Estimated duration: 60 minutes
In this lab, you will learn how to install and configure Istio, an open source framework for connecting, securing, and managing microservices, on Google Kubernetes Engine, Google's hosted Kubernetes product. You will also deploy an Istio-enabled multi-service application.
- Introduction
- Setup and Requirements
- Prepare your Kubernetes/GKE cluster
- Installing Istio
- Verifying the installation
- Deploying an application
- Use the application
- Dynamically change request routing
- View metrics and tracing
- Monitoring for Istio
- Generating a Service Graph
- Fault Injection
- Security
- Uninstall Istio
- Cleanup resources
- What's next?
Istio is an open source framework for connecting, securing, and managing microservices, including services running on Google Kubernetes Engine (GKE). It lets you create a network of deployed services with load balancing, service-to-service authentication, monitoring, and more, without requiring any changes in service code.
You add Istio support to services by deploying a special Envoy sidecar proxy to each of your application's pods in your environment that intercepts all network communication between microservices, configured and managed using Istio'''s control plane functionality.
This codelab shows you how to install and configure Istio on Kubernetes Engine, deploy an Istio-enabled multi-service application, and dynamically change request routing.
If you don't already have a Google Account (Gmail or Google Apps), you must create one. Sign-in to Google Cloud Platform console ( console.cloud.google.com) and create a new project:
Remember the project ID, a unique name across all Google Cloud projects (the name above has already been taken and will not work for you, sorry!). It will be referred to later in this codelab as PROJECT_ID.
Next, you'll need to enable billing in the Developers Console in order to use Google Cloud resources.
Running through this codelab shouldn't cost you more than a few dollars, but it could be more if you decide to use more resources or if you leave them running (see "cleanup" section at the end of this document). Google Kubernetes Engine pricing is documented here.
New users of Google Cloud Platform are eligible for a $300 free trial.
Enable the Kubernetes Engine API:
-
If you CANNOT find this in your project, then Kubernetes APIs are not enabled. Proceed further. Otherwise skip the following steps.
-
Select Google Kubernetes Engine API
-
Enable the API. This step could take 2 or 3 minutes.
While Google Cloud and Kubernetes can be operated remotely from your laptop, in this workshop we will be using Google Cloud Shell, a command line environment running in the Cloud.
This Debian-based virtual machine is loaded with all the development tools you'll need. It offers a persistent 5GB home directory, and runs on the Google Cloud, greatly enhancing network performance and authentication. This means that all you will need for this codelab is a browser (yes, it works on a Chromebook).
To activate Google Cloud Shell, from the developer console simply click the button on the top right-hand side (it should only take a few moments to provision and connect to the environment):
Then accept the terms of service and click the "Start Cloud Shell" link:
Once connected to the cloud shell, you should see that you are already authenticated and that the project is already set to your PROJECT_ID
The requirements for this Istio lab are as follows:
- your cluster should use Kubernetes 1.8.0 or newer, which includes role-based access control (RBAC) support.
- you need to create your cluster with alpha feature support, as Istio makes use of initializers to automatically install the Istio Proxy into every Pod
To create a new cluster that meets these requirements, including alpha features, run the following commands (this assumes that you have correctly set a zone as indicated in the setup) :
gcloud container clusters create hello-istio \
--machine-type=n1-standard-2 \
--num-nodes=6 \
--no-enable-legacy-authorization \
--zone=us-west1-b \
--cluster-version=1.8.8-gke.0
Setup Kubernetes CLI Content:
gcloud container clusters get-credentials hello-istio --zone us-west1-b --project PROJECT_ID
Now, grant cluster admin permissions to the current user. You need these permissions to create the necessary RBAC rules for Istio.
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
--user=$(gcloud config get-value core/account)
If you navigate in the GCP console to Kubernetes clusters you should see a screen similar to this:
Now, let's install Istio. Istio is installed in its own Kubernetes istio-system namespace, and can manage microservices from all other namespaces. The installation includes Istio core components, tools, and samples.
The Istio release page offers download artifacts for several OSs. In our case, with CloudShell we'll be using this command to download and extract the latest release automatically:
curl -L https://git.io/getLatestIstio | sh -
The installation directory contains the following:
- Installation .yaml files for Kubernetes in install/
- Sample applications in samples/
- The istioctl client binary in the bin/ directory. This tool is used when manually injecting Envoy as a sidecar proxy and for creating routing rules and policies.
