Installing Istio for Knative

This guide walks you through manually installing and customizing Istio for use with Knative.

If your cloud platform offers a managed Istio installation, we recommend installing Istio that way, unless you need the ability to customize your installation. If your cloud platform offers a managed Istio installation, the install guide for your specific platform will have those instructions.

Before you begin

You need:

  • A Kubernetes cluster created.
  • istioctl (v1.5.4 or later) installed.

Installing Istio

When you install Istio, there are a few options depending on your goals. For a basic Istio installation suitable for most Knative use cases, follow the Installing Istio without sidecar injection instructions. If you’re familiar with Istio and know what kind of installation you want, read through the options and choose the installation that suits your needs.

You can easily customize your Istio installation with istioctl. The below sections cover a few useful Istio configurations and their benefits.

Choosing an Istio installation

You can install Istio with or without a service mesh:

If you want to get up and running with Knative quickly, we recommend installing Istio without automatic sidecar injection. This install is also recommended for users who don’t need the Istio service mesh, or who want to enable the service mesh by manually injecting the Istio sidecars.

Enter the following command to install Istio:

cat << EOF > ./istio-minimal-operator.yaml
kind: IstioOperator
        autoInject: disabled
      useMCP: false
      # The third-party-jwt is not enabled on all k8s.
      # See:
      jwtPolicy: first-party-jwt

      enabled: true
      enabled: false

      - name: istio-ingressgateway
        enabled: true
      - name: cluster-local-gateway
        enabled: true
          istio: cluster-local-gateway
          app: cluster-local-gateway
            type: ClusterIP
            - port: 15020
              name: status-port
            - port: 80
              name: http2
            - port: 443
              name: https

istioctl manifest apply -f istio-minimal-operator.yaml

Installing Istio with sidecar injection

If you want to enable the Istio service mesh, you must enable automatic sidecar injection. The Istio service mesh provides a few benefits:

  • Allows you to turn on mutual TLS, which secures service-to-service traffic within the cluster.

  • Allows you to use the Istio authorization policy, controlling the access to each Knative service based on Istio service roles.

To automatic sidecar injection, set autoInject: enabled in addition to above operator configuration.

        autoInject: enabled

Using Istio mTLS feature

Since there are some networking communications between knative-serving namespace and the namespace where your services running on, you need additional preparations for mTLS enabled environment.

  • Enable sidecar container on knative-serving system namespace.
kubectl label namespace knative-serving istio-injection=enabled
  • Set PeerAuthentication to PERMISSIVE on knative-serving system namespace.
cat <<EOF | kubectl apply -f -
apiVersion: ""
kind: "PeerAuthentication"
  name: "default"
  namespace: "knative-serving"
    mode: PERMISSIVE

Istio resources

Clean up Istio

See the Uninstall Istio.

What’s next