How to Install and Use Istio with Kubernetes?

Photo of author

By admin

Mesh is an infrastructure layer that helps to connect and manage communication with the application’s microservices. Many developers are working on microservices and the mesh services have evolved to make them even more reliable for managing tasks.

Here comes the role of service mesh like Istio, which simplifies the processes such as routing, traffic configuration, discovery, authentication, and monitoring. The main motive of Istio is to work without any changes in the existing code of service. While working with Kubernetes, one can add a service mesh to the currently running task in a cluster by creating the Istio for particular objects.

Here, you will find the accurate tutorial to install and use the Istio using the Helm package manager in Kubernetes. You can also use the Istio to showcase a demo Node.js application to create a route and virtual service resources.


Some main requirements for installing Istio with kubernetes;

  1. First, you need to enable the Kubernetes 1.10+ cluster. And the cluster should be (RBAC) role-based access control. Any method could be used to create the cluster with at least 8 gb of memory available.
  2. A command-line kubectl should be installed on a development server. It should be configured for connecting to the cluster.
  3. Further, it is important to install Hem on the development server. Triller should be installed on the cluster.
  4. Development server must be installed with Docker. It is essential to add non-root users to the docker group.

Lastly, you need to set-up the Docker Hub account.

Step-by-Step Guide to Install and Use Istio with Kubernetes

Step 1: Packaging the Application

The primary step is to duplicate the node js-image-demo repository. The repository usually contains the codes describing on how to build a NODE.JS Application, which illustrates exactly how to create an image for a Node.js application. You can locate additional details about the treatment itself in the set from Containers to Kubernetes with NODE.JS.

Further, clone the nodejs-image-demo repository right into a directory known as istio_project

git clone istio_project

Navigate to the istio_project folder;

cd istio_project

This director has reports and folders for a shark details application that gives customers standard details regarding sharks. Apart from the application files, the directory includes a Dockerfile and directives for making a Docker image with the application code.

For testing of the application code and Dockerfile work as anticipated. The docker build command will assist to build and tag the image, and then utilize the image to dash a demo container. Making use of the -t flag with docker build will permit you to trail the image with your Docker Hub username to ensure that you may drive it to Docker Hub after its testing.

Create the image with the help of the command mentioned as follows;

docker build -t your_dockerhub_username/node-demo

In the (.), the command states the build context as the current folder. Rename the image as NODE-DEMO. However, you can rename it with any name you want.

After the completion of the building process, create a list of the image with DOCKER IMAGES;

docker images

Then you will find the below output, confirming the image:


your_dockerhub_username/node-demo latest 37f1c2939dbf 5 seconds ago 77.6MB

node 10-alpine 9dfa73010b19 2 days ago

Further, use the DOCKER RUN to make a box based on the image. You can include three flags with the command;

-p: It will publish the slot on the container and map it to a slot on our bunch. Our team will use port 80 on the multitude, yet you can choose a different port if some other process is already running on port 80.

-d: This operates the container in the background.

–name: It will assist in providing the compartment an individualized label.

Now use the below command to create the container:

docker run –name node-demo -p 80:8080 -d your_dockerhub_username/node-demo

Check your running container with docker ps:

docker ps

Then you will get the confirmation that your application is running:


49a67bafc325 your_dockerhub_username/node-demo “docker-entry point.s…”

Then visit your Server’s IP Address to check your setup: http://your_server_ip

After checking your application, stop the running container by using the docker ps command:

docker ps

You now have a functioning graphic that you can pull to manage your app along with Kubernetes and Istio. Next, you can easily carry on putting up Istio along with Helm.

Step 2: Installing Istio with Helm

Istio supplies different installation strategies, and the documentation encourages making use of Helm to make the most of versatility in handling configuration choices.

First, incorporate the Istio launch storehouse with this command:

helm repo add

Then you will get the listed repo:




Further, with the assistance of istio-init chart, install the Istio’s CRDs (custom resource definitions) using the Helm install command;

helm install –name istio-init –namespace istio-system


NAME: istio-init

LAST DEPLOYED: Fri Jun 7 17:13:32 2019

NAMESPACE: istio-system


The following command commits 53 CRDs to the Kube-apiserver. And making it accessible for use in the Istio mesh. It also produces a namespace for the Istio objects known as istio-system and utilizes the –name choice to name the Helm release istio-init. A release of Helm pertains to a specific deployment of a chart with particular configuration choices permitted.

