Just-in

Kagent Tutorial: Build Cloud-Native AI Agents on Kubernetes

Running Ollama LLM on Kubernetes: A Complete Guide

From Docker to Kubernetes: The Orchestration Journey You Didn’t Know You Needed

What is Kubeflow and how can it be used?

Getting Started with Kubeflow: A Complete Beginner’s Guide

Orchestration

Master Istio Traffic: VirtualService & DestinationRule

Introduction

In the complex tapestry of modern microservices architectures, simply deploying an application isn’t enough. You need fine-grained control over how traffic flows, how services communicate, and how new versions are rolled out without disrupting users. Enter Istio, the open-source service mesh that empowers you with unparalleled traffic management capabilities. While Kubernetes provides basic service discovery and load balancing, Istio elevates this to a new level, offering features like request routing, traffic shifting, fault injection, and circuit breaking.

At the heart of Istio’s traffic management lie two powerful custom resources: VirtualService and DestinationRule. These resources work in concert to define how requests are routed to your services and what policies are applied to those requests once they reach their destination. Understanding and mastering these two components is crucial for anyone looking to implement advanced traffic control patterns like A/B testing, canary deployments, blue/green deployments, and more resilient service interactions within their Kubernetes cluster. This guide will walk you through the intricacies of VirtualService and DestinationRule, providing practical examples and best practices to unlock Istio’s full potential.

TL;DR Box

Quick summary for the busy engineer:

# Install Istio (if not already installed)
istioctl install --set profile=demo -y

# Label namespace for Istio injection
kubectl label namespace default istio-injection=enabled

# Deploy a sample application (e.g., httpbin)
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.20/samples/httpbin/httpbin.yaml

# Create a Gateway (if not using an existing one)
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default ingress gateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
EOF

# Create a VirtualService to route traffic from the Gateway to the httpbin service
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpbin-virtualservice
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway
  http:
  - route:
    - destination:
        host: httpbin
        port:
          number: 8000
EOF

# Create a DestinationRule to define subsets and traffic policies for httpbin
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: httpbin-destinationrule
spec:
  host: httpbin
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
EOF

# Apply a VirtualService for A/B testing (e.g., 90% to v1, 10% to v2)
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpbin-virtualservice
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway
  http:
  - route:
    - destination:
        host: httpbin
        subset: v1
      weight: 90
    - destination:
        host: httpbin
        subset: v2
      weight: 10
EOF

# Access the service via Istio Ingress Gateway
# Find the Ingress IP/Hostname:
# kubectl get svc istio-ingressgateway -n istio-system
# Then curl: curl http://<INGRESS_HOST>/headers

Prerequisites

Before diving into Istio traffic management, ensure you have the following:

  • Kubernetes Cluster: A running Kubernetes cluster (version 1.22 or higher is recommended). You can use Minikube, Kind, or a cloud-managed cluster (EKS, GKE, AKS).
  • kubectl: The Kubernetes command-line tool, configured to connect to your cluster. Refer to the official Kubernetes documentation for installation instructions.
  • istioctl: The Istio command-line tool. Download and install it from the Istio releases page.
  • Basic Kubernetes Knowledge: Familiarity with Deployments, Services, Pods, and Namespaces.
  • Basic Istio Knowledge: An understanding of what a service mesh is and the core components of Istio (Control Plane, Data Plane, Envoys). If you’re new to Istio, consider reading the Istio concepts documentation. For an alternative, more lightweight service mesh approach, you might also be interested in our Istio Ambient Mesh Production Guide.

Step-by-Step Guide

Step 1: Install Istio

First, we need to install Istio into our Kubernetes cluster. For demonstration purposes, we’ll use the demo profile, which provides a good balance of features and resource consumption. This will deploy the Istio control plane components like Pilot, Citadel, Galley, and the Ingress Gateway.

