Shared control plane (single-network)

Follow this guide to install an Istio multicluster service mesh where the Kubernetes cluster services and the applications in each cluster have the capability to expose their internal Kubernetes network to other clusters.

In this configuration, multiple Kubernetes clusters running a remote configuration connect to a shared Istio control plane. Once one or more remote Kubernetes clusters are connected to the Istio control plane, Envoy can then form a mesh network across multiple clusters.

Istio mesh spanning multiple Kubernetes clusters with direct network access to remote pods over VPN

Prerequisites

  • Two or more clusters running a supported Kubernetes version (1.13, 1.14, 1.15).

  • The ability to deploy the Istio control plane on one of the clusters.

  • An RFC1918 network, VPN, or an alternative more advanced network technique meeting the following requirements:

    • Individual cluster Pod CIDR ranges and service CIDR ranges must be unique across the multicluster environment and may not overlap.

    • All pod CIDRs in every cluster must be routable to each other.

    • All Kubernetes control plane API servers must be routable to each other.

  • Helm 2.10 or newer. The use of Tiller is optional.
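A preflight check for the CIDR and addressing prerequisites above, written as an added example rather than Istio's own tooling; the cluster CIDRs and control-plane pod addresses it uses are constructed sample values:

```python
"""Preflight check for the single-network, shared-control-plane prerequisites.

Constructed example (not Istio project code): confirms that pod and service
CIDRs are unique and non-overlapping across every cluster, and that the
control-plane pod addresses passed to the remote profile are RFC 1918 space.
"""
import ipaddress
from itertools import combinations

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: cluster2's pod range sits inside cluster1's pod range.
SAMPLE_CLUSTERS = {
    "cluster1": {"pod": "10.0.0.0/16", "service": "10.1.0.0/16"},
    "cluster2": {"pod": "10.0.128.0/17", "service": "10.2.0.0/16"},
}


def cidr_conflicts(clusters):
    """Return (label_a, cidr_a, label_b, cidr_b) for every overlapping pair.

    Every CIDR in the environment is compared with every other one, so a pod
    range colliding with another cluster's service range is reported too.
    strict=True rejects CIDRs with host bits set (e.g. 10.0.1.0/16).
    """
    ranges = [(f"{name}/{kind}", ipaddress.ip_network(cidr, strict=True))
              for name, cidrs in clusters.items()
              for kind, cidr in cidrs.items()]
    return [(la, str(a), lb, str(b))
            for (la, a), (lb, b) in combinations(ranges, 2) if a.overlaps(b)]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def remote_install_args(pilot_ip, policy_ip, telemetry_ip):
    """Build the --set arguments for `istioctl manifest apply` (remote profile).

    Raises ValueError if any control-plane address is outside RFC 1918 space,
    which would mean the remote cluster is being pointed at a public endpoint.
    """
    addrs = {"remotePilotAddress": pilot_ip, "remotePolicyAddress": policy_ip,
             "remoteTelemetryAddress": telemetry_ip}
    for key, ip in addrs.items():
        if not is_rfc1918(ip):
            raise ValueError(f"{key}={ip} is not a private (RFC 1918) address")
    args = ["--set", "profile=remote"]
    for key, ip in addrs.items():
        args += ["--set", f"values.global.{key}={ip}"]
    return args
```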

This guide describes how to install a multicluster Istio topology using the manifests and Helm charts provided within the Istio repository.

Deploy the local control plane

Install the Istio control plane on one Kubernetes cluster.

Install the Istio remote

You must deploy the istio-remote component to each remote Kubernetes cluster. You can install the component in one of two ways:

  1. Use the following command on the remote cluster to install the Istio control plane service endpoints:

    $ istioctl manifest apply \
    --set profile=remote \
    --set values.global.remotePilotAddress=${PILOT_POD_IP} \
    --set values.global.remotePolicyAddress=${POLICY_POD_IP} \
    --set values.global.remoteTelemetryAddress=${TELEMETRY_POD_IP}
    
  2. The following command example labels the default namespace. Use similar commands to label all the remote cluster’s namespaces requiring automatic sidecar injection.

    $ kubectl label namespace default istio-injection=enabled
    

    Repeat for all Kubernetes namespaces that need to set up automatic sidecar injection.