When deploying Istio on manually provisioned Kubernetes clusters, control plane components frequently fail to initialize due to DNS resolution timeouts and webhook connectivity issues. These problems typically stem from control plane nodes being unable to reach CoreDNS or cluster services from host network contexts.

Prerequisites: DNS and Control Plane Connectivity

Before installing Istio, verify that cluster DNS functions correctly from all control plane nodes. The istiod pod must resolve istiod.istio-system.svc.cluster.local to issue certificates to sidecar proxies. If CoreDNS is unreachable from the host network, expect errors resembling:

failed to create certificate: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp: lookup istiod.istio-system.svc.cluster.local on 10.96.0.10:53: read udp 10.244.0.5:48921->10.96.0.10:53: i/o timeout"

Validate DNS functionality by querying cluster services direct from a control plane node:

nslookup kubernetes.default.svc.cluster.local 10.96.0.10

If the control plane runs isolated from the data plane (common in binary deployments where masters lack kube-proxy), ensure the host can route to the service CIDR or deploy a lightweight proxy to bridge connectivity.

Resolving Webhook Timeout Errors

Automatic sidecar injection fails when the API server cannot reach the istiod webhook endpoint. Manifests as:

Internal error occurred: failed calling webhook "namespace.sidecar-injector.istio.io": Post "https://istiod.istio-system.svc:443/inject?timeout=10s": context deadline exceeded

This indicates the Kubernetes control plane resides outside the pod network. Solutions include:

1. Configure the master as a schedulable node (temporary workaround):

kubectl taint nodes master node-role.kubernetes.io/master:NoSchedule-
kubectl label nodes master node-role.kubernetes.io/worker=

2. Or insure host network access to the service CIDR via CNI plugins or static routes.

Enstalling the Istio CLI

Download the latest stable release and configure shell integration:

curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.20.0 sh -
cd istio-1.20.0
export PATH=$PWD/bin:$PATH

Enable command completion for istioctl:

istioctl completion bash > /etc/bash_completion.d/istioctl
source /etc/bash_completion.d/istioctl

If using zsh, replace bash with zsh in the above commands.

Control Plane Installation

Deploy Istio using the demonstration profile for evaluation environments:

istioctl install --set profile=demo -y

Verify component health:

kubectl get pods -n istio-system
kubectl get svc -n istio-system

Expected output shows istiod, istio-ingressgateway, and istio-egressgateway in Running status.

Configuring Sidecar Injection

Enable automatic proxy injection per namespace:

kubectl create namespace production
kubectl label namespace production istio-injection=enabled

Deploy a sample application to validate injection:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sample-app
  namespace: production
spec:
  replicas: 2
  selector:
    matchLabels:
      service: frontend
  template:
    metadata:
      labels:
        service: frontend
        version: v1
    spec:
      containers:
      - name: web-container
        image: httpd:2.4-alpine
        ports:
        - containerPort: 8080
          protocol: TCP

Confirm the sidecar container appears alongside application containers:

kubectl get pods -n production
# Output shows 2/2 READY (application + istio-proxy)

Exposing Services via NodePort

For environments without cloud load balancers, convert the ingress gateway to NodePort:

kubectl patch svc istio-ingressgateway -n istio-system --type='json' \
  -p='[{"op": "replace", "path": "/spec/type", "value":"NodePort"}]'

Retrieve the assigned node ports:

kubectl get svc istio-ingressgateway -n istio-system -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}'

Installing Observability Addons

Deploy Prometheus, Grafana, Kiali, and Jaeger from the samples directory:

kubectl apply -f samples/addons/

Wait for pods to initialize:

kubectl rollout status deployment/kiali -n istio-system
kubectl rollout status deployment/prometheus -n istio-system

Access Kiali via port-forward:

kubectl port-forward svc/kiali 20001:20001 -n istio-system

Complete Removal

Uninstall Istio and purge all associated resources:

istioctl uninstall --purge -y
kubectl delete namespace istio-system
kubectl delete -f samples/addons/

Remove leftover webhook configurations if present:

kubectl delete mutatingwebhookconfiguration istio-sidecar-injector
kubectl delete validatingwebhookconfiguration istiod-default-validator