OCP Part 3: Installing Istio

We can describe Istio as a network layer 7 tool to manage connectivity. It is definitely something you want (or even desire) if you‘ve got OpenShift. As of version 3.11, Istio is a technology preview. Once ironed out, it will be supported by Red Hat in production environments.

Let’s try to install Istio on OKD.

git clone https://github.com/Maistra/openshift-ansible.git -b maistra-0.7
cd openshift-ansible
cd istio

First you need to enable special admission webhooks which override the default behaviour of the Kubernetes API server. They allow the creation and validation of objects like deployments, pods, etc. to be modified. Istio uses these webhooks to inject its intelligent instrumentation.

mv master-config.patch /etc/origin/master/
cd /etc/origin/master
cp master-config.yaml master-config.yaml.pre-istio
oc ex config patch master-config.yaml.pre-istio -p "$(cat master-config.patch)" > master-config.yaml.new
echo "Analyze config file if everything is OK"
less master-config.yaml.new
mv master-config.yaml.new master-config.yaml
/usr/local/bin/master-restart api
/usr/local/bin/master-restart controllers
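The "analyze the config file" step is the one place where a typo in the patch leaves you with an API server that silently never calls the injector. The helper below is an added example (not from the Maistra repository or the post): it gates the restart on both admission webhook plugins being present under admissionConfig. The sample file layout is an illustration of that shape, not a copy of master-config.patch, and the DEMO_DIR files are constructed here.

```shell
# Added example: pre-restart sanity check for the patched master-config.yaml.
# It only looks for the two admission webhook plugin keys inside the
# admissionConfig: block; the sample layout below is an assumption about
# the patch's shape, not the patch itself.

# check_webhook_admission FILE -> returns 0 if both webhook plugins are present
check_webhook_admission() {
  # keep only the admissionConfig: block (up to the next top-level key)
  block=$(awk '
    /^admissionConfig:/ { inblk = 1; next }
    inblk && /^[^ #]/   { inblk = 0 }
    inblk               { print }
  ' "$1")
  printf '%s\n' "$block" | grep -q 'MutatingAdmissionWebhook:'   || return 1
  printf '%s\n' "$block" | grep -q 'ValidatingAdmissionWebhook:' || return 1
  return 0
}

# Constructed sample files: one config before patching, one after.
DEMO_DIR=$(mktemp -d)

cat > "$DEMO_DIR/master-config.yaml.pre-istio" <<'EOF'
admissionConfig:
  pluginConfig:
    BuildDefaults:
      configuration:
        apiVersion: v1
        kind: BuildDefaultsConfig
apiLevels:
- v1
EOF

cat > "$DEMO_DIR/master-config.yaml.new" <<'EOF'
admissionConfig:
  pluginConfig:
    BuildDefaults:
      configuration:
        apiVersion: v1
        kind: BuildDefaultsConfig
    MutatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kind: WebhookAdmission
        kubeConfigFile: /dev/null
    ValidatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kind: WebhookAdmission
        kubeConfigFile: /dev/null
apiLevels:
- v1
EOF

# Gate the restart on the check, in place of eyeballing the file with less.
if check_webhook_admission "$DEMO_DIR/master-config.yaml.new"; then
  echo "webhook admission plugins present; safe to swap the file in and restart api/controllers"
else
  echo "webhook admission plugins missing; do not restart" >&2
fi
```

Run it against /etc/origin/master/master-config.yaml.new on the master before the mv and the two master-restart calls; a failing check means the patch did not apply and the sidecar injector would never be consulted.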

OK. Patching is done. Now we need to modify installation files for OKD.

cd ~/openshift-ansible/istio
vi istio_community_operator_template.yaml

You should make sure that the file contains:

name: OPENSHIFT_DEPLOYMENT_TYPE
value: origin

Now, let’s adjust cr-full.yaml:

apiVersion: "istio.openshift.com/v1alpha1"
kind: "Installation"
metadata:
  name: "istio-installation"
  namespace: istio-operator
spec:
  deployment_type: origin
  istio:
    authentication: true
    community: false
    prefix: maistra/
    version: 0.7.0
  jaeger:
    prefix: jaegertracing
    version: 1.8.1
    elasticsearch_memory: 1Gi
  kiali:
    username: developer
    password: developer
    prefix: kiali/
    version: v0.11.0
  launcher:
    ...
    catalog:
      branch: master
      ...

Jaeger is going to trace the requests exchanged between your services, while Kiali is going to show you the paths between networked applications, so basically the network flow.

Let’s make it happen:

oc new-project istio-operator
oc new-app -f istio_community_operator_template.yaml --param OPENSHIFT_ISTIO_MASTER_PUBLIC_URL=https://k8s-master:8443 --param OPENSHIFT_RELEASE=v3.11.59

The operator is an application which waits for an installation config delivered as a custom resource and then manages the Istio rollout. Let’s trigger the installation.

oc create -f cr-full.yaml

We see some work happening in the istio-system namespace. It’s an Ansible job doing the installation; you can check the console logs of openshift-ansible.

How does the magic work? OpenShift-Ansible-Istio-Installer talks to OpenShift from its container. The installer has got all the required credentials.

Check the exposed frontends, especially Jaeger and Kiali.

In the istio-system namespace there is an istio-sidecar-injector deployment with a config map named istio-sidecar-injector. By default the injection policy is set to disabled, and the sidecar’s security context requires the NET_ADMIN capability and the privileged SCC. Also, the Istio sidecar must run as user 1337. This is a serious drawback and probably a reason why Service Mesh is still a technology preview. To enable Istio in a selected namespace, execute:

oc adm policy add-scc-to-user privileged -z default -n $YOUR_NAMESPACE

The Deployment’s YAML should contain, inside the spec section:

template:
  metadata:
    annotations:
      sidecar.istio.io/inject: "true"
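Because each enabled namespace gets the privileged SCC on its default service account, it is worth knowing afterwards which namespaces carry that grant and which pods actually got the sidecar. The two helpers below are an added example, not part of the post or of Maistra; they read plain text so they can be fed from the oc jsonpath queries shown in the comments, and the SAMPLE_* inputs are constructed.

```shell
# Added example: audit helpers for the namespace enablement step above.

# privileged_default_sas: read SCC user entries (one per line) on stdin and
# print the namespaces whose *default* service account carries the SCC.
# Live input:
#   oc get scc privileged -o jsonpath='{range .users[*]}{@}{"\n"}{end}'
privileged_default_sas() {
  sed -n 's/^system:serviceaccount:\([^:]*\):default$/\1/p' | sort -u
}

# pods_missing_sidecar: read "POD CONTAINERS" lines on stdin, where CONTAINERS
# is a comma-separated list, and print pods that have no istio-proxy container.
# Live input:
#   oc get pods -n "$NS" -o jsonpath='{range .items[*]}{.metadata.name} {range .spec.containers[*]}{.name},{end}{"\n"}{end}'
pods_missing_sidecar() {
  awk '{
    n = split($2, c, ",")
    found = 0
    for (i = 1; i <= n; i++) if (c[i] == "istio-proxy") found = 1
    if (!found) print $1
  }'
}

# Constructed sample inputs (shape of the jsonpath output above)
SAMPLE_SCC_USERS='system:serviceaccount:default:router
system:serviceaccount:msa:default
system:serviceaccount:istio-system:istio-sidecar-injector-service-account
system:serviceaccount:legacy-app:default'

SAMPLE_PODS='micro-svc-1-abcde micro-svc,istio-proxy,
micro-svc-1-fghij micro-svc,
legacy-db-1-klmno postgres,'

audit_demo() {
  echo "namespaces whose default SA is privileged:"
  printf '%s\n' "$SAMPLE_SCC_USERS" | privileged_default_sas
  echo "pods without istio-proxy:"
  printf '%s\n' "$SAMPLE_PODS" | pods_missing_sidecar
}

audit_demo
```

A namespace that shows up in the first list but whose pods all appear in the second is carrying the privileged grant without getting anything from the mesh; that is the list to revisit with oc adm policy remove-scc-from-user once Istio no longer needs it.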

Now we need to enable traffic passthrough via the default OpenShift router:

[root@k8s ~]# oc project default
Now using project "default" on server "https://k8s:8443".
[root@k8s ~]# oc adm router --replicas=0
Router "router" service exists
[root@k8s ~]# oc set env dc/router ROUTER_ALLOW_WILDCARD_ROUTES=true
deploymentconfig.apps.openshift.io/router updated
[root@k8s ~]# oc scale dc/router --replicas=1
deploymentconfig.apps.openshift.io/router scaled
[root@k8s ~]# oc project istio-system
Now using project "istio-system" on server "https://k8s:8443".
[root@k8s ~]# oc expose svc istio-ingressgateway --hostname="www.svcs.k8s" --port=http2 --name=istio-wildcard-ingress --wildcard-policy=Subdomain
route.route.openshift.io/istio-wildcard-ingress exposed

HTTP traffic to *.svcs.k8s will enter the default router, then istio-wildcard-ingress, then your gateway and virtual service. For HTTPS you need an additional route:

oc create route edge istio-wildcard-ingress-secure --service=istio-ingressgateway --hostname="www.services.k8s" --port=http2 --wildcard-policy=Subdomain --insecure-policy='Redirect'

Example definitions:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: msa-gateway
  namespace: msa
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: micro-svc-virtual
  namespace: msa
spec:
  hosts:
  - "micro-svc.svcs.k8s"
  gateways:
  - msa-gateway
  http:
  - match:
    route:
    - destination:
        host: micro-svc-service
        port:
          number: 8181
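The chain only works when the VirtualService host sits inside the domain the wildcard route admits: a route for www.svcs.k8s with wildcard policy Subdomain covers www.svcs.k8s and one label below svcs.k8s, and a host outside that never reaches istio-ingressgateway, however correct the Gateway and VirtualService are. The helper below is an added example (not from the post or Istio) that flags such hosts; it assumes HAProxy's single-label wildcard matching, and SAMPLE_VS_HOSTS is a constructed list of the shape the oc query in the comment returns.

```shell
# Added example: check that VirtualService hosts are reachable through the
# wildcard route created with --wildcard-policy=Subdomain.

# route_domain ROUTE_HOSTNAME -> the domain the wildcard route admits
# (the route hostname minus its first label, e.g. www.svcs.k8s -> svcs.k8s)
route_domain() {
  printf '%s\n' "$1" | cut -d. -f2-
}

# host_covered_by_route HOST ROUTE_HOSTNAME -> 0 if HOST is exactly one label
# under the route domain (assumption: HAProxy wildcard matching is single-label)
host_covered_by_route() {
  host="$1"
  domain=$(route_domain "$2")
  case "$host" in
    *.*."$domain") return 1 ;;   # two or more labels below: not admitted
    *."$domain")   return 0 ;;   # one label below: admitted by *.domain
    *)             return 1 ;;   # different domain entirely
  esac
}

# unreachable_hosts ROUTE_HOSTNAME: read hosts on stdin (one per line) and
# print those the wildcard route will never deliver to the ingress gateway.
# Live input:
#   oc get virtualservices --all-namespaces -o jsonpath='{range .items[*]}{range .spec.hosts[*]}{@}{"\n"}{end}{end}'
unreachable_hosts() {
  while IFS= read -r h; do
    [ -n "$h" ] || continue
    host_covered_by_route "$h" "$1" || printf '%s\n' "$h"
  done
}

# Constructed sample hosts
SAMPLE_VS_HOSTS='micro-svc.svcs.k8s
orders.svcs.k8s
micro-svc.services.k8s
deep.sub.svcs.k8s'

echo "hosts not reachable through the www.svcs.k8s wildcard route:"
printf '%s\n' "$SAMPLE_VS_HOSTS" | unreachable_hosts www.svcs.k8s
```

Run it once per route hostname, for the HTTP route and the edge route separately: the two routes must share the domain of the VirtualService hosts, or HTTPS clients will be handled by a different wildcard than HTTP clients.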

What’s next? https://istio.io/docs/reference/config/istio.networking.v1alpha3/

Cloud Security Engineer