The istioctl command-line tool simplifies the installation process. The --set profile=demo flag configures Istio with a pre-defined set of features suitable for development and testing environments. For production scenarios, you might opt for the default or a custom profile, potentially leveraging advanced features like those discussed in our Cilium WireGuard Encryption article for enhanced network security within your data plane.

istioctl install --set profile=demo -y

Verify

Check if all Istio components are running in the istio-system namespace. Expect to see pods for istiod, istio-ingressgateway, and potentially others depending on the profile.

kubectl get pods -n istio-system

Expected Output:

NAME                                    READY   STATUS    RESTARTS   AGE
istio-ingressgateway-695d7d7d5d-c6v4f   1/1     Running   0          2m
istiod-7b94d9774d-k5x2r                 1/1     Running   0          2m

Step 2: Deploy a Sample Application

To demonstrate traffic management, we need an application. We’ll use httpbin, a simple HTTP request and response service provided by Istio, and deploy two versions (v1 and v2) to simulate a real-world scenario where you might want to test new features or perform A/B testing. We’ll also label the default namespace for automatic sidecar injection, ensuring our application pods are part of the Istio service mesh.

The httpbin service is excellent for testing as it echoes back request details, allowing us to easily verify routing rules. Observe how the version label is crucial here; it will be used later by our DestinationRule to define subsets.

# Label the default namespace for Istio sidecar injection
kubectl label namespace default istio-injection=enabled

# Deploy httpbin v1
kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin-v1
  labels:
    app: httpbin
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      containers:
      - name: httpbin
        image: docker.io/kennethreitz/httpbin
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
EOF

# Deploy httpbin v2
kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin-v2
  labels:
    app: httpbin
    version: v2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v2
  template:
    metadata:
      labels:
        app: httpbin
        version: v2
    spec:
      containers:
      - name: httpbin
        image: docker.io/kennethreitz/httpbin
        ports:
        - containerPort: 80
EOF

Verify

Check if the pods are running and if the Istio sidecar (envoy proxy) has been injected.

kubectl get pods -l app=httpbin

Expected Output (note the 2/2 ready containers, indicating sidecar injection):

NAME                           READY   STATUS    RESTARTS   AGE
httpbin-v1-7ddb54d6f-c2x9g     2/2     Running   0          1m
httpbin-v2-69f65d4949-px4m8     2/2     Running   0          1m

Step 3: Create an Istio Gateway

The Gateway resource manages inbound and outbound traffic for the mesh, allowing you to specify a load balancer for traffic entering your cluster. This acts as the entry point for external traffic into your Istio service mesh, similar to how an Ingress controller works in plain Kubernetes, but with the added power of Istio’s traffic management. For a broader perspective on Kubernetes networking, you might find our Kubernetes Gateway API vs Ingress: The Complete Migration Guide insightful.

Here, we configure a simple HTTP gateway that listens on port 80 and accepts traffic for any host ("*"). The selector points to the default Istio Ingress Gateway service.

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default ingress gateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

kubectl apply -f httpbin-gateway.yaml

Verify

Check if the Gateway resource has been created.

kubectl get gateway httpbin-gateway

Expected Output:

NAME              AGE
httpbin-gateway   30s

Step 4: Introduce VirtualService (Basic Routing)

A VirtualService defines how to route requests to a service within the mesh. It allows you to specify rules based on host, path, headers, and more. In its simplest form, it routes all traffic for a given host to a specific service. This is where you start to define your traffic flow logic, dictating which requests go to which backend services. For more advanced routing, such as applying security policies based on traffic attributes, you can combine this with concepts from our Network Policies Security Guide.

This VirtualService tells the Istio Ingress Gateway (via the gateways field) to route all HTTP requests for any host ("*") to the httpbin service on port 8000.

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpbin-virtualservice
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway
  http:
  - route:
    - destination:
        host: httpbin
        port:
          number: 8000

kubectl apply -f httpbin-virtualservice-basic.yaml

Verify

Get the external IP/hostname of the Istio Ingress Gateway and send a request. You should get a response from one of the httpbin pods.

export INGRESS_HOST=$(kubectl get svc istio-ingressgateway -n istio-system -o jsonpath='{.status.loadBalancer.ingress[0].ip}' || kubectl get svc istio-ingressgateway -n istio-system -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
export INGRESS_PORT=$(kubectl get svc istio-ingressgateway -n istio-system -o jsonpath='{.spec.ports[?(@.name=="http2")].port}' || kubectl get svc istio-ingressgateway -n istio-system -o jsonpath='{.spec.ports[?(@.name=="http")].port}')
export GATEWAY_URL="$INGRESS_HOST:$INGRESS_PORT"

echo "Accessing httpbin at: $GATEWAY_URL"
curl -s "$GATEWAY_URL/headers" | grep "User-Agent"

