How to install Anthos Service Mesh (Istio) on GKE Kubernetes Cluster ?
This tutorial explains the step-by-step procedure to install Anthos Service Mesh version 1.9.1 (Istio) on a GKE cluster.
Pre-requisites – Install Anthos Service Mesh (Istio)
Before you start installing ASM on a GKE cluster, make sure that you have satisfied the following pre-requisites.
- Your GKE cluster must use a machine type with at least 4 vCPUs, such as e2-standard-4. Anthos Service Mesh requires at least 8 vCPUs in the cluster.
- Note that if the machine type has 4 vCPUs, you should have at least 2 nodes in the cluster. If the machine type has 8 vCPUs, then you can have even 1 node in the cluster.
- Therefore, make sure that you have created the GKE cluster with the required vCPUs/nodes.
- Then choose the CA for issuing mTLS certificates: Mesh CA, which is the default, or Citadel.
- Activate Cloud Shell and install required tools by running the following command.
$ gcloud components update
- You may get an error while running the above command. If so, copy the long command displayed in the error message and run it to update the gcloud components.
$ sudo apt-get update && sudo apt-get --only-upgrade install google-cloud-sdk-cbt google-cloud-sdk-app-engine-grpc google-cloud-sdk-app-engine-python google-cloud-sdk-cloud-build-local google-cloud-sdk-kpt google-cloud-sdk-skaffold google-cloud-sdk google-cloud-sdk-firestore-emulator google-cloud-sdk-pubsub-emulator google-cloud-sdk-app-engine-python-extras google-cloud-sdk-datastore-emulator google-cloud-sdk-app-engine-java google-cloud-sdk-local-extract google-cloud-sdk-kubectl-oidc google-cloud-sdk-app-engine-go google-cloud-sdk-anthos-auth google-cloud-sdk-datalab google-cloud-sdk-spanner-emulator kubectl google-cloud-sdk-minikube google-cloud-sdk-bigtable-emulator google-cloud-sdk-config-connector
- Then download the ASM script and keep it ready for the installation.
Download the ASM 1.9.1 installation script to the current working directory.
$ curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_1.9 > install_asm
Download the SHA-256 of the file to the current working directory.
$ curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_1.9.sha256 > install_asm.sha256
Verify the download.
$ sha256sum -c --ignore-missing install_asm.sha256
install_asm: OK
Execute the following command to make the script executable.
$ chmod +x install_asm
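The download, verify and chmod steps above can be combined so that the script only becomes executable when the checksum matches. This is an added example, not part of install_asm or the original tutorial; `verify_then_enable` is a hypothetical helper name.

```shell
#!/usr/bin/env bash
# Added example; verify_then_enable is a hypothetical helper, not part of install_asm.
# Sets the executable bit only if the file's SHA-256 matches the entry in the
# checksum file. Returns 0 = verified, 1 = mismatch, 2 = unusable input.
verify_then_enable() {
  local script="$1" sumfile="$2" name expected actual
  [ -f "$script" ] && [ -f "$sumfile" ] || { echo "missing file" >&2; return 2; }
  name=$(basename "$script")

  # Find the digest listed for this file name ("<hex>  name" or "<hex> *name").
  expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sumfile")

  # An HTTP error page saved by curl, or a list without our file, yields no digest.
  if ! printf '%s' "$expected" | grep -Eq '^[0-9a-fA-F]{64}$'; then
    echo "no SHA-256 entry for $name in $sumfile" >&2
    return 2
  fi

  actual=$(sha256sum "$script" | awk '{ print $1 }')
  if [ "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" != "$actual" ]; then
    echo "checksum mismatch for $name; not marking it executable" >&2
    chmod a-x "$script"
    return 1
  fi
  chmod +x "$script"
}

# Usage, after the two curl downloads above:
#   verify_then_enable install_asm install_asm.sha256 && ./install_asm --help
```

Because the checksum file is fetched from the same location as the script, this check detects a corrupted or truncated download rather than a compromised source.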
Install Anthos Service Mesh (Istio) on GKE Kubernetes Cluster
After you are done with the pre-requisites follow this section to install Anthos Service Mesh (Powered by Istio) on GKE Kubernetes Cluster.
Export the default project id.
$ export PROJECT_ID=$(gcloud info --format='value(config.project)')
Make sure that you have the installation file and the asm package in the output directory.
sneppets@cloudshell:~/anthos/anthos-service-mesh (sne5g21)$ ls
asm                               asm-191-1-manifest-raw.yaml  install_asm         istio-1.9.1-asm.1
asm-191-1-manifest-expanded.yaml  asm_kubeconfig               install_asm.sha256  istioctl
Run the following command to validate your configuration.
$ ./install_asm \
    --project_id $PROJECT_ID \
    --cluster_name c1 \
    --cluster_location us-central1-c \
    --mode install \
    --output_dir /home/sneppets/anthos/anthos-service-mesh \
    --only_validate
install_asm: Setting up necessary files...
install_asm: Fetching/writing GCP credentials to kubeconfig file...
install_asm: [WARNING]: nc not found, skipping k8s connection verification
install_asm: [WARNING]: (Installation will continue normally.)
install_asm: Checking installation tool dependencies...
install_asm: Getting account information...
install_asm: Confirming cluster information for sne5g21/us-central1-c/c1...
install_asm: Confirming node pool requirements for sne5g21/us-central1-c/c1...
install_asm: Checking Istio installations...
install_asm: Checking required APIs...
install_asm: Checking for project sne5g21...
install_asm: Reading labels for us-central1-c/c1...
install_asm: [WARNING]: Cluster label not found - mesh_id=proj-422441510697
install_asm: [ERROR]: One or more required cluster labels were not found. Please label them and retry, or run the script with the '--enable_cluster_labels' flag to allow the script to enable them on your behalf. Alternatively, use --enable_all|-e to allow this tool to handle all dependencies.
There was an error which says One or more required cluster labels were not found. Try to run the following command to update labels for your cluster.
$ gcloud container clusters update c1 --zone us-central1-c --update-labels env=dev
Updating c1...done.
Updated [https://container.googleapis.com/v1/projects/sne5g21/zones/us-central1-c/clusters/c1].
To inspect the contents of your cluster, go to: https://console.cloud.google.com/kubernetes/workload_/gcloud/us-central1-c/c1?project=sne5g21
Run the following command for a new installation. This enables Mesh CA, which is the default CA. The --enable_all flag enables all the required Google APIs, sets IAM permissions and updates your cluster, including enabling GKE Workload Identity.
$ ./install_asm \
    --project_id $PROJECT_ID \
    --cluster_name c1 \
    --cluster_location us-central1-c \
    --mode install \
    --enable_all
install_asm: Setting up necessary files...
---------
---------
install_asm: ...done!
install_asm:
install_asm: *****************************
client version: 1.9.1-asm.1
control plane version: 1.9.1-asm.1
data plane version: 1.9.1-asm.1 (2 proxies)
----------
----------
install_asm: Successfully installed ASM.
If you have not registered your cluster already, then you can include the --enable-registration flag and re-run the command as shown below.
$ ./install_asm \
    --project_id $PROJECT_ID \
    --cluster_name c1 \
    --cluster_location us-central1-c \
    --mode install \
    --enable_all \
    --enable-registration
install_asm: Setting up necessary files...
-----
-----
install_asm: [WARNING]: Install mode specified, but 1 existing istiod deployment(s) found. (Expected 0.) Installation may overwrite existing control planes with the same revision.
install_asm: Enabling required APIs...
install_asm: Registering the cluster as c1...
-----
-----
install_asm: Successfully installed ASM.
Deploying / Re-deploying Workloads
Anthos Service Mesh uses sidecar proxies to enhance network security, reliability, and observability.
Note that the ASM installation is not complete until you enable automatic sidecar proxy injection. Once you enable auto-injection, you need to restart the Pods of any existing workloads.
To enable automatic sidecar proxy injection, follow the steps below:
Set the current context for kubectl.
$ gcloud container clusters get-credentials c1 --zone us-central1-c --project sne5g21
Run the following command to find the revision label on istiod.
$ kubectl -n istio-system get pods -l app=istiod --show-labels
NAME                               READY   STATUS    RESTARTS   AGE   LABELS
istiod-asm-191-1-f854c9cf6-84lfx   1/1     Running   1          13m   app=istiod,install.operator.istio.io/owning-resource=unknown,istio.io/rev=asm-191-1,istio=istiod,operator.istio.io/component=Pilot,pod-template-hash=f854c9cf6,sidecar.istio.io/inject=false
istiod-asm-191-1-f854c9cf6-kqzgm   1/1     Running   0          13m   app=istiod,install.operator.istio.io/owning-resource=unknown,istio.io/rev=asm-191-1,istio=istiod,operator.istio.io/component=Pilot,pod-template-hash=f854c9cf6,sidecar.istio.io/inject=false
In the response, under LABELS, note down the value of the istiod revision label istio.io/rev (here asm-191-1). Apply the revision label to your namespace and remove the istio-injection label, if it exists, by running the following command.
$ kubectl label namespace mv istio-injection- istio.io/rev=asm-191-1 --overwrite
label "istio-injection" not found.
namespace/mv labeled
You can ignore the message “istio-injection” not found.
Now, run the following command to perform a rolling restart.
$ kubectl rollout restart deployment -n mv
Verify that your Pods are configured to point to the new version of istiod.
$ kubectl get pods -n mv -l istio.io/rev=asm-191-1
NAME                         READY   STATUS    RESTARTS   AGE
kafka-77fb6497c9-4kggx       2/2     Running   0          17s
zookeeper-65fcbf6ccb-vqs7l   2/2     Running   0          19s
The following command’s response shows that sidecar proxies are injected automatically in the Kubernetes Pods.
$ kubectl get pods -n mv -o=jsonpath='{range .items[*]}{"\n"}{.metadata.name}{":\t"}{range .spec.containers[*]}{.name}{", "}{end}{end}' |sort
kafka-77fb6497c9-4kggx: kafka, istio-proxy,
zookeeper-65fcbf6ccb-vqs7l: zookeeper, istio-proxy,
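Pods that were not restarted after the namespace was labeled keep running without the proxy, so it helps to turn the listing above into a pass/fail check. The following is an added example, not from the original tutorial; the function names and the `legacy-job-abc12` pod are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical.

# Emit "pod:<TAB>container, container, " per pod, using the tutorial's jsonpath.
list_pod_containers() {
  kubectl get pods -n "$1" \
    -o=jsonpath='{range .items[*]}{"\n"}{.metadata.name}{":\t"}{range .spec.containers[*]}{.name}{", "}{end}{end}'
}

# Read that listing on stdin and print every pod with no istio-proxy container.
# Exit status is 1 if at least one pod lacks the sidecar, 0 otherwise.
pods_missing_sidecar() {
  awk -F':\t' '
    NF < 2 { next }                       # skip the leading blank line
    {
      found = 0
      n = split($2, c, /, */)             # container names, trailing ", " tolerated
      for (i = 1; i <= n; i++) if (c[i] == "istio-proxy") found = 1
      if (!found) { print $1; missing = 1 }
    }
    END { exit missing }
  '
}

# Constructed sample in the same format as the output shown above.
sample_listing() {
  printf '\nkafka-77fb6497c9-4kggx:\tkafka, istio-proxy, \n'
  printf 'zookeeper-65fcbf6ccb-vqs7l:\tzookeeper, istio-proxy, \n'
  printf 'legacy-job-abc12:\tworker, \n'  # constructed pod without a sidecar
}

# Usage against a live cluster:
#   list_pod_containers mv | pods_missing_sidecar || echo "restart the pods listed above"
```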
That’s it. Anthos Service Mesh is installed and set up on the GKE cluster. You can deploy/redeploy workloads and start viewing the Anthos Service Mesh Dashboards.
Hope it helped 🙂