I have installed fresh k8s 1.18.6 on multinode ( 12GB RAM & 4 CPU) on centos-7.8(3.10.0-1127.el7.x86_64) with docker version (19.03.6) & runc version 1.0.0-rc10.
I used calico(3.11.1) network plugin and till here everything worked fine. When i am trying to install istio 1.5.7 on it i am facing issue as below
Issue:
kubectl get pods -n istio-system NAME READY STATUS RESTARTS AGE grafana-5f6f8cbf75-lngb7 1/1 Running 0 41s istio-egressgateway-cbd86567c-5x6rk 0/1 ContainerCreating 0 44s istio-ingressgateway-799d5b8875-4ztq8 0/1 ContainerCreating 0 42s istio-tracing-9dd6c4f7c-vv64n 1/1 Running 0 41s istiod-b7d8f955b-mtqgb 0/1 CrashLoopBackOff 5 10m kiali-869c6894c5-pw7sm 1/1 Running 0 41s prometheus-7d697b95b-2rjvn 0/2 ContainerCreating 0 41s
istiod-pod-logs: info No certificates specified, skipping DNS certificate controller info CRD controller watching namespaces "" info Ingress controller watching namespaces "" warn Config Store &{0xc00020c6c0 cluster.local 0xc00026b1e0 0xc000795e00 0xc00079eea0 []} cannot track distribution in aggregate info Adding Kubernetes registry adapter info Service controller watching namespace "" for services, endpoints, nodes and pods, refresh 1m0s info JWT policy is first-party-jwt info Use self-signed certificate as the CA certificate info pkica Failed to get secret (error: Get https://10.96.0.1:443/api/v1/namespaces/istio-system/secrets/istio-ca-secret: dial tcp 10.96.0.1:443: i/o timeout), will create one Error: failed to create discovery service: enableCA: failed to create a self-signed Citadel: failed to create CA due to secret write error error pkica Failed to write secret to CA (error: Post https://10.96.0.1:443/api/v1/namespaces/istio-system/secrets: dial tcp 10.96.0.1:443: i/o timeout). Abort. error failed to create discovery service: enableCA: failed to create a self-signed Citadel: failed to create CA due to secret write error
Istio v1.5 is out of support, as is v1.6 and v1.7 will soon be.
I also don't think v1.5 was ever approved for K8s v1.18.
My suggestion would be to use Istio v1.8 and to disable Calico before attempting to install.
Because the properties of the first party token are less secure, Istio will default to using third party tokens. However, this feature is not enabled on all Kubernetes platforms.
If you are using istioctl to install, support will be automatically detected. This can be done manually as well, and configured by passing --set values.global.jwtPolicy=third-party-jwt or --set values.global.jwtPolicy=first-party-jwt.
To determine if your cluster supports third party tokens, look for the TokenRequest API. If this returns no response, then the feature is not supported:
kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))'
{
"name": "serviceaccounts/token",
"singularName": "",
"namespaced": true,
"group": "authentication.k8s.io",
"version": "v1",
"kind": "TokenRequest",
"verbs": [
"create"
]
}
There is another stackoverflow case where community member had same problem with 12GB of RAM.
Istio 1.5 has been tested with Kubernetes releases 1.14, 1.15, 1.16.
As you use Kubernetes 1.18.6 version, it might not work with Istio 1.5 version.
So I would recommend to go with this approach:
Install istio with --set values.global.jwtPolicy=first-party-jwt.
1: https://istio.io/latest/docs/ops/best-practices/security/#configure-third-party-service-account-tokens
2: https://istio.io/latest/docs/setup/platform-setup/minikube/#installation-steps
3: https://stackoverflow.com/questions/64373346/istioctl-install-fails-with-multiple-timeouts
4: https://istio.io/v1.5/pt-br/docs/setup/getting-started/#platform