Expected Output (the important part is that you get a response):

    "User-Agent": "curl/7.81.0"

Step 5: Define DestinationRule (Subsets and Policies)

A DestinationRule configures the policies that apply to traffic after routing has occurred. It’s typically used to define subsets of a service based on labels, and then apply specific load balancing, connection pooling, or outlier detection policies to those subsets. This is key for advanced traffic management, allowing you to differentiate between versions of your service or apply different policies to different groups of instances.

Here, we define two subsets for our httpbin service: v1 and v2, corresponding to the version labels we applied to our deployments. Without these subsets, the VirtualService couldn’t explicitly route traffic to specific versions.

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: httpbin-destinationrule
spec:
  host: httpbin
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  # You can also define default traffic policies for the host here
  # trafficPolicy:
  #  loadBalancer:
  #    simple: ROUND_ROBIN
  #  connectionPool:
  #    tcp:
  #      maxConnections: 100

kubectl apply -f httpbin-destinationrule.yaml

Verify

Check if the DestinationRule resource has been created.

kubectl get destinationrule httpbin-destinationrule

Expected Output:

NAME                      AGE
httpbin-destinationrule   10s

Step 6: Advanced Traffic Routing with VirtualService (A/B Testing/Canary)

Now that we have DestinationRule subsets defined, we can use VirtualService to perform advanced traffic routing. Let’s configure a canary release where 90% of traffic goes to v1 and 10% goes to v2. This is a common pattern for safely introducing new features or updates, allowing you to monitor the new version’s performance and stability before a full rollout.

The weight field in the route section of the VirtualService is crucial for splitting traffic. Istio’s Envoy proxies will automatically distribute requests based on these weights. This capability is fundamental for implementing controlled rollouts and reducing deployment risk. For optimizing the underlying infrastructure resources during such rollouts, tools like Karpenter Cost Optimization can be invaluable.

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpbin-virtualservice
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway
  http:
  - route:
    - destination:
        host: httpbin
        subset: v1
      weight: 90
    - destination:
        host: httpbin
        subset: v2
      weight: 10

kubectl apply -f httpbin-virtualservice-canary.yaml

Verify

Repeatedly access the service and observe the X-Powered-By header (which will be Flask for v1 and Express for v2 if you modified the httpbin image, or you can check the pod name). You should see traffic predominantly going to v1, with occasional requests hitting v2.

for i in $(seq 1 20); do curl -s "$GATEWAY_URL/headers" | grep "X-Powered-By" | awk '{print $NF}'; done

Expected Output (you’ll see mostly Flask, some Express if you have a custom httpbin image, or you can check the pod name by adding a header in the httpbin service):

"Flask"
"Flask"
"Flask"
"Express"
"Flask"
...

Note: The default kennethreitz/httpbin image doesn’t expose a version header. To truly differentiate, you’d typically modify the application to return a version-specific header or inspect the pod name in a more advanced setup. For this example, we assume internal metrics or logs would confirm the traffic split.

Step 7: Header-Based Routing with VirtualService

Beyond weighted routing, VirtualService allows for routing based on request headers. This is powerful for A/B testing, internal testing, or routing specific user groups to new features. For instance, you could route all requests from users with a specific cookie or a custom header to a beta version of your service.

Here, we’ll configure the VirtualService to route traffic with a specific header (x-test-header: v2) to the v2 subset, while all other traffic goes to v1. This pattern is often used for internal QA or feature flagging.

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpbin-virtualservice
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway
  http:
  - match:
    - headers:
        x-test-header:
          exact: v2
    route:
    - destination:
        host: httpbin
        subset: v2
  - route:
    - destination:
        host: httpbin
        subset: v1

kubectl apply -f httpbin-virtualservice-header-routing.yaml

Verify

Send requests with and without the custom header. Observe the difference in responses (or pod names if you’ve configured them to return that).

