Helm is the installation method officially recommended by Istio.
Install Helm
Project home page:
https://github.com/helm/helm
Install the helm client first, use the helm client to install Tiller, download charts through Tiller, and deploy applications from charts.
helm client ---> helm tiller (chart) ---> apiserver
Download the helm client install script
$ wget https://raw.githubusercontent.com/helm/helm/master/scripts/get
Run the helm client install script
$ sh get
Downloading https://kubernetes-helm.storage.googleapis.com/helm-v2.14.0-linux-amd64.tar.gz
Preparing to install helm and tiller into /usr/local/bin
helm installed into /usr/local/bin/helm
tiller installed into /usr/local/bin/tiller
Run 'helm init' to configure helm.
Set the environment variables: add /usr/local/bin to the PATH setting in .bash_profile, and enable command completion for helm
$ cat >> /root/.bash_profile << EOF
source <(helm completion bash)
EOF
Install the Tiller server with helm init
$ helm init
$HELM_HOME has been configured at /root/.helm.
Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.
Please note: by default, Tiller is deployed with an insecure 'allow unauthenticated users' policy.
To prevent this, run `helm init` with the --tiller-tls-verify flag.
For more information on securing your installation see: https://docs.helm.sh/using_helm/#securing-your-helm-installation
Tiller is also installed as a container; it adds service, deployment, pod and other resources to the kube-system namespace of Kubernetes
$ kubectl get pods --all-namespaces | grep till
kube-system tiller-deploy-765dcb8745-4q4hm 1/1 Running 0 8m48s
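Verify the installation
Once the pod is in the Running state, use helm version to confirm that the server is working
Verify the search function
Helm is the package manager for k8s, similar to yum or apt. A chart is the collection of information for an application (comparable to an rpm package), and a release is a running instance of a chart. helm search shows the charts currently available to install
Like yum, Helm has repositories; the packages seen above belong to the default repository, which helm repo list shows
Permission settings
At this point Tiller has no cluster permissions yet; they have to be granted to the Tiller server
Create the serviceaccount resource tiller in the kube-system namespace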
$ kubectl create serviceaccount -n kube-system tiller
Create the clusterrolebinding resource tiller-cluster-rule, with cluster role cluster-admin, bound to the service account kube-system:tiller
$ kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
Patch the deployment tiller-deploy to add the field spec.template.spec.serviceAccount
$ kubectl patch deploy -n kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
Install Istio
Add the Istio repo to Helm
$ helm repo add istio.io https://storage.googleapis.com/istio-release/releases/1.2.2/charts/
"istio.io" has been added to your repositories
$ helm repo list
NAME URL
stable https://kubernetes-charts.storage.googleapis.com
local http://127.0.0.1:8879/charts
istio.io https://storage.googleapis.com/istio-release/releases/1.2.2/charts/
$ helm search istio
NAME CHART VERSION APP VERSION DESCRIPTION
istio.io/istio 1.2.2 1.2.2 Helm chart for all istio components
istio.io/istio-cni 0.1.0 0.1.0 Helm chart for istio-cni components
istio.io/istio-init 1.2.2 1.2.2 Helm chart to initialize Istio CRDs
Install istio-init
$ kubectl create ns istio-system
$ helm install istio.io/istio-init --name istio-init --namespace istio-system
NAME: istio-init
LAST DEPLOYED: Thu Jul 11 15:55:04 2019
NAMESPACE: istio-system
STATUS: DEPLOYED
RESOURCES:
==> v1/ClusterRole
NAME AGE
istio-init-istio-system 0s
==> v1/ClusterRoleBinding
NAME AGE
istio-init-admin-role-binding-istio-system 0s
==> v1/ConfigMap
NAME DATA AGE
istio-crd-10 1 0s
istio-crd-11 1 0s
istio-crd-12 1 0s
==> v1/Job
NAME COMPLETIONS DURATION AGE
istio-init-crd-10 0/1 0s 0s
istio-init-crd-11 0/1 0s 0s
istio-init-crd-12 0/1 0s 0s
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
istio-init-crd-10-7l9p4 0/1 ContainerCreating 0 0s
istio-init-crd-11-vwb6h 0/1 ContainerCreating 0 0s
istio-init-crd-12-g2dbc 0/1 ContainerCreating 0 0s
==> v1/ServiceAccount
NAME SECRETS AGE
istio-init-service-account 1 0s
Confirm that istio-init installed successfully: check that the 3 pods have completed and that 23 CRDs were created
$ kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
istio-init-crd-10-7l9p4 0/1 Completed 0 6m40s
istio-init-crd-11-vwb6h 0/1 Completed 0 6m40s
istio-init-crd-12-g2dbc 0/1 Completed 0 6m40s
$ kubectl get crds | grep 'istio.io\|certmanager.k8s.io' | wc -l
23
# If cert-manager is used, there should be 28 CRDs
Install Istio with the default profile and look at the resulting svc and pod resources; note that the type is NodePort
$ helm install istio.io/istio --name istio --namespace istio-system --set gateways.istio-ingressgateway.type=NodePort
# By default gateways.istio-ingressgateway uses LoadBalancer
NAME: istio
LAST DEPLOYED: Thu Jul 11 17:00:01 2019
NAMESPACE: istio-system
STATUS: DEPLOYED
RESOURCES:
==> v1/ClusterRole
NAME AGE
istio-citadel-istio-system 13s
istio-galley-istio-system 14s
istio-mixer-istio-system 14s
istio-pilot-istio-system 13s
istio-reader 13s
istio-sidecar-injector-istio-system 13s
prometheus-istio-system 13s
==> v1/ClusterRoleBinding
NAME AGE
istio-citadel-istio-system 13s
istio-galley-admin-role-binding-istio-system 13s
istio-mixer-admin-role-binding-istio-system 13s
istio-multi 13s
istio-pilot-istio-system 13s
istio-sidecar-injector-admin-role-binding-istio-system 13s
prometheus-istio-system 13s
==> v1/ConfigMap
NAME DATA AGE
istio 2 14s
istio-galley-configuration 1 14s
istio-security-custom-resources 2 14s
istio-sidecar-injector 2 14s
prometheus 1 14s
==> v1/Deployment
NAME READY UP-TO-DATE AVAILABLE AGE
istio-citadel 1/1 1 1 12s
istio-galley 0/1 1 0 13s
istio-ingressgateway 0/1 1 0 13s
istio-pilot 0/1 1 0 13s
istio-policy 0/1 1 0 13s
istio-sidecar-injector 0/1 1 0 12s
istio-telemetry 0/1 1 0 13s
prometheus 0/1 1 0 12s
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
istio-citadel-68c85b6684-9kl6n 1/1 Running 0 12s
istio-galley-77d697957f-jxlgz 0/1 ContainerCreating 0 13s
istio-ingressgateway-8b858ff84-6j7n7 0/1 ContainerCreating 0 13s
istio-pilot-5544b58bb6-78p7g 1/2 Running 0 12s
istio-policy-5f9cf6df57-v6l5c 0/2 ContainerCreating 0 13s
istio-sidecar-injector-66549495d8-4rfhs 0/1 ContainerCreating 0 12s
istio-telemetry-7749c6d54f-zs8qd 0/2 ContainerCreating 0 13s
prometheus-776fdf7479-54m5k 0/1 ContainerCreating 0 12s
==> v1/Role
NAME AGE
istio-ingressgateway-sds 13s
==> v1/RoleBinding
NAME AGE
istio-ingressgateway-sds 13s
==> v1/Service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-citadel ClusterIP 10.97.67.100 <none> 8060/TCP,15014/TCP 13s
istio-galley ClusterIP 10.106.30.202 <none> 443/TCP,15014/TCP,9901/TCP 13s
istio-ingressgateway NodePort 10.111.118.204 <none> 15020:31683/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:31381/TCP,15030:31215/TCP,15031:31601/TCP,15032:32032/TCP,15443:30133/TCP 13s
istio-pilot ClusterIP 10.100.206.217 <none> 15010/TCP,15011/TCP,8080/TCP,15014/TCP 13s
istio-policy ClusterIP 10.105.215.18 <none> 9091/TCP,15004/TCP,15014/TCP 13s
istio-sidecar-injector ClusterIP 10.108.0.169 <none> 443/TCP 13s
istio-telemetry ClusterIP 10.107.242.174 <none> 9091/TCP,15004/TCP,15014/TCP,42422/TCP 13s
prometheus ClusterIP 10.105.154.7 <none> 9090/TCP 13s
==> v1/ServiceAccount
NAME SECRETS AGE
istio-citadel-service-account 1 14s
istio-galley-service-account 1 14s
istio-ingressgateway-service-account 1 14s
istio-mixer-service-account 1 14s
istio-multi 1 14s
istio-pilot-service-account 1 14s
istio-security-post-install-account 1 14s
istio-sidecar-injector-service-account 1 14s
prometheus 1 14s
==> v1alpha2/attributemanifest
NAME AGE
istioproxy 12s
kubernetes 12s
==> v1alpha2/handler
NAME AGE
kubernetesenv 12s
prometheus 12s
==> v1alpha2/instance
NAME AGE
attributes 12s
requestcount 12s
requestduration 12s
requestsize 12s
responsesize 12s
tcpbytereceived 12s
tcpbytesent 12s
tcpconnectionsclosed 12s
tcpconnectionsopened 12s
==> v1alpha2/rule
NAME AGE
kubeattrgenrulerule 11s
promhttp 11s
promtcp 12s
promtcpconnectionclosed 11s
promtcpconnectionopen 12s
tcpkubeattrgenrulerule 11s
==> v1alpha3/DestinationRule
NAME AGE
istio-policy 12s
istio-telemetry 12s
==> v1beta1/ClusterRole
NAME AGE
istio-security-post-install-istio-system 13s
==> v1beta1/ClusterRoleBinding
NAME AGE
istio-security-post-install-role-binding-istio-system 13s
==> v1beta1/MutatingWebhookConfiguration
NAME AGE
istio-sidecar-injector 12s
==> v1beta1/PodDisruptionBudget
NAME MIN AVAILABLE MAX UNAVAILABLE ALLOWED DISRUPTIONS AGE
istio-galley 1 N/A 0 14s
istio-ingressgateway 1 N/A 0 14s
istio-pilot 1 N/A 0 14s
istio-policy 1 N/A 0 14s
istio-sidecar-injector 1 N/A 0 14s
istio-telemetry 1 N/A 0 14s
==> v2beta1/HorizontalPodAutoscaler
NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AGE
istio-ingressgateway Deployment/istio-ingressgateway <unknown>/80% 1 5 0 12s
istio-pilot Deployment/istio-pilot <unknown>/80% 1 5 0 12s
istio-policy Deployment/istio-policy <unknown>/80% 1 5 0 12s
istio-telemetry Deployment/istio-telemetry <unknown>/80% 1 5 0 12s
NOTES:
Thank you for installing istio.
Your release is named istio.
To get started running application with Istio, execute the following steps:
1. Label namespace that application object will be deployed to by the following command (take default namespace as an example)
$ kubectl label namespace default istio-injection=enabled
$ kubectl get namespace -L istio-injection
2. Deploy your applications
$ kubectl apply -f <your-application>.yaml
For more information on running Istio, visit:
https://istio.io/
Check the deployment
$ kubectl get svc -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-citadel ClusterIP 10.105.168.54 <none> 8060/TCP,15014/TCP 2m3s
istio-galley ClusterIP 10.96.206.169 <none> 443/TCP,15014/TCP,9901/TCP 2m4s
istio-ingressgateway NodePort 10.100.122.195 <none> 15020:32279/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:31090/TCP,15030:31719/TCP,15031:32634/TCP,15032:31885/TCP,15443:30493/TCP 2m4s
istio-pilot ClusterIP 10.97.214.19 <none> 15010/TCP,15011/TCP,8080/TCP,15014/TCP 2m3s
istio-policy ClusterIP 10.101.16.60 <none> 9091/TCP,15004/TCP,15014/TCP 2m3s
istio-sidecar-injector ClusterIP 10.110.143.225 <none> 443/TCP 2m3s
istio-telemetry ClusterIP 10.102.132.254 <none> 9091/TCP,15004/TCP,15014/TCP,42422/TCP 2m3s
prometheus ClusterIP 10.100.112.16 <none> 9090/TCP 2m3s
$ kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
istio-citadel-68c85b6684-4gbdg 1/1 Running 0 3m21s
istio-galley-77d697957f-ls798 0/1 ContainerCreating 0 3m21s
istio-ingressgateway-8b858ff84-qndv9 0/1 Running 0 3m21s
istio-init-crd-10-7l9p4 0/1 Completed 0 19m
istio-init-crd-11-vwb6h 0/1 Completed 0 19m
istio-init-crd-12-g2dbc 0/1 Completed 0 19m
istio-pilot-5544b58bb6-tvkqg 0/2 ContainerCreating 0 3m21s
istio-policy-5f9cf6df57-jqnbh 2/2 Running 1 3m21s
istio-security-post-install-1.2.2-dqtz5 0/1 ContainerCreating 0 5m19s
istio-sidecar-injector-66549495d8-klp5z 0/1 ContainerCreating 0 3m21s
istio-telemetry-7749c6d54f-867p5 0/2 ContainerCreating 0 3m21s
prometheus-776fdf7479-t4txt 0/1 ContainerCreating 0 3m21s
# Wait until all pods are running
$ kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
istio-citadel-68c85b6684-9kl6n 1/1 Running 0 6m45s
istio-galley-77d697957f-jxlgz 1/1 Running 0 6m46s
istio-ingressgateway-8b858ff84-6j7n7 1/1 Running 0 6m46s
istio-init-crd-10-7l9p4 0/1 Completed 0 71m
istio-init-crd-11-vwb6h 0/1 Completed 0 71m
istio-init-crd-12-g2dbc 0/1 Completed 0 71m
istio-pilot-5544b58bb6-78p7g 2/2 Running 0 6m45s
istio-policy-5f9cf6df57-v6l5c 2/2 Running 5 6m46s
istio-sidecar-injector-66549495d8-4rfhs 1/1 Running 0 6m45s
istio-telemetry-7749c6d54f-zs8qd 2/2 Running 1 6m46s
prometheus-776fdf7479-54m5k 1/1 Running 0 6m45s
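A NodePort service opens each listed node port on every node in the cluster, so the istio-ingressgateway line above exposes more than ports 80 and 443. This added example (not from the original post; function names are hypothetical) parses `kubectl get svc` output, here two rows copied from the install output above, and lists the node ports to check against firewall rules.

```bash
#!/bin/sh
# Added example: list the node ports that NodePort services open on every node.

# Read `kubectl get svc` output on stdin; for each NodePort service print
# "service<TAB>service-port<TAB>node-port<TAB>protocol", one line per mapping.
list_nodeports() {
  awk '$2 == "NodePort" {
    n = split($5, maps, ",")
    for (i = 1; i <= n; i++) {
      split(maps[i], a, "[:/]")    # "80:31380/TCP" -> 80, 31380, TCP
      print $1 "\t" a[1] "\t" a[2] "\t" a[3]
    }
  }'
}

# Same input, keeping only mappings whose service port is not 80 or 443,
# i.e. node ports beyond ordinary HTTP/HTTPS ingress.
unexpected_nodeports() {
  list_nodeports | awk -F'\t' '$2 != 80 && $2 != 443'
}

# Sample input: header plus two service rows taken from the helm install
# output shown earlier on this page.
sample_svc() {
  cat <<'EOF'
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-citadel ClusterIP 10.97.67.100 <none> 8060/TCP,15014/TCP 13s
istio-ingressgateway NodePort 10.111.118.204 <none> 15020:31683/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:31381/TCP,15030:31215/TCP,15031:31601/TCP,15032:32032/TCP,15443:30133/TCP 13s
EOF
}

sample_svc | unexpected_nodeports
```

On a live cluster, feed it with `kubectl get svc --all-namespaces --no-headers` after dropping the leading namespace column, or run it per namespace as shown on this page.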
How to uninstall Istio
# Delete the releases
$ helm delete --purge istio
$ helm delete --purge istio-init
# Deleting the releases does not delete the related CRDs; they have to be deleted separately
$ tar -zxvf .helm/cache/archive/istio-init-1.2.2.tgz
$ kubectl delete -f istio-init/files/
# Confirm that the CRDs have been cleaned up
$ kubectl get crds | grep 'istio.io\|certmanager.k8s.io' | wc -l
The configuration of a release can be changed with helm upgrade
$ helm upgrade --set gateways.istio-ingressgateway.type=LoadBalancer istio istio.io/istio
All Istio ports
Port | Protocol | Used by | Description |
---|---|---|---|
8060 | HTTP | Citadel | GRPC server |
9090 | HTTP | Prometheus | Prometheus |
9091 | HTTP | Mixer | Policy/Telemetry |
9093 | HTTP | Citadel | |
15000 | TCP | Envoy | Envoy admin port (commands/diagnostics) |
15001 | TCP | Envoy | Envoy |
15004 | HTTP | Mixer, Pilot | Policy/Telemetry - mTLS |
15010 | HTTP | Pilot | Pilot service - XDS pilot - discovery |
15011 | TCP | Pilot | Pilot service - mTLS - Proxy - discovery |
15014 | HTTP | Citadel,Mixer, Pilot | Control plane monitoring |
15030 | TCP | Prometheus | Prometheus |
15090 | HTTP | Mixer | Proxy |
42422 | TCP | Mixer | Telemetry - Prometheus |
Configure the default namespace for automatic sidecar injection
$ kubectl label namespace default istio-injection=enabled
$ kubectl get namespace -L istio-injection