Istio on VMware vSphere Kubernetes Service: A Walkthrough

Istio is a powerful open-source service mesh that secures simplifies service-to-service communication in cloud-native applications. It provides traffic management, security, and observability features, making it easier to deploy, manage, and secure microservices at scale. In this blog, we’ll explore how to set up and use Istio on VKS, leveraging its capabilities to enhance the reliability and performance of your Kubernetes workloads.

Prerequisites

First, make sure a supervisor namespace has been created, and a VKS cluster is up and running. For details on how to setup a VKS cluster, consult the official documentation: https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere-supervisor/8-0/using-tkg-service-with-vsphere-supervisor/provisioning-tkg-service-clusters/workflow-for-provisioning-tkg-clusters-using-kubectl.html

This guide uses VKS version 3.5. For simplicity, we’ll use an Ubuntu (Jammy) VM as our environment (for the VKS cluster spec, see the footnote).

Installation

To begin, we install the Istio on VKS using the bundled add-on package

# Change context to the Supervisor context, for example:
vcf context use supervisor-namespace

# List the available VKS clusters
vcf cluster list -A

# Create an install task
vcf addon install create istio –cluster-name $VKS_CLUSTER -y

Architecturally, Istio offers two paths for the data plane: the traditional sidecar model, which injects a dedicated istio-proxy container in every workload pod, and the newer ambient data plane, which eliminates sidecars in favour of a shared, node-level ztunnel proxy waypoints. We’ll quickly summarise the differences below.

Sidecar

The sidecar architecture can be deployed using the CNI method. This approach eliminates the need for a privileged init container in every workload namespace, enhancing security and compliance. Instead, we only need one privileged namespace (istio-system) and this will be installed as a daemonset (one CNI pod per node). For each scheduled pod, the CNI configures iptables routing rules dynamically. Traffic flows via the envoy proxies between pods.

Ambient

Here, the ztunnel proxy daemonset replaces the Envoy sidecars by operating entirely at the node level. Traffic is transparently intercepted, establishing secure mTLS tunnels to other nodes without requiring any modifications or injected containers within the workloads themselves. This provides a lighter-weight solution compared with the sidecar injection.

Configuration

Now, to configure Istio to use sidecar or ambient we need to update the add-on configuration (as below). In actual fact, we can have both methods enabled simultaneously (both the CNI daemonset and z-tunnel daemonset will be present on all nodes).

cat <<EOF > istio-values-mixed.yaml
istio:
  namespace: “istio-system”
  ambientMode:
    enabled: true
  istioCNI:
    enabled: true
  enableStrictMTLS: true
  meshConfig:
    meshID: “cluster1”
    meshMTLS:
      minProtocolVersion: “TLSV1_3”
    enableDNSProxy: true
EOF

We can then update the add-on package with our values

# Switch to the supervisor context, for example
vcf context use supervisor-namespace

# Update the istio config
vcf addon install update istio \
  –cluster-name $VKS_CLUSTER \
  -f istio-values-mixed.yaml

After applying the manifest, we can observe the status

# Change context to the VKS cluster
vcf context use vks-cluster

# Check the status of the package
kubectl -n vmware-system-tkg describe \
  $(kubectl get pkgi -n vmware-system-tkg -o name | grep istio)

This should give a status similar to below, showing that the reconcile succeeded.

Status:
  Conditions:
    Status:                True
    Type:                  ReconcileSucceeded
  Friendly Description:    Reconcile succeeded
  Last Attempted Version:  1.27.1+vmware.1-vks.1
  Observed Generation:     1
  Version:                 1.27.1+vmware.1-vks.1

Further, we can see that both daemonsets are active

# Check the daemonsets running on the nodes
kubectl -n istio-system get daemonsets.apps
NAME             DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            
istio-cni-node   6         6         6       6            6           kubernetes.io/os=linux   
ztunnel          6         6         6       6            6           kubernetes.io/os=linux

The istiod controller actively watches namespace labels to determine the required data plane mode, dynamically pushing the appropriate routing configurations and proxy topologies to the workloads within. We’ll see an example of this below.

Setting up the Demo App

Now we can install the bookinfo sample app from Istio, as per https://istio.io/latest/docs/examples/bookinfo/

First, we create the bookinfo namespace and label it as ‘baseline’ for PSA. Additionally we label the namespace for either sidecar or ambient mode (note the difference in syntax between the labels).

