Note:

Enable Istio Proxy Sidecar Injection in Oracle Cloud Native Environment

Introduction

Istio is a service mesh that provides a separate infrastructure layer for inter-service communication. Network communication is abstracted from the services themselves and handled by proxies. Istio uses a sidecar design, which means that communication proxies run in their own containers beside every service container. An application’s namespace must use the istio-injection=enabled label to have Istio’s automatic sidecar injection take effect.

Objectives

At the end of this tutorial, you should be able to do the following:

Prerequisites

Deploy Oracle Cloud Native Environment

Note: If running in your own tenancy, read the linux-virt-labs GitHub project README.md and complete the prerequisites before deploying the lab environment.

  1. Open a terminal on the Luna Desktop.

  2. Clone the linux-virt-labs GitHub project.

    git clone https://github.com/oracle-devrel/linux-virt-labs.git

  3. Change into the working directory.

    cd linux-virt-labs/ocne

  4. Install the required collections.

    ansible-galaxy collection install -r requirements.yml

  5. Deploy the lab environment.

    ansible-playbook create_instance.yml -e localhost_python_interpreter="/usr/bin/python3.6" -e use_oci_ccm=true

    The free lab environment requires the extra variable local_python_interpreter, which sets ansible_python_interpreter for plays running on localhost. This variable is needed because the environment installs the RPM package for the Oracle Cloud Infrastructure SDK for Python, located under the python3.6 modules.

    Important: Wait for the playbook to run successfully and reach the pause task. At this stage of the playbook, the installation of Oracle Cloud Native Environment is complete, and the instances are ready. Take note of the previous play, which prints the public and private IP addresses of the nodes it deploys and any other deployment information needed while running the lab.

Install Istio

  1. Open a terminal and connect via SSH to the ocne-operator node.

    ssh oracle@<ip_address_of_node>

  2. List the module instances.

    olcnectl module instances --environment-name myenvironment

    The output displays a list showing the Kubernetes and oci-ccm modules, the control plane, and worker nodes. The Istio module requires the oci-ccm module to handle the ingress gateway Load Balancer service type when running on Oracle Cloud Infrastructure.

  3. Create a custom Istio configuration file.

    This file creates the Istio ingress gateway by applying the appropriate Oracle Cloud Infrastructure Cloud Controller Manager (oci-ccm) module annotations to the istio-ingressgateway service. These specific annotations create a private Load balancer with a flexible shape.

    cat << EOF | tee istio-lb.yaml > /dev/null
components:
  ingressGateways:
  - name: istio-ingressgateway
    k8s:
      serviceAnnotations:
        service.beta.kubernetes.io/oci-load-balancer-security-list-management-mode: "None"
        service.beta.kubernetes.io/oci-load-balancer-internal: "true"
        service.beta.kubernetes.io/oci-load-balancer-shape: "flexible"
        service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "10"
        service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "10"
EOF

  4. Create the Istio Module

    olcnectl module create --environment-name myenvironment --module istio --name myistio --istio-kubernetes-module mycluster --istio-profile=istio-lb.yaml

  5. Install the Istio Module

    olcnectl module install --environment-name myenvironment --name myistio

    Note: This takes 3-5 minutes to complete.

Verify Istio is Running

The Istio module for Oracle Cloud Native Environment installs the grafana, prometheus-server, ingressgateway, and egressgateway components into the istio-system namespace for exclusive use by Istio.

  1. List the resources created in the istio-system namespace and the related pod information.

    ssh ocne-control-01 "kubectl get deployments,pods -n istio-system"

    Example Output:

    NAME                                   READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/grafana                1/1     1            1           17m
deployment.apps/istio-egressgateway    2/2     2            2           17m
deployment.apps/istio-ingressgateway   2/2     2            2           17m
deployment.apps/istiod                 2/2     2            2           17m
deployment.apps/prometheus-server      1/1     1            1           17m

NAME                                        READY   STATUS    RESTARTS   AGE
pod/grafana-67f4b94665-wtk6w                1/1     Running   0          17m
pod/istio-egressgateway-79c58b7b6d-n9bkf    1/1     Running   0          16m
pod/istio-egressgateway-79c58b7b6d-xh7vk    1/1     Running   0          17m
pod/istio-ingressgateway-67cfb76cdb-87dkh   1/1     Running   0          16m
pod/istio-ingressgateway-67cfb76cdb-jhv56   1/1     Running   0          17m
pod/istiod-64c96d75b6-8tzm8                 1/1     Running   0          17m
pod/istiod-64c96d75b6-gb65q                 1/1     Running   0          16m
pod/prometheus-server-64469994dc-c9lg8      2/2     Running   0          17m

  2. List the services in the istio-system namespace.

    ssh ocne-control-01 "kubectl get services -n istio-system"

    Example Output:

    NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP       PORT(S)                                                                      AGE
grafana                ClusterIP      10.105.133.5     <none>            3000/TCP                                                                     19m
istio-egressgateway    ClusterIP      10.106.32.232    <none>            80/TCP,443/TCP,15443/TCP                                                     19m
istio-ingressgateway   LoadBalancer   10.106.165.33    10.0.0.59         15021:30466/TCP,80:30302/TCP,443:30633/TCP,15012:32766/TCP,15443:31690/TCP   19m
istiod                 ClusterIP      10.104.186.105   <none>            15010/TCP,15012/TCP,443/TCP,15014/TCP                                        19m
prometheus-server      ClusterIP      10.99.210.8      <none>            9090/TCP                                                                     19m

    Notice that the istio-ingressgateway is a LoadBalancer Service type. These Service types cause the oci-ccm module to generate a private Load balancer based on the custom configuration we added to the Istio deployment.

