Enable Istio Proxy Sidecar Injection in Oracle Cloud Native Environment

Introduction

Istio is a service mesh that provides a separate infrastructure layer to handle inter-service communication. Network communication is abstracted from the services themselves and is handled by proxies. Istio uses a sidecar design, which means that communication proxies run in their own containers beside every service container. To put automatic sidecar injection into effect, the namespace to be used by an application must be labeled with istio-injection=enabled.

Objectives

This tutorial shows you how to enable automatic proxy sidecar injection, and thus take advantage of Istio’s features in Oracle Cloud Native Environment.

In this tutorial, you deploy an application without automatic proxy sidecar injection enabled. You then enable automatic proxy sidecar injection and deploy the application again. You can then see that the pods in the service mesh are running an Istio sidecar proxy.

Prerequisites

Oracle Cloud Native Environment Release 1.4 deployed, including a Kubernetes cluster. See the tutorials at:

Deploy a Highly Available Oracle Cloud Native Environment

Deploy Oracle Cloud Native Environment

You also need to deploy a service mesh using the Istio module. For more information on deploying the Istio module, see the Oracle Cloud Native Environment Documentation.

Verify Istio is installed and running

On a control plane node, use the following command to show deployments in the istio-system namespace.

kubectl get deployment -n istio-system

The output should look similar to:

NAME                   READY   UP-TO-DATE   AVAILABLE   AGE
grafana                2/2     2            2           2m44s
istio-egressgateway    2/2     2            2           2m48s
istio-ingressgateway   2/2     2            2           2m48s
istiod                 2/2     2            2           3m2s
prometheus-server      2/2     2            2           2m44s

Create a simple NGINX deployment

Use the following command to create a new deployment named hello-world that runs the nginx image.

kubectl create deployment --image container-registry.oracle.com/olcne/nginx:1.17.7 hello-world

View the Kubernetes pods in the default namespace

Use the following command to list the pods.

kubectl get pods

The output should look similar to:

NAME              READY   STATUS    RESTARTS   AGE
hello-world-...   1/1     Running   0          18s

Note that the READY column is 1/1 indicating that Istio automatic proxy sidecar injection is not enabled.

Delete the NGINX deployment

Use the following command to delete the hello-world deployment.

kubectl delete deployments hello-world

Enable automatic proxy sidecar injection

To put automatic sidecar injection into effect, the namespace to be used by an application must be labeled with istio-injection=enabled. The following example labels the default namespace.

kubectl label namespace default istio-injection=enabled

The kubectl get namespace command confirms that the default namespace is labeled properly.

kubectl get namespace -L istio-injection

The output should look similar to:

NAME                           STATUS   AGE   ISTIO-INJECTION
default                        Active   23m   enabled
externalip-validation-system   Active   22m   
istio-system                   Active   19m   
kube-node-lease                Active   23m   
kube-public                    Active   23m   
kube-system                    Active   23m   
kubernetes-dashboard           Active   22m   

You can see the default namespace now includes the ISTIO_INJECTION label.

Create a simple NGINX deployment

Use the following command to create a new deployment named hello-world that runs the nginx image.

kubectl create deployment --image container-registry.oracle.com/olcne/nginx:1.17.7 hello-world

View the Kubernetes pods in the default namespace

Use the kubectl get pods command to list the pods.

kubectl get pods

The output should look similar to:

NAME              READY   STATUS    RESTARTS   AGE
hello-world-...   2/2     Running   0          20s

Note that the READY column is 2/2, indicating that Istio automatic proxy sidecar injection is enabled and that the pods in the mesh are running an Istio sidecar proxy.

Disable automatic proxy sidecar injection

Remove the istio-injection=enabled label from the default namespace by using the kubectl label as shown.

kubectl label namespace default istio-injection-

The kubectl get namespace command confirms that the label is removed from the default namespace.

kubectl get namespace -L istio-injection

The output should look similar to:

NAME                           STATUS   AGE   ISTIO-INJECTION
default                        Active   39m   
externalip-validation-system   Active   38m   
istio-system                   Active   36m   
kube-node-lease                Active   39m   
kube-public                    Active   39m   
kube-system                    Active   39m   
kubernetes-dashboard           Active   38m   

Finally, delete the NGINX deployment.

kubectl delete deployments hello-world

For More Information

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.