To examine that all of the demanded CRDs have been committed, run the following command:

kubectl get crds | grep ‘\|’ | wc –l

It must have an outcome of 53.

Now you can install the istio Chart successfully. To ensure that the Grafana telemetry add-on is put up with the Chart, we will use the –set grafana.enabled=true configuration alternative along with our helm install. Istio possesses various arrangement profile pages to opt for when mounting with Helm that permits you to personalize the Istio command airplane and information aircraft sidecars.

Then you have to give the command to install the Chart:

helm install –name istio –namespace istio-system –set grafana.enabled=true

To verify the service object with the default account is created, run the command mentioned as follows:

kubectl get svc -n istio-system

The Pods representing these solutions ought to have a STATUS of Running, suggesting that the Pods are tied to nodules in which the compartments connected with the Pods are operating:


grafana-67c69bb567-t8qrg 1/1 Running 0 4m25s

istio-citadel-fc966574d-v5rg5 1/1 Running 0 4m25s

istio-galley-cf776876f-5wc4x 1/1 Running 0 4m25s

istio-ingressgateway-7f497cc68b-c5w64 1/1 Running 0 4m25s

istio-init-crd-10-bxglc 0/1 Completed 0 9m29s

istio-init-crd-11-dv5lz 0/1 Completed 0 9m29s

istio-pilot-785694f946-m5wp2 2/2 Running 0 4m25s

istio-policy-79cff99c7c-q4z5x 2/2 Running 1 4m25s

istio-sidecar-injector-c8ddbb99c-czvwq 1/1 Running 0 4m24s

istio-telemetry-578b6f967c-zk56d 2/2 Running 1 4m25s

prometheus-d8d46c5b5-k5wmg 1/1 Running 0 4m25s

The last step in the Istio installation will permit the development of Envoy proxies, which will be set up as sidecars to solutions running in the Mesh.

Sidecars are generally made use of to incorporate an additional layer of functionality in existing container atmospheres. Istio’s mesh construction depends on communication between Envoy sidecars, which comprise the data aircraft of the net and the components of the control plane. So as for the Mesh to function, our company needs to guarantee that each Pod in the Mesh will also run an Envoy sidecar.

There are a pair of methods for accomplishing this goal: manual sidecar injection and automatic sidecar injection. You can permit automatic sidecar injection by designating the namespace through which we will generate our application objects with the label istio-injection=enabled. It will guarantee that the MutatingAdmissionWebhook controller can easily obstruct the kube-apiserver and conduct a specific activity– in this particular casing, ensuring that each of our function Pods begins along with a sidecar.

Apply the istio-injection=enables names to a namespace with the following command:

kubectl label namespace default istio-injection=enabled

Step 3: Making Application Objects

You can make an application manifest with requirements of service deployment objects, with the Istio mesh in position and configured to inject sidecar Pods. further, each object’s state is explained well in the specifications in a Kubernetes manifest.

The function Service will undoubtedly ensure that the Pods operating in containers continue to be accessible in a dynamic environment. Every pod is made and destroyed, while the Deployment will define the preferred Condition Pods.

Click on the file names node-app.yaml with nano or any other editor:

nano node-app.yaml

Further, add the given code defines the nodejs services:


apiVersion: v1

kind: Service


name: nodejs


app: nodejs



app: nodejs


– name: http

port: 8080

The particular service definition consists of a selector. It will likewise match the pods with the corresponding app: nodejs name.

The addition of specification for the application deployment is done by the service below;. Make sure to replace the image with the containers.

apiVersion: apps/v1

kind: Deployment


name: nodejs


version: v1


replicas: 1



app: nodejs




app: nodejs

version: v1



– name: nodejs

image: your_dockerhub_username/node-demo


– containerPort: 8080

The specifications for this Deployment feature the variety of replicas and a selector that defines which Pods the Deployment will handle. It will also handle the Pods with the app: nodejs tag.

When you are finished editing and enhancing, save the report.

