kubernetes gcp

How to install Anthos Service Mesh (Istio) on GKE Kubernetes Cluster ?

This tutorial explains step by step procedure to install Anthos Service Mesh version 1.9.1 (Istio) on GKE Cluster.

Pre-requisites – Install Anthos Service Mesh (Istio)

Before you start installing the ASM on GKE cluster make sure that you have satisfied the following pre-requisites.

  • Your GKE cluster must have atleast 4 vCPU’s such as e2-standard-4. Anthos Service Mesh requires atleast 8 vCPUS’s.
  • Note if the machine type has 4 vCPUs, you should have at least 2 nodes in the cluster. If machine type has 8 vCPU’s then you can have even 1 node in the cluster.
  • Therefore make sure that you have created GKE cluster with the required vCPU’s/nodes.
  • Then choose CA. Mesh CA is the default one or Citadel as CA for issuing mTLS certificates.
  • Activate Cloud Shell and install required tools by running the following command.

$ gcloud components update

  • You may get error while running the above command. Just copy the long command displayed and update the gcloud components

$ sudo apt-get update && sudo apt-get –only-upgrade install google-cloud-sdk-cbt google-cloud-sdk-app-engine-grpc google-cloud-sdk-app-engine-python google-cloud-sdk-cloud-build-local google-cloud-sdk-kpt google-cloud-sdk-skaffold google-cloud-sdk google-cloud-sdk-firestore-emulator google-cloud-sdk-pubsub-emulator google-cloud-sdk-app-engine-python-extras google-cloud-sdk-datastore-emulator google-cloud-sdk-app-engine-java google-cloud-sdk-local-extract google-cloud-sdk-kubectl-oidc google-cloud-sdk-app-engine-go google-cloud-sdk-anthos-auth google-cloud-sdk-datalab google-cloud-sdk-spanner-emulator kubectl google-cloud-sdk-minikube google-cloud-sdk-bigtable-emulator google-cloud-sdk-config-connector

  • Then download the ASM script and keep it ready for the installation.

Download the ASM 1.9.1 to the current working directory.

$ curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_1.9 > install_asm

Download the SHA-256 of the file to the current working directory.

$ curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_1.9.sha256 > install_asm.sha256

Verify the download.

$ sha256sum -c –ignore-missing install_asm.sha256
install_asm: OK

Execute the following command to make the script executable.

$ chmod +x install_asm

Install Anthos Service Mesh (Istio) on GKE Kubernetes Cluster

After you are done with the pre-requisites follow this section to install Anthos Service Mesh (Powered by Istio) on GKE Kubernetes Cluster.

Export the default project id.

$ export PROJECT_ID=$(gcloud info --format='value(config.project)')

Make sure that you have installation file and asm package in the output directory.

sneppets@cloudshell:~/anthos/anthos-service-mesh (sne5g21)$ ls
asm                               asm-191-1-manifest-raw.yaml  install_asm         istio-1.9.1-asm.1
asm-191-1-manifest-expanded.yaml  asm_kubeconfig               install_asm.sha256  istioctl

Run the following command to validate your configuration.

$ ./install_asm \
>   --project_id $PROJECT_ID \
>   --cluster_name c1 \
>   --cluster_location us-central1-c \
>   --mode install \
>   --output_dir /home/sneppets/anthos/anthos-service-mesh \
>   --only_validate
install_asm: Setting up necessary files...
install_asm: Fetching/writing GCP credentials to kubeconfig file...
install_asm: [WARNING]: nc not found, skipping k8s connection verification
install_asm: [WARNING]: (Installation will continue normally.)
install_asm: Checking installation tool dependencies...
install_asm: Getting account information...
install_asm: Confirming cluster information for sne5g21/us-central1-c/c1...
install_asm: Confirming node pool requirements for sne5g21/us-central1-c/c1...
install_asm: Checking Istio installations...
install_asm: Checking required APIs...
install_asm: Checking for project sne5g21...
install_asm: Reading labels for us-central1-c/c1...
install_asm: [WARNING]: Cluster label not found - mesh_id=proj-422441510697
install_asm: [ERROR]: One or more required cluster labels were not found. Please label them and retry,
or run the script with the '--enable_cluster_labels' flag to allow the script
to enable them on your behalf.
Alternatively, use --enable_all|-e to allow this tool to handle all dependencies.

There was an error which says One or more required cluster labels were not found. Try to run the following command to update labels for your cluster.

