环境介绍
- k8s集群:v1.25.2
- istio版本:1.15.2
下载Istio
方法一
# curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.15.2 TARGET_ARCH=x86_64 sh -
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 101 100 101 0 0 623 0 --:--:-- --:--:-- --:--:-- 623
100 4856 100 4856 0 0 3676 0 0:00:01 0:00:01 --:--:-- 4542
Downloading istio-1.15.2 from https://github.com/istio/istio/releases/download/1.15.2/istio-1.15.2-linux-amd64.tar.gz ...
Istio 1.15.2 Download Complete!
Istio has been successfully downloaded into the istio-1.15.2 folder on your system.
Next Steps:
See https://istio.io/latest/docs/setup/install/ to add Istio to your Kubernetes cluster.
To configure the istioctl client tool for your workstation,
add the /usr/local/istio-1.15.2/bin directory to your environment path variable with:
export PATH="$PATH:/usr/local/istio-1.15.2/bin"
Begin the Istio pre-installation check by running:
istioctl x precheck
Need more information? Visit https://istio.io/latest/docs/setup/install/
方法二
# export ISTIO_VERSION=1.15.2
# wget https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz
# tar xf istio-${ISTIO_VERSION}-linux-amd64.tar.gz
设置环境变量
# cd istio-${ISTIO_VERSION}/
# export PATH=$PWD/bin:$PATH
istio安装目录结构介绍
-
bin # 二进制程序文件
-
manifests
- manifests/profiles/ # 内置的配置档案
-
samples # 目录下的示例应用程序
-
samples/addons/ # 部署各扩展组件的示例清单
-
samples/bookinfo/ # 示例微服务项目bookinfo
-
-
tools
定制Istio部署环境
定制配置
IstioOperator API中的各配置参数,均可在istioctl命令行中使用--set选项进行独立设置;例如
部署时,为default配置档案启用debug日志功能,可使用如下命令
~$ istioctl install --set profile=default --set values.global.logging.level=debug
部署时,为default配置档案启用EgressGateway组件
~$ istioctl install --set profile=default --set components.egressGateways.enabled=true
定制 Kubernetes 设置
IstioOperator API 支持以一致性的方式定制每一个组件的Kubernetes设置,每个组件都有一个KubernetesResourcesSpec
它支持修改许多配置参数包括Resources、Readiness probes、Replica count、HPA、PDB、Pod annotations、Service annotations、ImagePullPolicy、Node selector、Service、Toleration、Strategy、Env及Pod security context等
安装Istio
Istio安装环境检测
# istioctl x precheck
✔ No issues found when checking the cluster. Istio is safe to install or upgrade!
To get started, check out https://istio.io/latest/docs/setup/getting-started/
istio安装
# istioctl install --set profile=demo -y
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Installation complete Making this installation the default for injection and validation.
Thank you for installing Istio 1.15\. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/SWHFBmwJspusK1hv6
验证部署结果
pods
~# kubectl get pods -n istio-system -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
istio-egressgateway-fffc799cf-vt4b7 1/1 Running 0 59m 172.20.44.195 192.168.174.107 <none> <none>
istio-ingressgateway-7d68764b55-n2wk8 1/1 Running 0 59m 172.20.44.196 192.168.174.107 <none> <none>
istiod-5456fd558d-7l7xd 1/1 Running 0 59m 172.20.44.194 192.168.174.107 <none> <none>
svc
~# kubectl get svc -n istio-system -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
istio-egressgateway ClusterIP 10.100.86.184 <none> 80/TCP,443/TCP 58m app=istio-egressgateway,istio=egressgateway
istio-ingressgateway LoadBalancer 10.100.63.147 <pending> 15021:43732/TCP,80:55697/TCP,443:59179/TCP,31400:43335/TCP,15443:33703/TCP 58m app=istio-ingressgateway,istio=ingressgateway
istiod ClusterIP 10.100.50.155 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 59m app=istiod,istio=pilot
image
~# crictl image |grep istio
docker.io/istio/pilot 1.15.2 245047de26c06 73.9MB
docker.io/istio/proxyv2 1.15.2 25585bdfb0f7a 91.4MB
Istio sidecar自动注入功能
启用sidecar自动注入功能
按需指定namespace
# kubectl label namespace default istio-injection=enabled
namespace/default labeled
查看namespace label
# kubectl get namespace default --show-labels
NAME STATUS AGE LABELS
default Active 5d3h istio-injection=enabled,kubernetes.io/metadata.name=default
验证sidecar
创建demo pod
~# kubectl run demo --image=nginx:alpine --restart=Never
pod/demo created
~# kubectl get pods
NAME READY STATUS RESTARTS AGE
demo 2/2 Running 0 9s
查看pod
~# kubectl get pods demo -o yaml |grep "image:"
- image: nginx:alpine
image: docker.io/istio/proxyv2:1.15.2
image: docker.io/istio/proxyv2:1.15.2
image: docker.io/library/nginx:alpine
image: docker.io/istio/proxyv2:1.15.2
image: docker.io/istio/proxyv2:1.15.2
~# kubectl get pods demo -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
demo 2/2 Running 0 3m16s 172.20.44.206 192.168.174.107 <none> <none>
访问demo
~# curl -I 172.20.44.206
HTTP/1.1 200 OK
server: istio-envoy
date: Tue, 18 Oct 2022 10:21:00 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 19 Jul 2022 15:23:19 GMT
etag: "62d6cc67-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 0
x-envoy-decorator-operation: :0/*
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
查看sidecar配置
~# kubectl exec -it demo -- curl localhost:15000/listeners
5ab27672-0804-4808-8bd1-4520a2da8900::0.0.0.0:15090
36645d3e-58ce-48bf-9ed6-00c16423711d::0.0.0.0:15021
10.100.50.155_443::10.100.50.155:443
10.100.0.1_443::10.100.0.1:443
10.100.50.155_15012::10.100.50.155:15012
10.100.63.147_31400::10.100.63.147:31400
10.100.63.147_15443::10.100.63.147:15443
10.100.86.184_443::10.100.86.184:443
10.100.63.147_443::10.100.63.147:443
10.100.0.2_53::10.100.0.2:53
10.100.128.238_8000::10.100.128.238:8000
0.0.0.0_80::0.0.0.0:80
10.100.63.147_15021::10.100.63.147:15021
10.100.194.250_14268::10.100.194.250:14268
0.0.0.0_15014::0.0.0.0:15014
10.100.196.126_3000::10.100.196.126:3000
10.100.107.86_443::10.100.107.86:443
10.100.194.250_14250::10.100.194.250:14250
0.0.0.0_9411::0.0.0.0:9411
0.0.0.0_9090::0.0.0.0:9090
0.0.0.0_16685::0.0.0.0:16685
0.0.0.0_15010::0.0.0.0:15010
10.100.0.2_9153::10.100.0.2:9153
0.0.0.0_20001::0.0.0.0:20001
virtualOutbound::0.0.0.0:15001
virtualInbound::0.0.0.0:15006
查看Istio配置下发状态
# istioctl proxy-status
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD
demo.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-5456fd558d-7l7xd
istio-egressgateway-fffc799cf-vt4b7.istio-system Kubernetes SYNCED SYNCED SYNCED NOT SENT NOT SENT istiod-5456fd558d-7l7xd
istio-ingressgateway-7d68764b55-n2wk8.istio-system Kubernetes SYNCED SYNCED SYNCED NOT SENT NOT SENT istiod-5456fd558d-7l7xd
查看pod路由信息
# istioctl proxy-config all demo
SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE
BlackHoleCluster - - - STATIC
InboundPassthroughClusterIpv4 - - - ORIGINAL_DST
PassthroughCluster - - - ORIGINAL_DST
agent - - - STATIC
dashboard-metrics-scraper.kubernetes-dashboard.svc.cluster.local 8000 - outbound EDS
grafana.istio-system.svc.cluster.local 3000 - outbound EDS
istio-egressgateway.istio-system.svc.cluster.local 80 - outbound EDS
istio-egressgateway.istio-system.svc.cluster.local 443 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 80 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 443 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 15021 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 15443 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 31400 - outbound EDS
istiod.istio-system.svc.cluster.local 443 - outbound EDS
istiod.istio-system.svc.cluster.local 15010 - outbound EDS
istiod.istio-system.svc.cluster.local 15012 - outbound EDS
istiod.istio-system.svc.cluster.local 15014 - outbound EDS
jaeger-collector.istio-system.svc.cluster.local 9411 - outbound EDS
jaeger-collector.istio-system.svc.cluster.local 14250 - outbound EDS
jaeger-collector.istio-system.svc.cluster.local 14268 - outbound EDS
kiali.istio-system.svc.cluster.local 9090 - outbound EDS
kiali.istio-system.svc.cluster.local 20001 - outbound EDS
kube-dns.kube-system.svc.cluster.local 53 - outbound EDS
kube-dns.kube-system.svc.cluster.local 9153 - outbound EDS
kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local 443 - outbound EDS
kubernetes.default.svc.cluster.local 443 - outbound EDS
prometheus.istio-system.svc.cluster.local 9090 - outbound EDS
prometheus_stats - - - STATIC
sds-grpc - - - STATIC
tracing.istio-system.svc.cluster.local 80 - outbound EDS
tracing.istio-system.svc.cluster.local 16685 - outbound EDS
xds-grpc - - - STATIC
zipkin - - - STRICT_DNS
zipkin.istio-system.svc.cluster.local 9411 - outbound EDS
ADDRESS PORT MATCH DESTINATION
10.100.0.2 53 ALL Cluster: outbound|53||kube-dns.kube-system.svc.cluster.local
0.0.0.0 80 Trans: raw_buffer; App: http/1.1,h2c Route: 80
0.0.0.0 80 ALL PassthroughCluster
10.100.0.1 443 ALL Cluster: outbound|443||kubernetes.default.svc.cluster.local
10.100.107.86 443 Trans: raw_buffer; App: http/1.1,h2c Route: kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local:443
10.100.107.86 443 ALL Cluster: outbound|443||kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
10.100.50.155 443 ALL Cluster: outbound|443||istiod.istio-system.svc.cluster.local
10.100.63.147 443 ALL Cluster: outbound|443||istio-ingressgateway.istio-system.svc.cluster.local
10.100.86.184 443 ALL Cluster: outbound|443||istio-egressgateway.istio-system.svc.cluster.local
10.100.196.126 3000 Trans: raw_buffer; App: http/1.1,h2c Route: grafana.istio-system.svc.cluster.local:3000
10.100.196.126 3000 ALL Cluster: outbound|3000||grafana.istio-system.svc.cluster.local
10.100.128.238 8000 Trans: raw_buffer; App: http/1.1,h2c Route: dashboard-metrics-scraper.kubernetes-dashboard.svc.cluster.local:8000
10.100.128.238 8000 ALL Cluster: outbound|8000||dashboard-metrics-scraper.kubernetes-dashboard.svc.cluster.local
0.0.0.0 9090 Trans: raw_buffer; App: http/1.1,h2c Route: 9090
0.0.0.0 9090 ALL PassthroughCluster
10.100.0.2 9153 Trans: raw_buffer; App: http/1.1,h2c Route: kube-dns.kube-system.svc.cluster.local:9153
10.100.0.2 9153 ALL Cluster: outbound|9153||kube-dns.kube-system.svc.cluster.local
0.0.0.0 9411 Trans: raw_buffer; App: http/1.1,h2c Route: 9411
0.0.0.0 9411 ALL PassthroughCluster
10.100.194.250 14250 Trans: raw_buffer; App: http/1.1,h2c Route: jaeger-collector.istio-system.svc.cluster.local:14250
10.100.194.250 14250 ALL Cluster: outbound|14250||jaeger-collector.istio-system.svc.cluster.local
10.100.194.250 14268 Trans: raw_buffer; App: http/1.1,h2c Route: jaeger-collector.istio-system.svc.cluster.local:14268
10.100.194.250 14268 ALL Cluster: outbound|14268||jaeger-collector.istio-system.svc.cluster.local
0.0.0.0 15001 ALL PassthroughCluster
0.0.0.0 15001 Addr: *:15001 Non-HTTP/Non-TCP
0.0.0.0 15006 Addr: *:15006 Non-HTTP/Non-TCP