- The VERSION configuration file
Change to the istio install directory:
cd ./istio-*
Add the istioctl client to your PATH:
export PATH=$PWD/bin:$PATH
Let's now install Istio's core components. We will install the Istio Auth components which enable mutual TLS authentication between sidecars:
kubectl apply -f install/kubernetes/istio-auth.yaml
This creates the istio-system namespace along with the required RBAC permissions, and deploys Istio-Pilot, Istio-Mixer, Istio-Ingress, Istio-Egress, and Istio-CA (Certificate Authority).
First, ensure the following Kubernetes services are deployed: istio-pilot, istio-mixer, istio-ingress, and istio-egress.
Run the command:
kubectl get svc -n istio-system
OUTPUT:
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingress 10.83.245.171 35.184.245.62 80:32730/TCP,443:30574/TCP 3m
istio-pilot 10.83.251.173 <none> 8080/TCP,8081/TCP 3m
istio-mixer 10.83.244.253 <none> 9091/TCP,9094/TCP,42422/TCP 3m
Then make sure that the corresponding Kubernetes pods are deployed and all containers are up and running: istio-pilot-*, istio-mixer-*, istio-ingress-*, istio-ca-*.
Run the command:
kubectl get pods -n istio-system
OUTPUT:
NAME READY STATUS RESTARTS AGE
istio-ca-3657790228-j21b9 1/1 Running 0 3m
istio-ingress-1842462111-j3vcs 1/1 Running 0 3m
istio-pilot-2275554717-93c43 1/1 Running 0 3m
istio-mixer-2104784889-20rm8 2/2 Running 0 3m
When all the pods are running, you can proceed.
Now Istio is installed and verified, you can deploy one of the sample applications provided with the installation — BookInfo. This is a simple mock bookstore application made up of four services that provide a web product page, book details, reviews (with several versions of the review service), and ratings - all managed using Istio.
You will find the source code and all the other files used in this example in your Istio samples/bookinfo directory. These steps will deploy the BookInfo application's services in an Istio-enabled environment, with Envoy sidecar proxies injected alongside each service to provide Istio functionality.
In this guide we will deploy a simple application that displays information about a book, similar to a single catalog entry of an online book store. Displayed on the page is a description of the book, book details (ISBN, number of pages, and so on), and a few book reviews.
The BookInfo application is broken into four separate microservices:
- productpage. The productpage microservice calls the details and reviews microservices to populate the page.
- details. The details microservice contains book information.
- reviews. The reviews microservice contains book reviews. It also calls the ratings microservice.
- ratings. The ratings microservice contains book ranking information that accompanies a book review.
There are 3 versions of the reviews microservice:
- Version v1 doesn’t call the ratings service.
- Version v2 calls the ratings service, and displays each rating as 1 to 5 black stars.
- Version v3 calls the ratings service, and displays each rating as 1 to 5 red stars.
The end-to-end architecture of the application is shown below.
We deploy our application directly using kubectl create and its regular YAML deployment file. We will inject Envoy containers into your application pods using istioctl:
kubectl create -f <(istioctl kube-inject -f samples/bookinfo/kube/bookinfo.yaml)
Finally, confirm that the application has been deployed correctly by running the following commands:
Run the command:
kubectl get services
OUTPUT:
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
details 10.0.0.31 <none> 9080/TCP 6m
kubernetes 10.0.0.1 <none> 443/TCP 21m
productpage 10.0.0.120 <none> 9080/TCP 6m
ratings 10.0.0.15 <none> 9080/TCP 6m
reviews 10.0.0.170 <none> 9080/TCP 6m
Run the command:
kubectl get pods
OUTPUT:
NAME READY STATUS RESTARTS AGE
details-v1-1520924117-48z17 2/2 Running 0 6m
productpage-v1-560495357-jk1lz 2/2 Running 0 6m
ratings-v1-734492171-rnr5l 2/2 Running 0 6m
reviews-v1-874083890-f0qf0 2/2 Running 0 6m
reviews-v2-1343845940-b34q5 2/2 Running 0 6m
reviews-v3-1813607990-8ch52 2/2 Running 0 6m
With Envoy sidecars injected along side each service, the architecture will look like this:
Now that it's deployed, let's see the BookInfo application in action.