$ gcloud container clusters update c1 --zone us-central1-c --update-labels env=dev
Updating c1...done.
Updated [https://container.googleapis.com/v1/projects/sne5g21/zones/us-central1-c/clusters/c1].
To inspect the contents of your cluster, go to: https://console.cloud.google.com/kubernetes/workload_/gcloud/us-central1-c/c1?project=sne5g21

Run the following command for a new installation. This enables Mesh CA which is the default CA. The –enable-all flag elables all the required Google APIs, set IAM permissions and update your cluster including enabling GKE Workload Identity.

$ ./install_asm \
>   --project_id $PROJECT_ID \
>   --cluster_name c1 \
>   --cluster_location us-central1-c \
>   --mode install \
>   --enable_all
install_asm: Setting up necessary files...
install_asm: ...done!
install_asm: *****************************
client version: 1.9.1-asm.1
control plane version: 1.9.1-asm.1
data plane version: 1.9.1-asm.1 (2 proxies)
install_asm: Successfully installed ASM.

If you have not registered your cluster already, then you can include –enable-registration flag and re-run the command as showed below.

./install_asm \
  --project_id $PROJECT_ID \
  --cluster_name c1 \
  --cluster_location us-central1-c \
  --mode install \
  --enable_all \
install_asm: Setting up necessary files...
install_asm: [WARNING]: Install mode specified, but 1 existing istiod deployment(s) found. (Expected 0.)
Installation may overwrite existing control planes with the same revision.
install_asm: Enabling required APIs...
install_asm: Registering the cluster as c1...
install_asm: Successfully installed ASM.

Deploying / Re-deploying Workloads

Anthos Service Mesh uses sidecar proxies to enhance network security, reliability, and observability.

Note, ASM installation is not complete unless you enable the automatic sidecar proxy injection. Once you enable the auto-injection you need to restart the Pods for any workloads.

To enable automatic sidecar proxy injection, follow the below steps:

Set the current context for kubectl

$ gcloud container clusters get-credentials c1 --zone us-central1-c --project sne5g21

Run the following command to find the revision label on istiod.

$ kubectl -n istio-system get pods -l app=istiod --show-labels
NAME                               READY   STATUS    RESTARTS   AGE   LABELS
istiod-asm-191-1-f854c9cf6-84lfx   1/1     Running   1          13m   app=istiod,install.operator.istio.io/owning-resource=unknown,istio.io/rev=asm-191-1,istio=istiod,operator.istio.io/component=Pilot,pod-template-hash=f854c9cf6,sidecar.istio.io/inject=false
istiod-asm-191-1-f854c9cf6-kqzgm   1/1     Running   0          13m   app=istiod,install.operator.istio.io/owning-resource=unknown,istio.io/rev=asm-191-1,istio=istiod,operator.istio.io/component=Pilot,pod-template-hash=f854c9cf6,sidecar.istio.io/inject=false

In the response, under LABELS note down the value of istiod revision label (asm-191-1). Apply the revision label and remove the istio-injection label if it exists by running the following command.

$ kubectl label namespace mv  istio-injection- istio.io/rev=asm-191-1 --overwrite
label "istio-injection" not found.
namespace/mv labeled

You can ignore the message “istio-injection” not found.

Now, run the following command to perform rolling restart.

$ kubectl rollout restart deployment -n mv

Verify that your Pods are configured to point to the new version of istiod.

$ kubectl get pods -n mv -l istio.io/rev=asm-191-1
NAME                         READY   STATUS    RESTARTS   AGE
kafka-77fb6497c9-4kggx       2/2     Running   0          17s
zookeeper-65fcbf6ccb-vqs7l   2/2     Running   0          19s

The following command’s response shows that sidecar proxies are injected automatically in the Kubernetes Pods.

$ kubectl get pods -n mv -o=jsonpath='{range .items[*]}{"\n"}{.metadata.name}{":\t"}{range .spec.containers[*]}{.name}{", "}{end}{end}' |sort

kafka-77fb6497c9-4kggx: kafka, istio-proxy,
zookeeper-65fcbf6ccb-vqs7l:     zookeeper, istio-proxy,

That’s it Anthos Service Mesh is installed and setup on GKE cluster. You can deploy/redeploy workloads and start viewing the Anthos Service Mesh Dashboards.

Hope it helped 🙂


Notify of

Inline Feedbacks
View all comments