Running Istio Service Mesh on OpenShift is an open platform that provides a uniform way to connect, manage, and secure microservices. This article describes installing and running on OpenShift (>=1.5 as of now) only. If you would like to know more theory I encourage you to read this post by @christianposta

Note that some of the permissions mentioned in this article may be more than what is needed. I plan to do further research and publish another article or comments on this post with accurate permissions in the future. For updates follow me on twitter @debianmaster

Run as Cluster Administrator on Master

oc login -u system:admin

Istio installation requires that you are the cluster-admin; you can use any cluster admin user for this purpose.

Choose a Namespace and Provide Permissions

oc project default
oc adm policy add-scc-to-user anyuid -z default
oc adm policy add-scc-to-user privileged -z default
oc patch scc/privileged --patch {\"allowedCapabilities\":[\"NET_ADMIN\"]}

NET_ADMIN privilege is needed for iptable NAT redirect chains updated by Istio.

Install Istio Service Mesh

git clone
git checkout 0.1.5

Apply Necessary Permissions

oc adm policy add-cluster-role-to-user cluster-admin -z istio-manager-service-account
oc adm policy add-cluster-role-to-user cluster-admin -z istio-ingress-service-account
oc adm policy add-cluster-role-to-user cluster-admin -z default

oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account
oc adm policy add-scc-to-user privileged -z istio-ingress-service-account

oc adm policy add-scc-to-user anyuid -z istio-manager-service-account
oc adm policy add-scc-to-user privileged -z istio-manager-service-account

Many permissions are needed currently, but this may change.  Istio installation creates custom service accounts and they need privileges to be able to create ThirdPartyResources.

Deploying Istio

oc apply -f istio/install/kubernetes/istio.yaml

Install Addons

oc apply -f istio/install/kubernetes/addons/prometheus.yaml
oc apply -f istio/install/kubernetes/addons/grafana.yaml
oc apply -f istio/install/kubernetes/addons/servicegraph.yaml

Deploy Sample App

Install istioctl first

curl -L | sh -
export PATH="$PATH:/Users/YOUR_USERNAME/istio/istio-0.1.5/bin"

Note: Don’t forget to replace with the appropriate value.

Deploy bookInfo App

oc apply -f <(istioctl kube-inject -f istio/samples/apps/bookinfo/bookinfo.yaml)

oc expose svc servicegrap

Test Service Mesh / Using Grafana Pod (or Another Pod)

$ export GRAFANA=$(oc get pods -l app=grafana -o jsonpath={.items[0]})
$ oc exec $GRAFANA -- curl -o /dev/null -s -w "%{http_code}\n" http://istio-ingress/productpage
$ open http://$(oc get routes servicegraph -o jsonpath={})/dotviz


You should see something like this at the end showing the service graph.

See it in action

OpenShift Container Platform, OpenShift Dedicated, OpenShift Online, OpenShift Origin
, , ,

8 Responses to “Running Istio Service Mesh on OpenShift”

  1. debianmaster

    There were some issues when selinux is enabled on openshift cluster for 0.4 version of istio. this has been fixed upstream but not released yet. so temporary fix will be disabling selinux, just fyi

    • mohana balram

      Hi.. I am installing Istio 0.1.6 on openshift 3.3 and ending with Error: Istio configuration not found. Verify istio configmap is installed in namespace default.
      kindly suggest

      • debianmaster

        mohana, you should have at least openshift 3.5 as third party resoruces are not supported in openshift 3.3

  2. Nobuhiro Sue

    Found typo:
    oc expose svc servicegrap
    oc expose svc servicegraph

  3. Chilcano

    Thanks for useful post.
    I’ve implemented partially an Ansible Role to install Istio on OpenShift, but to complete it, I would like to know what is the right way to uninstall and rollback the installation.
    Any idea?

Comments are closed.