Create an NGINX Deployment

  1. Create a new hello-world deployment that runs the nginx image.

    ssh ocne-control-01 "kubectl create deployment --image ghcr.io/oracle/oraclelinux8-nginx:1.20 hello-world"

View the Kubernetes Pods

  1. List the Pods in the default namespace.

    ssh ocne-control-01 "kubectl get pods"

    Example Output:

    NAME                           READY   STATUS    RESTARTS   AGE
hello-world-85678f8458-4qdzs   1/1     Running   0          94s

    Note that the READY column contains 1/1 confirming that Istio automatic proxy sidecar injection is not enabled.

Delete the NGINX Deployment

  1. Delete the deployment.

    ssh ocne-control-01 "kubectl delete deployments hello-world"

Enable Istio Automatic Proxy Sidecar Injection

  1. Create the Istio sidecar injection label for the default namespace.

    ssh ocne-control-01 "kubectl label namespace default istio-injection=enabled"

    The output shows the namespace/default labeled.

  2. Confirm the ISTIO-INJECTION column shows a value of enabled.

    ssh ocne-control-01 "kubectl get namespace -L istio-injection"

    Example Output:

    NAME                           STATUS   AGE     ISTIO-INJECTION
default                        Active   25m     enabled
externalip-validation-system   Active   23m     
istio-system                   Active   7m33s   
kube-node-lease                Active   25m     
kube-public                    Active   25m     
kube-system                    Active   25m     
kubernetes-dashboard           Active   22m     
ocne-modules                   Active   22m

Re-create the NGINX Deployment

  1. Create the hello-world deployment that runs the nginx image.

    ssh ocne-control-01 "kubectl create deployment --image ghcr.io/oracle/oraclelinux8-nginx:1.20 hello-world"

Confirm the Deployment Includes an Istio Sidecar

  1. List the pods.

    ssh ocne-control-01 "kubectl get pods"

    Example Output:

    NAME                           READY   STATUS    RESTARTS   AGE
hello-world-85678f8458-s24zz   2/2     Running   0          105s

    Note that the READYcolumn contains 2/2, indicating that Istio automatic proxy sidecar injection is enabled and that the pods in the service mesh are running an Istio sidecar proxy.

  2. Get the Pod details showing that an istio-proxy container deploys alongside the application.

    ssh ocne-control-01 "kubectl describe pods <insert-pod-name-from-get-pods-command-here>"

    The resultant output confirms that the deployment automatically deploys an Istio sidecar alongside it.

    Example Output (Excerpt):

    ...
...
Events:
  Type     Reason     Age                From               Message
  ----     ------     ----               ----               -------
  Normal   Scheduled  82s                default-scheduler  Successfully assigned default/hello-world-79654ff945-sn9cc to ocne-worker-04
  Normal   Pulled     82s                kubelet            Container image "container-registry.oracle.com/olcne/proxyv2:1.19.5" already present on machine
  Normal   Created    82s                kubelet            Created container istio-init
  Normal   Started    82s                kubelet            Started container istio-init
  Normal   Pulling    80s                kubelet            Pulling image "container-registry.oracle.com/olcne/nginx:1.17.7"
  Normal   Pulled     76s                kubelet            Successfully pulled image "container-registry.oracle.com/olcne/nginx:1.17.7" in 4.921s (4.921s including waiting)
  Normal   Created    76s                kubelet            Created container nginx
  Normal   Started    76s                kubelet            Started container nginx
  Normal   Pulled     76s                kubelet            Container image "container-registry.oracle.com/olcne/proxyv2:1.19.5" already present on machine
  Normal   Created    75s                kubelet            Created container istio-proxy
  Normal   Started    75s                kubelet            Started container istio-proxy
...

Disable Istio Automatic Proxy Sidecar Injection

  1. Remove the Istio sidecar injection in the default namespace.

    ssh ocne-control-01 "kubectl label namespace default istio-injection-"

    The output shows the namespace/default unlabeled.

  2. Confirm the removal of the label from the default namespace.

    ssh ocne-control-01 "kubectl get namespace -L istio-injection"

    Example Output:

    NAME                           STATUS   AGE   ISTIO-INJECTION
default                        Active   32m   
externalip-validation-system   Active   30m   
istio-system                   Active   14m   
kube-node-lease                Active   32m   
kube-public                    Active   32m   
kube-system                    Active   32m   
kubernetes-dashboard           Active   29m   
ocne-modules                   Active   30m

  3. Delete the NGINX deployment.

    ssh ocne-control-01 "kubectl delete deployments hello-world"

Summary

With the clean-up done, the demonstration detailing turning on and off Istio sidecar injection within Kubernetes namespaces in an Oracle Cloud Native Environment cluster is complete.

For More Information

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.