First you need to get the ingress IP and port, as follows:
kubectl get ingress -o wide
OUTPUT:
NAME HOSTS ADDRESS PORTS AGE
gateway * 130.211.10.121 80 3m
Based on this information (Address), set the GATEWAY_URL environment variable:
export GATEWAY_URL=130.211.10.121:80
NOTE : don't forget to append :80
in the GATEWAY_URL
Once you have the address and port, check that the BookInfo app is running with curl:
Run the command:
curl -o /dev/null -s -w "%{http_code}\n" http://${GATEWAY_URL}/productpage
OUTPUT:
200
Then point your browser to http://$GATEWAY_URL/productpage to view the BookInfo web page. If you refresh the page several times, you should see different versions of reviews shown in the product page, presented in a round robin style (red stars, black stars, no stars), since we haven't yet used Istio to control the version routing
The BookInfo sample deploys three versions of the reviews microservice. When you accessed the application several times, you will have noticed that the output sometimes contains star ratings and sometimes it does not. This is because without an explicit default version set, Istio will route requests to all available versions of a service in a random fashion.
We use the istioctl command line tool to control routing, adding a route rule that says all traffic should go to the v1 service. First, confirm there are no route rules installed :
istioctl get routerules -o yaml
No Resouces will be found. Now, create the rule (check out the source yaml file it you'd like to understand how rules are specified) :
Run the command:
istioctl create -f samples/bookinfo/kube/route-rule-all-v1.yaml -n default
OUTPUT:
Created config route-rule/default/productpage-default at revision 136126
Created config route-rule/default/reviews-default at revision 136127
Created config route-rule/default/ratings-default at revision 136128
Created config route-rule/default/details-default at revision 136130
Look at the rule you've just created:
istioctl get routerules -o yaml
Go back to the Bookinfo application (http://$GATEWAY_URL/productpage) in your browser. You should see the BookInfo application productpage displayed. Notice that the productpage is displayed with no rating stars since reviews:v1 does not access the ratings service.
To test reviews:v2, but only for a certain user, let's create this rule:
istioctl create -f samples/bookinfo/kube/route-rule-reviews-test-v2.yaml -n default
Check out the route-rule-reviews-test-v2.yaml file to see how this rule is specified :
$ cat samples/bookinfo/kube/route-rule-reviews-test-v2.yaml
OUTPUT:
apiVersion: config.istio.io/v1alpha2
kind: RouteRule
metadata:
name: reviews-test-v2
spec:
destination:
name: reviews
precedence: 2
match:
request:
headers:
cookie:
regex: "^(.*?;)?(user=jason)(;.*)?$"
route:
- labels:
version: v2
Look at the rule you've just created :
istioctl get routerule reviews-test-v2 -o yaml
We now have a way to route some requests to use the reviews:v2 service. Can you guess how? (Hint: no passwords are needed) See how the page behaviour changes if you are logged in as no-one and 'jason'.
You can read the documentation page for further details on Istio's request routing.
Once the v2 version has been tested to our satisfaction, we could use Istio to send traffic from all users to v2, optionally in a gradual fashion.
For now, let's clean up the routing rules:
istioctl delete -f samples/bookinfo/kube/route-rule-all-v1.yaml -n default
istioctl delete -f samples/bookinfo/kube/route-rule-reviews-test-v2.yaml -n default
Istio-enabled applications can be configured to collect trace spans using, for instance, the popular Zipkin distributed tracing system. Distributed tracing lets you see the flow of requests a user makes through your system, and Istio's model allows this regardless of what language/framework/platform you use to build your application.
First, install the Zipkin addon :
kubectl apply -f install/kubernetes/addons/zipkin.yaml
Istio is now configured to send request information.
Configure port forwarding (works on Google Cloud Shell only):
kubectl port-forward -n istio-system $(kubectl get pod -n istio-system -l app=zipkin -o jsonpath='{.items[0].metadata.name}') 8080:9411 &
Open your browser at http://localhost:9411
Load the Bookinfo application again (http://$GATEWAY_URL/productpage).
Select a trace from the list, and you will now see something similar to the following:
You can see how long each microservice call took, including the Istio checks.
You can read the documentation page for further details on Istio's distributed request tracing.
This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic. As part of this task, you will install the Grafana Istio addon and use the web-based interface for viewing service mesh traffic data.
First, install the Prometheus addon :
kubectl apply -f install/kubernetes/addons/prometheus.yaml
Istio is now configured to send monitoring information to Prometheus.
Next, we install the Grafana addon:
kubectl apply -f install/kubernetes/addons/grafana.yaml
Grafana will be used to visualize the data prometheus.
Configure port forwarding (works on Google shell only):
kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l app=grafana -o jsonpath='{.items[0].metadata.name}') 8080:3000 &
Open your browser at http://localhost:3000
Load the Bookinfo application again (http://$GATEWAY_URL/productpage).
