Istio
This guide illustrates integrating Traceable into the Istio service mesh. The deployment assumes a stock deployment of Istio is already available.

Overview

Istio is an open-source service mesh that integrates with existing distributed applications. It also works as a platform with APIs to integrate into logging and telemetry systems. Traceable provides an agent that integrates with Istio to monitor your system and detect anomalies and attacks. Traceable can also block attacks on your system based on the configuration you set on the platform. For more information on blocking, see Protection settings.
The deployment steps assume that a stock deployment of Istio is already available. The deployment assumes an architecture similar to the one shown below.
Picture source: Istio documentation - https://istio.io/latest/docs/examples/virtual-machines/
The Istio ingress gateway runs in the istio-system namespace, while the other application components run in their own namespace. Request and response capture and blocking are enabled in the Istio gateway. Complete the following steps to deploy Traceable's tracing agent:
    1. Verify your Istio deployment.
    2. Modify the Istio networking configuration to use Envoy Filter for authorization.
    3. Deploy a sidecar injector.
    4. Use the sidecar injector to deploy the Traceable module extension (tme). The tme receives data from the Istio module and reports it to traceable-agent.
    5. Point the Envoy Filter to the tme.

Deployment

Complete the following steps to deploy Traceable's platform agent and Traceable's Istio tracing agent. It is good practice to keep your Istio deployment diagram at hand for reference. If you are installing for a demo environment, the control plane and ingress are in the istio-system namespace; however, the namespace may vary. Verify where the control plane and ingress are installed by entering the following command:
kubectl get svc -n istio-system
The deployment is supported for Istio 1.7.

Traceable token

Before starting the installation, make sure that you have Traceable's access token. Using your Traceable login credentials, log in to Traceable. Click Administration > Access Token.
Traceable access token

Traceable Agent

Install

export TOKEN="<Traceable Token>"
export ENV="<dev,qa,stage,prod>"
helm repo add traceableai https://helm.traceable.ai
helm repo update
helm install --namespace traceableai traceable-agent traceableai/traceable-agent --create-namespace --set token="$TOKEN" --set environment="$ENV" --set 'injector.propagationFormats={B3}' --set injector.traceReporterType=ZIPKIN

Post-Install

Configure the Zipkin address to point to the traceable-agent. Depending on how Istio is managed, there are three options:
    Istioctl
    Operator - By creating Istio CR
    Helm

Configure Zipkin via Istioctl and Operator

If Istio was installed using istioctl without the operator, use istioctl with --set or -f to modify the mesh configuration. If Istio was installed using an operator, you need to change the IstioOperator custom resource (CR).
    Enter the following command to set the Zipkin address using istioctl and the --set flag:
istioctl install <previously used profile: e.g. --set profile=demo or manifest used to install istio e.g. -f istio.yaml> -y --set meshConfig.enableTracing=true --set meshConfig.defaultConfig.tracing.sampling=100 --set meshConfig.defaultConfig.tracing.zipkin.address=traceable-agent.traceableai:9411
The above command enables tracing, sets the tracing sampling rate to 100%, and configures the Zipkin address to point to traceable-agent.
    You can also configure the Zipkin address using istioctl and the -f flag with a partial Istio CR. The -f flag can specify multiple IstioOperator kinds (CRs); the precedence order is from left to right (lowest to highest).
istioctl install --set profile=demo -y -f istio-traceable.yaml
cat istio-traceable.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    enableTracing: true
    defaultConfig:
      tracing:
        sampling: 100
        zipkin:
          address: agent.traceableai:9411
You can use the above configuration (CR) as a base if you are installing Istio using the Operator method.

Configure Zipkin via Helm

You can also set the Zipkin address using Helm:
helm [install|upgrade] istiod manifests/charts/istio-control/istio-discovery --set meshConfig.enableTracing=true --set meshConfig.defaultConfig.tracing.sampling=100 --set meshConfig.defaultConfig.tracing.zipkin.address=traceable-agent.traceableai:9411 -n istio-system

Traceable tracing agent

Instrument the gateway

Add Label

Add the traceableai-inject-tme=enabled label to the istio-system namespace.
kubectl label ns istio-system traceableai-inject-tme=enabled

Add Annotation

Add the "tme.traceable.ai/inject": "true" annotation to the Istio ingress spec in your deployment. Enter the following command:
kubectl patch deployment.apps/istio-ingressgateway -p '{"spec": {"template": {"metadata": {"annotations": {"tme.traceable.ai/inject": "true"}}}}}' -n istio-system

Enable Envoy Filter

Add the traceableai-istio=enabled label to the pod spec of the Istio ingress deployment.
If everything has default names, the following command adds this label to the Istio ingress in the istio-system namespace:
kubectl patch deployment.apps/istio-ingressgateway -p '{"spec": {"template": {"metadata": {"labels": {"traceableai-istio": "enabled"}}}}}' -n istio-system

Install Traceable Istio helm chart

Enter the following command to install the Traceable Istio helm chart:
helm install traceableai-istio traceableai/traceableai-istio --namespace istio-system
The above command creates an Envoy Filter object in the Ingress controller. Verify by entering the following command:
kubectl get envoyfilters.networking.istio.io -n istio-system
Example output
traceableai-istio 104s

Post-Install

Restart Ingress controller

Restart the Ingress controller for the tme to attach. Enter the following command:
kubectl rollout restart deployment istio-ingressgateway -n istio-system

Verify the deployment

Enter the following command to verify the deployment.
kubectl get pods -n istio-system
Example output
NAME                                  READY   STATUS    RESTARTS   AGE
istio-egressgateway-96cf6b468-87bkf   1/1     Running   0          13m
istio-ingressgateway-7f6bb877-6qhzz   2/2     Running   0          53s
istiod-58c5fdd87b-k9j29               1/1     Running   0          13m
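
The two verification steps above can be scripted. The following is an added example, not part of Traceable's or Istio's own tooling: it reads the output of kubectl get pods and kubectl get envoyfilters and flags a gateway where the tme did not attach. The function names are hypothetical, and it assumes that an instrumented gateway pod reports at least two containers, as in the example output above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Traceable or Istio.
# Assumption: an instrumented gateway pod reports at least two containers
# (2/2 in the example output), i.e. the gateway itself plus the injected tme.

# Reads "kubectl get pods" output on stdin. Returns 0 only if every pod whose
# name starts with the prefix is Running, fully ready and has >= 2 containers;
# returns 1 on any failing pod and 2 if no such pod is listed.
check_gateway_pods() {
    awk -v prefix="${1:-istio-ingressgateway}" '
        $1 == "NAME" { next }
        index($1, prefix) == 1 {
            seen++
            split($2, r, "/")
            if ($3 != "Running")       { print $1 ": status " $3; bad++ }
            else if (r[1] != r[2])     { print $1 ": not ready (" $2 ")"; bad++ }
            else if (r[2] + 0 < 2)     { print $1 ": tme not attached (" $2 ")"; bad++ }
            else                       { print $1 ": ok (" $2 ")" }
        }
        END {
            if (!seen) { print "no pod matching " prefix; exit 2 }
            exit (bad > 0)
        }'
}

# Reads "kubectl get envoyfilters" output on stdin; 0 if the filter is listed.
has_envoyfilter() {
    awk -v name="${1:-traceableai-istio}" '$1 == name { found = 1 } END { exit !found }'
}

# Constructed sample: the example output shown on this page.
SAMPLE_OK='NAME READY STATUS RESTARTS AGE
istio-egressgateway-96cf6b468-87bkf 1/1 Running 0 13m
istio-ingressgateway-7f6bb877-6qhzz 2/2 Running 0 53s
istiod-58c5fdd87b-k9j29 1/1 Running 0 13m'

# Constructed sample: gateway not restarted after the chart install.
SAMPLE_STALE='NAME READY STATUS RESTARTS AGE
istio-ingressgateway-7f6bb877-abcde 1/1 Running 0 13m'

# Live use:
#   kubectl get pods -n istio-system | check_gateway_pods
#   kubectl get envoyfilters.networking.istio.io -n istio-system | has_envoyfilter
```

A non-zero exit from check_gateway_pods after the rollout restart means traffic is passing through a gateway that is not being captured or protected, so it is worth wiring into a deployment pipeline or health check.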