seconds for the CRDs to be committed in the kube-apiserver.
Step 4: Create and Install Helm Template
Run the following command to render Istio’s core components to a Kubernetes manifest called istio.yaml
:
helm template install/kubernetes/helm/istio --name istio --namespace istio-system > $HOME/istio.yaml
Step 5: Install Istio Using the Helm Manifest
Perform the following commands to create a namespace and install Istio via the Helm manifest:
kubectl create namespace istio-system
kubectl apply -f $HOME/istio.yaml
Verify Istio Installation
Perform the procedures in the following sections to verify the installation of Istio on PKS with NSX-T.
Step 1: Ensure Services Are Deployed
Perform the following steps to ensure the correct services are deployed:
-
Run the following command to display the Kubernetes services in the Istio namespace:
kubectl get svc -n istio-system
-
Ensure the following Kubernetes services are deployed:
istio-pilot
istio-ingressgateway
istio-policy
istio-telemetry
prometheus
istio-galley
-
istio-sidecar-injector
(optional)
Step 2: Ensure Pods Are Running
Perform the following steps to ensure the correct pods are running:
-
Run the following command to display the pods in the Istio namespace:
kubectl get pods -n istio-system
-
Ensure the Kubernetes pods corresponding to the services are deployed and that all containers are up and running:
istio-pilot-*
istio-ingressgateway-*
istio-egressgateway-*
istio-policy-*
istio-telemetry-*
istio-citadel-*
prometheus-*
istio-galley-*
-
istio-sidecar-injector-*
(optional)
After installing Istio and verifying the installation, you can deploy a test application.
The Bookinfo application is a standard testing application to verify a successful deployment.
Step 1: Deploy the Bookinfo Application
Perform the following steps to deploy the Bookinfo application:
-
The installation already has automatic sidecar injection enabled on the cluster. Our application is going to be using the default
namespace. This requires the label istio-injection=enabled
be applied to the default
namespace. Run the following command:
kubectl label namespace default istio-injection=enabled
-
Deploy the services. Run the following command:
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
-
Confirm all services and pods are correctly defined and running. Run the following commands to display the services and the pods:
kubectl get services
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
details 10.0.0.31 <none> 9080/TCP 6m
kubernetes 10.0.0.1 <none> 443/TCP 7d
productpage 10.0.0.120 <none> 9080/TCP 6m
ratings 10.0.0.15 <none> 9080/TCP 6m
reviews 10.0.0.170 <none> 9080/TCP 6m
kubectl get pods
NAME READY STATUS RESTARTS AGE
details-v1-1520924117-48z17 2/2 Running 0 6m
productpage-v1-560495357-jk1lz 2/2 Running 0 6m
ratings-v1-734492171-rnr5l 2/2 Running 0 6m
reviews-v1-874083890-f0qf0 2/2 Running 0 6m
reviews-v2-1343845940-b34q5 2/2 Running 0 6m
reviews-v3-1813607990-8ch52 2/2 Running 0 6m
Step 2: Configure Ingress
Now that the Bookinfo services are running, you must make the application accessible outside of your Kubernetes cluster with an Istio gateway.
Since PKS uses NSX-T, you use load balancers instead of NodePort.
Perform the following steps to configure the ingress:
-
Define the ingress gateway for the application. Run the following command:
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
-
Confirm that the gateway has been created. Run the following command:
kubectl get gateway
In the output, look for bookinfo-gateway
. For example:
NAME AGE
bookinfo-gateway 32s
-
Run the following command to determine the NSX-T external load balancer IP and service ports:
kubectl get svc istio-ingressgateway -n istio-system
The output resembles the following:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.100.200.220 100.64.80.23,24.24.24.98 80:31380/TCP,443:31390/TCP,31400:31400/TCP,15011:30230/TCP,8060:30211/TCP,853:32055/TCP,15030:30556/TCP,15031:31751/TCP 1h
-
Run the following commands to set the ingress IP and ports:
export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
-
Run the following command to set the gateway URL:
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
Step 3: Confirm Application Is Running
To confirm that the Bookinfo application is running, run the following command:
curl -o /dev/null -s -w "%{http_code}\n" http://${GATEWAY_URL}/productpage
200
You can point your browser to http://$GATEWAY_URL/productpage
to view the Bookinfo web page.
If you refresh the page several times, you should see different versions of reviews shown in the product page, presented in a round robin style (red stars, black stars, no stars). See the following screenshot for an example:

Perform the following steps to uninstall Istio:
-
Delete Istio with the following command:
kubectl delete -f $HOME/istio.yaml
-
Delete the CRDs with the following command:
kubectl delete -f install/kubernetes/helm/istio/templates/crds.yaml -n istio-system
#VMwarePivotalContainerService(PKS)#TanzuKubernetesGridIntegrated(TKGI)#NSX#OtherLanguage#Apache2.0