Select a trace from the list, and you will now see something similar to the following:
NOTE: With version 0.5, there is a problem with the service graph build. If you're using 0.5 you cannot complete this lab. Find out which version of istio you're running by:
istioctl version
This task shows you how to generate a graph of services within an Istio mesh. As part of this task, you will install the ServiceGraph addon and use the web-based interface for viewing service graph of the service mesh.
First, install the Service Graph addon :
kubectl apply -f install/kubernetes/addons/servicegraph.yaml
Configure port forwarding (works on Google Cloud Shell only):
kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l app=servicegraph -o jsonpath='{.items[0].metadata.name}') 8080:8088 &
Ppen your browser at http://localhost:8088/dotviz
You will now see something similar to the following:
This task shows how to inject delays and test the resiliency of your application.
Note: This assumes you don’t have any routes set yet. If you’ve already created conflicting route rules for the sample, you’ll need to use replace rather than create in one or both of the following commands.
To test our BookInfo application microservices for resiliency, we will inject a 7s delay between the reviews:v2 and ratings microservices, for user “jason”. Since the reviews:v2 service has a 10s timeout for its calls to the ratings service, we expect the end-to-end flow to continue without any errors.
Create a fault injection rule to delay traffic coming from user “jason” (our test user)
istioctl create -f samples/bookinfo/kube/route-rule-ratings-test-delay.yaml
Run the command:
istioctl get routerule ratings-test-delay -o yaml
You should see the yaml for the routing rule. Allow several seconds to account for rule propagation delay to all pods.
Log in as user “jason”. If the application’s front page was set to correctly handle delays, we expect it to load within approximately 7 seconds. To see the web page response times, open the Developer Tools menu in IE, Chrome or Firefox (typically, key combination Ctrl+Shift+I or Alt+Cmd+I), tab Network, and reload the productpage web page.
You will see that the webpage loads in about 6 seconds. The reviews section will show Sorry, product reviews are currently unavailable for this book.
The reason that the entire reviews service has failed is because our BookInfo application has a bug. The timeout between the productpage and reviews service is less (3s + 1 retry = 6s total) than the timeout between the reviews and ratings service (10s). These kinds of bugs can occur in typical enterprise applications where different teams develop different microservices independently. Istio’s fault injection rules help you identify such anomalies without impacting end users.
Notice that we are restricting the failure impact to user “jason” only. If you login as any other user, you would not experience any delays
Through this task, you will learn how to:
- Verify the Istio mutual TLS Authentication setup
- Manually test the authentication
Verify the cluster-level CA is running:
kubectl get deploy -l istio=istio-ca -n istio-system
OUTPUT:
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
istio-ca 1 1 1 1 1m
Verify AuthPolicy setting in ConfigMap
kubectl get configmap istio -o yaml -n istio-system | grep authPolicy | head -1
Istio mutual TLS authentication is enabled if the line authPolicy: MUTUAL_TLS is uncommented (doesn’t have a #).
We are going to install a sample application into the cluster and try and access the services directly.
- Switch to the sample app folder
git clone https://github.com/srinandan/istio-workshop.git && cd istio-workshop/mtlstest
- Set the PROJECT_ID as the environment variable
export PROJECT_ID=$(gcloud info --format='value(config.project)')
- Edit the Kubernetes configuration file (mtlstest.yaml) and add the PROJECT_ID
vi mtlstest.yaml
change this and add the project id:
image: gcr.io/PROJECT_ID/mtlstest:latest
save the file.
- Build the docker image and push it to GCR (Google Container Repo)
./dockerbuild.sh
NOTE: you may have to run "chmod +x dockerbuild.sh"
- Deploy the app to Kubernetes
./k8ssetup.sh
- Verify the application was deployed successfully
kubectl get pods
OUTPUT:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
details ClusterIP 10.59.254.1 <none> 9080/TCP 12m
kubernetes ClusterIP 10.59.240.1 <none> 443/TCP 18m
mtlstest ClusterIP 10.59.253.170 <none> 8080/TCP 7m
productpage ClusterIP 10.59.251.133 <none> 9080/TCP 12m
ratings ClusterIP 10.59.251.105 <none> 9080/TCP 12m
reviews ClusterIP 10.59.250.46 <none> 9080/TCP 12m
NOTE: The cluster IP for the details app. This app is running on port 9080
- Access the mtltest pod
kubectl exec -it mtlstest-bbf7bd6c-9rmwn /bin/bash
- Run cURL to access to the details app
curl -k -v https://details:9080/details/0
OUTPUT:
* About to connect() to 10.59.254.1 port 9080 (#0)
* Trying 10.59.254.1...
