
Enabling automatic sidecar injection – Implementing Traffic Management, Security, and Observability with Istio-1
Since Envoy sidecars are the key technology behind Istio’s capabilities, they must be added to your existing pods to enable Istio to manage them. Updating each pod’s configuration to include these sidecars can be challenging. To address this challenge, Istio can inject the sidecars automatically. To allow automatic sidecar injection on a namespace, we must add a label to it, that is, istio-injection: enabled. To do so, we will modify the blog-app.yaml file and add the label to the namespace resource:
apiVersion: v1
kind: Namespace
metadata:
  name: blog-app
  labels:
    istio-injection: enabled
…
Now, we can commit this resource to Git and push the changes remotely using the following commands:
$ cd ~
$ cp -a ~/modern-devops/ch15/install-istio/blog-app.yaml \
  ~/mdo-environments/manifests/blog-app/blog-app.yaml
$ git add --all
$ git commit -m "Enable sidecar injection"
$ git push
After the next Argo CD sync, we will find the label attached to the namespace. Sidecars are injected only when a pod is created, so as soon as the label is applied, we need to restart our deployments and stateful sets, at which point new pods will come up with the injected sidecars. Use the following commands to do so:
$ kubectl -n blog-app rollout restart deploy frontend
$ kubectl -n blog-app rollout restart deploy posts
$ kubectl -n blog-app rollout restart deploy users
$ kubectl -n blog-app rollout restart deploy reviews
$ kubectl -n blog-app rollout restart deploy ratings
$ kubectl -n blog-app rollout restart statefulset mongodb
Now, let’s list the pods in the blog-app namespace using the following command:
$ kubectl get pod -n blog-app
NAME                        READY   STATUS    RESTARTS   AGE
frontend-759f58f579-gqkp9   2/2     Running   0          109s
mongodb-0                   2/2     Running   0          98s
posts-5cdcb5cdf6-6wjrr      2/2     Running   0          108s
ratings-9888d6fb5-j27l2     2/2     Running   0          105s
reviews-55ccb7fbd9-vw72m    2/2     Running   0          106s
users-5dbd56c4c5-stgjp      2/2     Running   0          107s
As we can see, the pods now show two containers instead of one. The extra container is the Envoy sidecar. Istio’s installation and setup are complete.
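A pod that was not restarted after the namespace was labelled keeps running without a sidecar and therefore stays outside the mesh. The following script is an added example, not code from the original page: it lists such pods by container name instead of relying on the READY count. It assumes the injected container has Istio's default name, istio-proxy; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: find pods that are still running without the Istio sidecar.
# Assumption: the injected container is named "istio-proxy" (Istio's default).

# Reads lines of "pod-name<TAB>space-separated container names" on stdin
# and prints the name of every pod that has no istio-proxy container.
pods_missing_sidecar() {
  awk -F '\t' '
    NF == 0 { next }                      # skip blank lines
    {
      found = 0
      n = split($2, names, " ")
      for (i = 1; i <= n; i++)
        if (names[i] == "istio-proxy") found = 1   # exact match only
      if (!found) print $1
    }'
}

# Produces the input format above from a live cluster. Init containers are
# included because a native-sidecar install places istio-proxy there.
live_pod_containers() {
  kubectl get pods -n "$1" -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{" "}{.spec.initContainers[*].name}{"\n"}{end}'
}

# Constructed sample: one ratings pod predates the label and was never restarted.
sample_pod_containers() {
  printf 'frontend-759f58f579-gqkp9\tfrontend istio-proxy\n'
  printf 'posts-5cdcb5cdf6-6wjrr\tposts istio-proxy\n'
  printf 'ratings-9888d6fb5-old01\tratings\n'
  printf 'mongodb-0\tmongodb istio-proxy istio-init\n'
}

if [ "${1:-}" = "--live" ]; then
  # Usage: ./check-sidecars.sh --live blog-app
  live_pod_containers "${2:-blog-app}" | pods_missing_sidecar
else
  # Offline demonstration on the constructed sample.
  sample_pod_containers | pods_missing_sidecar
fi
```

An empty result means every pod in the namespace carries the sidecar; any pod listed should be restarted or confirmed as an intentional exclusion.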
Now that our application has the Istio sidecar injected, we can use Istio ingress to allow traffic to our application, which is currently exposed via a load balancer service.
Using Istio ingress to allow traffic
We need to create a Blog App ingress gateway to associate our application with the Istio ingress gateway. This is necessary to route our application’s traffic through the Istio ingress gateway, as we want to leverage Istio’s traffic management and security features.
Istio deploys the Istio ingress gateway as a part of the installation process, and it’s exposed on a load balancer by default. To determine the load balancer’s IP address and ports, you can run the following commands:
$ kubectl get svc istio-ingress -n istio-ingress
NAME            EXTERNAL-IP     PORT(S)
istio-ingress   34.30.247.164   80:30950/TCP,443:32100/TCP
As we can see, Istio exposes various ports on your load balancer, and as our application needs to run on port 80, we can access it using http://:80.
The next step would be to use this ingress gateway and expose our application. For that, we need to create Gateway and VirtualService resources.
Istio gateway is a custom resource definition (CRD) that helps you define how incoming external traffic can access services in your mesh. It acts as an entry point to your service and a load balancer for incoming traffic. When external traffic arrives at a gateway, it determines how to route it to the appropriate services based on the specified routing rules.