# Request without the header (should go to v1)
curl -s "$GATEWAY_URL/headers" | grep "X-Test-Header"

# Request with the header (should go to v2)
curl -s -H "x-test-header: v2" "$GATEWAY_URL/headers" | grep "X-Test-Header"

Expected Output:

# First curl (no header in response, meaning it went to the default route)
# (empty output or just other headers)

# Second curl (should show the header, indicating it hit the v2 route)
    "X-Test-Header": "v2"

Production Considerations

  • Resource Management: Istio adds overhead. Monitor CPU and memory usage of Envoy proxies and the control plane. Use appropriate profiles (e.g., default or custom profiles) for production. Consider Karpenter for node autoscaling to manage costs effectively.
  • Observability: Integrate Istio with your existing observability stack. Istio natively integrates with Prometheus, Grafana, Kiali, and Jaeger. Use these tools to monitor traffic, track metrics, and troubleshoot issues. For advanced eBPF-based observability, check out our guide on eBPF Observability with Hubble.
  • Security: Leverage Istio’s mTLS (mutual TLS) for secure communication between services. Implement authorization policies to control who can access what. For broader security, consider integrating with tools like Sigstore and Kyverno for supply chain security and policy enforcement.
  • High Availability: Deploy Istio’s control plane components (istiod) with multiple replicas for high availability. Ensure your ingress gateway also has multiple replicas and is backed by a robust load balancer.
  • Testing Strategy: Thoroughly test your VirtualService and DestinationRule configurations in staging environments before deploying to production. Use automated tests to validate routing rules.
  • Configuration Management: Manage your Istio configurations (Gateways, VirtualServices, DestinationRules) as code using GitOps principles.
  • Performance Tuning: Fine-tune Istio’s traffic policies (load balancing, connection pools, outlier detection) within DestinationRule to optimize performance and resilience for your specific services.

Troubleshooting

  1. Issue: Traffic not reaching the service (404, 503 errors).

    Solution: This often indicates an issue with the Gateway or VirtualService configuration.

    1. Verify the Istio Ingress Gateway service is running and accessible: 
      kubectl get svc istio-ingressgateway -n istio-system
    2. Check the Gateway resource for correct port and host configuration: 
      kubectl describe gateway <your-gateway-name>
    3. Validate the VirtualService:
      • Ensure hosts match the incoming requests.
      • Verify gateways link to the correct Gateway.
      • Check the destination.host points to the correct Kubernetes Service name (e.g., httpbin, not httpbin.default.svc.cluster.local).
      • Ensure the destination.port.number matches the service port.
      kubectl describe virtualservice <your-virtualservice-name>
    4. Use istioctl analyze to check for common configuration errors: 
      istioctl analyze
  2. Issue: Traffic not splitting as expected in canary deployments.

    Solution: This points to an issue with the DestinationRule subsets or VirtualService weights.

    1. Verify your DestinationRule subsets are correctly defined and their labels match the actual pod labels of your deployments. 
      kubectl describe destinationrule <your-destinationrule-name>
kubectl get pods -l app=httpbin --show-labels # Check actual pod labels
    2. Ensure the VirtualService is correctly referencing the subset names and weights. 
      kubectl describe virtualservice <your-virtualservice-name>
    3. Check the Envoy proxy logs of the ingress gateway or calling service for routing decisions.
  3. Issue: Header-based routing not working.

    Solution: The match condition in the VirtualService is likely incorrect.

    1. Double-check the header name and value in the VirtualService‘s match.headers section. Ensure exact, prefix, or regex are used correctly. 
      kubectl describe virtualservice <your-virtualservice-name>
    2. Verify that the client is actually sending the header as expected. Use curl -v to see the outgoing request headers.
    3. Ensure the order of http routes in the VirtualService is correct. Istio processes routes in the order they are defined; the first match wins.
  4. Issue: Istio sidecar injection failed or pods are not ready (0/2 containers).

    Solution: Sidecar injection issues prevent pods from joining the mesh.

    1. Verify the namespace is labeled for injection: 
      kubectl get namespace default --show-labels

      It should show istio-injection=enabled. If not, label it: kubectl label namespace default istio-injection=enabled and redeploy your application.

    2. Check the pod’s events for injection errors: 
      kubectl describe pod <your-pod-name>
    3. Ensure istiod (the Istio control plane) is healthy and running. 
      kubectl get pods -n istio-system -l app=istiod
  5. Issue: Application performance degradation after Istio installation.

