m-wrona/k8s-istio

k8s-istio

Service mesh exercises using Istio and Kubernetes

ISTIO

Istio-related files can be found in the devops/istio directory.

ISTIO - Install

  1. Install custom resource definitions for Istio
kubectl apply -f devops/istio/crds.yaml
  2. Create namespace for Istio
kubectl create namespace istio-system
  3. Install Istio
kubectl apply -f devops/istio/istio.yaml

ISTIO - Uninstall

kubectl delete namespace istio-system

or

kubectl delete -f devops/istio

ISTIO - commands

  1. Checking stats
kubectl exec -it $POD -c istio-proxy -- sh -c 'curl localhost:15000/stats' | grep httpbin | grep pending

Sample app

The sample app is based on the Istio example.

All services have been split into separate files, which can be found in the devops/bookinfo directory.

Sample app - deployment

  1. Prerequisite

a) Enable sidecar auto-injection for the target namespace

kubectl label namespace default istio-injection=enabled
  2. Make a deployment to K8s
kubectl apply -f devops/bookinfo
  3. Check gateway info
kubectl get gateway
  4. Check destination rules
kubectl get destinationrules

Sample app - removing

kubectl delete -f devops/bookinfo

Sample app - checking access to service

A description of how to check your service address can be found here.

  1. Minikube
export INGRESS_HOST=$(minikube ip)
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT

and then

curl -o /dev/null -s -w "%{http_code}\n" http://${GATEWAY_URL}/productpage

TLS

Global TLS exercise

  1. Create namespaces with auto-injection
kubectl create namespace foo
kubectl label namespace foo istio-injection=enabled
kubectl create namespace bar
kubectl label namespace bar istio-injection=enabled
kubectl create namespace legacy
  2. Check security rules
kubectl get policies.authentication.istio.io --all-namespaces
kubectl get meshpolicies.authentication.istio.io
kubectl get destinationrules.networking.istio.io --all-namespaces -o yaml | grep "host:"

Expected output:

    host: istio-policy.istio-system.svc.cluster.local
    host: istio-telemetry.istio-system.svc.cluster.local
  3. Checking certs
kubectl exec ${pod_id} -it -c istio-proxy -- ls /etc/certs
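
The two manual checks above (destination rule hosts and sidecar certs) can be turned into pass/fail helpers. This is an added example, not part of this repository: the function names are hypothetical, the sample inputs are constructed, and the cert file names assume the Istio releases that still expose meshpolicies.authentication.istio.io and mount Citadel-issued certs at /etc/certs.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample inputs are constructed.

# Hosts the README lists as expected output for the destination-rule check.
EXPECTED_HOSTS='istio-policy.istio-system.svc.cluster.local
istio-telemetry.istio-system.svc.cluster.local'

# Assumption: files Citadel-era Istio mounts at /etc/certs in the sidecar.
EXPECTED_CERTS='cert-chain.pem key.pem root-cert.pem'

# Reads `... -o yaml | grep "host:"` output on stdin; prints each host that
# is not in EXPECTED_HOSTS (a rule that may set a conflicting TLS mode).
unexpected_hosts() {
    tr -d '\r"' | awk '$1 == "host:" { print $2 }' | sort -u |
    while IFS= read -r host; do
        printf '%s\n' "$EXPECTED_HOSTS" | grep -qxF -- "$host" ||
            printf '%s\n' "$host"
    done
}

# Reads `ls /etc/certs` output on stdin; prints each expected file that is
# absent. `kubectl exec -it` allocates a TTY, so lines may end in CR.
missing_certs() {
    listing=$(tr -d '\r' | tr ' \t' '\n\n')
    for f in $EXPECTED_CERTS; do
        printf '%s\n' "$listing" | grep -qxF -- "$f" || printf '%s\n' "$f"
    done
}

# Constructed sample: the two control-plane rules plus one extra rule.
SAMPLE_DR='    host: istio-policy.istio-system.svc.cluster.local
    host: istio-telemetry.istio-system.svc.cluster.local
    host: httpbin.legacy.svc.cluster.local'

echo "unexpected destination rule hosts:"
printf '%s\n' "$SAMPLE_DR" | unexpected_hosts
echo "missing cert files (constructed listing without root-cert.pem):"
printf 'cert-chain.pem\r\nkey.pem\r\n' | missing_certs

# Against a live cluster:
#   kubectl get destinationrules.networking.istio.io --all-namespaces -o yaml \
#     | grep "host:" | unexpected_hosts
#   kubectl exec ${pod_id} -c istio-proxy -- ls /etc/certs | missing_certs
```

Empty output from either helper means the baseline matches; any printed line names the rule host or cert file to investigate before continuing the exercise.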

Documentation
