一、安装istioctl
- 下载1.10.3安装包 for win Releases · istio/istio · GitHub
- 解压到
C:\Program Install\istio-1.10.3 - 编辑windows PATH 环境变量,添加
C:\Program Install\istio-1.10.3\bin
二、Kubernetes准备
- 创建namespace
istio-system
kubectl create ns istio-system
- 检查是否开启
Pod Security Policies
Pod security policy control作为admission controller的一个选项。通过enabling the admission controller来开启PodSecurityPolicies。
检查admission-plugins
kube-apiserver -h | grep enable-admission-plugins
关闭
kube-apiserver --disable-admission-plugins=PodNodeSelector,AlwaysDeny ...
查看kubernetes (资源PodSecurityPolicy缩写为psp)
#kubectl get psp -n all
No resources found
三、部署 Istio Operator
命令 istioctl operator init ,会创建ns:istio-operator 。
还可以指定 Operator Controller安装的namespace、Operator 观测的namespace、Istio 的镜像源和版本等。
例如,可以使用参数 --watchedNamespaces 指定一个或多个命名空间来观测:istioctl operator init --watchedNamespaces=istio-namespace1,istio-namespace2
#istioctl operator init
Installing operator controller in namespace: istio-operator using image: docker.io/istio/operator:1.10.3
Operator controller will watch namespaces: istio-system
✔ Istio operator installed
�[32m✔ �[0mInstallation complete
#kubectl -n istio-operator get pods
NAME READY STATUS RESTARTS AGE
istio-operator-dbc5db55-cgx2h 1/1 Running 0 5m34s
#kubectl -n istio-operator get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-operator ClusterIP 10.99.198.251 <none> 8383/TCP 5m37s
四、以Operator安装Istio
-
创建 ns : istio-system
在上面已经创建了 -
安装Istio demo configuration profile
#kubectl apply -f demo_profile.yml
istiooperator.install.istio.io/example-istiocontrolplane created
demo_profile.yml 文件如下
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: example-istiocontrolplane
spec:
profile: demo
OR istioctl install
#istioctl install --set profile=demo -y
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete Thank you for installing Istio 1.10. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/KjkrDnMPByq7akrYA
查看安装结果
#kubectl get svc -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-egressgateway ClusterIP 10.100.39.94 <none> 80/TCP,443/TCP 41s
istio-ingressgateway LoadBalancer 10.110.185.80 localhost 15021:30776/TCP,80:32338/TCP,443:32623/TCP,31400:31980/TCP,15443:31490/TCP 41s
istiod ClusterIP 10.103.228.126 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 60s
#kubectl get pod -n istio-system
NAME READY STATUS RESTARTS AGE
istio-egressgateway-5547fcc8fc-dkfk2 1/1 Running 0 50s
istio-ingressgateway-8f568d595-ttbfg 1/1 Running 0 50s
istiod-6659979bdf-k6n46 1/1 Running 0 69s
给命名空间添加标签,指示 Istio 在部署应用的时候,自动注入 Envoy sidecar代理:
#kubectl describe ns default
Name: default
Labels: kubernetes.io/metadata.name=default
Annotations: <none>
Status: Active
No resource quota.
No LimitRange resource.
#kubectl label namespace default istio-injection=enabled
namespace/default labeled
#kubectl describe ns default
Name: default
Labels: istio-injection=enabled
kubernetes.io/metadata.name=default
Annotations: <none>
Status: Active
No resource quota.
No LimitRange resource.
五、查看服务网格 mesh
istioctl ps or istioctl proxy-status
#istioctl ps
NAME CDS LDS EDS RDS ISTIOD VERSION
istio-egressgateway-5547fcc8fc-dkfk2.istio-system SYNCED SYNCED SYNCED NOT SENT istiod-6659979bdf-k6n46 1.10.3
istio-ingressgateway-8f568d595-ttbfg.istio-system SYNCED SYNCED SYNCED NOT SENT istiod-6659979bdf-k6n46 1.10.3
网友评论