Fission and Istio Integration

Tutorial for how to integrate Fission with Istio

ta-ching chen

3 minute read



Fission is a framework for serverless functions on Kubernetes. Istio is an open platform to connect, manage, and secure microservice announced by Google, IBM and Lyft. It makes sense to combine them together to provide user more powerful functionalities.

Since this is the very first step for fission to integrate with Istio, there are still couple problems need to be solved. For those interested in trying to integrate fission with istio, following is the set up tutorial.

Test Environment

  • Google Kubernetes Engine: 1.9.2-gke.1 cluster
  • Fission: 0.6.0
  • Istio: 0.6.0

Set Up

Create Kubernetes v1.9+ alpha cluster

Available zone can be found here

$ export ZONE=<zone name>
$ gcloud container clusters create istio-demo-1 \
    --machine-type=n1-standard-2 \
    --num-nodes=1 \
    --no-enable-legacy-authorization \
    --zone=$ZONE \

Grant cluster admin permissions

Grant admin permission for system:serviceaccount:kube-system:default and current user.

# for system:serviceaccount:kube-system:default
$ kubectl create clusterrolebinding --user system:serviceaccount:kube-system:default kube-system-cluster-admin --clusterrole cluster-admin

# for current user
$ kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value core/account)

Set up Istio environment

For Istio 0.6.0 you can follow the installation tutorial below. Or you can follow the latest installation guides on Istio official site: Quick Start and Sidecar Injection.

Download Istio 0.6.0

$ export ISTIO_VERSION=0.6.0
$ curl -L | sh -
$ cd istio-0.6.0/

Apply istio related YAML files

If you want to install istio without enabling mutual TLS authentication:

$ kubectl apply -f install/kubernetes/istio.yaml

Or, enabling mutual TLS authentication between istio-proxy:

$ kubectl apply -f install/kubernetes/istio-auth.yaml

Automatic sidecar (istio-proxy) injection

Please make sure that admissionregistration API is enabled.

$ kubectl api-versions | grep admissionregistration

Install the sidecar injection configmap.

$ ./install/kubernetes/ \
    --service istio-sidecar-injector \
    --namespace istio-system \
    --secret sidecar-injector-certs

$ kubectl apply -f install/kubernetes/istio-sidecar-injector-configmap-release.yaml

Install the sidecar injector

$ cat install/kubernetes/istio-sidecar-injector.yaml | \
     ./install/kubernetes/ > \

$ kubectl apply -f install/kubernetes/istio-sidecar-injector-with-ca-bundle.yaml

# Check sidecar injector status
$ kubectl -n istio-system get deployment -listio=sidecar-injector
istio-sidecar-injector   1         1         1            1           26s

Install fission

Set default namespace for helm installation, here we use fission as example namespace.

$ export FISSION_NAMESPACE=fission

Create namespace & add label for Istio sidecar injection.

$ kubectl create namespace $FISSION_NAMESPACE
$ kubectl label namespace $FISSION_NAMESPACE istio-injection=enabled
$ kubectl config set-context $(kubectl config current-context) --namespace=$FISSION_NAMESPACE

Install fission with following command:

$ helm install --namespace $FISSION_NAMESPACE --set enableIstio=true --name istio-demo

Create a function

Set environment

$ export FISSION_ROUTER=$(kubectl --namespace fission get svc router -o=jsonpath='{..ip}')

Let’s create a simple function in Node.js.

Create environment

$ fission env create --name nodejs --image fission/node-env

Create function

// hello.js
module.exports = async function(context) {
    return {
        status: 200,
        body: "Hello, World!\n"
$ fission fn create --name h1 --env nodejs --code hello.js --method GET

Create route

$ fission route create --method GET --url /h1 --function h1

Access function

$ curl http://$FISSION_ROUTER/h1
Hello, World!

Install Add-ons

NOTE: Due to a known issue with Istio 0.6.0, right now the Grafana & Jaeger can only display TCP-level information.

  • Prometheus
$ kubectl apply -f install/kubernetes/addons/prometheus.yaml
$ kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l app=prometheus -o jsonpath='{.items[0]}') 9090:9090

Web Link:

  • Grafana

Please install Prometheus first.


$ kubectl apply -f install/kubernetes/addons/grafana.yaml
$ kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l app=grafana -o jsonpath='{.items[0]}') 3000:3000

Web Link:

  • Jaeger


$ kubectl apply -n istio-system -f
$ kubectl port-forward -n istio-system $(kubectl get pod -n istio-system -l app=jaeger -o jsonpath='{.items[0]}') 16686:16686

Web Link: http://localhost:16686


comments powered by Disqus