0.0.0.0 15006 Trans: tls; App: istio-http/1.0,istio-http/1.1,istio-h2; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: raw_buffer; App: http/1.1,h2c; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; App: TCP TLS; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: raw_buffer; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15010 Trans: raw_buffer; App: http/1.1,h2c Route: 15010
0.0.0.0 15010 ALL PassthroughCluster
10.100.50.155 15012 ALL Cluster: outbound|15012||istiod.istio-system.svc.cluster.local
0.0.0.0 15014 Trans: raw_buffer; App: http/1.1,h2c Route: 15014
0.0.0.0 15014 ALL PassthroughCluster
0.0.0.0 15021 ALL Inline Route: /healthz/ready*
10.100.63.147 15021 Trans: raw_buffer; App: http/1.1,h2c Route: istio-ingressgateway.istio-system.svc.cluster.local:15021
10.100.63.147 15021 ALL Cluster: outbound|15021||istio-ingressgateway.istio-system.svc.cluster.local
0.0.0.0 15090 ALL Inline Route: /stats/prometheus*
10.100.63.147 15443 ALL Cluster: outbound|15443||istio-ingressgateway.istio-system.svc.cluster.local
0.0.0.0 16685 Trans: raw_buffer; App: http/1.1,h2c Route: 16685
0.0.0.0 16685 ALL PassthroughCluster
0.0.0.0 20001 Trans: raw_buffer; App: http/1.1,h2c Route: 20001
0.0.0.0 20001 ALL PassthroughCluster
10.100.63.147 31400 ALL Cluster: outbound|31400||istio-ingressgateway.istio-system.svc.cluster.local
NAME DOMAINS MATCH VIRTUAL SERVICE
jaeger-collector.istio-system.svc.cluster.local:14250 * /*
9411 jaeger-collector.istio-system, 10.100.194.250 /*
9411 zipkin.istio-system, 10.100.155.241 /*
kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local:443 * /*
kube-dns.kube-system.svc.cluster.local:9153 * /*
jaeger-collector.istio-system.svc.cluster.local:14268 * /*
9090 kiali.istio-system, 10.100.139.46 /*
9090 prometheus.istio-system, 10.100.127.66 /*
grafana.istio-system.svc.cluster.local:3000 * /*
* /stats/prometheus*
InboundPassthroughClusterIpv4 * /*
InboundPassthroughClusterIpv4 * /*
80 istio-egressgateway.istio-system, 10.100.86.184 /*
80 istio-ingressgateway.istio-system, 10.100.63.147 /*
80 tracing.istio-system, 10.100.18.156 /*
dashboard-metrics-scraper.kubernetes-dashboard.svc.cluster.local:8000 * /*
istio-ingressgateway.istio-system.svc.cluster.local:15021 * /*
* /healthz/ready*
15010 istiod.istio-system, 10.100.50.155 /*
15014 istiod.istio-system, 10.100.50.155 /*
16685 tracing.istio-system, 10.100.18.156 /*
20001 kiali.istio-system, 10.100.139.46 /*
RESOURCE NAME TYPE STATUS VALID CERT SERIAL NUMBER NOT AFTER NOT BEFORE
default Cert Chain ACTIVE true 262032566884822718243266101713902765105 2022-10-19T10:15:35Z 2022-10-18T10:13:35Z
ROOTCA CA ACTIVE true 163973747743325474974169611986485697030 2032-10-15T08:21:22Z 2022-10-18T08:21:22Z
取消sidecar自动注入
# kubectl label namespace default istio-injection-
namespace/default unlabeled
卸载Istio
使用istioctl命令卸载Istio
命令:istioctl experimental uninstall
卸载方法
卸载指定的控制平面
卸载指定文件中定义的控制平面
~$ istioctl x uninstall -f <FILE>
卸载指定的Revision
~$ istioctl x uninstall --revision <NAME>
基于安装时的选项生成配置信息后经由kubectl命令删除
~$ istioctl manifest generate <your original installation options> | kubectl delete -f -
清除集群上部署的所有控制平面
~$ istioctl uninstall --purge
提示:控制平面的名称空间默认并不会删除,如果确认不再需要时,需自行进行删除操作
示例
Istio 卸载程序按照层次结构逐级的从 istio-system 命令空间中删除 RBAC 权限和所有资源。对于不存在的资源报错,可以安全的忽略掉,毕竟他们已经被分层的删除了。
kubectl delete -f samples/addons
istioctl manifest generate --set profile=demo | kubectl delete --ignore-not-found=true -f -
命名空间 istio-system 默认情况下并不会被删除。 不需要的时候,使用下面命令删掉它:
kubectl delete namespace istio-system
指示 Istio 自动注入 Envoy 边车代理的标签默认也不删除。 不需要的时候,使用下面命令删掉它。
kubectl label namespace default istio-injection-
网友评论