Installing Istio (Not Anthos Service Mesh) on GKE Autopilot
GKE Autopilot is a mode of operation in Google Kubernetes Engine (GKEin which Google manages your cluster configuration, including your nodes, scaling, security, and other preconfigured settings. Autopilot clusters are optimized to run most production workloads and provision compute resources based on your Kubernetes manifests.
Previously, it was not feasible to install Istio or LinkerD on Autopilot clusters due to the disabled CAP_NET_ADMIN Linux capability, which helps reduce the security attack surface. The only available option for running a service mesh in GKE Autopilot was Anthos Service Mesh.
GKE Autopilot now supports the deployment of custom service meshes and provides the option to enable the NET_ADMIN capability on Autopilot clusters. This allows for the utilization of service meshes and other opt-in use cases.
In this blog, we will delve into the process of enabling the optional Linux capability and installing Istio in a GKE Autopilot cluster.
Prerequisites
- GKE cluster version 1.27 and later.
- gcloud CLI
- Kubectl
Setup a GKE autopilot cluster with NET_ADMIN Linux capability
Set up the environment variables.
export PROJECT_ID="Your-project-id"
export REGION = "Your-region" #ex: europe-west1 Create a new GKE cluster and use --workload-policies=allow-net-admin when you create or update an existing cluster to enable NET_ADMIN capability.
gcloud container clusters create-auto autopilot-istio-example \
--region=$REGION \
--release-channel=regular \
--cluster-version=1.27.2-gke.1200 \
--workload-policies=allow-net-admin \
--project=$PROJECT_ID
Install istio
- Connect to the cluster
gcloud container clusters get-credentials autopilot-istio-demo \
--region=$REGION\
--project=$PROJECT_ID- Download the latest version of istio.
curl -L https://istio.io/downloadIstio | sh -
cd istio-<<VERSION>>
- Install istio with the
democonfiguration profile.
./bin/istioctl install --set profile=demo -y
- Verify the installation and ensure the istio components are running without any errors.
#verify the pod status
kubectl get pods -n istio-system
#verify service status and ensure an external LB is created for istio-ingressgateway
kubectl get svc -n istio-system
Deploy sample application
- Enable istio sidecar injection to
defaultnamespace
kubectl label namespace default istio-injection=enabled- Use the below template to deploy a sample application in
defaultnamespace with all the required istio resources.
cat <<EOF | kubectl apply -f -
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx
name: nginx
---
apiVersion: v1
kind: Service
metadata:
labels:
app: nginx
name: nginx
spec:
ports:
- port: 80
protocol: TCP
targetPort: 80
selector:
app: nginx
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-default-gateway
namespace: istio-system
spec:
selector:
app: istio-ingressgateway # use istio default ingress gateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: nginx
spec:
hosts:
- "autopilot.istio.example" #example host
gateways:
- istio-system/istio-default-gateway
http:
- match:
- uri:
prefix: /
route:
- destination:
host: nginx.default.svc.cluster.local
port:
number: 80
EOF- Verify the pod status and ensure the istio-proxy sidecar container is successfully auto-injected.
kubectl get pods
kubectl get pod -o="custom-columns=NAME:.metadata.name,INIT-CONTAINERS:.spec.initContainers[*].name,CONTAINERS:.spec.containers[*].name"
Test the endpoint with sample requests.
curl -v -H "Host: autopilot.istio.example" \
http://<<ISTIO-INGRESS-GATEWAY-LB-IP>>
Conclusion
In this blog post, we have explored how to enable NET_ADMIN and install Istio on a GKE Autopilot cluster. By following the steps in this post, you can deploy Istio on your Autopilot cluster and take advantage of the benefits of a service mesh.
