Step-by-step Istio install guide

A practical, step-by-step guide to installing Istio on Kubernetes, verifying the control plane, and rolling out sidecars safely.

2026-01-11

This guide walks you through a clean Istio installation on Kubernetes, with a safe rollout path and quick verification steps.

You’ll learn how to:

  • Install Istio with a recommended profile
  • Verify the control plane is healthy
  • Enable sidecar injection in a namespace
  • Deploy a sample app and validate traffic
  • (Optional) Install observability add-ons
  • Cleanly uninstall when you’re done

Prerequisites

You need:

  • A Kubernetes cluster (local or cloud)
  • kubectl configured to talk to your cluster
  • Cluster admin permissions (for installing Istio)

Recommended versions:

  • Kubernetes 1.25+ (older versions may work, but verify with Istio’s compatibility matrix)

Quick checks:

  • kubectl version
  • kubectl get nodes

Step 1: Download and install istioctl

Option A: Using Homebrew (macOS)

brew install istioctl

Option B: Download from Istio releases

  1. Download the release for your OS from the official Istio release page.
  2. Extract it.
  3. Add the bin/ directory to your PATH.

Verify:

istioctl version

Step 2: Precheck your cluster

Istio provides a precheck that catches common issues.

istioctl x precheck

If it reports warnings, fix them before moving forward (especially anything about CNI, Pod Security, or missing permissions).


Step 3: Install Istio (default profile)

The default profile is a good starting point for most clusters.

istioctl install --set profile=default -y

What this does:

  • Installs istiod (control plane)
  • Installs base CRDs
  • Enables standard traffic management capabilities

Step 4: Verify Istio control plane is healthy

kubectl get pods -n istio-system

You should see istiod in a Running state.

Also verify:

istioctl verify-install

And check services:

kubectl get svc -n istio-system

Step 5: Create a namespace for your first rollout

Start small. Create a non-critical namespace and enable automatic sidecar injection.

kubectl create namespace istio-demo
kubectl label namespace istio-demo istio-injection=enabled --overwrite

Confirm the label:

kubectl get namespace istio-demo --show-labels

Step 6: Deploy a sample app (Bookinfo)

Istio provides Bookinfo as a standard sample.

kubectl apply -n istio-demo -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/bookinfo/platform/kube/bookinfo.yaml

Wait for pods:

kubectl get pods -n istio-demo

You should see two containers per pod (your app + Envoy sidecar). If you only see one container, injection may not be working.
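To check injection across the whole namespace instead of reading the READY column by eye, the following added example (not part of the original guide) flags pods that have no sidecar. It assumes the proxy container uses Istio's default name, istio-proxy; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): find pods with no Envoy sidecar.
# Assumption: the injected proxy container has Istio's default name, istio-proxy.

# Print one line per pod: "<pod name><TAB><init container names> <container names>".
# initContainers are included because native-sidecar mode runs the proxy there.
list_pod_containers() {
  kubectl get pods -n "$1" -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.initContainers[*].name}{" "}{.spec.containers[*].name}{"\n"}{end}'
}

# Read that listing on stdin and print the pods that lack istio-proxy.
# Exit status: 0 if every pod is injected, 1 if at least one is not.
pods_without_sidecar() {
  awk -F '\t' '
    NF < 2 { next }   # skip blank or malformed lines
    {
      n = split($2, names, " "); found = 0
      for (i = 1; i <= n; i++)
        if (names[i] == "istio-proxy") found = 1   # exact name, not a substring
      if (!found) { print $1; missing = 1 }
    }
    END { exit (missing + 0) }'
}

# Constructed sample listing (not real cluster output): a classic injected pod,
# a native-sidecar pod, an uninjected pod, and a look-alike container name.
SAMPLE_PODS=$(printf '%s\t%s\n' \
  'productpage-v1-aaaa' 'istio-init productpage istio-proxy' \
  'reviews-v1-bbbb'     'istio-init istio-proxy reviews' \
  'legacy-client-cccc'  ' client' \
  'proxy-tools-dddd'    ' istio-proxy-debug')

# Against a cluster: list_pod_containers istio-demo | pods_without_sidecar
printf '%s\n' "$SAMPLE_PODS" | pods_without_sidecar || echo "pods listed above have no sidecar"
```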


Step 7: Add an ingress gateway route (Gateway + VirtualService)

Deploy the Bookinfo gateway:

kubectl apply -n istio-demo -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/bookinfo/networking/bookinfo-gateway.yaml

Confirm objects:

kubectl get gateway,virtualservice -n istio-demo

Step 8: Access the app

How you access the app depends on your environment.

If you’re on a cloud cluster with LoadBalancer support

Get the external IP:

kubectl get svc -n istio-system istio-ingressgateway

Look for EXTERNAL-IP, then try:

curl -I http://<EXTERNAL-IP>/productpage

If you’re on a local cluster (or no LoadBalancer)

Use port-forward:

kubectl -n istio-system port-forward svc/istio-ingressgateway 8080:80

Then open:

  • http://localhost:8080/productpage

Step 9 (Optional): Install observability add-ons

Istio integrates well with common observability tools. These are optional, but very useful.

Kiali (service mesh UI)

kubectl apply -n istio-system -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/addons/kiali.yaml

Prometheus (metrics)

kubectl apply -n istio-system -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/addons/prometheus.yaml

Grafana (dashboards)

kubectl apply -n istio-system -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/addons/grafana.yaml

To open Kiali quickly (port-forward):

istioctl dashboard kiali

Step 10: A safe path to production rollout

Avoid a big-bang enablement. A safe approach:

  1. Pick one low-risk namespace.
  2. Enable injection.
  3. Validate traffic and baselines (latency, error rate).
  4. Add simple policies first:
    • timeouts
    • retries
    • basic load balancing
  5. Introduce mTLS carefully:
    • start with PERMISSIVE
    • move to STRICT only after dependencies are compatible
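
The PERMISSIVE-then-STRICT sequence in item 5 is expressed with a namespace-wide PeerAuthentication resource. The added example below (not part of the original guide) renders that manifest for either mode; it assumes the istio-demo namespace from Step 5, and the function name peer_auth_manifest is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): render the PeerAuthentication
# used for the staged mTLS rollout. A policy named "default" in a namespace
# applies to every workload in that namespace.

peer_auth_manifest() {
  ns=$1
  mode=$2
  # Only the two rollout stages are accepted; anything else is refused so a
  # typo cannot silently leave the namespace in an unintended mode.
  case "$mode" in
    PERMISSIVE|STRICT) ;;
    *) echo "mode must be PERMISSIVE or STRICT, got: $mode" >&2; return 2 ;;
  esac
  # Accept only lowercase letters, digits and hyphens, so the value cannot
  # smuggle extra YAML into the manifest.
  case "$ns" in
    ''|*[!a-z0-9-]*) echo "invalid namespace: $ns" >&2; return 2 ;;
  esac
  cat <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: $ns
spec:
  mtls:
    mode: $mode
EOF
}

# Stage 1: sidecars accept both mTLS and plaintext while clients migrate.
#   peer_auth_manifest istio-demo PERMISSIVE | kubectl apply -f -
# Stage 2: plaintext is rejected; apply only once every caller has a sidecar.
#   peer_auth_manifest istio-demo STRICT | kubectl apply -f -
```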

Step 11: Uninstall (clean removal)

Remove Bookinfo resources:

kubectl delete -n istio-demo -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/bookinfo/platform/kube/bookinfo.yaml
kubectl delete -n istio-demo -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/bookinfo/networking/bookinfo-gateway.yaml

Uninstall Istio:

istioctl uninstall -y --purge

Delete the namespace(s):

kubectl delete namespace istio-system
kubectl delete namespace istio-demo

Final checklist

  • Istio installed: istioctl verify-install
  • Sidecars injected: pods show 2 containers
  • Ingress route working: /productpage loads
  • Observability (optional): Kiali/Prometheus/Grafana running
