Istio Simple Demo

Couple of personal words …

Dear Readers! In the past I posted posts related to the application security and Keycloak.

I have learned Istio recently and I will happy to share my knowledge.

You will continue to see my Keycloak posts, but you will also enjoy form my DevSecOps posts.

Stay tuned!

What will I cover in the post?

You will understand what is is Istio and then You will deploy a simple demo that show how to use Istio.

What is a service mesh?

Let’s first understand what is a service mesh. A service mesh is an infrastructure layer for making service-to-service communication safe, fast and reliable.

The service mesh allows to add additional capabilities to a micro-services deployment:

  • traffic control
  • failure recovery
  • service discovery
  • load balancing
  • observability
  • security

What is Istio?

Istio is an implementation of a service mesh. Istion is open-source software and created as a collaboration of Google, IBM and Lyft.

Istio provides the very good documentation and I will refer to it during my posts.

Istio Simple Demo

The show time!

During my posts I will use Google Kubernetes Engine (GKE).

The Istio installation is very simple: you just need to select “Enable Istio” during the creation of your GKE cluster.

Istio Bookinfo Demo deployment

The Istio Bookinfo Demo is described here.

Istio automatic sidecar proxy injection

Let’s first configure Istio’s automatic sidecar proxy injection:

kubectl label namespace default istio-injection=enabled

You will see the following output shows the command completed successfully:

namespace/default labeled

Demo deployment

Now, let’s deploy the demo application:

kubectl apply -f

The output shows that the application is deployed successfully:

service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created

Demo pods

If we will check the containers deployed in each pod we will see that we have the Istio sidecar proxy deployed in each pod attached to each container:

kubectl get pods --namespace default -o=jsonpath='{range .items[*]}{"\n"}{}{":\t"}{range .spec.containers[*]}{.image}{", "}{end}{end}' |\

In our case the list shows the proxy:


Ensure internal access

Run the following command to ensure that the demo application is running:

kubectl exec -it $(kubectl get pod -l app=ratings -o jsonpath='{.items[0]}') -c ratings -- curl productpage:9080/productpage | grep -o "<title>.*</title>"

You will see the following output:

<title>Simple Bookstore App</title>

Deploy the ingress gateway

Run the following command to deploy the Istio ingress gateway:

kubectl apply -f

You will see the following output shows the gateway is deployed successfully: created created

Export ingress IP and port and ensure the internal access

Export ingress IP and port:

export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?("http2")].port}')

Access using external URL:

curl -s http://${GATEWAY_URL}/productpage | grep -o "<title>.*</title>"

The output is the same as previous, but you access using the external URL:

` <title>Simple Bookstore App</title>

Access to the external URL from a browser

Now we will open the external URL http://${GATEWAY_URL}/productpage in a browser.

And we did it! It works from any browser in a world!

Take Aways

You can take the following take aways from the post:

First of all, you understand what is Istio. Second, to use Istio features you need to deply the Istio sidecar proxy in each pod. Last but not least, you can easy open a web application to to internal access using Istio ingress gateway.

Read my next post to see how to query Istio metrics using the Prometheus add-on!