Placing this file at point. We can move further for the editing that consists of the definition for gateway and virtual service objects. It also controls the entrance of traffic and its path once there.

Step 4: Creating Istio Objects

To control access to a bunch and also to transmit data to Services, Kubernetes utilizes Ingress Resources Controllers. Entering Resources specify HTTP regulations and HTTPS routing to cluster Services, while Controllers balance inbound web traffic and route it to the correct Services.

Istio uses various sets of objects to achieve identical ends, though along with some essential variations. Rather than using a Controller to manage website traffic, the Istio mesh uses a Gateway, which works as a bunch balancer that handles outgoing and incoming HTTP/TCP relationships.

The minimal application coating capacities that Kubernetes Ingress Controllers and Resources make available to flock drivers certainly do not feature the performances, including sophisticated transmitting, mapping, and telemetry delivered due to the sidecars in the Istio service mesh.

To allow external visitor traffic into the Mesh and set up direct access to the Node app, we will need to make an Istio Gateway and Virtual Service. Open up a data contact node-istio.yaml for the show:

nano node-istio.yaml

Add the definition for gateway object first:


kind: Gateway


name: nodejs-gateway



istio: ingressgateway


– port:

number: 80

name: http

protocol: HTTP


Aside from supplying a name for this Virtual Service, you can add feature requirements for this source that consist of:

  • A host area that indicates the location. Within this situation, we’re once more utilizing a wildcard value (*) to enable simple access to the treatment in the browser, given that you are not working with a domain name.
  • A gateways field that points out the Gateway through which external demands will be enabled. Within this situation, it’s our nodejs-gateway Gateway.

The HTTP area indicates just how HTTP visitor traffic will be routed.

Save and close the documents when you are finished editing and enhancing them.

Along with your yaml files in location, you can easily make your function Service and Deployment. The Gateway and Virtual Service items will be accessible to your function.

Step 5: Creating application resources and allowing telemetry access

After creating the application application Service and Deployment items, including the Gateway and Virtual Service. Now you can easily generate the request to the application and check the linked data in your Istio Grafana dash panels.

Further, A configure Istio is required for exposing the Grafana add-on to ensure you can access the control panels in your browser.

While working in production or sensitive settings, it is advisable to enable getting HTTPS access.

Considering that you established the –set grafana.enabled=true setup possibility when installing Istio. You possess a Grafana Service and Pod in our istio-system namespace,

Along with those resources presently in place, further you have to generate a virtual service for a Gateway to expose the Grafana add-on.

For manifest open the file:

nano node-grafana.yaml

Enter the following code to the node-grafana.yaml file to create a pathway to display and route the traffic to Grafana service:


kind: Gateway


name: grafana-gateway

namespace: istio-system



istio: ingressgateway


– port:

number: 15031

name: http-grafana

protocol: HTTP


– “*”


kind: VirtualService


name: grafana-vs

namespace: istio-system



– “*”


– grafana-gateway


– match:

– port: 15031


– destination:

host: grafana


number: 3000

Save and exit the file once you are done.

Now run the following command to create Grafana:

kubectl apply -f node-grafana.yaml

The command of kubectl apply will enable a specific configuration to apply to an object while making or updating it.

By entering the following command, you can check the the gateway in the Istio-system;

$ kubectl get gateway -n istio-system

You will get an input like;

Name: Age

Grafana-gateway: 47s

The below command will helps to create the application service and deployment;

kubectl apply -f node-app.yaml

Further check the applications pods after few seconds with the command;

$ kubectl get pods

To inspect the second container as Envoy sidecar, enter the command;

$ kubectl describe pod nodejs-7759fb549f-kmb7x

Then to create an application gateway and Virtual service, run the following command;

kubectl apply -f node-istio.yaml

And for virtual service, by entering the command;

kubectl get virtual service

There should only be the istio-ingressgateway with the TYPE loadbalancer.

At last, now you get the working Node.js application running in an Istio service mesh with Grafana configured and enabled for external accessibility.


In a nutshell, you must have learned to set up Istio using the Helm package manager and used it to reveal a Node.js use Service using Gateway and Virtual Service objects. To reveal the Grafana telemetry add-on, once can configure the Gateway, and the Virtual Service object. This can only be done to check the application’s traffic data.

Leave a Comment