make cluster
By default in GKE, only the kube-system namespace has a ResourceQuota that admits pods in the system-node-critical PriorityClass. istio-cni and ztunnel both require that class (check the Istio docs).
Create a ResourceQuota in the istio-system namespace:
kubectl create namespace istio-system
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ResourceQuota
metadata:
  name: gcp-critical-pods
  namespace: istio-system
spec:
  hard:
    pods: 1000
  scopeSelector:
    matchExpressions:
    - operator: In
      scopeName: PriorityClass
      values:
      - system-node-critical
EOF
Install the Kubernetes Gateway API CRDs:
make ambient
Deploy the Bank of Anthos app in two different namespaces, one in ambient mode and the other in sidecar mode:
git clone https://github.com/GoogleCloudPlatform/bank-of-anthos.git
# Namespace bank-of-ambient
make app-ambient
# Namespace bank-of-sidecar
make app-sidecar
(Optional) Create the Google Cloud Monitoring dashboard for the app metrics:
gcloud monitoring dashboards create --config-from-file=dashboard.json
Deploy Kiali, Prometheus and Grafana:
kubectl apply -f addons
Access dashboards:
istioctl dashboard kiali
istioctl dashboard grafana
Add the Grafana dashboard.
Add the same application to the mesh using sidecars in a different namespace:
kubectl label namespace bank-of-sidecar istio-injection=enabled
Restart pods:
kubectl -n bank-of-sidecar rollout restart deploy
Add your application to ambient mode. Note that you can apply this label to a namespace or to a single specific pod:
kubectl label namespace bank-of-ambient istio.io/dataplane-mode=ambient
Deploy Gateway and VirtualService to access the frontend through the IngressGateway:
kubectl apply -f frontend-ingress.yaml -n bank-of-ambient
Check the ztunnel logs.
First install stern on your workstation.
stern ztunnel -n istio-system
Debug ztunnel:
istioctl x ztunnel-config workloads
Send traffic:
export GATEWAY_HOST_EXT=$(kubectl get service/istio-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}' -n istio-ingress)
curl http://$GATEWAY_HOST_EXT
Access Kiali and view the graph:
istioctl dashboard kiali
Deploy the simple sleep service. It will be used to curl our frontend.
kubectl apply -f istio-1.22.3/samples/sleep/sleep.yaml -n bank-of-ambient
Create an authorization policy that only allows calls from the istio-ingress gateway and the sleep service:
kubectl apply -f authorization-policy.yaml
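The file authorization-policy.yaml is not reproduced on this page, so the following is an added illustration of what such an L4 policy looks like, not the repository's own file. It assumes the ingress gateway pods run under the service account istio-ingress in the istio-ingress namespace and the sleep sample under the service account sleep; adjust the principals to the service accounts actually in use (kubectl get pod -o jsonpath='{.spec.serviceAccountName}').

```yaml
# Added example, not the repository's authorization-policy.yaml.
# Assumptions: ingress gateway service account "istio-ingress" in namespace
# "istio-ingress"; sleep sample service account "sleep" in bank-of-ambient.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: frontend-allow-ingress-and-sleep
  namespace: bank-of-ambient
spec:
  selector:
    matchLabels:
      app: frontend            # Bank of Anthos frontend pods
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/istio-ingress/sa/istio-ingress
        - cluster.local/ns/bank-of-ambient/sa/sleep
```

Because the policy uses a selector and only L4 attributes (source principals from the mTLS identity), ztunnel enforces it without a waypoint: an ALLOW policy on a workload implicitly denies every connection that matches no rule, so a pod in bank-of-sidecar or an unenrolled namespace gets its connection closed before it reaches the frontend. That is the check to run after applying it, alongside the curl from the sleep pod that is expected to succeed.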
Compare resource consumption. Access the Grafana dashboard:
istioctl dashboard grafana
Install the Kubernetes Gateway API CRDs. Waypoint proxies use the Gateway API and are deployed as Gateways.
kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
{ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v1.1.0" | kubectl apply -f -; }
Enable the waypoint proxy:
istioctl x waypoint apply --enroll-namespace -n bank-of-ambient --wait
Validate that a Pod and a Gateway are created for the waypoint proxy:
kubectl get pods -n bank-of-ambient
kubectl get gtw -n bank-of-ambient
Apply the L7 authorization policy:
kubectl apply -f L7-policy.yaml
Verify the new waypoint proxy is enforcing the authorization policy:
export SLEEP_POD=$(kubectl get pods -n bank-of-ambient -l app=sleep -o 'jsonpath={.items[0].metadata.name}')
kubectl exec -it $SLEEP_POD -n bank-of-ambient -- curl frontend -X DELETE
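L7-policy.yaml is also not shown on this page. The following is an added example of an L7 policy that would make the DELETE above fail with a 403 while GET and POST keep working; it is not the repository's file. It assumes the same service accounts as the earlier L4 example and Istio 1.22 (the version referenced by the sample paths), where a policy can be attached to a Service and is then enforced by the waypoint serving that namespace.

```yaml
# Added example, not the repository's L7-policy.yaml.
# Assumptions: Istio 1.22 service-attached policy; ingress gateway service
# account "istio-ingress" in namespace "istio-ingress"; sleep service account
# "sleep" in bank-of-ambient.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: frontend-l7-methods
  namespace: bank-of-ambient
spec:
  targetRefs:
  - kind: Service
    group: ""
    name: frontend           # enforced by the waypoint, not by ztunnel
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/istio-ingress/sa/istio-ingress
        - cluster.local/ns/bank-of-ambient/sa/sleep
    to:
    - operation:
        methods: ["GET", "POST"]
```

Two things to verify after applying it. First, the curl with -X DELETE from the sleep pod should now return "RBAC: access denied" (HTTP 403) instead of a connection error, which shows the decision is being made at L7 by the waypoint. Second, once the namespace is enrolled in a waypoint, the connection that arrives at the frontend's ztunnel originates from the waypoint rather than directly from the client, so check that any selector-based L4 ALLOW policy on the frontend also admits the waypoint's identity (by default the waypoint runs under a service account named waypoint in the same namespace; treat that name as an assumption and confirm it with kubectl get pod -n bank-of-ambient -o jsonpath='{.items[*].spec.serviceAccountName}').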
We will use Fortio, a load-testing tool developed by Istio.
kubectl apply -f fortio.yaml
Launch Fortio web interface to configure and perform latency tests:
kubectl port-forward svc/fortio 8080:8080
ISTIO_INGRESS=34.147.178.37
Bank of Sidecar IP: 34.105.185.155