Installing Istio on Amazon EKS (Managed Kubernetes Service)

What is Istio?

Istio is an open-source service mesh: a modernized service networking layer that provides a transparent way to easily and flexibly automate application network processes. It layers transparently onto existing distributed applications. Istio's core concepts are Traffic Management, Observability, and Security.

Why use Istio? 

Istio helps organizations run distributed, microservices-based apps anywhere. Istio’s powerful features provide a unified and more efficient way to secure, connect, and monitor Kubernetes services.

  • Service Mesh is the cloud-native counterpart of TCP/IP. It facilitates application network communication, visibility, and security.
  • Istio is the most popular service mesh implementation at the moment; it relies on Kubernetes but can also be extended to virtual machine workloads.
  • Istio acts as the network layer of the cloud infrastructure and is transparent to applications.

What is the Istio service mesh used for?

Istio manages traffic flows between services, aggregates telemetry data, and enforces access policies, with few to no changes to the application code. It reduces deployment complexity because it layers onto existing distributed applications transparently.

Istio empowers load balancing, service-to-service authentication, and monitoring. Istio’s powerful control plane brings crucial features, such as:

  • Secure service-to-service communication in a cluster with TLS encryption, strong identity-based authorization, and authentication.
  • Automatic load balancing.
  • Fine-grained control of traffic behavior with rich routing rules, fault injection, and failovers.
  • A policy layer and configuration API that support access control, rate limits, and quotas.
  • Automatic logs, metrics, and traces for the whole traffic within a cluster, including cluster ingress and egress.

What is the use of Istio in Kubernetes?

Kubernetes is essentially about managing the application lifecycle through declarative configuration, while a service mesh manages inter-application traffic and improves security management and observability. Once you have an application platform built on Kubernetes, the Istio service mesh eases the implementation of load balancing and traffic control for calls between services.

Istio complements Kubernetes by extending its traffic management, security, and observability for cloud-native distributed applications.

3. Install Istio on Kubernetes


Before we start with Istio we need to set up our Kubernetes cluster.
For this purpose, we will use the Amazon managed Kubernetes service, Amazon EKS.

First, we will use AWS CLI.

1. Create a Virtual Private Cloud (VPC):

aws cloudformation create-stack \
  --region region-code \
  --stack-name my-eks-vpc-NAME \
  --template-url https://amazon-eks.s3.us-west-2.amazonaws.com/cloudformation/2020-10-29/amazon-eks-vpc-private-subnets.yaml

2. Create a cluster IAM role and attach the required Amazon EKS IAM managed policy to it. Kubernetes clusters managed by Amazon EKS make calls to other AWS services on your behalf to manage the resources that you use with the service.

  1. Copy the following contents to a file named cluster-role-trust-policy.json.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the role:

aws iam create-role \
  --role-name myAmazonEKSClusterRole \
  --assume-role-policy-document file://"cluster-role-trust-policy.json"

Attach the managed policy to the role:

aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy \
  --role-name myAmazonEKSClusterRole

Next, create the cluster and name it from the AWS Management Console.

This creates the control plane; next we have to add worker nodes.


Adding nodes to the cluster:
Create a managed node group, specifying the subnets and node IAM role that you created in the previous steps.

To create your Amazon EC2 Linux managed node group

  1. Create a node IAM role and attach the required Amazon EKS IAM managed policy to it. The Amazon EKS node kubelet daemon makes calls to AWS APIs on your behalf. Nodes receive permissions for these API calls through an IAM instance profile and associated policies.

Copy the following contents to a file named node-role-trust-policy.json.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the node IAM role.

aws iam create-role \
  --role-name myAmazonEKSNodeRole \
  --assume-role-policy-document file://"node-role-trust-policy.json"

Attach the required managed IAM policies to the role.

aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy \
  --role-name myAmazonEKSNodeRole
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \
  --role-name myAmazonEKSNodeRole
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy \
  --role-name myAmazonEKSNodeRole
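Before creating either role, it is worth checking that the trust policy document grants sts:AssumeRole to exactly the intended service principal and nothing else. The following check is an added example, not part of the original post: it embeds the two trust policies shown above plus a constructed over-broad policy, and returns findings for any Allow statement that names a different principal, a non-Service principal, or an action wider than sts:AssumeRole.

```python
import json

# Trust policy documents as given on the page (cluster role and node role).
CLUSTER_ROLE_TRUST_POLICY = '''{
  "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow",
                   "Principal": { "Service": "eks.amazonaws.com" },
                   "Action": "sts:AssumeRole" } ]
}'''
NODE_ROLE_TRUST_POLICY = CLUSTER_ROLE_TRUST_POLICY.replace("eks.amazonaws.com", "ec2.amazonaws.com")

# Constructed counter-example (not from the page): lets any AWS principal assume the role.
OVERBROAD_TRUST_POLICY = '''{
  "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "sts:*" } ]
}'''

def _as_list(value):
    # IAM accepts a bare string or a list in most policy fields.
    return value if isinstance(value, list) else [value]

def trust_policy_findings(document, expected_service):
    """Return findings for a role trust policy; an empty list means every Allow
    statement lets only `expected_service` call sts:AssumeRole."""
    policy = json.loads(document)
    findings = []
    statements = _as_list(policy.get("Statement", []))
    if not statements:
        findings.append("policy has no Statement")
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny statements only narrow access
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            findings.append(f"statement {i}: Principal is not a Service principal ({principal!r})")
        else:
            for svc in _as_list(principal["Service"]):
                if svc != expected_service:
                    findings.append(f"statement {i}: unexpected service principal {svc}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"statement {i}: action {action} is broader than sts:AssumeRole")
        if "NotPrincipal" in stmt or "NotAction" in stmt:
            findings.append(f"statement {i}: NotPrincipal/NotAction make the grant hard to reason about")
    return findings

if __name__ == "__main__":
    for name, doc, svc in [("cluster role", CLUSTER_ROLE_TRUST_POLICY, "eks.amazonaws.com"),
                           ("node role", NODE_ROLE_TRUST_POLICY, "ec2.amazonaws.com"),
                           ("overbroad (constructed)", OVERBROAD_TRUST_POLICY, "ec2.amazonaws.com")]:
        print(name, "->", trust_policy_findings(doc, svc) or "OK")
```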

We can add as many nodes as we want from the Compute > Node Groups section of the cluster configuration menu. For the purpose of Istio, we added 2 nodes.


After this step, we are ready with cluster configuration.


3. Now we are ready to install Istio

Download the installation files as follows:
curl -L https://istio.io/downloadIstio | sh -

Then change into the downloaded folder

cd istio-1.13.1

and add the istioctl binary to the PATH variable:
export PATH=$PWD/bin:$PATH


We can start with the installation. Run the following command:

$ istioctl install


The installation is complete.
Next, run the command
$ kubectl label namespace default istio-injection=enabled

namespace/default labeled

This will instruct Istio to inject the sidecar Envoy proxy in each pod from the default namespace.
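The label only affects pods created after it is applied; pods that were already running keep talking to the mesh without a proxy, so mTLS and Istio policy do not cover them. The following script is an added example, not part of the original post: it parses the JSON that `kubectl get pods -n default -o json` prints (a constructed sample is embedded) and lists pods that have no istio-proxy container and were not explicitly opted out with the sidecar.istio.io/inject: "false" annotation.

```python
import json
import sys

# Constructed sample of `kubectl get pods -n default -o json` output (not real cluster data):
# one pod created after the namespace label (has the sidecar), one started before the label
# (no sidecar), and one that deliberately opted out via annotation.
SAMPLE_PODS_JSON = '''{
  "items": [
    { "metadata": { "name": "productpage-v1-abc", "namespace": "default" },
      "spec": { "containers": [ { "name": "productpage" }, { "name": "istio-proxy" } ] } },
    { "metadata": { "name": "legacy-app-xyz", "namespace": "default" },
      "spec": { "containers": [ { "name": "legacy-app" } ] } },
    { "metadata": { "name": "batch-job-123", "namespace": "default",
                    "annotations": { "sidecar.istio.io/inject": "false" } },
      "spec": { "containers": [ { "name": "batch" } ] } }
  ]
}'''

def pods_missing_sidecar(pods_json):
    """Return names of pods with no istio-proxy container that did not opt out of
    injection. These pods bypass the mesh: no mTLS, no Istio authorization policy."""
    result = []
    for pod in json.loads(pods_json).get("items", []):
        meta = pod["metadata"]
        annotations = meta.get("annotations") or {}
        opted_out = annotations.get("sidecar.istio.io/inject") == "false"
        container_names = {c["name"] for c in pod["spec"].get("containers", [])}
        if "istio-proxy" not in container_names and not opted_out:
            result.append(meta["name"])
    return result

if __name__ == "__main__":
    # Live use: kubectl get pods -n default -o json | python3 check_sidecars.py
    data = SAMPLE_PODS_JSON if sys.stdin.isatty() else sys.stdin.read()
    missing = pods_missing_sidecar(data)
    print("pods without sidecar:", missing or "none")
```

Pods reported here need to be recreated (for example with kubectl rollout restart on their deployment) so the injector can add the proxy.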

We can install the Kiali dashboard to visualize the Istio service mesh:

$ kubectl apply -f samples/addons
$ kubectl rollout status deployment/kiali -n istio-system

Waiting for deployment "kiali" rollout to finish: 0 of 1 updated replicas are available...
deployment "kiali" successfully rolled out

and then open it with
$ istioctl dashboard kiali


Author:

Boyan Kirov, Senior DevOps and Cloud engineer @ ITGix
