Quick Start with Kubernetes
Istio 1.1 has been tested with these Kubernetes releases: 1.10, 1.11, 1.12.
To install and configure Istio in a Kubernetes cluster, follow these instructions:
Check the Requirements for Pods and Services.
Install Istio’s Custom Resource Definitions via
kubectl apply, and wait a few seconds for the CRDs to be committed in the kube-apiserver:
$ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
To install Istio’s core components you can choose any of the following four mutually exclusive options described below. However, for a production setup of Istio, we recommend installing with the Helm Chart, to use all the configuration options. This permits customization of Istio to operator specific requirements.
Option 1: Install Istio with mutual TLS enabled and set to use permissive mode between sidecars
Visit our mutual TLS permissive mode page for more information.
Choose this option for:
- Clusters with existing applications,
- Applications where services with an Istio sidecar need to be able to communicate with other non-Istio Kubernetes services,
- Applications that use liveness and readiness probes,
- Headless services, or
To install Istio with mutual TLS enabled and set to use permissive mode between sidecars:
$ kubectl apply -f install/kubernetes/istio-demo.yaml
In this option, all services, as servers, can accept both plain text and mutual TLS traffic. However, all services, as clients, will send plain text traffic. Visit mutual migration for how to configure clients behavior.
Option 2: Install Istio with default mutual TLS authentication
Use this option only on a fresh Kubernetes cluster where newly deployed workloads are guaranteed to have Istio sidecars installed.
To Install Istio and enforce mutual TLS authentication between sidecars by default:
$ kubectl apply -f install/kubernetes/istio-demo-auth.yaml
Option 3: Render Kubernetes manifest with Helm and deploy with
Follow our setup instructions to
render the Kubernetes manifest with Helm and deploy with
Option 4: Use Helm and Tiller to manage the Istio deployment
Follow our instructions on how to use Helm and Tiller to manage the Istio deployment.
Verifying the installation
To ensure the following Kubernetes services are deployed:
prometheus, and optionally,
istio-sidecar-injector, verify they all have an appropriate
$ kubectl get svc -n istio-system
If your cluster is running in an environment that does not support an external load balancer (e.g., minikube), the
<pending>. You will need to access it using the service NodePort, or use port-forwarding instead.
Ensure the corresponding Kubernetes pods are deployed and all containers:
prometheus-*, and, optionally,
istio-sidecar-injector-*, have a
$ kubectl get pods -n istio-system
Deploy your application
You can now deploy your own application or one of the sample applications provided with the installation like Bookinfo.
Note: The application must use HTTP/1.1 or HTTP/2.0 protocol for all its HTTP traffic because HTTP/1.0 is not supported.
If you started the
you can deploy the application directly using
The Istio-Sidecar-injector will automatically inject Envoy containers into your
application pods. The injector assumes the application pods are running in
namespaces labeled with
$ kubectl label namespace <namespace> istio-injection=enabled $ kubectl create -n <namespace> -f <your-app-spec>.yaml
If you don’t have the Istio-sidecar-injector installed, you must use
to manually inject Envoy containers in your application pods before deploying
$ istioctl kube-inject -f <your-app-spec>.yaml | kubectl apply -f -
Uninstall Istio core components
The uninstall deletes the RBAC permissions, the
istio-system namespace, and
all resources hierarchically under it. It is safe to ignore errors for
non-existent resources because they may have been deleted hierarchically.
If you installed Istio with
$ kubectl delete -f install/kubernetes/istio-demo.yaml
If you installed Istio with
$ kubectl delete -f install/kubernetes/istio-demo-auth.yaml
If you installed Istio with Helm, follow the uninstall Istio with Helm steps.
If desired, delete the CRDs:
$ kubectl delete -f install/kubernetes/helm/istio/templates/crds.yaml -n istio-system
Instructions to download the Istio release.
Instructions for integrating VMs and bare metal hosts into an Istio mesh deployed on Kubernetes.
Instructions for installing the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI.
Example multicluster between IBM Cloud Kubernetes Service & IBM Cloud Private.
Install an Istio mesh across multiple Kubernetes clusters with direct network access to remote pods.
Install an Istio mesh across multiple Kubernetes clusters using Istio Gateway to reach remote pods.