From ede3999127f4c53c096653d02bcaf2689cc2ec71 Mon Sep 17 00:00:00 2001 From: waiting <1661926154@qq.com> Date: Tue, 23 Apr 2019 18:29:27 +0800 Subject: [PATCH] =?UTF-8?q?docs(istio):=20=E6=9B=B4=E6=96=B0=E5=AE=89?= =?UTF-8?q?=E8=A3=85=E6=96=87=E6=A1=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/guide/istio.md | 183 +++++++++++++++++++++++++++++--------------- 1 file changed, 121 insertions(+), 62 deletions(-) diff --git a/docs/guide/istio.md b/docs/guide/istio.md index f97c8f0..8cbf7eb 100644 --- a/docs/guide/istio.md +++ b/docs/guide/istio.md @@ -1,7 +1,6 @@ --- -title: "Istio 1.0.3 安装 " -date: 2018-11-12T13:44:34+08:00 -draft: false +title: "Istio 1.1.3 安装 " +date: 2019-04-16T20:26:00+08:00 --- #### Service Mesh(服务网格) @@ -24,20 +23,20 @@ Istio 是完全开源的服务网格,提供了一套完整的解决方案,可 ---- -进入 [Istio release](https://github.com/istio/istio/releases) 页面下载最新版安装包(1.0.3)并解压到当前目录, +进入 [Istio release](https://github.com/istio/istio/releases) 页面下载最新版安装包并解压到当前目录, ``` curl -L https://git.io/getLatestIstio | sh - -ll istio-1.0.3/ +ll istio-1.1.3/ total 28 -drwxr-xr-x 2 root root 22 10月 26 07:36 bin -drwxr-xr-x 6 root root 79 10月 26 07:36 install --rw-r--r-- 1 root root 648 10月 26 07:36 istio.VERSION --rw-r--r-- 1 root root 11343 10月 26 07:36 LICENSE --rw-r--r-- 1 root root 5817 10月 26 07:36 README.md -drwxr-xr-x 12 root root 212 10月 26 07:36 samples -drwxr-xr-x 8 root root 4096 10月 26 07:36 tools +drwxr-xr-x 2 root root 22 Apr 13 06:36 bin +drwxr-xr-x 6 root root 79 Apr 13 06:36 install +-rw-r--r-- 1 root root 602 Apr 13 06:36 istio.VERSION +-rw-r--r-- 1 root root 11343 Apr 13 06:36 LICENSE +-rw-r--r-- 1 root root 5921 Apr 13 06:36 README.md +drwxr-xr-x 15 root root 241 Apr 13 06:36 samples +drwxr-xr-x 7 root root 4096 Apr 13 06:36 tools ``` - install Kubernetes 安装所需的 .yaml 文件 - samples Task中的示例应用 @@ -45,53 +44,119 @@ drwxr-xr-x 8 root root 4096 10月 26 07:36 tools - istio.VERSION 配置文件 #### 安装 +---- ---- - -##### 安装 istio 注意事项 -Istio 默认使用‘负载均衡器’服务对象类型。对于裸机安装没有负载均衡器的情况下,安装需指定‘NodePort’类型。 +- Node 节点内存不能低于 4G,否则相关容器可能启动失败 +- Istio 默认使用‘负载均衡器’服务对象类型。对于裸机安装没有负载均衡器的情况下,安装需指定‘NodePort’类型。 + +##### 方案1:使用 Helm template 进行安装 + +```bash +cd /usr/local/src/istio-1.1.3 + +kubectl create namespace istio-system + +# 安装 istio-init chart,来启动 Istio CRD 的安装过程 +helm template install/kubernetes/helm/istio-init --name istio-init --namespace istio-system --set gateways.istio-ingressgateway.type=NodePort --set gateways.istio-egressgateway.type=NodePort | kubectl apply -f - + +# 稍等一会儿执行 +# 输出 53 或者 58 (若开启了 cert-manager) +kubectl get crds | grep 'istio.io\|certmanager.k8s.io' | wc -l + +# 部署与你选择的配置文件相对应的 