# Create the namespace
kubectl create ns bookinfo

# Explicitly Set PSA to baseline
kubectl label --overwrite ns bookinfo pod-security.kubernetes.io/enforce=baseline

# Label for SIDECAR
kubectl label namespace bookinfo istio-injection=enabled

# Alternatively label for AMBIENT
kubectl label namespace bookinfo istio.io/dataplane-mode=ambient

For the purposes of this blog, we’ll use the sidecar data plane mode.
Next, we apply the demo manifest to install the ‘bookinfo’ demo from Istio

# Apply the bookinfo manifest
kubectl -n bookinfo apply -f \
  https://raw.githubusercontent.com/istio/istio/release-1.29/samples/bookinfo/platform/kube/bookinfo.yaml

Check the app:

# Check that the webpage is being served 
kubectl -n bookinfo exec \
“$(kubectl -n bookinfo get pod -l app=ratings \
  -o jsonpath='{.items[0].metadata.name}’)” \
  -c ratings — curl -sS productpage:9080/productpage | grep title

<title>Simple Bookstore App</title>

Configuring the Gateway for the Demo App

Next we create the Gateway and provide routing for the app. Note that there are two available APIs we can make use of:

– Istio native API ← legacy, soon to be deprecated
– K8s Gateway API ← preferred

We’ll use the latter here. Taking a look at the sample manifest (https://raw.githubusercontent.com/istio/istio/refs/heads/master/samples/bookinfo/gateway-api/bookinfo-gateway.yaml):

kubectl apply -f – <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: bookinfo-gateway
  namespace: bookinfo
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: Same
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: bookinfo-route
  namespace: bookinfo
spec:
  parentRefs:
  - name: bookinfo-gateway
  rules:
  - matches:
    - path:
        type: Exact
        value: /productpage
    - path:
        type: PathPrefix
        value: /static
    - path:
        type: Exact
        value: /login
    - path:
        type: Exact
        value: /logout
    - path:
        type: PathPrefix
        value: /api/v1/products
    backendRefs:
    - name: productpage
      port: 9080
EOF

We notice that the first part defines our gateway using the Kubernetes gateway API, class ‘Istio’ and advertising on port 80. The next section defines the HTTP route and rules that directs traffic from this gateway to the correct endpoint (later we’ll see how we can alter this).

Verifying the App deployment

We check that the pods are running and the status of our gateway:

kubectl -n bookinfo get pods,gtw
NAME                                         READY   STATUS    RESTARTS   AGE
pod/bookinfo-gateway-istio-d5fd87895-gfb2s   1/1     Running   0          4h21m
pod/details-v1-854b9b4878-pwt46              1/1     Running   0          4h24m
pod/productpage-v1-7757f76b8b-95gfb          1/1     Running   0          4h24m
pod/ratings-v1-6f56cd5d86-rx2r2              1/1     Running   0          4h24m
pod/reviews-v1-7557fc776b-m9nnt              1/1     Running   0          4h24m
pod/reviews-v2-8886c5698-4lmpd               1/1     Running   0          4h24m
pod/reviews-v3-59ff766f54-hpl8r              1/1     Running   0          4h24m

NAME                                                 CLASS   ADDRESS        PROGRAMMED   AGE
gateway.gateway.networking.k8s.io/bookinfo-gateway   istio   10.163.44.40   True         4h21m

We can see that the pods are in a healthy state. A gateway of class ‘istio’ has been created and programmed, and an external IP address has been assigned.

Like earlier, we can see that we’re able to access the app – but this time using the gateway IP:

# Confirm access to the webpage via the gw
curl -s $(kubectl -n bookinfo get svc bookinfo-gateway-istio -o \
  jsonpath='{.status.loadBalancer.ingress[0].ip}’)/productpage | grep title

<title>Simple Bookstore App</title>

Opening a browser to http://<IP>:8080/productpage shows our demo app

Observing via the Kiali Dashboard

The Kiali dashboard provides a nice way to visualize our service mesh. To install it, we apply the add-on manifests that come with the Istio install and wait until it’s ready

mkdir ~/istio; cd ~/istio

# Download the Isito package & samples
curl -L https://istio.io/downloadIstio | sh –

# Optionally copy out the Istioctl binary
sudo cp istio*/bin/istioctl /usr/local/bin

# Apply the Istio addons for the Kiali dashboard, etc.
kubectl apply -f samples/addons
kubectl rollout status deployment/kiali -n istio-system

Note: the dashboard needs a persistent volume, and inherits the default storage class of the cluster, therefore ensure you have a default storage class is set in your VKS definition (see the footnote for an example)

