Istio in Kubernetes (Part 2): Deployment

Deploying Istio on Kubernetes [demo]

See the official documentation (https://istio.io/latest/zh/docs/setup/install/). This demo deploys version 1.7.4, installing on a Mac (or Linux).

Base environment

  • cloud(ali)
  • kubernetes(1.16.9)
  • istio(1.7.4)

Installation and configuration

# mkdir istio
# cd istio
# wget  https://github.com/istio/istio/releases/download/1.7.4/istio-1.7.4-osx.tar.gz
# ll
total 94336
-rw-r--r--  1 root  wheel    45M Nov  9 09:54 istio-1.7.4-osx.tar.gz
# tar xf istio-1.7.4-osx.tar.gz 
# cd istio-1.7.4
#  ls
LICENSE       README.md     bin           manifest.yaml manifests     samples       tools
# ls bin 
istioctl
# export PATH=$PATH:$PWD/bin
# echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/go/bin:/var/root/gitlab/istio/istio/istio-1.7.4/bin
# istioctl version 
no running Istio pods in "istio-system"
1.7.4

Deploying the Istio components

Directory layout

# ll
total 48
-rw-r--r--   1 root  wheel    11K Oct 24 07:12 LICENSE
-rw-r--r--   1 root  wheel   5.6K Oct 24 07:12 README.md
drwxr-x---   3 root  wheel    96B Oct 24 07:12 bin
-rw-r-----   1 root  wheel   815B Oct 24 07:12 manifest.yaml
drwxr-xr-x   6 root  wheel   192B Oct 24 07:12 manifests
drwxr-xr-x  21 root  wheel   672B Oct 24 07:12 samples
drwxr-x---   7 root  wheel   224B Oct 24 07:12 tools

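You can see 4 directories (bin, manifests, samples, tools) and 3 files (LICENSE, README.md, manifest.yaml).

bin holds the istioctl executable; manifests holds the main Istio deployment components; manifest.yaml describes the configuration and dependencies of the components under manifests for the current Istio version (1.7.4); samples is a set of Istio sample applications used for deployment tests and functional verification; tools contains some utility scripts.

Opening README.md shows that it covers three main points: an introduction to Istio's features, the project's git repositories, and the issue management policy. It does not directly give installation or usage instructions.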

In this README:
- [Introduction](#introduction)
- [Repositories](#repositories)
- [Issue management](#issue-management)

Using istioctl

# istioctl -h
Istio configuration command line utility for service operators to
debug and diagnose their Istio mesh.

Usage:
istioctl [command]

Available Commands:
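analyze          Analyze Istio configuration and print validation messages
authz            (authz is experimental. Use `istioctl experimental authz`)
convert-ingress  Convert Ingress configuration into Istio VirtualService configuration
dashboard        Access to Istio web UIs
deregister       De-registers a service instance
experimental     Experimental commands that may be modified or deprecated
help             Help about any command
install          Applies an Istio manifest, installing or reconfiguring Istio on a cluster
kube-inject      Inject Envoy sidecar into Kubernetes pod resources
manifest         Commands related to Istio manifests
operator         Commands related to Istio operator controller
profile          Commands related to Istio configuration profiles
proxy-config     Retrieve information about proxy configuration from Envoy [kube only]
proxy-status     Retrieves the synchronization status of each Envoy in the mesh [kube only]
register         Registers a service instance (e.g. VM) joining the mesh
upgrade          Upgrade Istio control plane in-place
validate         Validate Istio policy and rules files
verify-install   Verifies Istio installation status
version          Prints out build version information

Flags:
    --context string          The name of the kubeconfig context to use
-h, --help                    help for istioctl
-i, --istioNamespace string   Istio system namespace (default "istio-system")
-c, --kubeconfig string       Kubernetes configuration file
-n, --namespace string        Config namespace

Additional help topics:
istioctl options         Displays istioctl global options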

Use "istioctl [command] --help" for more information about a command.

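From the istioctl help you can see that istioctl has many subcommands. After trying them out, three of them are mainly related to deployment (install, manifest, operator):

install          Applies an Istio manifest, installing or reconfiguring Istio on a cluster
manifest         Commands related to Istio manifests
operator         Commands related to Istio operator controller

istio profile

Components marked with X in the table below are the ones included in the profile: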

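Pod before 1.5                              Role                                       Pod after 1.5   Notes
egressgateway                               Outbound gateway                                           Retained
ingressgateway                              Inbound gateway                                            Retained
citadel                                     Certificate management and distribution   istiod          Retained after merging
galley                                      Configuration management center           istiod          Retained after merging
pilot                                       Traffic management center                 istiod          Retained after merging
sidecar-injector                            Automatic sidecar proxy injection         istiod          Retained after merging
policy                                      Mixer policy management                   X               Becomes a proxy extension
telemetry                                   Mixer telemetry management                X               Becomes a proxy extension
kiali, prometheus, grafana, tracing(jaeger) Visualization                                              Retained

Table: Istio functions and components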

https://istio.io/latest/zh/docs/setup/install/istioctl/#customizing-the-configuration

Deploying with istioctl install

istioctl install performs the default deployment: it deploys the components configured in manifests/profiles/default.yaml, as shown below:

#  ll
total 72
-rw-r--r--  1 root  wheel    15K Oct 24 07:12 default.yaml
-rw-r--r--  1 root  wheel   1.8K Oct 24 07:12 demo.yaml
-rw-r--r--  1 root  wheel   320B Oct 24 07:12 empty.yaml
-rw-r--r--  1 root  wheel   219B Oct 24 07:12 minimal.yaml
-rw-r--r--  1 root  wheel   405B Oct 24 07:12 preview.yaml
-rw-r--r--  1 root  wheel   119B Oct 24 07:12 remote.yaml

# istioctl profile list
Istio configuration profiles:
    default
    demo
    empty
    minimal
    preview
    remote

# istioctl install
This will install the default Istio profile into the cluster. Proceed? (y/N) y
Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
✔ Istio core installed                                                                                                                                                                                      
✔ Istiod installed                                                                                                                                                                                          
✔ Addons installed                                                                                                                                                                                          
✔ Ingress gateways installed
✔ Installation complete

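You can of course also use the -d flag to deploy from a specified directory. Here --set is used to select one of the profiles under the manifests/profiles directory, taking demo as the example: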

# ls manifests/profiles/
default.yaml  demo.yaml  empty.yaml  minimal.yaml  preview.yaml  remote.yaml
# istioctl install --set profile=demo
Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
✔ Istio core installed                                                                                                                                                                                      
✔ Istiod installed                                                                                                                                                                                          
✔ Egress gateways installed                                                                                                                                                                                 
✔ Ingress gateways installed                                                                                                                                                                                
✔ Installation complete
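
Deploying with istioctl manifest

The usage help for istioctl manifest is shown below. Installation is carried out through its install subcommand, whose arguments and effect are the same as running istioctl install directly.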

# istioctl manifest
The manifest subcommand generates, applies, diffs or migrates Istio manifests.

Usage:
  istioctl manifest [command]

Available Commands:
  diff        Compare manifests and generate diff
  generate    Generates an Istio install manifest
  install     Applies an Istio manifest, installing or reconfiguring Istio on a cluster.

Flags:
      --dry-run   Console/log output only, make no changes.
  -h, --help      help for manifest

Global Flags:
      --context string      The name of the kubeconfig context to use
  -c, --kubeconfig string   Kubernetes configuration file

Use "istioctl manifest [command] --help" for more information about a command.

The output of istioctl manifest install --help is as follows:

# istioctl manifest install --help
The install generates an Istio install manifest and applies it to a cluster.

Usage:
  istioctl manifest install [flags]

Examples:
  # Apply a default Istio installation
  istioctl install

  # Enable grafana dashboard
  istioctl install --set values.grafana.enabled=true

  # Generate the demo profile and don't wait for confirmation
  istioctl install --set profile=demo --skip-confirmation

  # To override a setting that includes dots, escape them with a backslash (\).  Your shell may require enclosing quotes.
  istioctl install --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"


Flags:
      --charts string                Deprecated, use --manifests instead.
  -f, --filename strings             Path to file containing IstioOperator custom resource
                                     This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order.
      --force                        Proceed even with validation errors.
  -h, --help                         help for install
  -d, --manifests string             Specify a path to a directory of charts and profiles
                                     (e.g. ~/Downloads/istio-1.7.0/manifests)
                                     or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.7.0/istio-1.7.0-linux-amd64.tar.gz).
                                     
      --readiness-timeout duration   Maximum time to wait for Istio resources in each component to be ready. (default 5m0s)
  -r, --revision string              Target control plane revision for the command.
  -s, --set stringArray              Override an IstioOperator value, e.g. to choose a profile
                                     (--set profile=demo), enable or disable components (--set components.policy.enabled=true), or override Istio
                                     settings (--set values.grafana.enabled=true). See documentation for more info:
                                     https://istio.io/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
  -y, --skip-confirmation            skipConfirmation determines whether the user is prompted for confirmation.
                                     If set to true, the user is not prompted and a Yes response is assumed in all cases.

Global Flags:
      --context string      The name of the kubeconfig context to use
      --dry-run             Console/log output only, make no changes.
  -c, --kubeconfig string   Kubernetes configuration file

The actual result of running it is as follows:

# istioctl manifest install --set profile=demo
Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
✔ Istio core installed                                                                                                                                                                                      
✔ Istiod installed                                                                                                                                                                                          
✔ Egress gateways installed                                                                                                                                                                                 
✔ Ingress gateways installed                                                                                                                                                                                
✔ Installation complete

istioctl operator

Installing with istioctl operator is relatively simple: it mainly installs the Istio operator, through the init subcommand. The result is as follows:

# istioctl operator init
Operator controller is already installed in istio-operator namespace, updating.
Using operator Deployment image: docker.io/istio/operator:1.6.0
✔ Istio operator installed                                                                                                                                                                                  
✔ Installation complete

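Because the Istio operator had already been installed through istioctl manifest apply, the output reports it as installed.

Verifying the installation

istioctl verify-install (verification method 1)

First, use the istioctl manifest generate command to generate the manifest file that the installation is verified against. The usage of istioctl manifest generate is as follows: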

# istioctl manifest generate --help
The generate subcommand generates an Istio install manifest and outputs to the console by default.

Usage:
  istioctl manifest generate [flags]

Examples:
  # Generate a default Istio installation
  istioctl manifest generate

  # Enable grafana dashboard
  istioctl manifest generate --set values.grafana.enabled=true

  # Generate the demo profile
  istioctl manifest generate --set profile=demo

  # To override a setting that includes dots, escape them with a backslash (\).  Your shell may require enclosing quotes.
  istioctl manifest generate --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"


Flags:
      --charts string      Deprecated, use --manifests instead.
  -f, --filename strings   Path to file containing IstioOperator custom resource
                           This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order.
      --force              Proceed even with validation errors.
  -h, --help               help for generate
  -d, --manifests string   Specify a path to a directory of charts and profiles
                           (e.g. ~/Downloads/istio-1.7.0/manifests)
                           or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.7.0/istio-1.7.0-linux-amd64.tar.gz).
                           
  -o, --output string      Manifest output directory path.
  -r, --revision string    Target control plane revision for the command.
  -s, --set stringArray    Override an IstioOperator value, e.g. to choose a profile
                           (--set profile=demo), enable or disable components (--set components.policy.enabled=true), or override Istio
                           settings (--set values.grafana.enabled=true). See documentation for more info:
                           https://istio.io/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec

Global Flags:
      --context string      The name of the kubeconfig context to use
      --dry-run             Console/log output only, make no changes.
  -c, --kubeconfig string   Kubernetes configuration file

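Use istioctl manifest generate to produce the verification manifest for a deployment using the demo profile, and save it to test-demo.yaml in the current directory:

# istioctl manifest generate --set profile=demo > test-demo.yaml

Then verify with istioctl verify-install. The verification reports a successful installation; details below: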

# istioctl verify-install -f test-demo.yaml 
CustomResourceDefinition: adapters.config.istio.io.default checked successfully
CustomResourceDefinition: attributemanifests.config.istio.io.default checked successfully
CustomResourceDefinition: authorizationpolicies.security.istio.io.default checked successfully
CustomResourceDefinition: destinationrules.networking.istio.io.default checked successfully
CustomResourceDefinition: envoyfilters.networking.istio.io.default checked successfully
CustomResourceDefinition: gateways.networking.istio.io.default checked successfully
CustomResourceDefinition: handlers.config.istio.io.default checked successfully
CustomResourceDefinition: httpapispecbindings.config.istio.io.default checked successfully
CustomResourceDefinition: httpapispecs.config.istio.io.default checked successfully
CustomResourceDefinition: instances.config.istio.io.default checked successfully
CustomResourceDefinition: istiooperators.install.istio.io.default checked successfully
CustomResourceDefinition: peerauthentications.security.istio.io.default checked successfully
CustomResourceDefinition: quotaspecbindings.config.istio.io.default checked successfully
CustomResourceDefinition: quotaspecs.config.istio.io.default checked successfully
CustomResourceDefinition: requestauthentications.security.istio.io.default checked successfully
CustomResourceDefinition: rules.config.istio.io.default checked successfully
CustomResourceDefinition: serviceentries.networking.istio.io.default checked successfully
CustomResourceDefinition: sidecars.networking.istio.io.default checked successfully
CustomResourceDefinition: templates.config.istio.io.default checked successfully
CustomResourceDefinition: virtualservices.networking.istio.io.default checked successfully
CustomResourceDefinition: workloadentries.networking.istio.io.default checked successfully
ServiceAccount: istio-egressgateway-service-account.istio-system checked successfully
ServiceAccount: istio-ingressgateway-service-account.istio-system checked successfully
ServiceAccount: istio-reader-service-account.istio-system checked successfully
ServiceAccount: istiod-service-account.istio-system checked successfully
ClusterRole: istio-reader-istio-system.default checked successfully
ClusterRole: istiod-istio-system.default checked successfully
ClusterRoleBinding: istio-reader-istio-system.default checked successfully
ClusterRoleBinding: istiod-pilot-istio-system.default checked successfully
ValidatingWebhookConfiguration: istiod-istio-system.default checked successfully
EnvoyFilter: metadata-exchange-1.6.istio-system checked successfully
EnvoyFilter: metadata-exchange-1.7.istio-system checked successfully
EnvoyFilter: stats-filter-1.6.istio-system checked successfully
EnvoyFilter: stats-filter-1.7.istio-system checked successfully
EnvoyFilter: tcp-metadata-exchange-1.6.istio-system checked successfully
EnvoyFilter: tcp-metadata-exchange-1.7.istio-system checked successfully
EnvoyFilter: tcp-stats-filter-1.6.istio-system checked successfully
EnvoyFilter: tcp-stats-filter-1.7.istio-system checked successfully
ConfigMap: istio.istio-system checked successfully
ConfigMap: istio-sidecar-injector.istio-system checked successfully
MutatingWebhookConfiguration: istio-sidecar-injector.default checked successfully
Deployment: istio-egressgateway.istio-system checked successfully
Deployment: istio-ingressgateway.istio-system checked successfully
Deployment: istiod.istio-system checked successfully
PodDisruptionBudget: istio-egressgateway.istio-system checked successfully
PodDisruptionBudget: istio-ingressgateway.istio-system checked successfully
PodDisruptionBudget: istiod.istio-system checked successfully
Role: istio-egressgateway-sds.istio-system checked successfully
Role: istio-ingressgateway-sds.istio-system checked successfully
Role: istiod-istio-system.istio-system checked successfully
RoleBinding: istio-egressgateway-sds.istio-system checked successfully
RoleBinding: istio-ingressgateway-sds.istio-system checked successfully
RoleBinding: istiod-istio-system.istio-system checked successfully
Service: istio-egressgateway.istio-system checked successfully
Service: istio-ingressgateway.istio-system checked successfully
Service: istiod.istio-system checked successfully
Checked 21 custom resource definitions
Checked 2 Istio Deployments
Istio is installed successfully

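Checking resource status (verification method 2)

Checking the Istio CRDs

Check whether the Istio-related CRDs were created correctly. The command shows that there are many Istio-related CRDs, 21 in total with the demo profile. Details: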

# kubectl get crd|grep istio
adapters.config.istio.io                              2020-11-09T11:03:47Z
attributemanifests.config.istio.io                    2020-11-09T11:03:47Z
authorizationpolicies.security.istio.io               2020-11-09T11:03:47Z
destinationrules.networking.istio.io                  2020-11-09T11:03:47Z
envoyfilters.networking.istio.io                      2020-11-09T11:03:47Z
gateways.networking.istio.io                          2020-11-09T11:03:47Z
handlers.config.istio.io                              2020-11-09T11:03:47Z
httpapispecbindings.config.istio.io                   2020-11-09T11:03:47Z
httpapispecs.config.istio.io                          2020-11-09T11:03:47Z
instances.config.istio.io                             2020-11-09T11:03:47Z
istiooperators.install.istio.io                       2020-11-09T11:03:47Z
peerauthentications.security.istio.io                 2020-11-09T11:03:47Z
quotaspecbindings.config.istio.io                     2020-11-09T11:03:47Z
quotaspecs.config.istio.io                            2020-11-09T11:03:47Z
requestauthentications.security.istio.io              2020-11-09T11:03:47Z
rules.config.istio.io                                 2020-11-09T11:03:47Z
serviceentries.networking.istio.io                    2020-11-09T11:03:47Z
sidecars.networking.istio.io                          2020-11-09T11:03:47Z
templates.config.istio.io                             2020-11-09T11:03:47Z
virtualservices.networking.istio.io                   2020-11-09T11:03:47Z
workloadentries.networking.istio.io                   2020-11-09T11:03:47Z
# kubectl get crd|grep istio|wc -l
21

Checking the operator status

Check whether the Istio operator is running normally. The Istio operator runs in a separate namespace (istio-operator), as shown below:

# kubectl get all -n istio-operator
NAME                                  READY   STATUS    RESTARTS   AGE
pod/istio-operator-76f79b96dd-hbfcx   1/1     Running   0          30m

NAME                     TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/istio-operator   ClusterIP   10.0.80.13   <none>        8383/TCP   30m

NAME                             READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/istio-operator   1/1     1            1           30m

NAME                                        DESIRED   CURRENT   READY   AGE
replicaset.apps/istio-operator-76f79b96dd   1         1         1       30m

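Both the pod and the service are healthy.

Checking the configuration maintained by the Istio operator

Run kubectl get IstioOperator -n istio-system -o yaml and look at the status section. It shows the state of each component maintained by istio-operator, all of which are HEALTHY: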

status:
    componentStatus:
      Base:
        status: HEALTHY
      EgressGateways:
        status: HEALTHY
      IngressGateways:
        status: HEALTHY
      Pilot:
        status: HEALTHY
    status: HEALTHY

Checking the status of all resources in the istio-system namespace

You can see 3 pods (istio-egressgateway, istio-ingressgateway, istiod i.e. pilot) and the 3 corresponding services, all healthy, as follows:

# kubectl get all -n istio-system
NAME                                        READY   STATUS    RESTARTS   AGE
pod/istio-egressgateway-695f5944d8-jjbmn    1/1     Running   0          20m
pod/istio-ingressgateway-5c697d4cd7-2qvlf   1/1     Running   0          20m
pod/istiod-77544cd464-mkhhz                 1/1     Running   0          9m

NAME                           TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                                      AGE
service/istio-egressgateway    ClusterIP      10.0.80.2     <none>        80/TCP,443/TCP,15443/TCP                                                     20m
service/istio-ingressgateway   LoadBalancer   4x.xxx.xxx.xx   <pending>     15021:31437/TCP,80:31135/TCP,443:31445/TCP,31400:30539/TCP,15443:31470/TCP   20m
service/istiod                 ClusterIP      10.0.80.201   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP,853/TCP                                9m

NAME                                   READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/istio-egressgateway    1/1     1            1           20m
deployment.apps/istio-ingressgateway   1/1     1            1           20m
deployment.apps/istiod                 1/1     1            1           9m

These are the deployments (istio-egressgateway, istio-ingressgateway, istiod i.e. pilot) created from the components specified in .../manifests/profiles/demo.yaml. An excerpt of that file:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    accessLogFile: /dev/stdout
  components:
    egressGateways:
    - name: istio-egressgateway
      enabled: true
      k8s:
        resources:
          requests:
            cpu: 10m
            memory: 40Mi

    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        resources:
          requests:
            cpu: 10m
            memory: 40Mi
        service:
          ports:
            ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
            # Note that AWS ELB will by default perform health checks on the first port
            # on this list. Setting this to the health check port will ensure that health
            # checks always work. https://github.com/istio/istio/issues/12503
            - port: 15021
              targetPort: 15021
              name: status-port
            - port: 80
              targetPort: 8080
              name: http2
            - port: 443
              targetPort: 8443
              name: https
            - port: 31400
              targetPort: 31400
              name: tcp
              # This is the port where sni routing happens
            - port: 15443
              targetPort: 15443
              name: tls

    pilot:
      k8s:
        env:
          - name: PILOT_TRACE_SAMPLING
            value: "100"
        resources:
          requests:
            cpu: 10m
            memory: 100Mi

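For a default install, .../manifests/profiles/default.yaml is used, and its components section specifies more deployments to deploy (istio-egressgateway, istiod i.e. pilot). You can of course also adjust the settings of /manifests/profiles/default.yaml with istioctl install --set components.telemetry.enabled=true, and then install telemetry through istioctl install.

Uninstalling:

Generate the corresponding install manifest with istioctl manifest generate and then delete it. Command: istioctl manifest generate | kubectl delete -f -

A detailed demo follows: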

# istioctl manifest generate --set profile=demo |kubectl delete -f -
customresourcedefinition.apiextensions.k8s.io "adapters.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "attributemanifests.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "authorizationpolicies.security.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "destinationrules.networking.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "envoyfilters.networking.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "gateways.networking.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "handlers.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "httpapispecbindings.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "httpapispecs.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "instances.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "istiooperators.install.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "peerauthentications.security.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "quotaspecbindings.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "quotaspecs.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "requestauthentications.security.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "rules.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "serviceentries.networking.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "sidecars.networking.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "templates.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "virtualservices.networking.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "workloadentries.networking.istio.io" deleted
serviceaccount "istio-egressgateway-service-account" deleted
serviceaccount "istio-ingressgateway-service-account" deleted
serviceaccount "istio-reader-service-account" deleted
serviceaccount "istiod-service-account" deleted
clusterrole.rbac.authorization.k8s.io "istio-reader-istio-system" deleted
clusterrole.rbac.authorization.k8s.io "istiod-istio-system" deleted
clusterrolebinding.rbac.authorization.k8s.io "istio-reader-istio-system" deleted
clusterrolebinding.rbac.authorization.k8s.io "istiod-pilot-istio-system" deleted
validatingwebhookconfiguration.admissionregistration.k8s.io "istiod-istio-system" deleted
configmap "istio" deleted
configmap "istio-sidecar-injector" deleted
mutatingwebhookconfiguration.admissionregistration.k8s.io "istio-sidecar-injector" deleted
deployment.apps "istio-egressgateway" deleted
deployment.apps "istio-ingressgateway" deleted
deployment.apps "istiod" deleted
poddisruptionbudget.policy "istio-egressgateway" deleted
poddisruptionbudget.policy "istio-ingressgateway" deleted
poddisruptionbudget.policy "istiod" deleted
role.rbac.authorization.k8s.io "istio-egressgateway-sds" deleted
role.rbac.authorization.k8s.io "istio-ingressgateway-sds" deleted
role.rbac.authorization.k8s.io "istiod-istio-system" deleted
rolebinding.rbac.authorization.k8s.io "istio-egressgateway-sds" deleted
rolebinding.rbac.authorization.k8s.io "istio-ingressgateway-sds" deleted
rolebinding.rbac.authorization.k8s.io "istiod-istio-system" deleted
service "istio-egressgateway" deleted
service "istio-ingressgateway" deleted
service "istiod" deleted

Once the resources have been cleaned up, delete the istio-system namespace:

# kubectl get all -n istio-system
No resources found in istio-system namespace.
# kubectl delete ns istio-system
namespace "istio-system" deleted
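
The uninstall above pipes the generated manifest straight into kubectl delete, and that manifest includes cluster-scoped objects: deleting a CustomResourceDefinition also deletes every custom resource of that type in every namespace. The script below is an added example, not part of the original post; it inventories a manifest such as test-demo.yaml by scope and kind before it is applied or deleted. The function names and the abbreviated sample manifest are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# manifest are constructed for illustration.

# manifest_inventory FILE
# Print one line per object in a multi-document manifest such as test-demo.yaml:
#   SCOPE KIND NAME NAMESPACE     (NAMESPACE is "-" when none is set)
manifest_inventory() {
  awk '
    function emit() {
      if (kind != "") {
        scope = (kind in cluster) ? "cluster" : "namespaced"
        print scope, kind, name, (ns == "" ? "-" : ns)
      }
      kind = ""; name = ""; ns = ""; in_meta = 0
    }
    BEGIN {
      # Kinds in the Istio install manifest that are not namespaced.
      n = split("CustomResourceDefinition ClusterRole ClusterRoleBinding ValidatingWebhookConfiguration MutatingWebhookConfiguration Namespace", k, " ")
      for (i = 1; i <= n; i++) cluster[k[i]] = 1
    }
    /^---/        { emit(); next }                  # document separator
    /^kind:/      { kind = $2; in_meta = 0; next }
    /^metadata:/  { in_meta = 1; next }
    /^[^ #]/      { in_meta = 0 }                   # any other top-level key
    # Only the two-space keys directly under metadata count; deeper "name:"
    # keys (labels, containers) are ignored.
    in_meta && /^  name:/      && name == "" { name = $2; gsub(/"/, "", name) }
    in_meta && /^  namespace:/ && ns == ""   { ns = $2; gsub(/"/, "", ns) }
    END { emit() }
  ' "$1"
}

# manifest_cluster_scoped FILE: only the objects that exist outside any namespace.
manifest_cluster_scoped() {
  manifest_inventory "$1" | awk '$1 == "cluster"'
}

# crd_guard FILE: return 1 and list the CRDs on stderr if the manifest has any,
# so a wrapper can demand explicit confirmation before "kubectl delete -f".
crd_guard() {
  crds=$(manifest_inventory "$1" | awk '$2 == "CustomResourceDefinition" { print $3 }')
  if [ -z "$crds" ]; then
    return 0
  fi
  echo "manifest contains CRDs; deleting them removes all objects of these types:" >&2
  echo "$crds" | sed 's/^/  /' >&2
  return 1
}

# write_sample_manifest FILE: constructed, heavily abbreviated stand-in for the
# output of "istioctl manifest generate --set profile=demo".
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: virtualservices.networking.istio.io
spec:
  group: networking.istio.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istiod-istio-system
  labels:
    app: istiod
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: istio-sidecar-injector
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: istiod
  name: istiod
  namespace: istio-system
spec:
  template:
    spec:
      containers:
      - name: discovery
---
apiVersion: v1
kind: Service
metadata:
  name: istiod
  namespace: istio-system
EOF
}

# Demo run on the constructed sample.
sample=$(mktemp)
write_sample_manifest "$sample"
manifest_inventory "$sample"
crd_guard "$sample" || echo "review the CRDs listed above before deleting"
rm -f "$sample"
```

Against a real cluster, run manifest_inventory on the saved test-demo.yaml and back up any VirtualService, DestinationRule or other custom resources you still need before the CRDs are deleted.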

API Gateway VS Service Mesh

istio/kong和istio交互.md

How to choose an ingress gateway for a service mesh

istio/如何爲服務網格選擇入口網關.md

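Installing Istio [custom components]

# istioctl profile --help  # Commands related to Istio configuration profiles
...
  Available Commands:
    diff        Diffs two Istio configuration profiles
    dump        Dumps an Istio configuration profile
    list        Lists available Istio configuration profiles
...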

Viewing the built-in demo profile

# istioctl profile dump demo
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  addonComponents:
    istiocoredns:
      enabled: false
  components:
    base:
      enabled: true
    cni:
      enabled: false
...
  • Notes:
  • addonComponents: the third-party components to install. Here it shows that istiocoredns is not installed by default, while grafana, kiali, prometheus and tracing are installed by default.
  • components: Istio's internal components. Here it shows that cni is not installed by default.
  • istioctl manifest apply --set profile=demo --set addonComponents.istiocoredns.enabled=true --set components.citadel.enabled=true --set components.cni.enabled=true

# istioctl manifest --help
...
Available Commands:
  diff        Compare manifests and generate diff
  generate    Generates an Istio install manifest
  install     Applies an Istio manifest, installing or reconfiguring Istio on a cluster
...

Generating the Kubernetes manifest YAML files

# istioctl manifest generate --help
The generate subcommand generates an Istio install manifest and outputs to the console by default.

Usage:
  istioctl manifest generate [flags]

Examples:
  # Generate a default Istio installation
  istioctl manifest generate

  # Enable tracing
  istioctl install --set meshConfig.enableTracing=true

  # Generate the demo profile
  istioctl manifest generate --set profile=demo

  # To override a setting that includes dots, escape them with a backslash (\).  Your shell may require enclosing quotes.
  istioctl manifest generate --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"
...

Output to the generate-manifest-istio-yaml directory

# mkdir generate-manifest-istio-yaml 
# istioctl manifest generate -o generate-manifest-istio-yaml

The manifest can also be written to a single file

# istioctl manifest generate > generate-manifest-istio.yaml

# istioctl manifest install -f addonComponents.yaml
# kubectl get deployment -n istio-system
# istioctl manifest install -f addonComponents.yaml
# kubectl get all -n istio-system                 
NAME                                 READY   STATUS    RESTARTS   AGE
pod/grafana-8fdf895f6-tt2x7          1/1     Running   0          16h
pod/istio-tracing-85fddf979f-fj76v   1/1     Running   0          16h
pod/istiod-6869899d55-lrw9q          1/1     Running   0          16h
pod/kiali-777987866-xrz78            1/1     Running   0          16h
pod/prometheus-5dc7ccbd8c-58nxf      1/1     Running   0          16h

NAME                                TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                                         AGE
service/grafana                     ClusterIP   10.0.145.54    <none>        3000/TCP                                        16h
service/istiod                      ClusterIP   10.0.228.155   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP,853/TCP   18h
service/jaeger-agent                ClusterIP   None           <none>        5775/UDP,6831/UDP,6832/UDP                      16h
service/jaeger-collector            ClusterIP   10.0.125.5     <none>        14267/TCP,14268/TCP,14250/TCP                   16h
service/jaeger-collector-headless   ClusterIP   None           <none>        14250/TCP                                       16h
service/jaeger-query                ClusterIP   10.0.133.43    <none>        16686/TCP                                       16h
service/kiali                       ClusterIP   10.0.194.167   <none>        20001/TCP                                       16h
service/prometheus                  ClusterIP   10.0.124.3     <none>        9090/TCP                                        16h
service/tracing                     ClusterIP   10.0.245.10    <none>        80/TCP                                          16h
service/zipkin                      ClusterIP   10.0.45.150    <none>        9411/TCP                                        16h

NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/grafana         1/1     1            1           16h
deployment.apps/istio-tracing   1/1     1            1           16h
deployment.apps/istiod          1/1     1            1           18h
deployment.apps/kiali           1/1     1            1           16h
deployment.apps/prometheus      1/1     1            1           16h

NAME                                       DESIRED   CURRENT   READY   AGE
replicaset.apps/grafana-8fdf895f6          1         1         1       16h
replicaset.apps/istio-tracing-85fddf979f   1         1         1       16h
replicaset.apps/istiod-6869899d55          1         1         1       18h
replicaset.apps/kiali-777987866            1         1         1       16h
replicaset.apps/prometheus-5dc7ccbd8c      1         1         1       16h

NAME                                         REFERENCE           TARGETS   MINPODS   MAXPODS   REPLICAS   AGE
horizontalpodautoscaler.autoscaling/istiod   Deployment/istiod   5%/80%    1         5         1          16h