In this example, we are using two services, httpbin and sleep, deployed under different namespaces. Two of these namespaces, foo and bar, will have the istio sidecar proxy. The third namespace with the legacy name will run the same services without the sidecar proxy.
Make sure the Istio binaries are present in your path. istioctl should be runnable from the command line.
We will look at the services of namespaces by using the following commands:
- Use the following commands to create namespaces (foo, bar, and legacy) and create the httpbin and sleep services in those namespaces:
kubectl create ns foo
kubectl apply -f <(istioctl kube-inject -f samples/httpbin/httpbin.yaml) -n foo
kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml) -n foo
kubectl create ns bar
kubectl apply -f <(istioctl kube-inject -f samples/httpbin/httpbin.yaml) -n bar
kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml) -n bar
kubectl create ns legacy
kubectl apply -f samples/httpbin/httpbin.yaml -n legacy
kubectl apply -f samples/sleep/sleep.yaml -n legacy
As you can see, the same services are deployed in foo and bar with the sidecar injected, while legacy is not.
- Let's check whether everything is okay:
for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl http://httpbin.${to}:8000/ip -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}
"; done; done
The preceding command iterates through all reachable combinations. You should see something similar to the following output:
sleep.foo to httpbin.foo: 200 sleep.foo to httpbin.bar: 200 sleep.foo to httpbin.legacy: 200 sleep.bar to httpbin.foo: 200 sleep.bar to httpbin.bar: 200 sleep.bar to httpbin.legacy: 200 sleep.legacy to httpbin.foo: 200 sleep.legacy to httpbin.bar: 200 sleep.legacy to httpbin.legacy: 200
- Ensure that there are no existing policies, as follows:
kubectl get policies.authentication.istio.io --all-namespaces
No resources found.
kubectl get meshpolicies.authentication.istio.io
No resources found.
- Additionally, ensure that there are no destination rules that apply:
kubectl get destinationrules.networking.istio.io --all-namespaces -o yaml | grep "host:"
host: istio-policy.istio-system.svc.cluster.local host: istio-telemetry.istio-system.svc.cluster.local
In the preceding results, there should be no hosts with foo, bar, legacy, or a * wildcard.