We then create a gateway for Kiali:

kubectl apply -f –<<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: kiali-gateway
  namespace: istio-system
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: Same
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: kiali
  namespace: istio-system
spec:
  parentRefs:
  - name: kiali-gateway
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /kiali
    filters:
    - type: RequestHeaderModifier
      requestHeaderModifier:
        add:
        - name: X-Forwarded-Prefix
          value: /kiali
    backendRefs:
    - name: kiali
      port: 20001
EOF

And we obtain the address:

# Get the Kiali dashboard address

kubectl -n istio-system get svc/kiali-gateway-istio
NAME                  TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)                        AGE
kiali-gateway-istio   LoadBalancer   10.111.46.221   10.160.201.136   15021:32357/TCP,80:30201/TCP   6d23h

Opening this in a browser shows the UI:

To see how the data passes through the app, we’ll need to generate some traffic

# Generate some traffic

watch -n 2 \
‘curl -s $(kubectl -n bookinfo \
get svc bookinfo-gateway-istio \
-o jsonpath=”{.status.loadBalancer.ingress[0].ip}”)/productpage’

Navigating to Applications and then selecting the ‘bookinfo’ namespace, then selecting ‘productpage’ (i.e. our homepage) gives us an overview of the traffic flow:

We can see that the homepage references v1 of the site, which has links to details (v1) and reviews (v1, v2, v3). The padlocks show that the traffic is encrypted using mTLS.

Selecting the reviews page we can see that only v2 and v3 flow to ratings, and v1 does not.

In fact, if we look at ratings, we can see this very clearly:

Applying Rules

If we navigate to the bookinfo app website and refresh the page a few times, you will notice that sometimes there is a change in how the stars are rendered: sometimes black, sometimes red, sometimes none. This difference is due to the the different versions, i.e. v1,v2,v3 of the reviews site. As we saw earlier on the dashboard, v1 does not flow to ‘ratings’

With Istio, we are able to declaratively apply a ruleset to affect the http routes, using the gateway api

In order to show this with the bookinfo app, first we must apply the backend service definitions that define each version:

# Apply backend paths to versions

kubectl -n bookinfo apply -f samples/bookinfo/platform/kube/bookinfo-versions.yaml

Then we can use the gateway api to apply a rule that ensures only v1 is served:

# Show only v1

kubectl -n bookinfo apply -f – <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: reviews
spec:
  parentRefs:
  - group: ""
    kind: Service
    name: reviews
  rules:
  - backendRefs:
    - name: reviews-v1
      port: 9080
EOF

Back on the dashboard, we can clearly see how this affects the flow. All traffic now only traverses to v1:

And if you refresh the bookinfo website, you’ll see the page without any stars

We can also apply the rules selectively per user. Let’s see this in action:

# For the user ‘jason’ show v3, otherwise show v1

kubectl -n bookinfo apply -f – <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: reviews
spec:
  parentRefs:
  - group: ""
    kind: Service
    name: reviews
  rules:
  - matches:
    - headers:
      - name: end-user
        value: jason
    backendRefs:
    - name: reviews-v3
      port: 9080
  - backendRefs:
    - name: reviews-v1
      port: 9080
EOF

Here, we have created a rule based on ‘end-user’ with a value of ‘jason’ to point to ‘reviews-v3’. Navigating back to our website, we login as user ‘jason’ (any password). Notice now that the red review stars are always present:

Summary

In this blog we saw how we can easily install OSS Istio on VKS. We observed traffic flows and mTLS encryption on the dashboard. Finally we demonstrated how we can manipulate the gateway api to apply rules to direct traffic as needed

Footnote

Below is the spec used to create the VKS cluster

apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  name: vkscluster
  namespace: vks
spec:
  clusterNetwork:
    services:
      cidrBlocks:
        – 10.96.0.0/12
    pods:
      cidrBlocks:
        – 172.168.0.0/16
    serviceDomain: cluster.local
  topology:
    class: builtin-generic-v3.5.0
    version: v1.33.6+vmware.1-fips-vkr.2
    controlPlane:
      replicas: 3
    workers:
      machineDeployments:
        – class: node-pool
          name: worker
          replicas: 3
    variables:
      – name: vmClass
        value: guaranteed-8xlarge
      – name: storageClass
        value: vsan-esa-default-policy-raid5

For the Istio package reference for VKS, visit:
https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vsphere-supervisor-services-and-standalone-components/latest/managing-vsphere-kuberenetes-service-clusters-and-workloads/installing-standard-packages-on-tkg-service-clusters/standard-package-reference/istio-package-reference.html

Discover more from VMware Cloud Foundation (VCF) Blog

Subscribe to get the latest posts sent to your email.