Istio 的核心组件 +# 不同配置说明 https://istio.io/zh/docs/setup/kubernetes/additional-setup/config-profiles/ + +# 选择 default 配置 +helm template install/kubernetes/helm/istio --name istio --namespace istio-system \ + --set gateways.istio-ingressgateway.type=NodePort \ + --set gateways.istio-egressgateway.type=NodePort | kubectl apply -f - + +# 或者选择demo 配置 +helm template install/kubernetes/helm/istio --name istio --namespace istio-system \ + --set gateways.istio-ingressgateway.type=NodePort \ + --set gateways.istio-egressgateway.type=NodePort \ + --values install/kubernetes/helm/istio/values-istio-demo.yaml | kubectl apply -f - ``` -helm install --name istio install/kubernetes/helm/istio --namespace istio-system --set gateways.istio-ingressgateway.type=NodePort --set gateways.istio-egressgateway.type=NodePort -``` + +##### 方案2:在 Helm 和 Tiller 的环境中使用 helm install 命令进行安装 + +见[官方文档](https://istio.io/zh/docs/setup/kubernetes/install/helm/#%E6%96%B9%E6%A1%88-2-%E5%9C%A8-helm-%E5%92%8C-tiller-%E7%9A%84%E7%8E%AF%E5%A2%83%E4%B8%AD%E4%BD%BF%E7%94%A8-helm-install-%E5%91%BD%E4%BB%A4%E8%BF%9B%E8%A1%8C%E5%AE%89%E8%A3%85) + ##### 验证 -``` +```bash +# default 配置时 kubectl get pod -n istio-system NAME READY STATUS RESTARTS AGE -istio-citadel-6955bc9cb7-qh846 1/1 Running 0 3d22h -istio-egressgateway-7dc5cbbc56-k4cgh 1/1 Running 0 3d22h -istio-galley-545b6b8f5b-k7ssx 1/1 Running 0 3d22h -istio-ingressgateway-7958d776b5-ptdsc 1/1 Running 0 3d22h -istio-pilot-56bfdbffff-mtcn6 2/2 Running 0 3d22h -istio-policy-5c689f446f-6bzlq 2/2 Running 0 3d15h -istio-policy-5c689f446f-dvmfq 2/2 Running 0 3d22h -istio-policy-5c689f446f-f2kl8 2/2 Running 0 3d3h -istio-policy-5c689f446f-nfv2l 2/2 Running 0 3d1h -istio-policy-5c689f446f-qdtql 2/2 Running 0 3d2h -istio-sidecar-injector-99b476b7b-dt24k 1/1 Running 0 3d22h -istio-telemetry-55d68b5dfb-52ftl 2/2 Running 0 3d22h -istio-telemetry-55d68b5dfb-dvdvz 2/2 Running 0 3d22h -istio-telemetry-55d68b5dfb-ln2sr 2/2 Running 0 3d -istio-telemetry-55d68b5dfb-m2mb8 2/2 Running 0 3d -istio-telemetry-55d68b5dfb-sjgq8 2/2 Running 0 3d -prometheus-65d6f6b6c-dsv26 1/1 Running 0 3d22h +istio-citadel-899dfb67c-5hlsc 1/1 Running 0 49s +istio-cleanup-secrets-1.1.3-nkdxt 0/1 Completed 0 50s +istio-galley-555dd7c7d7-rpfln 1/1 Running 0 49s +istio-ingressgateway-5b547dfb7b-ctm5l 1/1 Running 0 49s +istio-init-crd-10-l9xcj 0/1 Completed 0 66s +istio-init-crd-11-nqvml 0/1 Completed 0 66s +istio-pilot-9f5c75ddf-n5s6p 2/2 Running 0 49s +istio-policy-bd45d757d-6qcdg 2/2 Running 1 49s +istio-security-post-install-1.1.3-nbwwv 0/1 Completed 0 50s +istio-sidecar-injector-998dd6cbb-n2hdm 1/1 Running 0 49s +istio-telemetry-656df5b64-k8vkf 2/2 Running 1 49s +prometheus-7f87866f5f-t97wc 1/1 Running 0 49s + +# demo 配置时 +grafana-749c78bcc5-fbzmn 1/1 Running 0 101s +istio-citadel-899dfb67c-8shx2 1/1 Running 0 100s +istio-cleanup-secrets-1.1.3-jbhsl 0/1 Completed 0 102s +istio-egressgateway-748d5fd794-x5bjt 1/1 Running 0 101s +istio-galley-555dd7c7d7-86r2b 1/1 Running 0 101s +istio-grafana-post-install-1.1.3-kq7b4 0/1 Completed 0 103s +istio-ingressgateway-55dd86767f-jd9m4 1/1 Running 0 101s +istio-init-crd-10-l9xcj 0/1 Completed 0 16m +istio-init-crd-11-nqvml 0/1 Completed 0 16m +istio-pilot-6964dd4957-7bzdq 2/2 Running 0 101s +istio-policy-689687bd77-ncw2n 2/2 Running 1 101s +istio-security-post-install-1.1.3-t2kwh 0/1 Completed 0 102s +istio-sidecar-injector-998dd6cbb-7mwkh 1/1 Running 0 100s +istio-telemetry-8564679887-59c8z 2/2 Running 1 101s +istio-tracing-595796cf54-jn49s 1/1 Running 0 100s +kiali-5df77dc9b6-psjs4 1/1 Running 0 101s +prometheus-7f87866f5f-hrbgt 1/1 Running 0 100s ``` -``` + +```bash kubectl get svc -n istio-system -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -istio-citadel ClusterIP 10.68.7.100 8060/TCP,9093/TCP 3d22h -istio-egressgateway NodePort 10.68.67.237 80:30060/TCP,443:38194/TCP 3d22h -istio-galley ClusterIP 10.68.12.54 443/TCP,9093/TCP 3d22h -istio-ingressgateway NodePort 10.68.87.79 80:31380/TCP,443:31390/TCP,31400:31400/TCP,15011:31812/TCP,8060:30957/TCP,853:23011/TCP,15030:22292/TCP,15031:23663/TCP 3d22h -istio-pilot ClusterIP 10.68.84.101 15010/TCP,15011/TCP,8080/TCP,9093/TCP 3d22h -istio-policy ClusterIP 10.68.94.206 9091/TCP,15004/TCP,9093/TCP 3d22h -istio-sidecar-injector ClusterIP 10.68.191.221 443/TCP 3d22h -istio-telemetry ClusterIP 10.68.199.8 9091/TCP,15004/TCP,9093/TCP,42422/TCP 3d22h -prometheus ClusterIP 10.68.91.13 9090/TCP + +# default 配置时 +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istio-citadel ClusterIP 10.68.236.249 8060/TCP,15014/TCP 75s +istio-galley ClusterIP 10.68.105.102 443/TCP,15014/TCP,9901/TCP 75s +istio-ingressgateway NodePort 10.68.181.46 15020:32761/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:33185/TCP,15030:20745/TCP,15031:36208/TCP,15032:34095/TCP,15443:36244/TCP 75s +istio-pilot ClusterIP 10.68.252.143 15010/TCP,15011/TCP,8080/TCP,15014/TCP 75s +istio-policy ClusterIP 10.68.40.51 9091/TCP,15004/TCP,15014/TCP 75s +istio-sidecar-injector ClusterIP 10.68.55.134 443/TCP 74s +istio-telemetry ClusterIP 10.68.16.11 9091/TCP,15004/TCP,15014/TCP,42422/TCP 75s +prometheus ClusterIP 10.68.65.238 9090/TCP 75s + +# demo 配置时 +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +grafana ClusterIP 10.68.65.248 3000/TCP 2m27s +istio-citadel ClusterIP 10.68.72.100 8060/TCP,15014/TCP 2m26s +istio-egressgateway NodePort 10.68.21.24 80:26775/TCP,443:28249/TCP,15443:38494/TCP 2m27s +istio-galley ClusterIP 10.68.73.9 443/TCP,15014/TCP,9901/TCP 2m27s +istio-ingressgateway NodePort 10.68.122.190 15020:39248/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:33522/TCP,15030:26010/TCP,15031:27064/TCP,15032:32158/TCP,15443:30848/TCP 2m27s +istio-pilot ClusterIP 10.68.116.5 15010/TCP,15011/TCP,8080/TCP,15014/TCP 2m26s +istio-policy ClusterIP 10.68.239.246 9091/TCP,15004/TCP,15014/TCP 2m27s +istio-sidecar-injector ClusterIP 10.68.93.151 443/TCP 2m26s +istio-telemetry ClusterIP 10.68.117.254 9091/TCP,15004/TCP,15014/TCP,42422/TCP 2m26s +jaeger-agent ClusterIP None 5775/UDP,6831/UDP,6832/UDP 2m25s +jaeger-collector ClusterIP 10.68.103.8 14267/TCP,14268/TCP 2m26s +jaeger-query ClusterIP 10.68.73.252 16686/TCP 2m26s +kiali ClusterIP 10.68.214.228 20001/TCP 2m27s +prometheus ClusterIP 10.68.203.209 9090/TCP 2m26s +tracing ClusterIP 10.68.113.236 80/TCP 2m25s +zipkin ClusterIP 10.68.96.189 9411/TCP 2m25s ``` ##### Sidecar 的自动注入 @@ -100,20 +165,15 @@ prometheus ClusterIP 10.68.91.13 9090/TCP 需要在kube-apiserver 启动 admission-control 参数中加入 MutatingAdmissionWebhook 和 ValidatingAdmissionWebhook并确保正确的顺序,如果是多master安装,确保每个kube-apiserver都要进行修改。 -``` -/bin/kube-apiserver --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook -``` - -重启 kube-apiserver 即可 ##### 部署应用验证 istio 的samples目录中有很多示例。我们现在使用samples/sleep/sleep.yaml 来验证刚刚开启的Sidecar自动注入功能。 -进入目录 istio-1.0.3/ 部署一个新的应用 +进入目录 istio-1.1.3/ 部署一个新的应用 -``` -cd istio-1.0.3/ +```bash +cd istio-1.1.3/ kubectl apply -f samples/sleep/sleep.yaml kubectl get pod @@ -123,7 +183,7 @@ sleep-7549f66447-wv8cl 1/1 Running 0 1m 一切都是熟悉的味道。下面给 default 命名空间设置标签:istio-injection=enabled,这样就会在pod 创建时触发 Sidecar 的注入过程。从此default 名称空间拥有了超能力. -``` +```bash kubectl label namespace default istio-injection=enabled kubectl get namespace -L istio-injection NAME STATUS AGE ISTIO-INJECTION @@ -134,7 +194,7 @@ kube-system Active 4d2h ``` 接下来删除上面创建的pod,观察下有什么变化。 -``` +```bash kubectl delete pod sleep-7549f66447-wv8cl pod "sleep-7549f66447-wv8cl" deleted @@ -142,8 +202,9 @@ kubectl get pod NAME READY STATUS RESTARTS AGE sleep-7549f66447-x4td6 2/2 Running 0 37s ``` + 刚刚的pod里面现在已经拥有两个容器,进入pod一探究竟。 -``` +```bash kubectl describe pod sleep-7549f66447-x4td6 .... @@ -158,16 +219,14 @@ sleep-7549f66447-x4td6 2/2 Running 0 37s .... ``` -多出了一个 istio-proxy 容器及其对应的存储卷 +多出了一个 `istio-proxy` 容器及其对应的存储卷 #### 卸载istio --- -``` +```bash helm delete --purge istio ``` - -