Virtual Machine Installation
Follow this guide to deploy Istio and connect a virtual machine to it.
Prerequisites
- Download the Istio release
- Perform any necessary platform-specific setup
- Check the requirements for Pods and Services
- Virtual machines must have IP connectivity to the ingress gateway in the connecting mesh, and optionally every pod in the mesh via L3 networking if enhanced performance is desired.
Prepare the guide environment
- Create a virtual machine
- Set the environment variables VM_NAME, WORK_DIR, VM_NAMESPACE, and SERVICE_ACCOUNT (e.g., WORK_DIR="${HOME}/vmintegration"):
- Create the working directory:
Install the Istio control plane
Install Istio with the installation setting values.global.meshExpansion.enabled: true.
- Create the IstioOperator custom resource:
- Install or upgrade Istio with virtual machine integration features enabled.
Configure the VM namespace
- Create the namespace that will host the virtual machine:
- Create a service account for the virtual machine:
Create files to transfer to the virtual machine
- Create a Kubernetes token. This example sets the token expiration time to 1 hour:
- Get the root certificate:
- Generate a cluster.env configuration file that informs the virtual machine deployment which network CIDR to capture and redirect to the Kubernetes cluster:
- Optionally configure a select set of ports for exposure from the virtual machine. If you do not apply this optional step, all outbound traffic on all ports is sent to the Kubernetes cluster. You may wish to send some traffic on specific ports to other destinations. This example shows enabling ports 3306 and 8080 for capture by Istio virtual machine integration and transmission to Kubernetes. All other ports are sent over the default gateway of the virtual machine.
- Add an IP address that represents Istiod. Replace ${INGRESS_HOST} with the ingress gateway service of istiod. Revisit Determining the ingress host and ports to set the environment variable ${INGRESS_HOST}.
- Create the sidecar.env file to import the required environment variables:
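Because the token created above is only valid for 1 hour, it is worth checking its remaining lifetime before transferring it to the virtual machine. The following shell script is an added example, not part of the original guide: it reads the exp claim from a JWT-formatted token file without verifying the signature. The function names and the token file path passed as an argument are assumptions, as is the availability of base64, sed, and date.

```shell
#!/bin/sh
# Added example, not from the Istio guide: check how long a service account
# token (a JWT) stays valid. The signature is NOT verified here.

# Decode the payload (second dot-separated segment) of the JWT stored in file $1.
jwt_payload() {
    seg=$(tr -d '\n' < "$1" | cut -d. -f2 | tr '_-' '/+')
    # base64url drops the '=' padding; restore it so base64 -d accepts the input.
    case $(( ${#seg} % 4 )) in
        1) return 1 ;;            # not a valid base64 length
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the numeric "exp" claim (seconds since the epoch) of the token in file $1.
jwt_exp() {
    jwt_payload "$1" | tr -d ' \n' | sed -n 's/.*"exp":\([0-9][0-9]*\).*/\1/p'
}

# Print the seconds of validity left at time $2 (default: now).
# Returns 0 if still valid, 1 if expired, 2 if no exp claim could be read.
token_seconds_left() {
    exp=$(jwt_exp "$1")
    [ -n "$exp" ] || { echo "no exp claim found in $1" >&2; return 2; }
    now=${2:-$(date +%s)}
    left=$(( exp - now ))
    echo "$left"
    [ "$left" -gt 0 ]
}

# Demo on a constructed, unsigned token: issued at 1700000000, expires 1 hour later.
demo_token=$(mktemp)
claims='{"iss":"kubernetes/serviceaccount","iat":1700000000,"exp":1700003600}'
printf 'e30.%s.constructed-signature' \
    "$(printf '%s' "$claims" | base64 | tr -d '=\n' | tr '/+' '_-')" > "$demo_token"
echo "left 10 minutes after issue: $(token_seconds_left "$demo_token" 1700000600)s"
token_seconds_left "$demo_token" 1700003601 >/dev/null || echo "expired after 1 hour"
rm -f "$demo_token"
```

Run token_seconds_left against the generated token file in "${WORK_DIR}" just before the transfer; a non-zero exit status means the token should be regenerated first.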
Configure the virtual machine
Run the following commands on the virtual machine you want to add to the Istio mesh:
- Securely transfer the files from "${WORK_DIR}" to the virtual machine. Choose a transfer method that complies with your information security policies. For convenience in this guide, transfer all of the required files to "${HOME}" in the virtual machine.
- Update the cache of package updates for your deb packaged distro.
- Upgrade the deb packaged distro to ensure all latest security packages are applied.
- Install the root certificate at /var/run/secrets/istio:
- Install the token at /var/run/secrets/tokens:
- Install the deb package containing the Istio virtual machine integration runtime:
- Install cluster.env within the directory /var/lib/istio/envoy/:
- Install sidecar.env within the directory /var/lib/istio/envoy/:
- Add the istiod host to /etc/hosts:
- Install the root certificate in the directory /var/run/secrets/istio
- Transfer ownership of the files in /etc/certs/ and /var/lib/istio/envoy/ to the Istio proxy:
Start Istio within the virtual machine
Start the Istio agent:
Verify Istio Works Successfully
Check the log in /var/log/istio/istio.log. You should see entries similar to the following:
Uninstall
Stop Istio on the virtual machine:
Then, remove the Istio-sidecar package:
To uninstall Istio, run the following command:
The control plane namespace (e.g., istio-system) is not removed by default.
If no longer needed, use the following command to remove it: