mirror of https://github.com/easzlab/kubeasz.git
11 KiB
11 KiB
| title | date |
|---|---|
| Istio 1.1.7 安装 | 2019-05-19T19:44:00+08:00 |
Service Mesh(服务网格)
Kubernetes 已经给我们带来了诸多的好处。但是仍有些需求比如 A/B 测试、金丝雀发布、限流、访问控制,端到端认证等需要运维人员进一步去解决。
Istio 是完全开源的服务网格,提供了一套完整的解决方案,可以透明地分层到现有的分布式应用程序上。对开发人员几乎无感的同时获得超能力。
如果想要现有的服务支持 Istio,只需要在当前的环境中部署一个特殊的 sidecar 代理,即可。
前提
- 安装 Kubernetes 集群 1.9+
- 安装 Helm
准备
进入 Istio release 页面下载最新版安装包并解压到当前目录,
curl -L https://git.io/getLatestIstio | sh -
ll istio-1.1.7/
total 40
drwxr-xr-x 2 root root 4096 May 15 08:59 bin
drwxr-xr-x 6 root root 4096 May 15 08:59 install
-rw-r--r-- 1 root root 602 May 15 08:59 istio.VERSION
-rw-r--r-- 1 root root 11343 May 15 08:59 LICENSE
-rw-r--r-- 1 root root 5921 May 15 08:59 README.md
drwxr-xr-x 15 root root 4096 May 15 08:59 samples
drwxr-xr-x 7 root root 4096 May 15 08:59 tools
- install Kubernetes 安装所需的 .yaml 文件
- samples Task中的示例应用
- bin/istioctl 客户端工具
- istio.VERSION 配置文件
安装
注意事项
- Node 节点内存不能低于 4G,否则相关容器可能启动失败
- Istio 默认使用‘负载均衡器’服务对象类型。对于裸机安装没有负载均衡器的情况下,安装需指定‘NodePort’类型。
方案1:使用 Helm template 进行安装
cd /usr/local/src/istio-1.1.7
kubectl create namespace istio-system
# 安装 istio-init chart,来启动 Istio CRD 的安装过程
helm template install/kubernetes/helm/istio-init --name istio-init --namespace istio-system --set gateways.istio-ingressgateway.type=NodePort --set gateways.istio-egressgateway.type=NodePort | kubectl apply -f -
# 稍等一会儿执行
# 输出 23 或者 28 (若开启了 cert-manager)
kubectl get crds | grep 'istio.io\|certmanager.k8s.io' | wc -l
# 部署与你选择的配置文件相对应的 Istio 的核心组件
# 不同配置说明 https://istio.io/zh/docs/setup/kubernetes/additional-setup/config-profiles/
# 选择 default 配置
helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
--set gateways.istio-ingressgateway.type=NodePort \
--set gateways.istio-egressgateway.type=NodePort | kubectl apply -f -
# 或选择 demo 配置
helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
--set gateways.istio-ingressgateway.type=NodePort \
--set gateways.istio-egressgateway.type=NodePort \
--values install/kubernetes/helm/istio/values-istio-demo.yaml | kubectl apply -f -
方案2:在 Helm 和 Tiller 的环境中使用 helm install 命令进行安装
见官方文档
验证
kubectl get pod -n istio-system
# default 配置时
NAME READY STATUS RESTARTS AGE
istio-citadel-899dfb67c-5hlsc 1/1 Running 0 49s
istio-cleanup-secrets-1.1.7-nkdxt 0/1 Completed 0 50s
istio-galley-555dd7c7d7-rpfln 1/1 Running 0 49s
istio-ingressgateway-5b547dfb7b-ctm5l 1/1 Running 0 49s
istio-init-crd-10-l9xcj 0/1 Completed 0 66s
istio-init-crd-11-nqvml 0/1 Completed 0 66s
istio-pilot-9f5c75ddf-n5s6p 2/2 Running 0 49s
istio-policy-bd45d757d-6qcdg 2/2 Running 1 49s
istio-security-post-install-1.1.7-nbwwv 0/1 Completed 0 50s
istio-sidecar-injector-998dd6cbb-n2hdm 1/1 Running 0 49s
istio-telemetry-656df5b64-k8vkf 2/2 Running 1 49s
prometheus-7f87866f5f-t97wc 1/1 Running 0 49s
# demo 配置时
grafana-749c78bcc5-fbzmn 1/1 Running 0 101s
istio-citadel-899dfb67c-8shx2 1/1 Running 0 100s
istio-cleanup-secrets-1.1.7-jbhsl 0/1 Completed 0 102s
istio-egressgateway-748d5fd794-x5bjt 1/1 Running 0 101s
istio-galley-555dd7c7d7-86r2b 1/1 Running 0 101s
istio-grafana-post-install-1.1.7-kq7b4 0/1 Completed 0 103s
istio-ingressgateway-55dd86767f-jd9m4 1/1 Running 0 101s
istio-init-crd-10-l9xcj 0/1 Completed 0 16m
istio-init-crd-11-nqvml 0/1 Completed 0 16m
istio-pilot-6964dd4957-7bzdq 2/2 Running 0 101s
istio-policy-689687bd77-ncw2n 2/2 Running 1 101s
istio-security-post-install-1.1.7-t2kwh 0/1 Completed 0 102s
istio-sidecar-injector-998dd6cbb-7mwkh 1/1 Running 0 100s
istio-telemetry-8564679887-59c8z 2/2 Running 1 101s
istio-tracing-595796cf54-jn49s 1/1 Running 0 100s
kiali-5df77dc9b6-psjs4 1/1 Running 0 101s
prometheus-7f87866f5f-hrbgt 1/1 Running 0 100s
kubectl get svc -n istio-system
# default 配置时
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-citadel ClusterIP 10.68.236.249 <none> 8060/TCP,15014/TCP 75s
istio-galley ClusterIP 10.68.105.102 <none> 443/TCP,15014/TCP,9901/TCP 75s
istio-ingressgateway NodePort 10.68.181.46 <none> 15020:32761/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:33185/TCP,15030:20745/TCP,15031:36208/TCP,15032:34095/TCP,15443:36244/TCP 75s
istio-pilot ClusterIP 10.68.252.143 <none> 15010/TCP,15011/TCP,8080/TCP,15014/TCP 75s
istio-policy ClusterIP 10.68.40.51 <none> 9091/TCP,15004/TCP,15014/TCP 75s
istio-sidecar-injector ClusterIP 10.68.55.134 <none> 443/TCP 74s
istio-telemetry ClusterIP 10.68.16.11 <none> 9091/TCP,15004/TCP,15014/TCP,42422/TCP 75s
prometheus ClusterIP 10.68.65.238 <none> 9090/TCP 75s
# demo 配置时
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
grafana ClusterIP 10.68.65.248 <none> 3000/TCP 2m27s
istio-citadel ClusterIP 10.68.72.100 <none> 8060/TCP,15014/TCP 2m26s
istio-egressgateway NodePort 10.68.21.24 <none> 80:26775/TCP,443:28249/TCP,15443:38494/TCP 2m27s
istio-galley ClusterIP 10.68.73.9 <none> 443/TCP,15014/TCP,9901/TCP 2m27s
istio-ingressgateway NodePort 10.68.122.190 <none> 15020:39248/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:33522/TCP,15030:26010/TCP,15031:27064/TCP,15032:32158/TCP,15443:30848/TCP 2m27s
istio-pilot ClusterIP 10.68.116.5 <none> 15010/TCP,15011/TCP,8080/TCP,15014/TCP 2m26s
istio-policy ClusterIP 10.68.239.246 <none> 9091/TCP,15004/TCP,15014/TCP 2m27s
istio-sidecar-injector ClusterIP 10.68.93.151 <none> 443/TCP 2m26s
istio-telemetry ClusterIP 10.68.117.254 <none> 9091/TCP,15004/TCP,15014/TCP,42422/TCP 2m26s
jaeger-agent ClusterIP None <none> 5775/UDP,6831/UDP,6832/UDP 2m25s
jaeger-collector ClusterIP 10.68.103.8 <none> 14267/TCP,14268/TCP 2m26s
jaeger-query ClusterIP 10.68.73.252 <none> 16686/TCP 2m26s
kiali ClusterIP 10.68.214.228 <none> 20001/TCP 2m27s
prometheus ClusterIP 10.68.203.209 <none> 9090/TCP 2m26s
tracing ClusterIP 10.68.113.236 <none> 80/TCP 2m25s
zipkin ClusterIP 10.68.96.189 <none> 9411/TCP 2m25s
Sidecar 的自动注入
注意事项
需要在kube-apiserver 启动 admission-control 参数中加入 MutatingAdmissionWebhook 和 ValidatingAdmissionWebhook并确保正确的顺序,如果是多master安装,确保每个kube-apiserver都要进行修改。
部署应用验证
istio 的samples目录中有很多示例。我们现在使用samples/sleep/sleep.yaml 来验证刚刚开启的Sidecar自动注入功能。
进入目录 istio-1.1.7/ 部署一个新的应用
cd istio-1.1.7/
kubectl apply -f samples/sleep/sleep.yaml
kubectl get pod
NAME READY STATUS RESTARTS AGE
sleep-7549f66447-wv8cl 1/1 Running 0 1m
一切都是熟悉的味道。下面给 default 命名空间设置标签:istio-injection=enabled,这样就会在pod 创建时触发 Sidecar 的注入过程。从此default 名称空间拥有了超能力.
kubectl label namespace default istio-injection=enabled
kubectl get namespace -L istio-injection
NAME STATUS AGE ISTIO-INJECTION
default Active 1h enabled
istio-system Active 3d22h
kube-public Active 4d2h
kube-system Active 4d2h
接下来删除上面创建的pod,观察下有什么变化。
kubectl delete pod sleep-7549f66447-wv8cl
pod "sleep-7549f66447-wv8cl" deleted
kubectl get pod
NAME READY STATUS RESTARTS AGE
sleep-7549f66447-x4td6 2/2 Running 0 37s
刚刚的pod里面现在已经拥有两个容器,进入pod一探究竟。
kubectl describe pod sleep-7549f66447-x4td6
....
Containers:
sleep:
Container ID: docker://
Image: pstauffer/curl
....
istio-proxy:
Container ID: docker://
Image: docker.io/istio/proxyv2:1.1.7
....
多出了一个 istio-proxy 容器及其对应的存储卷
卸载istio
# 采用 default 配置安装
helm template install/kubernetes/helm/istio --name istio --namespace istio-system | kubectl delete -f -
# 采用 demo 配置安装
helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
--values install/kubernetes/helm/istio/values-istio-demo.yaml | kubectl delete -f -
kubectl delete namespace istio-system