Installing Istio for Knative¶
This guide walks you through manually installing and customizing Istio for use with Knative.
If your cloud platform offers a managed Istio installation, we recommend installing Istio that way, unless you need to customize your installation.
Before you begin¶
You need:
- A Kubernetes cluster created.
istioctl
installed.- Knative Serving installed (can also be installed after the Istio).
Supported Istio versions¶
You can view the latest tested Istio version on the Knative Net Istio releases page.
Installing Istio¶
When you install Istio, there are a few options depending on your goals. For a basic Istio installation suitable for most Knative use cases, follow the Basic installation with istioctl instructions. If you're familiar with Istio and know what kind of installation you want, read through the options and choose the installation that suits your needs.
Basic installation with istioctl¶
-
You can easily install and customize your Istio installation with
istioctl
.istioctl install -y
-
To integrate Istio with Knative Serving install the Knative Istio controller by running the command:
kubectl apply -f https://github.com/knative/net-istio/releases/download/knative-v1.15.1/net-istio.yaml
Hint
Make sure to also install Knative Serving and configure DNS.
Forming a service mesh¶
The Istio service mesh provides a few benefits:
-
Allows you to turn on mutual TLS, which secures service-to-service traffic within the cluster.
-
Allows you to use the Istio authorization policy, controlling the access to each Knative service based on Istio service roles.
If you want to use Istio as a service mesh, you must make sure that istio sidecars
are injected to all pods
that should be part of the service mesh. There are two ways to achieve this:
-
Use automatic sidecar injection and set the
istio-injection=enabled
label on allnamespaces
that should be part of the service-mesh -
Use manual sidecar injection on all
pods
that should be part of the service-mesh
Using Istio mTLS feature with Knative¶
Since there are some networking communications between knative-serving namespace and the namespace where your services running on, you need additional preparations for mTLS enabled environment.
Note
It is strongly recommended to use automatic sidecar injection
to avoid manually injection sidecars to all pods
in knative-serving
.
-
Enable sidecar injection on
knative-serving
system namespace.kubectl label namespace knative-serving istio-injection=enabled
-
Set
PeerAuthentication
toPERMISSIVE
on knative-serving system namespace by creating a YAML file using the following template:apiVersion: "security.istio.io/v1beta1" kind: "PeerAuthentication" metadata: name: "default" namespace: "knative-serving" spec: mtls: mode: PERMISSIVE
-
Apply the YAML file by running the command:
Wherekubectl apply -f <filename>.yaml
<filename>
is the name of the file you created in the previous step.
Configuring the installation¶
Updating the config-istio
configmap to use a non-default local gateway¶
If you create a custom service and deployment for local gateway with a name other than knative-local-gateway
, you
need to update gateway configmap config-istio
under the knative-serving
namespace.
-
Edit the
config-istio
configmap:kubectl edit configmap config-istio -n knative-serving
-
Replace the
local-gateways
field with the custom service. As an example, if you name both the service and deploymentcustom-local-gateway
under the namespaceistio-system
, it should be updated to:local-gateways: | - name: knative-local-gateway namespace: knative-serving service: custom-local-gateway.istio-system.svc.cluster.local
As an example, if both the custom service and deployment are labeled with custom: custom-local-gateway
, not the default
istio: knative-local-gateway
, you must update gateway instance knative-local-gateway
in the knative-serving
namespace:
kubectl edit gateway knative-local-gateway -n knative-serving
Replace the label selector with the label of your service:
istio: knative-local-gateway
For the service mentioned earlier, it should be updated to:
custom: custom-local-gateway
If there is a change in service ports (compared to that of
knative-local-gateway
), update the port info in the gateway accordingly.
Verifying your Istio installation¶
View the status of your Istio installation to make sure the installation was
successful. You can use istioctl
to verify the installation:
istioctl verify-install
Istio resources¶
-
For the official Istio installation guide, see the Istio Kubernetes Getting Started Guide.
-
For the full list of available configs when installing Istio with
istioctl
, see the Istio Installation Options reference.
Clean up Istio¶
See the Uninstall Istio.
What's next¶
- View the Knative Serving documentation.
- Try some Knative Serving code samples.