Installing Istio for Knative
This guide walks you through manually installing and customizing Istio for use with Knative.
If your cloud platform offers a managed Istio installation, we recommend installing Istio that way, unless you need to customize your installation.
Before you begin
- A Kubernetes cluster created.
- Knative Serving installed (can also be installed after Istio).
Supported Istio versions
You can view the latest tested Istio version on the Knative Net Istio releases page.
When you install Istio, there are a few options depending on your goals. For a basic Istio installation suitable for most Knative use cases, follow the Basic installation with istioctl instructions. If you're familiar with Istio and know what kind of installation you want, read through the options and choose the installation that suits your needs.
Basic installation with istioctl
You can install and customize your Istio installation with istioctl by running the command:
istioctl install -y
To integrate Istio with Knative Serving, install the Knative Istio controller by running the command:
kubectl apply -f https://github.com/knative/net-istio/releases/download/knative-v1.11.0/net-istio.yaml
Forming a service mesh
The Istio service mesh provides a few benefits:
- Allows you to turn on mutual TLS, which secures service-to-service traffic within the cluster.
- Allows you to use the Istio authorization policy, controlling the access to each Knative service based on Istio service roles.
If you want to use Istio as a service mesh, you must make sure that Istio sidecars are injected into all pods that should be part of the service mesh. There are two ways to achieve this:
- Use automatic sidecar injection and set the istio-injection=enabled label on all namespaces that should be part of the service mesh
- Use manual sidecar injection on all pods that should be part of the service mesh
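One way to check the requirement above, as an added example that is not part of the Knative documentation: it reads the output of `kubectl get namespaces -o json` and `kubectl get pods -A -o json` and reports mesh namespaces without the istio-injection=enabled label and pods without the `istio-proxy` sidecar container. The function names and the sample data are constructed for illustration.

```python
import json

SIDECAR = "istio-proxy"  # name Istio gives the injected proxy container

def has_sidecar(pod):
    """True if the proxy runs as a container or as a native-sidecar init container."""
    spec = pod.get("spec", {})
    names = [c.get("name") for k in ("containers", "initContainers") for c in spec.get(k) or []]
    return SIDECAR in names

def audit(mesh_namespaces, namespaces_json, pods_json):
    """Return (mesh namespaces missing the label, mesh pods missing the sidecar)."""
    labels = {
        ns["metadata"]["name"]: ns["metadata"].get("labels") or {}
        for ns in json.loads(namespaces_json)["items"]
    }
    unlabeled = sorted(
        n for n in mesh_namespaces
        if labels.get(n, {}).get("istio-injection") != "enabled"
    )
    missing = sorted(
        f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}'
        for p in json.loads(pods_json)["items"]
        if p["metadata"]["namespace"] in mesh_namespaces and not has_sidecar(p)
    )
    return unlabeled, missing

# Constructed sample data shaped like kubectl's JSON output (names are made up).
SAMPLE_NAMESPACES = json.dumps({"items": [
    {"metadata": {"name": "knative-serving", "labels": {"istio-injection": "enabled"}}},
    {"metadata": {"name": "default"}},
]})
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "knative-serving", "name": "activator-1"},
     "spec": {"containers": [{"name": "activator"}, {"name": "istio-proxy"}]}},
    # Namespace is labeled, but the pod predates the label: no proxy until it is recreated.
    {"metadata": {"namespace": "knative-serving", "name": "controller-1"},
     "spec": {"containers": [{"name": "controller"}]}},
    # Native sidecar mode: the proxy is listed under initContainers.
    {"metadata": {"namespace": "knative-serving", "name": "webhook-1"},
     "spec": {"initContainers": [{"name": "istio-proxy"}], "containers": [{"name": "webhook"}]}},
    {"metadata": {"namespace": "default", "name": "hello-1"},
     "spec": {"containers": [{"name": "user-container"}]}},
]})

if __name__ == "__main__":
    print(audit({"knative-serving", "default"}, SAMPLE_NAMESPACES, SAMPLE_PODS))
```

Automatic injection happens when a pod is created, so a pod reported here in an already labeled namespace needs to be recreated to receive the sidecar.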
Using Istio mTLS feature with Knative
Because there is network communication between the knative-serving namespace and the namespace where your services are running, an mTLS-enabled environment needs additional preparation.
It is strongly recommended to use automatic sidecar injection to avoid manually injecting sidecars to all
Enable sidecar injection on the knative-serving namespace:
kubectl label namespace knative-serving istio-injection=enabled
Set PeerAuthentication to PERMISSIVE on the knative-serving system namespace by creating a YAML file using the following template:
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "knative-serving"
spec:
  mtls:
    mode: PERMISSIVE
Apply the YAML file by running the command:
kubectl apply -f <filename>.yaml
Where <filename> is the name of the file you created in the previous step.
Configuring the installation
config-istio configmap to use a non-default local gateway
If you create a custom service and deployment for the local gateway with a name other than knative-local-gateway, you need to update the gateway configmap config-istio under the knative-serving namespace:
kubectl edit configmap config-istio -n knative-serving
Update the local-gateway.knative-serving.knative-local-gateway field with the custom service. As an example, if you name both the service and deployment custom-local-gateway under the namespace istio-system, it should be updated to:
As an example, if both the custom service and deployment are labeled with custom: custom-local-gateway, not the default istio: knative-local-gateway, you must update the gateway instance knative-local-gateway in the knative-serving namespace:
kubectl edit gateway knative-local-gateway -n knative-serving
Replace the label selector with the label of your service:
For the service mentioned earlier, it should be updated to:
If there is a change in service ports (compared to that of knative-local-gateway), update the port info in the gateway accordingly.
Verifying your Istio installation
View the status of your Istio installation to make sure the installation was successful. You can use istioctl to verify the installation:
For the official Istio installation guide, see the Istio Kubernetes Getting Started Guide.
For the full list of available configs when installing Istio with istioctl, see the Istio Installation Options reference.
Clean up Istio
See Uninstall Istio.