- NEW INSTALL GUIDE https://preliminary.istio.io/latest/docs/ops/ambient/getting-started/
- https://istio.io/latest/blog/2022/introducing-ambient-mesh/
- https://istio.io/latest/blog/2022/get-started-ambient/
- https://istio.io/latest/blog/2022/ambient-security/
az group create --location eastus --name ambient
az aks create \
--location eastus \
--name ambientazcni \
--resource-group ambient \
--network-plugin azure \
--kubernetes-version 1.25.5 \
--node-vm-size Standard_DS3_v2 \
--node-count 2
az aks get-credentials --resource-group ambient --name ambientazcni
https://learn.microsoft.com/en-us/azure/aks/azure-cni-overlay
az feature register --namespace "Microsoft.ContainerService" --name "AzureOverlayPreview"
az feature show --namespace "Microsoft.ContainerService" --name "AzureOverlayPreview"
az group create --location eastus --name ambient
az aks create \
--location eastus \
--name ambientazcnioverlay \
--resource-group ambient \
--network-plugin azure \
--network-plugin-mode overlay --pod-cidr 192.168.0.0/16 \
--kubernetes-version 1.25.5 \
--node-vm-size Standard_DS3_v2 \
--node-count 2
az aks get-credentials --resource-group ambient --name ambientazcnioverlay
kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
{ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v0.6.1" | kubectl apply -f -; }
Because Istio ambient is not yet released in 1.17.2, we need to use the istioctl from 1.18. We can run it from the istio-testing/istioctl Docker container:
docker run -ti --rm -v ~/.kube/config:/config gcr.io/istio-testing/istioctl -c /config install --set profile=ambient --set meshConfig.accessLogFile=/dev/stdout
This is an example of the output:
docker run -ti --rm -v ~/.kube/config:/config gcr.io/istio-testing/istioctl -c /config install --set profile=ambient --set meshConfig.accessLogFile=/dev/stdout
This will install the Istio 1.18.0 ambient profile with ["Istio core" "Istiod" "CNI" "Ztunnel"] components into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ CNI installed
✔ Ztunnel installed
✔ Installation complete Making this installation the default for injection and validation.
If you have issues with the pre-built istioctl container, you can build istioctl and all the other Istio components yourself and install them from a specific Docker image registry. Here are the steps:
git clone https://github.com/istio/istio
# use master branch, tested at commit 76c45169acca08dad4599171265a7ae0dab2ea40
cd istio
# Tag to give to the Docker images you will be building
TAG=ambient-aks
# HUB is your username on Dockerhub, or anything else that points to your Docker registry
HUB=zioproto
tools/docker --targets=pilot,proxyv2,app,install-cni,ztunnel --hub=$HUB --tag=$TAG --push
go run ./istioctl/cmd/istioctl install --set meshConfig.accessLogFile=/dev/stdout --set hub=$HUB --set tag=$TAG --set profile=ambient -y
git clone https://github.com/istio/istio
cd istio
kubectl create namespace bookinfo
kubectl apply -n bookinfo -f samples/bookinfo/platform/kube/bookinfo.yaml
# Apply this Azure specific version for bookinfo-gateway
kubectl apply -f https://gist.githubusercontent.com/zioproto/51942b8bf79efa96a2a90b722fb61a54/raw/b39fc2350dcbe440aae61a5ea1c5776ef376081e/bookinfo-gateway-azure.yaml
kubectl label namespace bookinfo istio.io/dataplane-mode=ambient
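Once the namespace is labelled, it is worth confirming what ambient enrollment actually looks like in the API objects: the label is present on the namespace, the workload pods run only their application container (no injected sidecar), and any waypoint proxies show up as separate pods. The script below is an added example, not code from the Istio project or from the original page. It reads the JSON shape that `kubectl get ... -o json` produces, with constructed samples embedded inline; it assumes the sidecar container is named `istio-proxy` and identifies waypoint pods by the `-istio-waypoint` name fragment seen later on this page (both are assumptions). Pods that still carry a sidecar are reported because they are served by that sidecar rather than by ztunnel, so they are not the path the page's ztunnel log check exercises.

```python
# Added example (not from the Istio project or the original page): verify from
# `kubectl ... -o json` output that a namespace is enrolled in ambient mode and
# list any pod in it that still carries a sidecar. The JSON objects below are
# constructed samples shaped like kubectl output, trimmed to the fields used.
import json

# Label the page applies to enrol a namespace in ambient mode.
AMBIENT_LABEL = "istio.io/dataplane-mode"
# Container name Istio uses for an injected sidecar (assumption: default name).
SIDECAR_CONTAINER = "istio-proxy"
# Waypoint pods also run istio-proxy; the page's waypoint deployment is named
# bookinfo-productpage-istio-waypoint, so this name fragment is used as the
# marker (assumption based on the name seen on the page).
WAYPOINT_MARKER = "-istio-waypoint"

# Constructed sample: `kubectl get namespace bookinfo -o json` after labelling.
NAMESPACE_JSON = json.dumps({
    "kind": "Namespace",
    "metadata": {"name": "bookinfo", "labels": {AMBIENT_LABEL: "ambient"}},
})

# Constructed sample: `kubectl get pods -n bookinfo -o json`, trimmed.
# ratings-v1 is deliberately left with a sidecar so the check has something to report.
PODS_JSON = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "productpage-v1-6b746f74dc-5rk2x"},
         "spec": {"containers": [{"name": "productpage"}]}},
        {"metadata": {"name": "reviews-v1-545db77b95-w9zqh"},
         "spec": {"containers": [{"name": "reviews"}]}},
        {"metadata": {"name": "ratings-v1-5f9699cfdf-m7xpl"},
         "spec": {"containers": [{"name": "ratings"}, {"name": SIDECAR_CONTAINER}]}},
        {"metadata": {"name": "bookinfo-productpage-istio-waypoint-7d8f9c6b4-q2xwd"},
         "spec": {"containers": [{"name": SIDECAR_CONTAINER}]}},
    ],
})


def namespace_is_ambient(namespace):
    """True when the namespace carries istio.io/dataplane-mode=ambient."""
    labels = namespace.get("metadata", {}).get("labels") or {}
    return labels.get(AMBIENT_LABEL) == "ambient"


def is_waypoint(pod):
    """Waypoint proxies are separate pods named <gateway>-istio-waypoint-<hashes>."""
    return WAYPOINT_MARKER in pod["metadata"]["name"]


def has_sidecar(pod):
    """A workload pod (not a waypoint) that still runs the istio-proxy container."""
    names = {c["name"] for c in pod["spec"]["containers"]}
    return SIDECAR_CONTAINER in names and not is_waypoint(pod)


def pod_names(pod_list, predicate):
    """Sorted names of the pods in a kubectl List for which predicate holds."""
    return sorted(p["metadata"]["name"] for p in pod_list["items"] if predicate(p))


def check_enrollment(namespace_json, pods_json):
    """Build a report; 'ok' is True only when the namespace is labelled ambient
    and no workload pod still has a sidecar."""
    namespace = json.loads(namespace_json)
    pods = json.loads(pods_json)
    labelled = namespace_is_ambient(namespace)
    sidecars = pod_names(pods, has_sidecar)
    return {
        "namespace": namespace["metadata"]["name"],
        "ambient_label": labelled,
        "sidecar_pods": sidecars,
        "waypoint_pods": pod_names(pods, is_waypoint),
        "ok": labelled and not sidecars,
    }


if __name__ == "__main__":
    print(json.dumps(check_enrollment(NAMESPACE_JSON, PODS_JSON), indent=2))
```

Against a live cluster, feed it the output of `kubectl get namespace bookinfo -o json` and `kubectl get pods -n bookinfo -o json` instead of the embedded samples; with the constructed data the report flags ratings-v1 as still sidecar-injected and lists the productpage waypoint separately.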
To check that the traffic is encrypted we are going to:
- Find the IP address of the `bookinfo-gateway-istio` service, which is exposed by an Azure Load Balancer through a Kubernetes Service of type LoadBalancer in the `istio-system` namespace.
- Use `curl` to generate some traffic.
- Use Stern to look at the logs of the ztunnel pods.
export INGRESSIP=$(kubectl get service -n istio-system bookinfo-gateway-istio -o json | jq -r ".status.loadBalancer.ingress[].ip")
curl http://$INGRESSIP/productpage
stern -n istio-system ztunnel
Deploy a waypoint proxy for the productpage service:
docker run -ti --rm -v ~/.kube/config:/config gcr.io/istio-testing/istioctl -c /config -n bookinfo x waypoint apply --service-account bookinfo-productpage
Because there are no sidecars, creating this gateway starts a new Pod. You can check that this Pod is intercepting traffic with stern:
stern bookinfo-productpage-istio-waypoint -n bookinfo
Now let's do the same for reviews:
docker run -ti --rm -v ~/.kube/config:/config gcr.io/istio-testing/istioctl -c /config -n bookinfo x waypoint apply --service-account bookinfo-reviews
Let's create a VirtualService and a DestinationRule:
kubectl apply -n bookinfo -f samples/bookinfo/networking/virtual-service-reviews-90-10.yaml
kubectl apply -n bookinfo -f samples/bookinfo/networking/destination-rule-reviews.yaml