mirror of
https://github.com/rancher/rancher-docs.git
synced 2026-05-23 21:28:21 +00:00
Merge branch 'staging' into HPA-changes
@@ -1,58 +0,0 @@
|
||||
---
|
||||
title: Global Registry
|
||||
weight: 1145
|
||||
---
|
||||
|
||||
_Available as of v2.3.0_
|
||||
|
||||
Rancher's Global Registry provides a way to set up a [Harbor](https://github.com/goharbor/harbor) registry to store and manage your docker images. The Global Registry reuses the same SSL certificate of Rancher server so you don't need to prepare additional certificates for it. The CA root certificate is added to every node of managed kubernetes clusters. Therefore, in the case where you're using a private certificate authority, you can use images from the Global Registry without additional configuration of the docker daemon on cluster nodes.
|
||||
|
||||
> **Note:** Global Registry is only available in [HA setups]({{< baseurl >}}/rancher/v2.x/en/installation/ha/) with the [`local` cluster enabled]({{< baseurl >}}/rancher/v2.x/en/installation/ha/helm-rancher/chart-options/#import-local-cluster).
|
||||
|
||||
## Prerequisites
|
||||
|
||||
Depending on the configuration options you use, check the following prerequisites before enabling Global Registry:
|
||||
|
||||
- If you use `filesystem` type for docker registry storage, or use `internal` type database or Redis, [persistent volumes]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/volumes-and-storage/) are required in the local cluster.
|
||||
- If you use `external` type database, you need to create databases in PostgreSQL before registry deployment. You can configure which databases to use in the configuration options.
|
||||
|
||||
## Enabling Global Registry
|
||||
|
||||
As an [administrator]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/), you can configure Rancher to deploy the Global Registry.
|
||||
|
||||
1. From the **Global** view, select **Tools > Global Registry** from the main menu.
|
||||
|
||||
1. Enter in your desired configuration options. For detail instructions, follow the [Configuration Options]({{< baseurl >}}/rancher/v2.x/en/admin-settings/globalregistry/harbor/) section.
|
||||
|
||||
1. Click **Save**.
|
||||
|
||||
**Result:** A Harbor instance will be deployed as an [application]({{< baseurl >}}/rancher/v2.x/en/catalog/apps/) named `global-registry-harbor` to local cluster's `system` project.
|
||||
|
||||
## Disabling Global Registry
|
||||
|
||||
To disable the Global Registry:
|
||||
|
||||
1. From the **Global** view, select **Tools > Global Registry** from the main menu.
|
||||
|
||||
1. Click **Disable registry**, then click the red button again to confirm the disable action.
|
||||
|
||||
**Result:** The `global-registry-harbor` application in local cluster's `system` project gets removed. Note that persistent volumes used by the Global Registry will not be removed on disabling, so as to prevent data lost. You need to manually delete relevant volumes in local cluster's `system` project if you want to clean them up.
|
||||
|
||||
## Using Global Registry
|
||||
|
||||
Once the Global Registry is enabled, you can:
|
||||
|
||||
1. Access Harbor UI through the endpoint `<Rancher-Server-URL>/registry`.
|
||||
|
||||
1. Use the Rancher server hostname as the registry hostname in image names. For example:
|
||||
```
|
||||
docker pull <Rancher-Server-Hostname>/library/busybox:latest
|
||||
```
|
||||
|
||||
1. If Notary is enabled, the endpoint for notary server is `<Rancher-Server-URL>/registry/notary`.
|
||||
|
||||
1. Use Global Registry as a private registry in Rancher projects, see [how to use registries]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/registries/).
|
||||
|
||||
> **Notes:**
|
||||
>
|
||||
>- The authentication of Harbor is independent of Rancher authentication, you should log in to Harbor UI and manage Harbor users for registry account management.
|
||||
@@ -1,101 +0,0 @@
|
||||
---
|
||||
title: Global Registry Configuration
|
||||
weight: 1
|
||||
---
|
||||
|
||||
_Available as of v2.3.0-alpha_
|
||||
|
||||
While configuring global registry, there are multiple options that can be configured.
|
||||
|
||||
## General
|
||||
|
||||
Field | Description | Required | Editable | Default
|
||||
----|-----------------|------------|------------|------------
|
||||
Admin Password | The initial password of Harbor admin. Change it from Harbor UI after the registry is ready | Yes | No | n/a
|
||||
Encryption Key For Harbor | The key used for encryption. Must be a string of 16 chars | No | Yes | n/a
|
||||
|
||||
## Registry
|
||||
|
||||
Field | Description | Required | Editable | Default
|
||||
----|-----------------|------------|------------|------------
|
||||
Storage Backend Type | Storage type for images: `filesystem` or `s3`. If `filesystem` is selected, persistent volume is required in your local cluster. | Yes | No | filesystem
|
||||
Source | Whether to use a storage class to provision a new PV or to use an existing PVC | Yes | Yes | Use a storage class
|
||||
Storage Class | Specify the storage class used to provision the persistent volume(A storage class is required in the local cluster to use this option) | Yes, when use SC | Yes | The default storage class
|
||||
Persistent Volume Size | Specify the size of the persistent volume | Yes, when use SC | Yes | 100Gi
|
||||
Existing Claim | Specify the existing PVC for registry images(An existing PVC is required to use this option) | Yes, when use existing PV | Yes | n/a
|
||||
Registry CPU Limit | CPU limit for the docker registry workload | Yes | Yes | 1000 (milli CPUs)
|
||||
Registry Memory Limit | Memory limit for the docker registry workload | Yes | Yes | 2048 (MiB)
|
||||
Registry CPU Reservation | CPU reservation for the docker registry workload | Yes | Yes | 100 (milli CPUs)
|
||||
Registry Memory Reservation | Memory reservation for the docker registry workload | Yes | Yes | 256 (MiB)
|
||||
Registry Node Selector | Select the nodes where the docker registry workload will be scheduled to | No | Yes | n/a
|
||||
|
||||
## Database
|
||||
|
||||
Field | Description | Required | Editable | Default
|
||||
----|-----------------|------------|------------|------------
|
||||
Config Database Type | Choose `internal` or `external`. When `internal` is selected, a PostgreSQL workload will be included in the application, and a persistent volume is required for it. When `external` is selected, you can configure an external PostgreSQL. You should create databases for Harbor core service, Clair and Notary before enabling.| Yes | No | internal
|
||||
Source | Whether to use a storage class to provision a new PV or to use an existing PVC | Yes, when use internal database | Yes | Use a storage class
|
||||
Storage Class | Specify the storage class used to provision the persistent volume(A storage class is required in the local cluster to use this option) | Yes, when use SC and internal database | Yes | The default storage class
|
||||
Persistent Volume Size | Specify the size of the persistent volume | Yes, when use SC and internal database | Yes | 5Gi
|
||||
Existing Claim | Specify the existing PVC for PostgreSQL database(An existing PVC is required to use this option) | Yes, when use existing PV and internal database | Yes | n/a
|
||||
Database CPU Limit | CPU limit for the database workload | Yes | Yes | 500 (milli CPUs)
|
||||
Database Memory Limit | Memory limit for the database workload | Yes | Yes | 2048 (MiB)
|
||||
Database CPU Reservation | CPU reservation for the database workload | Yes | Yes | 100 (milli CPUs)
|
||||
Database Memory Reservation | Memory reservation for the database workload | Yes | Yes | 256 (MiB)
|
||||
Database Node Selector | Select the nodes where the database workload will be scheduled to | No (Only shows when use external database) | Yes | n/a
|
||||
SSL Mode for PostgreSQL | SSL mode used to connect the external database | No (Only shows when use external database) | Yes | disable
|
||||
Host for PostgreSQL | The hostname for external database | Yes (Only shows when use external database) | Yes | n/a
|
||||
Port for PostgreSQL | The port for external database | Yes (Only shows when use external database) | Yes | 5432
|
||||
Username for PostgreSQL | The username for external database | Yes (Only shows when use external database) | Yes | n/a
|
||||
Password for PostgreSQL | The password for external database | Yes (Only shows when use external database) | Yes | n/a
|
||||
Core Database | The database used by core service | No (Only shows when use external database) | Yes | registry
|
||||
Clair Database | The database used by Clair | No (Only shows when use external database) | Yes | clair
|
||||
Notary Server Database | The database used by Notary server | No (Only shows when use external database) | Yes | notary_server
|
||||
Notary Signer Database | The database used by Notary signer | No (Only shows when use external database) | Yes | notary_signer
|
||||
|
||||
|
||||
## Redis
|
||||
|
||||
Field | Description | Required | Editable | Default
|
||||
----|-----------------|------------|------------|------------
|
||||
Config Redis Type | Choose `internal` or `external`. When `internal` is selected, a Redis workload will be included in the application, and a persistent volume is required for it. When `external` is selected, you can configure an external Redis. | Yes | No | internal
|
||||
Source | Whether to use a storage class to provision a new PV or to use an existing PVC | Yes, when use internal Redis | Yes | Use a storage class
|
||||
Storage Class | Specify the storage class used to provision the persistent volume(A storage class is required in the local cluster to use this option) | Yes, when use SC and internal Redis | Yes | The default storage class
|
||||
Persistent Volume Size | Specify the size of the persistent volume | Yes, when use SC and internal Redis | Yes | 5Gi
|
||||
Existing Claim | Specify the existing PVC for Redis(An existing PVC is required to use this option) | Yes, when use existing PV and internal Redis | Yes | n/a
|
||||
Redis CPU Limit | CPU limit for the Redis workload | Yes | Yes | 500 (milli CPUs)
|
||||
Redis Memory Limit | Memory limit for the Redis workload | Yes | Yes | 2048 (MiB)
|
||||
Redis CPU Reservation | CPU reservation for the Redis workload | Yes | Yes | 100 (milli CPUs)
|
||||
Redis Memory Reservation | Memory reservation for the Redis workload | Yes | Yes | 256 (MiB)
|
||||
Redis Node Selector | Select the nodes where the Redis workload will be scheduled to | No | Yes | n/a
|
||||
Host for Redis | The hostname for external Redis | Yes (Only shows when use external Redis) | Yes | n/a
|
||||
Port for Redis | The port for external Redis | Yes (Only shows when use external Redis) | Yes | 6379
|
||||
Password for Redis | The password for external Redis | No (Only shows when use external Redis) | Yes | n/a
|
||||
Jobservice Database Index | The database index for jobservice | Yes (Only shows when use external Redis) | Yes | n/a
|
||||
Registry Database Index | The database index for docker registry | Yes (Only shows when use external Redis) | Yes | n/a
|
||||
|
||||
## Clair
|
||||
|
||||
Field | Description | Required | Editable | Default
|
||||
----|-----------------|------------|------------|------------
|
||||
Enable Clair | Whether or not to enable Clair for vulnerabilities scanning | Yes | Yes | true
|
||||
Clair CPU Limit | CPU limit for the Clair workload | Yes, when Clair enabled | Yes | 500 (milli CPUs)
|
||||
Clair Memory Limit | Memory limit for the Clair workload | Yes, when Clair enabled | Yes | 2048 (MiB)
|
||||
Clair CPU Reservation | CPU reservation for the Clair workload | Yes, when Clair enabled | Yes | 100 (milli CPUs)
|
||||
Clair Memory Reservation | Memory reservation for the Clair workload | Yes, when Clair enabled | Yes | 256 (MiB)
|
||||
Clair Node Selector | Select the nodes where the Clair workload will be scheduled to | Yes, when Clair enabled | Yes | n/a
|
||||
|
||||
## Notary
|
||||
|
||||
Field | Description | Required | Editable | Default
|
||||
----|-----------------|------------|------------|------------
|
||||
Enable Notary | Whether or not to enable Notary for [Docker Content Trust](https://docs.docker.com/engine/security/trust/content_trust/). When enabled, the access endpoint to the Notary server is `<Rancher-Server-URL>/registry/notary`. | Yes | Yes | true
|
||||
Notary Server CPU Limit | CPU limit for the Notary Server workload | Yes, when Notary enabled | Yes | 500 (milli CPUs)
|
||||
Notary Server Memory Limit | Memory limit for the Notary Server workload | Yes, when Notary enabled | Yes | 2048 (MiB)
|
||||
Notary Server CPU Reservation | CPU reservation for the Notary Server workload | Yes, when Notary enabled | Yes | 100 (milli CPUs)
|
||||
Notary Server Memory Reservation | Memory reservation for the Notary Server workload | Yes, when Notary enabled | Yes | 256 (MiB)
|
||||
Notary Signer CPU Limit | CPU limit for the Notary Signer workload | Yes, when Notary enabled | Yes | 500 (milli CPUs)
|
||||
Notary Signer Memory Limit | Memory limit for the Notary Signer workload | Yes, when Notary enabled | Yes | 2048 (MiB)
|
||||
Notary Signer CPU Reservation | CPU reservation for the Notary Signer workload | Yes, when Notary enabled | Yes | 100 (milli CPUs)
|
||||
Notary Signer Memory Reservation | Memory reservation for the Notary Signer workload | Yes, when Notary enabled | Yes | 256 (MiB)
|
||||
Notary Node Selector | Select the nodes where the Notary Server and Notary Signer workloads will be scheduled to | No | Yes | n/a
|
||||
@@ -0,0 +1,62 @@
|
||||
---
|
||||
title: Istio
|
||||
weight: 5
|
||||
---
|
||||
|
||||
_Available as of v2.3.0-alpha4_
|
||||
|
||||
Using Rancher, you can connect, secure, control, and observe services through integration with [Istio](https://istio.io/), a leading open-source service mesh solution. Istio provides behavioral insights and operational control over the service mesh as a whole, offering a complete solution to satisfy the diverse requirements of microservice applications.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
The required resource allocation for each service is listed in the [configuration options]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/istio/config/). Please review it before attempting to enable Istio.
|
||||
|
||||
In larger deployments, it is strongly advised that the infrastructure be placed on dedicated nodes in the cluster.
|
||||
|
||||
## Enabling Istio
|
||||
|
||||
As an [administrator]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) or [cluster owner]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), you can configure Rancher to deploy Istio to your Kubernetes cluster.
|
||||
|
||||
1. From the **Global** view, navigate to the cluster that you want to configure Istio for.
|
||||
|
||||
1. Select **Tools > Istio** in the navigation bar.
|
||||
|
||||
1. Select **Enable** to show the [Istio configuration options]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/istio/config/). Enter in your desired configuration options. Ensure you have enough resources on your worker nodes to enable Istio.
|
||||
|
||||
1. Click **Save**.
|
||||
|
||||
**Result:** The Istio application, `cluster-istio`, is added as an [application]({{< baseurl >}}/rancher/v2.x/en/catalog/apps/) to the cluster's `system` project. After the application is `active`, you can start using Istio.
|
||||
|
||||
|
||||
## Using Istio for Metrics Visualization
|
||||
|
||||
Once Istio is `active`, you can see visualizations of your Istio service mesh with Kiali, Jaeger, Grafana, and Prometheus, which are all open-source projects that Rancher has integrated with.
|
||||
|
||||
- **Kiali** helps you define, validate, and observe your Istio service mesh. Kiali shows you what services are in your mesh and how they are connected. Kiali includes Jaeger Tracing to provide distributed tracing out of the box.
|
||||
- **Jaeger** is a distributed tracing system released as open source by Uber Technologies. It is used for monitoring and troubleshooting microservices-based distributed systems.
|
||||
- **Grafana** is an analytics platform that allows you to query, visualize, alert on and understand your metrics. Grafana lets you visualize data from Prometheus.
|
||||
- **Prometheus** is a systems monitoring and alerting toolkit.
|
||||
|
||||
With Istio enabled, you can:
|
||||
|
||||
- Access [Kiali UI](https://www.kiali.io/) by clicking the Kiali UI icon in the Istio page.
|
||||
- Access [Jaeger UI](https://www.jaegertracing.io/) by clicking the Jaeger UI icon in the Istio page.
|
||||
- Access [Grafana UI](https://grafana.com/) by clicking the Grafana UI icon in the Istio page.
|
||||
- Access [Prometheus UI](https://prometheus.io/) by clicking the Prometheus UI icon in the Istio page.
|
||||
- Go to a project to [view traffic graph, traffic metrics and manage traffic]({{< baseurl >}}/rancher/v2.x/en/project-admin/istio/).
|
||||
|
||||
## Leveraging Istio in Projects
|
||||
|
||||
After you enable Istio, you can see traphic metrics and a traffic graph on the project level. You can see a traffic graph for all namespaces that have Istio sidecar injection enabled. For more information, refer to [How to Use Istio in Your Project]({{< baseurl >}}/rancher/v2.x/en/project-admin/istio/).
|
||||
|
||||
## Disabling Istio
|
||||
|
||||
To disable Istio:
|
||||
|
||||
1. From the **Global** view, navigate to the cluster that you want to disable Istio for.
|
||||
|
||||
1. Select **Tools > Istio** in the navigation bar.
|
||||
|
||||
1. Click **Disable Istio**, then click the red button again to confirm the disable action.
|
||||
|
||||
**Result:** The `cluster-istio` application in the cluster's `system` project gets removed.
|
||||
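Review bot: "traphic metrics" in the "Leveraging Istio in Projects" paragraph is a typo for "traffic metrics". In the Prerequisites section, "the infrastructure" has lost its referent (the Service Mesh page removed in this commit said "the service mesh infrastructure"); name what should go on dedicated nodes, for example "the Istio components". The page also does not say who can open the Kiali, Jaeger, Grafana and Prometheus UIs from the Istio page. Enabling is limited to administrators and cluster owners, so state whether the same restriction applies to the UIs.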
+17
-3
@@ -1,14 +1,18 @@
|
||||
---
|
||||
title: Service Mesh Configuration
|
||||
title: Istio Configuration
|
||||
weight: 1
|
||||
---
|
||||
|
||||
_Available as of v2.3.0-alpha_
|
||||
_Available as of v2.3.0-alpha4_
|
||||
|
||||
There are several configuration options for the service mesh.
|
||||
There are several configuration options for Istio. You can find more information about Istio configuration in the [official Istio documentation](https://istio.io/docs/concepts/what-is-istio).
|
||||
|
||||
## PILOT
|
||||
|
||||
Pilot provides service discovery for the Envoy sidecars, traffic management capabilities for intelligent routing (e.g., A/B tests, canary rollouts, etc.), and resiliency (timeouts, retries, circuit breakers, etc.).
|
||||
|
||||
For more information on Pilot, refer to the [documentation](https://istio.io/docs/concepts/traffic-management/#pilot-and-envoy).
|
||||
|
||||
Option | Description| Required | Default
|
||||
-------|------------|-------|-------
|
||||
Pilot CPU Limit | CPU resource limit for the istio-pilot pod.| Yes | 1000
|
||||
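Review bot: The new intro sentence promises "more information about Istio configuration" but links to the `what-is-istio` concepts overview; point it at a configuration reference or reword it as general background. While the tables are being touched, defaults such as `1000` for Pilot CPU Limit carry no unit. The Global Registry tables removed in this same commit wrote "1000 (milli CPUs)", and the same convention would help here. The section headings also stay in all caps (`## PILOT`) while the new Istio pages use title case (`## Enabling Istio`).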
@@ -20,6 +24,8 @@ Pilot Selector | Ability to select the nodes in which istio-pilot pod is deploye
|
||||
|
||||
## MIXER
|
||||
|
||||
Mixer is a platform-independent component. Mixer enforces access control and usage policies across the service mesh, and collects telemetry data from the Envoy proxy and other services. For more information on Mixer, policies and telemetry, refer to the [documentation](https://istio.io/docs/concepts/policies-and-telemetry/).
|
||||
|
||||
Option | Description| Required | Default
|
||||
-------|------------|-------|-------
|
||||
Mixer Telemetry CPU Limit | CPU resource limit for the istio-telemetry pod.| Yes | 4800
|
||||
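Review bot: The added Mixer paragraph describes two roles, policy enforcement and telemetry collection, but does not connect them to the two pods this section configures (istio-policy and istio-telemetry), so a reader cannot tell which limits apply to which role. Add one sentence mapping each role to its pod. The opening sentence "Mixer is a platform-independent component." says little on its own and can be folded into the next one.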
@@ -35,6 +41,8 @@ Mixer Selector | Ability to select the nodes in which istio-policy and istio-tel
|
||||
|
||||
## TRACING
|
||||
|
||||
Istio-enabled applications can collect trace spans. For more information on distributed tracing with Istio, refer to the [documentation](https://istio.io/docs/tasks/telemetry/distributed-tracing/overview/).
|
||||
|
||||
Option | Description| Required | Default
|
||||
-------|------------|-------|-------
|
||||
Enable Tracing | Whether or not to deploy the istio-tracing. | Yes | True
|
||||
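Review bot: The added TRACING sentence does not name the tracing backend that "Enable Tracing" deploys. The Istio overview page added in this commit lists Jaeger for distributed tracing; name it here as well and say how the istio-tracing workload relates to the Jaeger UI icon on the Istio page, so the option's effect is clear.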
@@ -46,6 +54,8 @@ Tracing Selector | Ability to select the nodes in which tracing pod is deployed
|
||||
|
||||
## INGRESS GATEWAY
|
||||
|
||||
The Istio Gateway allows Istio features such as monitoring and route rules to be applied to traffic entering the cluster. For more information, refer to the [documentation](https://istio.io/docs/tasks/traffic-management/ingress/).
|
||||
|
||||
Option | Description| Required | Default
|
||||
-------|------------|-------|-------
|
||||
Enable Ingress Gateway | Whether or not to deploy the istio-ingressgateway. | Yes | False
|
||||
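Review bot: The added INGRESS GATEWAY paragraph calls the component "The Istio Gateway", the heading calls it "Ingress Gateway", and the option row names istio-ingressgateway; pick one term and use it throughout. Since the default for Enable Ingress Gateway is False, state that the gateway is not deployed unless enabled, and that enabling it creates the entry point for traffic entering the cluster that the paragraph describes.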
@@ -62,6 +72,8 @@ Ingress Gateway Selector | Ability to select the nodes in which istio-ingressgat
|
||||
|
||||
## PROMETHEUS
|
||||
|
||||
You can query for Istio metrics using Prometheus. Prometheus is an open-source systems monitoring and alerting toolkit.
|
||||
|
||||
Option | Description| Required | Default
|
||||
-------|------------|-------|-------
|
||||
Prometheus CPU Limit | CPU resource limit for the Prometheus pod.| Yes | 1000
|
||||
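Review bot: The added PROMETHEUS paragraph has no documentation link, unlike the Pilot, Mixer, Tracing and Ingress Gateway paragraphs added in the same file. Link to https://prometheus.io/ as the Istio overview page in this commit does. The second sentence repeats the definition already given on that overview page and could be dropped.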
@@ -73,6 +85,8 @@ Prometheus Selector | Ability to select the nodes in which Prometheus pod is dep
|
||||
|
||||
## GRAFANA
|
||||
|
||||
You can visualize metrics with Grafana. Grafana is a tool that lets you visualize Istio traffic data.
|
||||
|
||||
Option | Description| Required | Default
|
||||
-------|------------|-------|-------
|
||||
Enable Grafana | Whether or not to deploy the Grafana.| Yes | True
|
||||
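Review bot: The two added GRAFANA sentences say the same thing twice ("You can visualize metrics with Grafana. Grafana is a tool that lets you visualize Istio traffic data."); merge them into one and add a link to https://grafana.com/, matching the overview page. In the option row, "deploy the Grafana" should read "deploy Grafana".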
@@ -1,46 +0,0 @@
|
||||
---
|
||||
title: Service Mesh
|
||||
weight: 5
|
||||
---
|
||||
|
||||
_Available as of v2.3.0-alpha_
|
||||
|
||||
Using Rancher, you can connect, secure, control, and observe services through integration with [Istio](https://istio.io/), a leading open-source service mesh solution. Istio provides behavioral insights and operational control over the service mesh as a whole, offering a complete solution to satisfy the diverse requirements of microservice applications.
|
||||
|
||||
## Enabling Service Mesh
|
||||
|
||||
As an [administrator]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) or [cluster owner]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles), you can configure Rancher to deploy Istio to your Kubernetes cluster.
|
||||
|
||||
1. From the **Global** view, navigate to the cluster that you want to configure the service mesh for.
|
||||
|
||||
1. Select **Tools > Service Mesh** in the navigation bar.
|
||||
|
||||
1. Select **Enable** to show the [Service mesh configuration options]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/service-mesh/istio/). Enter in your desired configuration options. Ensure you have enough resources for service mesh and on your worker nodes to enable service mesh.
|
||||
|
||||
1. Click **Save**.
|
||||
|
||||
**Result:** The Istio application, `cluster-istio`, is added as an [application]({{< baseurl >}}/rancher/v2.x/en/catalog/apps/) to the cluster's `system` project. After the application is `active`, you can start using Istio.
|
||||
|
||||
> **Note:** When enabling service mesh, you need to ensure your worker nodes and Istio pod have enough resources. In larger deployments, it is strongly advised that the service mesh infrastructure be placed on dedicated nodes in the cluster.
|
||||
|
||||
## Using Service Mesh
|
||||
|
||||
Once the service mesh is `active`, you can:
|
||||
|
||||
1. Access [Kiali UI](https://www.kiali.io/) by clicking Kiali UI icon in service mesh page.
|
||||
1. Access [Jaeger UI](https://www.jaegertracing.io/) by clicking Jaeger UI icon in service mesh page.
|
||||
1. Access [Grafana UI](https://grafana.com/) by clicking Grafana UI icon in service mesh page.
|
||||
1. Access [Prometheus UI](https://prometheus.io/) by clicking Prometheus UI icon in service mesh page.
|
||||
1. Go to a project to [view traffic graph, traffic metrics and manage traffic]({{< baseurl >}}/rancher/v2.x/en/project-admin/service-mesh/).
|
||||
|
||||
## Disabling Service Mesh
|
||||
|
||||
To disable the service mesh:
|
||||
|
||||
1. From the **Global** view, navigate to the cluster that you want to disable the service mesh for.
|
||||
|
||||
1. Select **Tools > Service Mesh** in the navigation bar.
|
||||
|
||||
1. Click **Disable Istio**, then click the red button again to confirm the disable action.
|
||||
|
||||
**Result:** The `cluster-istio` application in the cluster's `system` project gets removed.
|
||||
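Review bot: Removing this page retires the `service-mesh` paths its links use (`.../cluster-admin/tools/service-mesh/istio/` and `.../project-admin/service-mesh/`), and the replacement Istio pages added in this commit carry only `title` and `weight` in their front matter. If the old URLs were ever published, add an `aliases` entry to the new pages so existing links and bookmarks do not break.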
@@ -0,0 +1,55 @@
|
||||
---
|
||||
title: How to Use Istio in Your Project
|
||||
weight: 3528
|
||||
---
|
||||
|
||||
_Available as of v2.3.0-alpha4_
|
||||
|
||||
Using Rancher, you can connect, secure, control, and observe services through integration with [Istio](https://istio.io/), a leading open-source service mesh solution. Istio provides behavioral insights and operational control over the service mesh as a whole, offering a complete solution to satisfy the diverse requirements of microservice applications.
|
||||
|
||||
Istio requires each pod in the service mesh to run an Istio compatible sidecar. This section describes how to set up Istio sidecar auto injection in the Rancher UI. For more information on the Istio sidecar, refer to the [Istio docs](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/).
|
||||
|
||||
>**Prerequisites:**
|
||||
>
|
||||
>- [Istio]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/istio/) must be enabled in the cluster.
|
||||
>- To be a part of an Istio service mesh, pods and services in a Kubernetes cluster must satisfy the [Istio Pods and Services Requirements](https://istio.io/docs/setup/kubernetes/prepare/requirements/).
|
||||
|
||||
## Istio Sidecar Auto Injection
|
||||
|
||||
If an Istio sidecar is not injected into a pod, Istio will not work for that pod. If you enable Istio sidecar auto injection for a namespace, all pods created in the namespace will have an injected Istio sidecar.
|
||||
|
||||
In the create and edit namespace page, you can enable or disable [Istio sidecar auto injection](https://istio.io/blog/2019/data-plane-setup/#automatic-injection). When you enable it, Rancher will add `istio-injection=enabled` label to the namespace automatically.
|
||||
|
||||
Injection occurs at pod creation time. If the pod has been created before you enable auto injection, you need to kill the running pod and verify that a new pod is created with the injected sidecar.
|
||||
|
||||
For information on how to inject the Istio sidecar manually, refer to the [Istio docs](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/).
|
||||
|
||||
## View Traffic Graph
|
||||
|
||||
Rancher integrates a Kiali graph into the Rancher UI. The Kiali graph provides a powerful way to visualize the topology of your Istio service mesh. It shows you which services communicate with each other.
|
||||
|
||||
To see the traffic graph for a particular namespace:
|
||||
|
||||
1. From the **Global** view, navigate to the project that you want to view traffic graph for.
|
||||
|
||||
1. Select **Istio** in the navigation bar.
|
||||
|
||||
1. Select **Traffic Graph** in the navigation bar.
|
||||
|
||||
1. Select the namespace. Note: It only shows the namespaces which have the `istio-injection=enabled` label.
|
||||
|
||||
## View Traffic Metrics
|
||||
|
||||
Istio’s monitoring features provide visibility into the performance of all your services. To see the Success Rate, Request Volume, 4xx Response Count, Project 5xx Response Count and Request Duration metrics:
|
||||
|
||||
1. From the **Global** view, navigate to the project that you want to view traffic metrics for.
|
||||
|
||||
1. Select **Istio** in the navigation bar.
|
||||
|
||||
1. Select **Traffic Metrics** in the navigation bar.
|
||||
|
||||
|
||||
## Other Istio Features
|
||||
|
||||
There are many other [Istio Features](https://istio.io/docs/concepts/what-is-istio/#core-features)
|
||||
that you can now use in your cluster.
|
||||
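Review bot: The "Istio Sidecar Auto Injection" section tells the reader to kill pods created before injection was enabled and "verify that a new pod is created with the injected sidecar", but gives no way to do that verification. Add the check the reader should perform, and prefer "delete" or "redeploy" over "kill". The opening paragraph is a verbatim copy of the intro on the cluster-level Istio page added in this commit, so a one-line link back would be enough. In "View Traffic Metrics", check "Project 5xx Response Count": "Project" looks like a stray word next to "4xx Response Count".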
@@ -1,51 +0,0 @@
|
||||
---
|
||||
title: Service Mesh
|
||||
weight: 3528
|
||||
---
|
||||
|
||||
_Available as of v2.3.0-alpha_
|
||||
|
||||
Using Rancher, you can connect, secure, control, and observe services through integration with [Istio](https://istio.io/), a leading open-source service mesh solution. Istio provides behavioral insights and operational control over the service mesh as a whole, offering a complete solution to satisfy the diverse requirements of microservice applications.
|
||||
|
||||
>**Prerequisites:**
|
||||
>
|
||||
>- [Service Mesh]({{< baseurl >}}/rancher/v2.x/en/cluster-admin/tools/service-mesh/) must be enabled in the cluster.
|
||||
>- To be a part of an Istio service mesh, pods and services in a Kubernetes cluster must satisfy the [Istio Pods and Services Requirements](https://istio.io/docs/setup/kubernetes/prepare/requirements/)
|
||||
|
||||
## Istio sidecar auto injection
|
||||
|
||||
In the create and edit namespace page, you can enable or disable [Istio sidecar auto injection](https://istio.io/blog/2019/data-plane-setup/#automatic-injection). When you enable it, Rancher will add `istio-injection=enabled` label to the namespace automatically.
|
||||
|
||||
> **Note:** Injection occurs at pod creation time. If the pod has been created before you enable auto injection. You need to kill the running pod and verify a new pod is created with the injected sidecar.
|
||||
|
||||
## View Traffic Graph
|
||||
|
||||
Rancher integrates Kiali Graph into the Rancher UI. The Kiali graph provides a powerful way to visualize the topology of your service mesh. It shows you which services communicate with each other.
|
||||
|
||||
To see the traffic graph for a particular namespace:
|
||||
|
||||
1. From the **Global** view, navigate to the project that you want to view traffic graph for.
|
||||
|
||||
1. Select **Service Mesh** in the navigation bar.
|
||||
|
||||
1. Select **Traffic Graph** in the navigation bar.
|
||||
|
||||
1. Select the namespace. Note: It only shows the namespaces which has `istio-injection=enabled` label.
|
||||
|
||||
## View Traffic Metrics
|
||||
|
||||
Istio’s monitoring features provide visibility into the performance of all your services.
|
||||
|
||||
To see the Success Rate, Request Volume, 4xx Request Count, Project 5xx Request Count and Request Duration metrics:
|
||||
|
||||
1. From the **Global** view, navigate to the project that you want to view traffic metrics for.
|
||||
|
||||
1. Select **Service Mesh** in the navigation bar.
|
||||
|
||||
1. Select **Traffic Metrics** in the navigation bar.
|
||||
|
||||
|
||||
## Other Istio Features
|
||||
|
||||
There are many other [Istio Features](https://istio.io/docs/concepts/what-is-istio/#core-features)
|
||||
that you can now use in your cluster.
|
||||