* Connected to 10.59.254.1 (10.59.254.1) port 9080 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)
* SSL received a record that exceeded the maximum permissible length.
* Closing connection 0
curl: (35) SSL received a record that exceeded the maximum permissible length.
NOTE: If security (mTLS) was NOT enabled on the services, you would have see the output (status 200)
We are now going to access the service with the appropriate keys and certs.
- Get the CA Root Cert, Certificate and Key from Kubernetes secrets
kubectl get secret istio.default -o jsonpath='{.data.root-cert\.pem}' | base64 --decode > root-cert.pem
kubectl get secret istio.default -o jsonpath='{.data.cert-chain\.pem}' | base64 --decode > cert-chain.pem
kubectl get secret istio.default -o jsonpath='{.data.key\.pem}' | base64 --decode > key.pem
- Copy the files to the mtlstest POD
kubectl cp root-cert.pem mtlstest-bbf7bd6c-gfpjk:/tmp -c mtlstest
kubectl cp cert-chain.pem mtlstest-bbf7bd6c-gfpjk:/tmp -c mtlstest
kubectl cp key.pem mtlstest-bbf7bd6c-gfpjk:/tmp -c mtlstest
- Start a bash to the mtlstest POD
kubectl get pods
OUTPUT:
NAME READY STATUS RESTARTS AGE
details-v1-845458947b-4xt2j 2/2 Running 0 5h
mtlstest-bbf7bd6c-gfpjk 2/2 Running 0 45m
productpage-v1-54d4776d48-z8xxv 2/2 Running 0 5h
kubectl exec -it mtlstest-bbf7bd6c-gfpjk /bin/bash
- Move the PEM files to the appropriate folder (/etc/certs - which is the default folder)
mkdir /etc/certs
mv /*.pem /etc/certs/
- Create a new user and group NOTE: Envoy does NOT intercept traffic from "root" user. Therefore we will create a test user
groupadd mtlstest
useradd mtlstest -g mtlstest
- Change to the test user "mtlstest"
su - mtlstest
- Access the application
curl -v http://details:9080/details/0
OUTPUT:
* About to connect() to details port 9080 (#0)
* Trying 10.59.254.1...
* Connected to details (10.59.254.1) port 9080 (#0)
> GET /details/0 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: details:9080
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/json
< server: envoy
< date: Mon, 05 Feb 2018 04:44:14 GMT
< content-length: 178
< x-envoy-upstream-service-time: 54
<
* Connection #0 to host details left intact
{"id":0,"author":"William Shakespeare","year":1595,"type":"paperback","pages":200,"publisher":"PublisherA","language":"English","ISBN-10":"1234567890","ISBN-13":"123-1234567890"}[mtlstest@mtlstest-bbf7bd6c-gfpjk ~]
NOTE:
- You didn't have to specify https when accessing the service.
- Envoy automatically established mTLS between the consumer (mtlstest) and the provider (details)
We saw how an application (mtlstest) was able access the service with the necessary key and cert. Istio also helps you prevent such access. In the application we have, the details application must only be accessed by the productpage application.
We are first going to create a service account for the productpage application. For more information about service accounts, please refer here. Run the command:
kubectl apply -f <(istioctl kube-inject -f bookinfo-add-serviceaccount.yaml)
Output:
serviceaccount "bookinfo-productpage" created
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
deployment "productpage-v1" configured
NOTE: It is safe to ignore this warning.
We are now going to deploy a mixer rule that denies access to other services (services that are not productpage). Review this snippet:
spec:
match: destination.labels["app"] == "details" && source.user != "cluster.local/ns/default/sa/bookinfo-productpage"
actions:
- handler: denyproductpagehandler.denier
instances: [ denyproductpagerequest.checknothing ]
The match string says if the target/destination service is details and the source (service account) is not productpage, then deny access. The term source.user is automatically populated by Envoy during the mTLS handshake. It is the identity of the immediate sender of the request, authenticated by mTLS. Therefore we can trust the value contained within it. Now we will deploy this rule.
istioctl create -f mixer-rule-deny-others.yaml
Output:
Created config denier/default/denyproductpagehandler at revision 165636
Created config checknothing/default/denyproductpagerequest at revision 165637
Created config rule/default/denyproductpage at revision 165638
Now, try to access the service again.
kubectl exec -it mtlstest-bbf7bd6c-gfpjk /bin/bash
su - mtlstest
curl -v http://details:9080/details/0
Output:
* About to connect() to details port 9080 (#0)
* Trying 10.59.254.1...