    Solution: Istio adds a proxy (Envoy) to each pod, which introduces some latency and resource overhead.

    1. Monitor the resource usage (CPU/memory) of your application pods and the Envoy sidecars. Adjust resource requests/limits if necessary.
    2. Review Istio’s performance best practices.
    3. Consider reducing the scope of sidecar injection if not all services require full mesh capabilities (e.g., use manual injection or exclusion annotations). For a more lightweight alternative, consider Istio Ambient Mesh.
    4. Check for excessive logging or tracing configurations that might be impacting performance.

FAQ Section

  1. What is the difference between a Kubernetes Service and an Istio VirtualService?

    A Kubernetes Service provides stable network identity and basic load balancing for a set of pods. It’s a fundamental networking primitive. An Istio VirtualService, on the other hand, operates at a higher level of abstraction, providing advanced traffic management features. It defines how requests are routed to one or more Kubernetes Services (or their subsets) based on various criteria like hosts, paths, headers, and weights. It essentially enhances and extends the capabilities of a Kubernetes Service.

  2. When should I use a VirtualService versus a DestinationRule?

    VirtualService defines how to route traffic to a given service. It specifies the routing rules (e.g., path-based, header-based, weighted routing) and which service (or service subset) should receive the traffic. DestinationRule defines what happens to traffic after it has been routed by a VirtualService. It configures service-level policies like load balancing algorithms, connection pooling, outlier detection, and defines subsets of a service based on labels. They work together: VirtualService routes to a host:subset, and DestinationRule defines those subsets and policies for the host.

  3. Can I use VirtualService and DestinationRule for services outside the mesh?

    You can use VirtualService and DestinationRule to route traffic to services outside the mesh, provided that the traffic originates from within the mesh or passes through an Istio Gateway. For external services, you would typically define a ServiceEntry to register the external service within Istio’s service registry, and then you can define VirtualService and DestinationRule resources for it as you would for an in-mesh service. Refer to the Istio documentation on Egress Gateways for more details.

  4. How do I debug my Istio traffic rules?

    Several tools can help:

    • istioctl analyze: Checks your Istio configuration for common errors.
    • kubectl describe virtualservice/destinationrule/gateway: Provides detailed information about the resource and its status.
    • Kiali: A powerful observability tool that visualizes your service mesh, showing traffic flow, errors, and configurations. It’s often installed with Istio demo profiles.
    • Envoy logs: Access the logs of the Istio Ingress Gateway or the sidecar proxies in your application pods to see how requests are being processed.
    • Tracing (Jaeger/Zipkin): If tracing is enabled, you can trace individual requests through the mesh to identify where delays or incorrect routing occurs.
  5. What are some common traffic management patterns I can implement with VirtualService and DestinationRule?

    You can implement a wide range of patterns, including:

    • A/B Testing: Route a percentage of users or users with specific characteristics to a new version.
    • Canary Deployments: Gradually shift traffic from an old version to a new version.
    • Blue/Green Deployments: Instantly switch all traffic from one version to another.
    • Fault Injection: Introduce delays or abort requests to test service resilience.
    • Timeout and Retry Policies: Configure how long services wait for responses and how many times they retry failed requests.
    • Circuit Breaking: Automatically stop requests to failing services to prevent cascading failures.

Cleanup Commands

To remove the resources created in this guide and uninstall Istio:

# Remove Istio resources

kubectl delete -f httpbin-virtualservice-header-routing.yaml

kubectl delete -f httpbin-destinationrule.yaml

kubectl delete -f httpbin-gateway.yaml


# Remove httpbin application

kubectl delete deployment httpbin-v1 httpbin-v2

kubectl delete service httpbin


# Unlabel the namespace

kubectl label namespace default istio-injection-


# Uninstall Istio

istioctl uninstall --purge -y


# Delete the

Related Posts

OpenCost: Master Kubernetes Costs Now

Introduction In the dynamic world of cloud-native applications, Kubernetes has emerged as the de facto orchestrator for containerized workloads. While Kubernetes offers unparalleled flexibility, scalability,…

Leave a Reply

Your email address will not be published. Required fields are marked *