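Prerequisites
If the cluster has only one node, you need at least 6 CPUs, 6 GB of memory, and 30 GB of disk storage.
If the cluster has multiple nodes, each node needs at least 2 CPUs, 4 GB of memory, and 20 GB of disk storage.
You have a cluster running Kubernetes v1.24 or later.
Knative Serving deployment procedure
1. Deploy the Service custom resources
2. Deploy the Serving core components
3. Deploy the networking layer components
   1. Choose one of Istio, Contour, or Kourier
4. (Optional) Configure DNS
5. (Optional) Deploy Serving extensions
   1. HPA: adds support for the Kubernetes HPA
   2. Cert Manager: automatically issues TLS certificates for workloads
   3. Encrypt HTTP01: automatically issues TLS certificates for workloads
6. Deploy kn
Deploy the Knative Serving custom resources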
# kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.11.0/serving-crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificates.networking.internal.knative.dev created
customresourcedefinition.apiextensions.k8s.io/configurations.serving.knative.dev created
customresourcedefinition.apiextensions.k8s.io/clusterdomainclaims.networking.internal.knative.dev created
customresourcedefinition.apiextensions.k8s.io/domainmappings.serving.knative.dev created
customresourcedefinition.apiextensions.k8s.io/ingresses.networking.internal.knative.dev created
customresourcedefinition.apiextensions.k8s.io/metrics.autoscaling.internal.knative.dev created
customresourcedefinition.apiextensions.k8s.io/podautoscalers.autoscaling.internal.knative.dev created
customresourcedefinition.apiextensions.k8s.io/revisions.serving.knative.dev created
customresourcedefinition.apiextensions.k8s.io/routes.serving.knative.dev created
customresourcedefinition.apiextensions.k8s.io/serverlessservices.networking.internal.knative.dev created
customresourcedefinition.apiextensions.k8s.io/services.serving.knative.dev created
customresourcedefinition.apiextensions.k8s.io/images.caching.internal.knative.dev created
Deploy the Knative Serving core components
Download the Knative Serving core components
# wget https://github.com/knative/serving/releases/download/knative-v1.11.0/serving-core.yaml
Replace gcr.io
# sed -i 's@gcr.io@gcr.dockerproxy.com@g' serving-core.yaml
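The substitution above points every image at a third-party mirror, so it is worth confirming before `kubectl apply` that only the registry host changed and that every image is still pinned by digest. The following check is an added example, not part of the original post; the function names and the sample manifest (with placeholder digests) are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a registry-rewritten manifest against the original.
# The sample manifest in make_sample is constructed; its digests are placeholders.

# image_refs FILE: value of every key ending in "image:" (e.g. image:,
# queue-sidecar-image:), quotes stripped, sorted and de-duplicated.
image_refs() {
  sed -n 's/^[[:space:]-]*[A-Za-z-]*image:[[:space:]]*//p' "$1" | tr -d "\"'" | sort -u
}

# unpinned_refs FILE: image references that do not end in @sha256:<64 hex>.
unpinned_refs() {
  image_refs "$1" | grep -Ev '@sha256:[0-9a-f]{64}$' || true
}

# rewrite_is_host_only ORIG REWRITTEN FROM TO: succeeds only when swapping the
# leading registry host FROM for TO in ORIG's references yields exactly the
# references found in REWRITTEN (same repositories, same digests).
rewrite_is_host_only() {
  from_re=$(printf '%s' "$3" | sed 's/\./\\./g')
  expected=$(image_refs "$1" | sed "s@^$from_re/@$4/@" | sort -u)
  [ "$expected" = "$(image_refs "$2")" ]
}

# make_sample FILE: write a small constructed manifest with two pinned images.
make_sample() {
  d1=$(printf '%064d' 0 | tr 0 a)   # placeholder digest, 64 hex chars
  d2=$(printf '%064d' 0 | tr 0 b)
  cat > "$1" <<EOF
      containers:
        - name: activator
          image: gcr.io/knative-releases/knative.dev/serving/cmd/activator@sha256:$d1
  queue-sidecar-image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:$d2
EOF
}

demo() {
  dir=$(mktemp -d)
  make_sample "$dir/serving-core.orig.yaml"
  # Same substitution as in the step above, written to a copy.
  sed 's@gcr.io@gcr.dockerproxy.com@g' "$dir/serving-core.orig.yaml" > "$dir/serving-core.yaml"
  if rewrite_is_host_only "$dir/serving-core.orig.yaml" "$dir/serving-core.yaml" \
       gcr.io gcr.dockerproxy.com && [ -z "$(unpinned_refs "$dir/serving-core.yaml")" ]; then
    echo "OK: only the registry host changed; every image is digest-pinned"
  else
    echo "FAIL: review image references before kubectl apply" >&2
  fi
  rm -rf "$dir"
}
demo
```

To use it on the real file, keep an untouched copy of the downloaded serving-core.yaml and pass both files to `rewrite_is_host_only`.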
Deploy the Knative Serving core components
# kubectl apply -f serving-core.yaml
namespace/knative-serving created
role.rbac.authorization.k8s.io/knative-serving-activator created
clusterrole.rbac.authorization.k8s.io/knative-serving-activator-cluster created
clusterrole.rbac.authorization.k8s.io/knative-serving-aggregated-addressable-resolver created
clusterrole.rbac.authorization.k8s.io/knative-serving-addressable-resolver created
clusterrole.rbac.authorization.k8s.io/knative-serving-namespaced-admin created
clusterrole.rbac.authorization.k8s.io/knative-serving-namespaced-edit created
clusterrole.rbac.authorization.k8s.io/knative-serving-namespaced-view created
clusterrole.rbac.authorization.k8s.io/knative-serving-core created
clusterrole.rbac.authorization.k8s.io/knative-serving-podspecable-binding created
serviceaccount/controller created
clusterrole.rbac.authorization.k8s.io/knative-serving-admin created
clusterrolebinding.rbac.authorization.k8s.io/knative-serving-controller-admin created
clusterrolebinding.rbac.authorization.k8s.io/knative-serving-controller-addressable-resolver created
serviceaccount/activator created
rolebinding.rbac.authorization.k8s.io/knative-serving-activator created
clusterrolebinding.rbac.authorization.k8s.io/knative-serving-activator-cluster created
customresourcedefinition.apiextensions.k8s.io/images.caching.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/certificates.networking.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/configurations.serving.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/clusterdomainclaims.networking.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/domainmappings.serving.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/ingresses.networking.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/metrics.autoscaling.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/podautoscalers.autoscaling.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/revisions.serving.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/routes.serving.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/serverlessservices.networking.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/services.serving.knative.dev unchanged
secret/serving-certs-ctrl-ca created
secret/knative-serving-certs created
secret/control-serving-certs created
secret/routing-serving-certs created
image.caching.internal.knative.dev/queue-proxy created
configmap/config-autoscaler created
configmap/config-defaults created
configmap/config-deployment created
configmap/config-domain created
configmap/config-features created
configmap/config-gc created
configmap/config-leader-election created
configmap/config-logging created
configmap/config-network created
configmap/config-observability created
configmap/config-tracing created
horizontalpodautoscaler.autoscaling/activator created
poddisruptionbudget.policy/activator-pdb created
deployment.apps/activator created
service/activator-service created
deployment.apps/autoscaler created
service/autoscaler created
deployment.apps/controller created
service/controller created
horizontalpodautoscaler.autoscaling/webhook created
poddisruptionbudget.policy/webhook-pdb created
deployment.apps/webhook created
service/webhook created
validatingwebhookconfiguration.admissionregistration.k8s.io/config.webhook.serving.knative.dev created
mutatingwebhookconfiguration.admissionregistration.k8s.io/webhook.serving.knative.dev created
validatingwebhookconfiguration.admissionregistration.k8s.io/validation.webhook.serving.knative.dev created
secret/webhook-certs created
View the Knative Serving resources
# kubectl get pods,deployment,services -n knative-serving -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/activator-77d4bd5f98-ntrv4 1/1 Running 0 34m 172.20.154.254 192.168.174.106 <none> <none>
pod/autoscaler-759dc65b99-46rx8 1/1 Running 0 34m 172.20.89.172 192.168.174.108 <none> <none>
pod/controller-5cd56cb696-jggzh 1/1 Running 0 34m 172.20.89.164 192.168.174.108 <none> <none>
pod/webhook-669b69c86b-bd4hp 1/1 Running 0 34m 172.20.154.221 192.168.174.106 <none> <none>
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
deployment.apps/activator 1/1 1 1 34m activator gcr.dockerproxy.com/knative-releases/knative.dev/serving/cmd/activator@sha256:6b98eed95dd6dcc3d957e673aea3d271b768225442504316d713c08524f44ebe app=activator,role=activator
deployment.apps/autoscaler 1/1 1 1 34m autoscaler gcr.dockerproxy.com/knative-releases/knative.dev/serving/cmd/autoscaler@sha256:5b52cc9aa521ee236645db57f19b70f2a0e8f6ef27dfa9181409a0f96406e2ad app=autoscaler
deployment.apps/controller 1/1 1 1 34m controller gcr.dockerproxy.com/knative-releases/knative.dev/serving/cmd/controller@sha256:b11dbcba050eac9084edd021b7e0eee16b39c9e397b245bc4227266af1893404 app=controller
deployment.apps/webhook 1/1 1 1 34m webhook gcr.dockerproxy.com/knative-releases/knative.dev/serving/cmd/webhook@sha256:7b138c73fcaaf0b9bb2d414b8a89a780f8c09371d24c6f57969be1694acf4aaa app=webhook,role=webhook
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/activator-service ClusterIP 10.100.114.223 <none> 9090/TCP,8008/TCP,80/TCP,81/TCP,443/TCP 34m app=activator
service/autoscaler ClusterIP 10.100.183.199 <none> 9090/TCP,8008/TCP,8080/TCP 34m app=autoscaler
service/autoscaler-bucket-00-of-01 ClusterIP 10.100.167.12 <none> 8080/TCP 34m <none>
service/controller ClusterIP 10.100.121.104 <none> 9090/TCP,8008/TCP 34m app=controller
service/webhook ClusterIP 10.100.177.224 <none> 9090/TCP,8008/TCP,443/TCP 34m app=webhook,role=webhook
Deploy Istio
Download Istio
# export ISTIO_VERSION=1.18.0
# wget https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz
# tar xf istio-${ISTIO_VERSION}-linux-amd64.tar.gz
# export PATH="$PWD/istio-${ISTIO_VERSION}/bin:$PATH"
Deploy Istio
# istioctl install --set profile=demo -y
Deploy the Knative Istio controller
# kubectl apply -f https://github.com/knative/net-istio/releases/download/knative-v1.11.0/net-istio.yaml
clusterrole.rbac.authorization.k8s.io/knative-serving-istio created
gateway.networking.istio.io/knative-ingress-gateway created
gateway.networking.istio.io/knative-local-gateway created
service/knative-local-gateway created
configmap/config-istio created
peerauthentication.security.istio.io/webhook created
peerauthentication.security.istio.io/net-istio-webhook created
deployment.apps/net-istio-controller created
deployment.apps/net-istio-webhook created
secret/net-istio-webhook-certs created
service/net-istio-webhook created
mutatingwebhookconfiguration.admissionregistration.k8s.io/webhook.istio.networking.internal.knative.dev created
validatingwebhookconfiguration.admissionregistration.k8s.io/config.webhook.istio.networking.internal.knative.dev created
Enable automatic sidecar injection
# kubectl label namespace knative-serving istio-injection=enabled
Combining Istio mTLS with Knative
istio-PeerAuthentication-knative.yaml
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "knative-serving"
spec:
  mtls:
    mode: PERMISSIVE
Create the resource
# kubectl apply -f istio-PeerAuthentication-knative.yaml
View the Istio resources
Resources in the istio-system namespace
# kubectl get pods,deployment,service,gateway -n istio-system
NAME READY STATUS RESTARTS AGE
pod/istio-ingressgateway-d898789f-qcgdb 1/1 Running 0 4m27s
pod/istiod-5855798659-p2khk 1/1 Running 0 4m31s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/istio-ingressgateway 1/1 1 1 4m27s
deployment.apps/istiod 1/1 1 1 4m31s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/istio-ingressgateway LoadBalancer 10.100.247.211 <pending> 15021:64867/TCP,80:45240/TCP,443:49592/TCP 4m27s
service/istiod ClusterIP 10.100.237.122 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 4m31s
service/knative-local-gateway ClusterIP 10.100.157.86 <none> 80/TCP 3m6s
Resources in the knative-serving namespace
# kubectl get pods,deployment,service,gateway -n knative-serving
NAME READY STATUS RESTARTS AGE
pod/activator-77d4bd5f98-gdhhw 1/1 Running 0 9m19s
pod/autoscaler-759dc65b99-z827n 1/1 Running 0 9m19s
pod/controller-5cd56cb696-jwgk9 1/1 Running 0 9m19s
pod/net-istio-controller-7dcc87768c-vdnt7 1/1 Running 0 3m25s
pod/net-istio-webhook-55bb6bd985-94kbw 1/1 Running 0 3m25s
pod/webhook-669b69c86b-2x2g6 1/1 Running 0 9m18s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/activator 1/1 1 1 9m19s
deployment.apps/autoscaler 1/1 1 1 9m19s
deployment.apps/controller 1/1 1 1 9m19s
deployment.apps/net-istio-controller 1/1 1 1 3m25s
deployment.apps/net-istio-webhook 1/1 1 1 3m25s
deployment.apps/webhook 1/1 1 1 9m18s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/activator-service ClusterIP 10.100.185.167 <none> 9090/TCP,8008/TCP,80/TCP,81/TCP,443/TCP 9m19s
service/autoscaler ClusterIP 10.100.163.27 <none> 9090/TCP,8008/TCP,8080/TCP 9m19s
service/autoscaler-bucket-00-of-01 ClusterIP 10.100.124.80 <none> 8080/TCP 9m17s
service/controller ClusterIP 10.100.162.32 <none> 9090/TCP,8008/TCP 9m19s
service/net-istio-webhook ClusterIP 10.100.252.82 <none> 9090/TCP,8008/TCP,443/TCP 3m25s
service/webhook ClusterIP 10.100.26.3 <none> 9090/TCP,8008/TCP,443/TCP 9m18s
NAME AGE
gateway.networking.istio.io/knative-ingress-gateway 3m25s
gateway.networking.istio.io/knative-local-gateway 3m25s
Add externalIPs to istio-ingressgateway
# kubectl patch svc istio-ingressgateway -n istio-system -p '{"spec":{"externalIPs":["192.168.174.249"]}}'
Get the external IP address
# kubectl --namespace istio-system get service istio-ingressgateway
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.100.247.211 192.168.174.249 15021:64867/TCP,80:45240/TCP,443:49592/TCP 98m
Verify Istio
# istioctl verify-install
1 Istio control planes detected, checking --revision "default" only
✔ ClusterRole: istiod-istio-system.istio-system checked successfully
✔ ClusterRole: istio-reader-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istio-reader-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istiod-istio-system.istio-system checked successfully
✔ ServiceAccount: istio-reader-service-account.istio-system checked successfully
✔ Role: istiod-istio-system.istio-system checked successfully
✔ RoleBinding: istiod-istio-system.istio-system checked successfully
✔ ServiceAccount: istiod-service-account.istio-system checked successfully
✔ CustomResourceDefinition: wasmplugins.extensions.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: destinationrules.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: envoyfilters.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: gateways.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: proxyconfigs.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: serviceentries.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: sidecars.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: virtualservices.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: workloadentries.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: workloadgroups.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: authorizationpolicies.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: peerauthentications.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: requestauthentications.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: telemetries.telemetry.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: istiooperators.install.istio.io.istio-system checked successfully
✔ HorizontalPodAutoscaler: istiod.istio-system checked successfully
✔ ClusterRole: istiod-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRole: istiod-gateway-controller-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istiod-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istiod-gateway-controller-istio-system.istio-system checked successfully
✔ ConfigMap: istio.istio-system checked successfully
✔ Deployment: istiod.istio-system checked successfully
✔ ConfigMap: istio-sidecar-injector.istio-system checked successfully
✔ MutatingWebhookConfiguration: istio-sidecar-injector.istio-system checked successfully
✔ PodDisruptionBudget: istiod.istio-system checked successfully
✔ ClusterRole: istio-reader-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istio-reader-clusterrole-istio-system.istio-system checked successfully
✔ Role: istiod.istio-system checked successfully
✔ RoleBinding: istiod.istio-system checked successfully
✔ Service: istiod.istio-system checked successfully
✔ ServiceAccount: istiod.istio-system checked successfully
✔ ValidatingWebhookConfiguration: istio-validator-istio-system.istio-system checked successfully
✔ HorizontalPodAutoscaler: istio-ingressgateway.istio-system checked successfully
✔ Deployment: istio-ingressgateway.istio-system checked successfully
✔ PodDisruptionBudget: istio-ingressgateway.istio-system checked successfully
✔ Role: istio-ingressgateway-sds.istio-system checked successfully
✔ RoleBinding: istio-ingressgateway-sds.istio-system checked successfully
✔ Service: istio-ingressgateway.istio-system checked successfully
✔ ServiceAccount: istio-ingressgateway-service-account.istio-system checked successfully
Checked 15 custom resource definitions
Checked 2 Istio Deployments
✔ Istio is installed and verified successfully
Deploy the HPA extension
Deploy HPA
# kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.11.0/serving-hpa.yaml
deployment.apps/autoscaler-hpa created
service/autoscaler-hpa created
View the resources
# kubectl get pods,deployment,service,gateway -n knative-serving
NAME READY STATUS RESTARTS AGE
pod/activator-77d4bd5f98-gdhhw 1/1 Running 0 101m
pod/autoscaler-759dc65b99-z827n 1/1 Running 0 101m
pod/autoscaler-hpa-6c489c6858-qv2n2 2/2 Running 0 49s
pod/controller-5cd56cb696-jwgk9 1/1 Running 0 101m
pod/net-istio-controller-7dcc87768c-vdnt7 1/1 Running 0 95m
pod/net-istio-webhook-55bb6bd985-94kbw 1/1 Running 0 95m
pod/webhook-669b69c86b-2x2g6 1/1 Running 0 101m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/activator 1/1 1 1 101m
deployment.apps/autoscaler 1/1 1 1 101m
deployment.apps/autoscaler-hpa 1/1 1 1 49s
deployment.apps/controller 1/1 1 1 101m
deployment.apps/net-istio-controller 1/1 1 1 95m
deployment.apps/net-istio-webhook 1/1 1 1 95m
deployment.apps/webhook 1/1 1 1 101m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/activator-service ClusterIP 10.100.185.167 <none> 9090/TCP,8008/TCP,80/TCP,81/TCP,443/TCP 101m
service/autoscaler ClusterIP 10.100.163.27 <none> 9090/TCP,8008/TCP,8080/TCP 101m
service/autoscaler-bucket-00-of-01 ClusterIP 10.100.124.80 <none> 8080/TCP 101m
service/autoscaler-hpa ClusterIP 10.100.23.92 <none> 9090/TCP,8008/TCP 49s
service/controller ClusterIP 10.100.162.32 <none> 9090/TCP,8008/TCP 101m
service/net-istio-webhook ClusterIP 10.100.252.82 <none> 9090/TCP,8008/TCP,443/TCP 95m
service/webhook ClusterIP 10.100.26.3 <none> 9090/TCP,8008/TCP,443/TCP 101m
NAME AGE
gateway.networking.istio.io/knative-ingress-gateway 95m
gateway.networking.istio.io/knative-local-gateway 95m
Deploy kn
Download kn
# wget https://github.com/knative/client/releases/download/knative-v1.11.0/kn-linux-amd64
Install kn
# mv kn-linux-amd64 /usr/local/bin/kn
# chmod +x /usr/local/bin/kn
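The steps above place the downloaded binary on the PATH without checking its integrity. The following is an added example, not part of the original post: it installs the binary only when its SHA-256 matches an entry in a checksums file. The `install_verified` function and the existence of a `checksums.txt` in sha256sum format for this release are assumptions.

```shell
#!/bin/sh
# Added example: install a downloaded binary only if its SHA-256 matches a
# checksums file. The checksums file ("<hex>  <name>" per line, sha256sum
# format) is an assumption; the page does not download one.

# install_verified BIN SUMS DEST
#   returns 0 and installs BIN at DEST (mode 0755) on match,
#   1 on mismatch, 2 when SUMS has no entry for BIN's file name.
install_verified() {
  bin=$1; sums=$2; dest=$3
  name=$(basename "$bin")
  # Accept both text-mode ("name") and binary-mode ("*name") entries.
  want=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
  [ -n "$want" ] || { echo "no checksum entry for $name" >&2; return 2; }
  got=$(sha256sum "$bin" | awk '{ print $1 }')
  [ "$got" = "$want" ] || { echo "checksum mismatch for $name" >&2; return 1; }
  cp "$bin" "$dest" && chmod 0755 "$dest"
}

# demo: constructed stand-in file and checksums, written to a temp directory.
demo() {
  dir=$(mktemp -d)
  printf 'constructed stand-in for the kn binary\n' > "$dir/kn-linux-amd64"
  ( cd "$dir" && sha256sum kn-linux-amd64 > checksums.txt )
  install_verified "$dir/kn-linux-amd64" "$dir/checksums.txt" "$dir/kn" \
    && echo "installed after checksum match"
  printf 'modified after download\n' >> "$dir/kn-linux-amd64"
  install_verified "$dir/kn-linux-amd64" "$dir/checksums.txt" "$dir/kn2" \
    || echo "refused: file no longer matches its checksum"
  rm -rf "$dir"
}
demo

# Usage with the file names from the step above (checksums.txt assumed):
#   install_verified kn-linux-amd64 checksums.txt /usr/local/bin/kn
```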
Verify kn
# kn version
Version: v1.11.0
Build Date: 2023-07-27 07:42:56
Git Revision: b7508e67
Supported APIs:
* Serving
- serving.knative.dev/v1 (knative-serving v1.11.0)
* Eventing
- sources.knative.dev/v1 (knative-eventing v1.11.0)
- eventing.knative.dev/v1 (knative-eventing v1.11.0)
kn usage
# kn --help
kn is the command line interface for managing Knative Serving and Eventing resources
Find more information about Knative at: https://knative.dev
Serving Commands:
service Manage Knative services
revision Manage service revisions
route List and describe service routes
domain Manage domain mappings
container Manage service's containers (experimental)
Eventing Commands:
source Manage event sources
broker Manage message brokers
trigger Manage event triggers
channel Manage event channels
subscription Manage event subscriptions
eventtype Manage eventtypes
Other Commands:
plugin Manage kn plugins
secret Manage secrets
completion Output shell completion code
version Show the version of this client
Use "kn <command> --help" for more information about a given command.
Use "kn options" for a list of global command-line options (applies to all commands).
References
https://knative.dev/docs/install/yaml-install/serving/install-serving-with-yaml/
From: https://www.cnblogs.com/wangguishe/p/17699955.html