* Connected to details (10.59.254.1) port 9080 (#0)
> GET /details/0 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: details:9080
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< content-length: 67
< content-type: text/plain
< date: Tue, 06 Feb 2018 01:03:05 GMT
< server: envoy
< x-envoy-upstream-service-time: 35
<
* Connection #0 to host details left intact
PERMISSION_DENIED:denyproductpagehandler.denier.default:Not allowed
Learn more about the design principles behind Istio’s automatic mTLS authentication between all services in this blog
Here's how to uninstall Istio.
kubectl delete -f samples/bookinfo/kube/bookinfo.yaml
OUTPUT:
service 'details' deleted
deployment 'details-v1' deleted
service 'ratings' deleted
deployment 'ratings-v1' deleted
service 'reviews' deleted
deployment 'reviews-v1' deleted
deployment 'reviews-v2' deleted
deployment 'reviews-v3' deleted
service 'productpage' deleted
deployment 'productpage-v1' deleted
kubectl delete -f install/kubernetes/istio-auth.yaml
For the current release, uninstalling Istio core components also deletes the RBAC permissions, the istio-system namespace, and hierarchically all resources under it. It is safe to ignore errors for non-existent resources because they may have been deleted hierarchically.
Through this task, you will learn how to enable JWT validation on specific services in the mesh.
In this step we will enable the JWT policy on the details service. Take a look at the details-jwt.yaml file.
The first section is defining how to enable the JWT
apiVersion: config.istio.io/v1alpha2
kind: EndUserAuthenticationPolicySpec
metadata:
labels:
app: details
name: details-auth
spec:
jwts:
- issuer: "https://xxxx"
jwks_uri: "http://xxxx"
forwardJwt: true
There are two critical pieces here:
- The Issuer, every JWT token must match the issuer specified here
- The jwks_url, this is an endpoint to where JSON Web Key based public keys are hosted. Here is an example from Google. These public keys are used to verify the JWT.
The second setion contains the list of services to enable this feature:
apiVersion: config.istio.io/v1alpha2
kind: EndUserAuthenticationPolicySpecBinding
metadata:
name: details-auth-binding
namespace: default
spec:
policies:
- name: details-auth
namespace: default
services:
- name: details
namespace: default
Now, apply the policy
kubectl apply -f jwttest/details-jwt.yaml
OUTPUT:
enduserauthenticationpolicyspec "details-auth" created
enduserauthenticationpolicyspecbinding "details-auth-binding" created
It takes a couple of minutes for the policy to be deployed.
- Once you have waited, login to the mtlstest pod
kubectl exec -it mtlstest-bbf7bd6c-9rmwn /bin/bash
- Switch to mtlstest user and test
su - mtlstest
curl -v http://details:9080/details/0
OUTPUT:
* About to connect() to details port 9080 (#0)
* Trying 10.19.240.254...
* Connected to details (10.19.240.254) port 9080 (#0)
> GET /details/0 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: details:9080
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< content-length: 29
< content-type: text/plain
< date: Mon, 19 Mar 2018 18:13:25 GMT
< server: envoy
< x-envoy-upstream-service-time: 7
<
* Connection #0 to host details left intact
Required JWT token is missing
This is expected, we did not pass a JWT token.
In addition to uninstalling Istio, you should also delete the Kubernetes cluster created in the setup phase (to save on cost and to be a good cloud citizen):
gcloud container clusters delete hello-istio
OUTPUT
The following clusters will be deleted. - [hello-istio] in [west1-b]
Do you want to continue (Y/n)? Y
Deleting cluster hello-istio...done. Deleted [https://container.googleapis.com/v1/projects/codelab-test/zones/us-central1-f/clusters/hello-istio].
Of course, you can also delete the entire project but you would lose any billing setup you have done (disabling project billing first is required). Additionally, deleting a project will only stop all billing after the current billing cycle ends.
The Istio site contains guides and samples with fully working example uses for Istio that you can experiment with. These include:
- Intelligent Routing: this example shows how to use Istio's various traffic management capabilities with BookInfo, and is a particularly good next step from this tutorial.
- In-Depth Telemetry: this example demonstrates how to get uniform metrics, logs, and traces across BookInfo's services using Istio Mixer and the Istio sidecar proxy.