Istio
Updated on 13 May 2022
Overview
Istio is an open-source service mesh that integrates with existing distributed applications. It also works as a platform with APIs to integrate into logging and telemetry systems. Traceable provides an agent to integrate with Istio to monitor your system and detect anomalies and attacks. Traceable can also block attacks on your system based on the configurations that you do on the platform. For more information on blocking, see Policies.
The deployment steps assume that a stock deployment of Istio is already available, with an architecture similar to the one shown in the diagram below.
Picture source: Istio documentation - https://istio.io/latest/docs/examples/virtual-machines/
The Istio ingress gateway runs in the istio-system namespace, while the other application components run in their own namespaces. Request and response capture, and blocking, are enabled at the Istio ingress gateway.
Before you begin
Before you begin deploying Traceable's tracing agent, note the following. The deployment assumes that a stock deployment of Istio is already available.
Verify your Istio deployment. It is good practice to have your Istio deployment diagram at hand for reference. In a demo environment the control plane and ingress gateway are in the istio-system namespace; however, the namespace may vary. Verify where the control plane and ingress gateway are installed by entering the following command:
kubectl get svc -n istio-system
- Modify the Istio networking configuration to use an Envoy filter for authorization.
- Make sure that Traceable's platform agent is already installed. For more information on installing, see Platform agent.
- Use the sidecar injector to deploy the Traceable module extension (tme). For more information on the Traceable module extension, see Annotations and Labels. The tme receives data from the Istio module and reports it to traceable-agent.
- Point the Envoy filter to the tme.
Tracing agent at Istio ingress gateway
Configuring Traceable agent for Istio ingress gateway consists of the following four steps:
- Adding a label to the namespace
- Adding an annotation to the spec in your deployment
- Enabling Envoy filter
- Restarting the Ingress controller
Step 1 - Add Label
Add the traceableai-inject-tme=enabled label to the istio-system namespace:
kubectl label ns istio-system traceableai-inject-tme=enabled
Step 2 - Add Annotation
Add the tme.traceable.ai/inject: "true" annotation to the pod template of the Istio ingress gateway deployment. Enter the following command:
kubectl patch deployment.apps/istio-ingressgateway -p '{"spec": {"template": {"metadata": {"annotations": {"tme.traceable.ai/inject": "true"}}}}}' -n istio-system
Step 3 - Enable Envoy Filter
Add the traceableai-istio=enabled label to the pod template of the Istio ingress gateway deployment.
If everything has default names, the following command adds the label to the Istio ingress gateway in the istio-system namespace:
kubectl patch deployment.apps/istio-ingressgateway -p '{"spec": {"template": {"metadata": {"labels": {"traceableai-istio": "enabled"}}}}}' -n istio-system
Step 4 - Restart Ingress controller
Restart the Ingress controller so that the tme attaches. Enter the following command:
kubectl rollout restart deployment istio-ingressgateway -n istio-system
Verify the deployment
Enter the following command to verify the deployment.
kubectl get pods -n istio-system
Example output (the istio-ingressgateway pod now reports 2/2 containers, the second one being the injected tme sidecar):
NAME                                  READY   STATUS    RESTARTS   AGE
istio-egressgateway-96cf6b468-87bkf   1/1     Running   0          13m
istio-ingressgateway-7f6bb877-6qhzz   2/2     Running   0          53s
istiod-58c5fdd87b-k9j29               1/1     Running   0          13m
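The four steps above each change one object, and the only visible sign that they all took effect is the 2/2 READY count on the gateway pod. The following script is an added example, not part of the Traceable documentation: it parses captured kubectl output offline and checks that the namespace label from Step 1 is present and that the gateway pod is running with the extra container after the Step 4 restart. The listings embedded in it are constructed to mirror the example output on this page (the "before" pod name is invented); replace them with live `kubectl get ns istio-system --show-labels` and `kubectl get pods -n istio-system` output to verify a real cluster.

```shell
#!/bin/sh
# Added example (not from the Traceable documentation): offline checks over
# captured kubectl output that confirm the ingress-gateway steps took effect.
# The sample listings below are constructed; feed the functions live kubectl
# output to use them for real.

# ns_has_label NAMESPACE LABEL=VALUE
# Reads `kubectl get ns --show-labels` output on stdin; succeeds when the
# LABELS column of NAMESPACE contains exactly LABEL=VALUE (Step 1).
ns_has_label() {
  awk -v ns="$1" -v lab="$2" '
    NR > 1 && $1 == ns { n = split($NF, l, ","); for (i = 1; i <= n; i++) if (l[i] == lab) ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# gateway_has_sidecar NAME_PREFIX
# Reads `kubectl get pods` output on stdin; succeeds when the first pod whose
# name starts with NAME_PREFIX is Running with all containers ready and at
# least two of them, i.e. istio-proxy plus the injected tme (Step 4).
gateway_has_sidecar() {
  awk -v prefix="$1" '
    NR > 1 && index($1, prefix) == 1 {
      split($2, r, "/")
      if (r[1] == r[2] && r[2] + 0 >= 2 && $3 == "Running") ok = 1
      exit
    }
    END { exit ok ? 0 : 1 }'
}

# Constructed samples: the namespace listing after Step 1, and the pod listing
# before and after the Step 4 restart (the "after" one mirrors the page).
SAMPLE_NS='NAME           STATUS   AGE   LABELS
istio-system   Active   14m   kubernetes.io/metadata.name=istio-system,traceableai-inject-tme=enabled'

SAMPLE_PODS_BEFORE='NAME                                  READY   STATUS    RESTARTS   AGE
istio-egressgateway-96cf6b468-87bkf   1/1     Running   0          13m
istio-ingressgateway-7f6bb877-xk2pq   1/1     Running   0          13m
istiod-58c5fdd87b-k9j29               1/1     Running   0          13m'

SAMPLE_PODS_AFTER='NAME                                  READY   STATUS    RESTARTS   AGE
istio-egressgateway-96cf6b468-87bkf   1/1     Running   0          13m
istio-ingressgateway-7f6bb877-6qhzz   2/2     Running   0          53s
istiod-58c5fdd87b-k9j29               1/1     Running   0          13m'

# verify_ingress_gateway NS_LISTING POD_LISTING
# Runs both checks and returns 0 only when every check passes.
verify_ingress_gateway() {
  ns_out=$1; pods_out=$2; status=0
  if printf '%s\n' "$ns_out" | ns_has_label istio-system traceableai-inject-tme=enabled; then
    echo "ok   namespace label present"
  else
    echo "FAIL namespace label missing"; status=1
  fi
  if printf '%s\n' "$pods_out" | gateway_has_sidecar istio-ingressgateway; then
    echo "ok   ingress gateway running with tme sidecar"
  else
    echo "FAIL ingress gateway has no second container (not restarted?)"; status=1
  fi
  return $status
}

verify_ingress_gateway "$SAMPLE_NS" "$SAMPLE_PODS_AFTER"
```

The pod check insists on n/n with n of at least 2: a gateway that was labelled and annotated but never restarted still shows 1/1, which is the case the script is meant to catch.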
Configure Traceable for Istio service mesh
Configuring Traceable for Istio service mesh consists of two steps:
- Configure the Zipkin address to point to the traceable-agent. Depending on how Istio is managed, there are three options:
  - Istioctl without Operator
  - Istioctl with Operator
  - Helm
- Install the Traceable Istio Helm chart
Step 1, option 1 - Istioctl without Operator
If Istio has been installed using istioctl without the operator, then istioctl --set or -f has to be used to modify the mesh configuration. Enter the following command to set the Zipkin address using istioctl and the --set flag:
istioctl install --set profile=demo -y --set meshConfig.enableTracing=true --set meshConfig.defaultConfig.tracing.sampling=100 --set meshConfig.defaultConfig.tracing.zipkin.address=agent.traceableai:9411
The above command enables tracing, sets the tracing sample rate to 100% and configures the Zipkin address to point to traceable-agent.
Step 1, option 2 - Istioctl with Operator
You can also configure the Zipkin address using istioctl and the -f flag with an IstioOperator custom resource. The -f flag can be given several times to pass multiple IstioOperator CRs; the precedence order is from left to right (lowest to highest).
istioctl install --set profile=demo -y -f istio-traceable.yaml
Run the cat command to view the file:
cat istio-traceable.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    enableTracing: true
    defaultConfig:
      tracing:
        sampling: 100
        zipkin:
          address: agent.traceableai:9411
Step 1, option 3 - Configure Zipkin via Helm
You can also set the Zipkin address using Helm, passing the same three meshConfig values as the istioctl options:
helm [install|upgrade] istiod manifests/charts/istio-control/istio-discovery --set meshConfig.enableTracing=true --set meshConfig.defaultConfig.tracing.sampling=100 --set meshConfig.defaultConfig.tracing.zipkin.address=agent.traceableai:9411 -n istio-system
Step 2 - Install Traceable Istio helm chart
Enter the following command to install the Traceable Istio helm chart:
helm install traceableai-istio traceableai/traceableai-istio --namespace istio-system
The above command creates an EnvoyFilter object for the Ingress controller.
Verify the deployment
Enter the following command to verify the deployment:
kubectl get envoyfilters.networking.istio.io -n istio-system
Example output:
NAME                AGE
traceableai-istio   104s
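Whichever of the three Step 1 options is used, the result lands in the same place: Istio keeps the mesh configuration in the istio ConfigMap of the istio-system namespace, under the mesh key. The script below is an added example, not part of the Traceable documentation or of Istio: it reads that YAML (captured with `kubectl get configmap istio -n istio-system -o jsonpath='{.data.mesh}'`) and confirms that tracing is enabled and that spans are sent to agent.traceableai:9411 rather than to some other collector, and it checks the Step 2 output for the traceableai-istio EnvoyFilter. The mesh YAML and the EnvoyFilter listing embedded in it are constructed (the "before" state with a generic collector address is invented); the YAML walker covers only the nested maps of scalars that the configuration on this page uses.

```shell
#!/bin/sh
# Added example (not from the Traceable documentation): verify the Step 1 mesh
# configuration and the Step 2 EnvoyFilter from captured kubectl output.
# Live input for the mesh checks:
#   kubectl get configmap istio -n istio-system -o jsonpath='{.data.mesh}'
# The YAML walker handles nested maps of plain scalars only (no lists, no
# quoted or multi-line values), which is all this page's configuration uses.

# yaml_flatten: stdin YAML -> one "dotted.path=value" line per scalar.
yaml_flatten() {
  awk '
    /^ *(#|$)/ { next }                         # skip comments and blank lines
    {
      match($0, /^ */); ind = RLENGTH             # indentation = nesting level
      line = substr($0, ind + 1)
      i = index(line, ":")
      if (i == 0) next
      key = substr(line, 1, i - 1)
      val = substr(line, i + 1); sub(/^ +/, "", val)
      while (depth > 0 && ind <= lvl[depth]) depth--   # leave deeper maps
      depth++; lvl[depth] = ind; path[depth] = key
      if (val == "") next                         # a map, not a scalar
      p = path[1]; for (j = 2; j <= depth; j++) p = p "." path[j]
      print p "=" val
    }'
}

# flat_get DOTTED.KEY: print the value for that key from flattened input.
flat_get() {
  awk -v k="$1" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }'
}

# mesh_get DOTTED.KEY: print the scalar at that path of the YAML on stdin.
mesh_get() {
  yaml_flatten | flat_get "$1"
}

# tracing_points_to_agent ADDRESS: succeed only when tracing is enabled and
# Zipkin spans go to ADDRESS, so the Traceable agent receives the traffic.
tracing_points_to_agent() {
  flat=$(yaml_flatten)
  [ "$(printf '%s\n' "$flat" | flat_get enableTracing)" = "true" ] &&
  [ "$(printf '%s\n' "$flat" | flat_get defaultConfig.tracing.zipkin.address)" = "$1" ]
}

# envoyfilter_present NAME: reads `kubectl get envoyfilters.networking.istio.io`
# output on stdin; succeeds when an object called NAME is listed (Step 2).
envoyfilter_present() {
  awk -v name="$1" 'NR > 1 && $1 == name { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample: the mesh key after Step 1 (values from this page) ...
SAMPLE_MESH_AFTER='defaultConfig:
  discoveryAddress: istiod.istio-system.svc:15012
  tracing:
    sampling: 100
    zipkin:
      address: agent.traceableai:9411
enablePrometheusMerge: true
enableTracing: true
rootNamespace: istio-system'

# ... and a constructed "before" state that still sends spans elsewhere.
SAMPLE_MESH_BEFORE='defaultConfig:
  discoveryAddress: istiod.istio-system.svc:15012
  tracing:
    sampling: 1
    zipkin:
      address: zipkin.istio-system:9411
enableTracing: false
rootNamespace: istio-system'

# Constructed sample mirroring the page's EnvoyFilter listing.
SAMPLE_FILTERS='NAME                AGE
traceableai-istio   104s'

printf '%s\n' "$SAMPLE_MESH_AFTER" | tracing_points_to_agent agent.traceableai:9411 &&
  echo "ok   tracing on, sampling $(printf '%s\n' "$SAMPLE_MESH_AFTER" | mesh_get defaultConfig.tracing.sampling)%, zipkin -> agent.traceableai:9411"
printf '%s\n' "$SAMPLE_FILTERS" | envoyfilter_present traceableai-istio && echo "ok   EnvoyFilter traceableai-istio present"
```

Checking the rendered mesh key rather than the istioctl or Helm arguments matters with the -f option in particular: when several IstioOperator files are passed, the rightmost one wins, so the address you intended can be overridden silently.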