Environment
Kubernetes cluster: v1.25.2
Istio version: 1.15.2
Downloading Istio
Method 1
# curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.15.2 TARGET_ARCH=x86_64 sh -
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 101 100 101 0 0 623 0 --:--:-- --:--:-- --:--:-- 623
100 4856 100 4856 0 0 3676 0 0:00:01 0:00:01 --:--:-- 4542
Downloading istio-1.15.2 from https://github.com/istio/istio/releases/download/1.15.2/istio-1.15.2-linux-amd64.tar.gz ...
Istio 1.15.2 Download Complete!
Istio has been successfully downloaded into the istio-1.15.2 folder on your system.
Next Steps:
See https://istio.io/latest/docs/setup/install/ to add Istio to your Kubernetes cluster.
To configure the istioctl client tool for your workstation,
add the /usr/local/istio-1.15.2/bin directory to your environment path variable with:
export PATH="$PATH:/usr/local/istio-1.15.2/bin"
Begin the Istio pre-installation check by running:
istioctl x precheck
Need more information? Visit https://istio.io/latest/docs/setup/install/
Method 2
# export ISTIO_VERSION=1.15.2
# wget https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz
# tar xf istio-${ISTIO_VERSION}-linux-amd64.tar.gz
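Method 2 unpacks the tarball exactly as downloaded. The following added example (not part of the original post) checks the archive against a published SHA-256 digest and extracts it only on a match. The function name verified_extract is hypothetical, and the script assumes the release page also serves a "<tarball>.sha256" file in the usual "<digest>  <file name>" form.

```shell
#!/bin/sh
# Added example: verify a release tarball against its SHA-256 before unpacking.
# Assumption: "<tarball>.sha256" is published next to the tarball and its first
# field is the hex digest.

# verified_extract TARBALL SUMFILE DESTDIR
# Returns 0 and extracts only when the digest matches; returns 1 otherwise.
verified_extract() {
  tarball=$1; sumfile=$2; dest=$3
  [ -r "$tarball" ] && [ -r "$sumfile" ] || {
    echo "missing tarball or checksum file" >&2; return 1; }
  expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
  actual=$(sha256sum "$tarball" | awk '{ print $1 }')
  # A SHA-256 digest is exactly 64 hex characters; reject anything else
  # (empty file, HTML error page saved by wget, truncated download).
  case $expected in
    *[!0-9a-f]*) echo "malformed checksum file" >&2; return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "malformed checksum file" >&2; return 1; }
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $tarball" >&2
    return 1
  fi
  mkdir -p "$dest" && tar xf "$tarball" -C "$dest"
}

# Typical use with the variables from Method 2 (network access assumed):
#   f=istio-${ISTIO_VERSION}-linux-amd64.tar.gz
#   wget "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/$f.sha256"
#   verified_extract "$f" "$f.sha256" .
```

Because the digest comes from the same release page as the tarball, this catches a corrupted or swapped download, not a compromised release.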
Setting the PATH environment variable
# cd istio-${ISTIO_VERSION}/
# export PATH=$PWD/bin:$PATH
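Istio installation directory layout
- bin # binary executables
- manifests
  - manifests/profiles/ # built-in configuration profiles
- samples # sample applications
  - samples/addons/ # sample manifests for deploying the add-on components
  - samples/bookinfo/ # the bookinfo sample microservice project
- tools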
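Customizing the Istio deployment
- Customizing the configuration
  - Every configuration parameter in the IstioOperator API can be set individually on the istioctl command line with the --set option; for example:
    - To enable debug logging for the default profile at install time, use the following command:
      ~$ istioctl install --set profile=default --set values.global.logging.level=debug
    - To enable the EgressGateway component for the default profile at install time (egressGateways is a list, so the entry is addressed by index):
      ~$ istioctl install --set profile=default --set "components.egressGateways[0].enabled=true"
- Customizing Kubernetes settings
  - The IstioOperator API supports customizing the Kubernetes settings of every component in a consistent way; each component has a KubernetesResourcesSpec
  - It allows many configuration parameters to be modified
    - including Resources, Readiness probes, Replica count, HPA, PDB, Pod annotations, Service annotations, ImagePullPolicy, Node selector, Service, Toleration, Strategy, Env and Pod security context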
Using Istio
istioctl help
# istioctl --help
Istio configuration command line utility for service operators to
debug and diagnose their Istio mesh.
Usage:
istioctl [command]
Available Commands:
admin Manage control plane (istiod) configuration
analyze Analyze Istio configuration and print validation messages
authz (authz is experimental. Use `istioctl experimental authz`)
bug-report Cluster information and log capture support tool.
completion Generate the autocompletion script for the specified shell
create-remote-secret Create a secret with credentials to allow Istio to access remote Kubernetes apiservers
dashboard Access to Istio web UIs
experimental Experimental commands that may be modified or deprecated
help Help about any command
install Applies an Istio manifest, installing or reconfiguring Istio on a cluster.
kube-inject Inject Istio sidecar into Kubernetes pod resources
manifest Commands related to Istio manifests
operator Commands related to Istio operator controller.
profile Commands related to Istio configuration profiles
proxy-config Retrieve information about proxy configuration from Envoy [kube only]
proxy-status Retrieves the synchronization status of each Envoy in the mesh [kube only]
remote-clusters Lists the remote clusters each istiod instance is connected to.
tag Command group used to interact with revision tags
uninstall Uninstall Istio from a cluster
upgrade Upgrade Istio control plane in-place
validate Validate Istio policy and rules files
verify-install Verifies Istio Installation Status
version Prints out build version information
Flags:
--context string The name of the kubeconfig context to use
-h, --help help for istioctl
-i, --istioNamespace string Istio system namespace (default "istio-system")
-c, --kubeconfig string Kubernetes configuration file
-n, --namespace string Config namespace
--vklog Level number for the log level verbosity. Like -v flag. ex: --vklog=9
Additional help topics:
istioctl options Displays istioctl global options
Use "istioctl [command] --help" for more information about a command.
Viewing Istio's built-in profiles
# istioctl profile --help
The profile command lists, dumps or diffs Istio configuration profiles.
Usage:
istioctl profile [command]
Examples:
istioctl profile list
istioctl install --set profile=demo # Use a profile from the list
Available Commands:
diff Diffs two Istio configuration profiles
dump Dumps an Istio configuration profile
list Lists available Istio configuration profiles
Flags:
--dry-run Console/log output only, make no changes.
-h, --help help for profile
Global Flags:
--context string The name of the kubeconfig context to use
-c, --kubeconfig string Kubernetes configuration file
--vklog Level number for the log level verbosity. Like -v flag. ex: --vklog=9
Use "istioctl profile [command] --help" for more information about a command.
Usage example 1
# istioctl profile list
Istio configuration profiles:
default
demo
empty
external
minimal
openshift
preview
Usage example 2
# istioctl profile dump demo
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    base:
      enabled: true
    cni:
      enabled: false
    egressGateways:
    - enabled: true
      k8s:
        resources:
          requests:
            cpu: 10m
            memory: 40Mi
      name: istio-egressgateway
    ingressGateways:
    - enabled: true
      k8s:
        resources:
          requests:
            cpu: 10m
            memory: 40Mi
        service:
          ports:
          - name: status-port
            port: 15021
            targetPort: 15021
          - name: http2
            port: 80
            targetPort: 8080
          - name: https
            port: 443
            targetPort: 8443
          - name: tcp
            port: 31400
            targetPort: 31400
          - name: tls
            port: 15443
            targetPort: 15443
      name: istio-ingressgateway
    istiodRemote:
      enabled: false
    pilot:
      enabled: true
      k8s:
        env:
        - name: PILOT_TRACE_SAMPLING
          value: "100"
        resources:
          requests:
            cpu: 10m
            memory: 100Mi
  hub: docker.io/istio
  meshConfig:
    accessLogFile: /dev/stdout
    defaultConfig:
      proxyMetadata: {}
    enablePrometheusMerge: true
    extensionProviders:
    - envoyOtelAls:
        port: 4317
        service: opentelemetry-collector.istio-system.svc.cluster.local
      name: otel
  profile: demo
  tag: 1.15.2
  values:
    base:
      enableCRDTemplates: false
      validationURL: ""
    defaultRevision: ""
    gateways:
      istio-egressgateway:
        autoscaleEnabled: false
        env: {}
        name: istio-egressgateway
        secretVolumes:
        - mountPath: /etc/istio/egressgateway-certs
          name: egressgateway-certs
          secretName: istio-egressgateway-certs
        - mountPath: /etc/istio/egressgateway-ca-certs
          name: egressgateway-ca-certs
          secretName: istio-egressgateway-ca-certs
        type: ClusterIP
      istio-ingressgateway:
        autoscaleEnabled: false
        env: {}
        name: istio-ingressgateway
        secretVolumes:
        - mountPath: /etc/istio/ingressgateway-certs
          name: ingressgateway-certs
          secretName: istio-ingressgateway-certs
        - mountPath: /etc/istio/ingressgateway-ca-certs
          name: ingressgateway-ca-certs
          secretName: istio-ingressgateway-ca-certs
        type: LoadBalancer
    global:
      configValidation: true
      defaultNodeSelector: {}
      defaultPodDisruptionBudget:
        enabled: true
      defaultResources:
        requests:
          cpu: 10m
      imagePullPolicy: ""
      imagePullSecrets: []
      istioNamespace: istio-system
      istiod:
        enableAnalysis: false
      jwtPolicy: third-party-jwt
      logAsJson: false
      logging:
        level: default:info
      meshNetworks: {}
      mountMtlsCerts: false
      multiCluster:
        clusterName: ""
        enabled: false
      network: ""
      omitSidecarInjectorConfigMap: false
      oneNamespace: false
      operatorManageWebhooks: false
      pilotCertProvider: istiod
      priorityClassName: ""
      proxy:
        autoInject: enabled
        clusterDomain: cluster.local
        componentLogLevel: misc:error
        enableCoreDump: false
        excludeIPRanges: ""
        excludeInboundPorts: ""
        excludeOutboundPorts: ""
        image: proxyv2
        includeIPRanges: '*'
        logLevel: warning
        privileged: false
        readinessFailureThreshold: 30
        readinessInitialDelaySeconds: 1
        readinessPeriodSeconds: 2
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 10m
            memory: 40Mi
        statusPort: 15020
        tracer: zipkin
      proxy_init:
        image: proxyv2
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 10m
            memory: 10Mi
      sds:
        token:
          aud: istio-ca
      sts:
        servicePort: 0
      tracer:
        datadog: {}
        lightstep: {}
        stackdriver: {}
        zipkin: {}
      useMCP: false
    istiodRemote:
      injectionURL: ""
    pilot:
      autoscaleEnabled: false
      autoscaleMax: 5
      autoscaleMin: 1
      configMap: true
      cpu:
        targetAverageUtilization: 80
      enableProtocolSniffingForInbound: true
      enableProtocolSniffingForOutbound: true
      env: {}
      image: pilot
      keepaliveMaxServerConnectionAge: 30m
      nodeSelector: {}
      podLabels: {}
      replicaCount: 1
      traceSampling: 1
    telemetry:
      enabled: true
      v2:
        enabled: true
        metadataExchange:
          wasmEnabled: false
        prometheus:
          enabled: true
          wasmEnabled: false
        stackdriver:
          configOverride: {}
          enabled: false
          logging: false
          monitoring: false
          topology: false
Converting a profile into Kubernetes manifests
Command syntax
# istioctl manifest --help
The manifest command generates and diffs Istio manifests.
Usage:
istioctl manifest [command]
Available Commands:
diff Compare manifests and generate diff
generate Generates an Istio install manifest
install Applies an Istio manifest, installing or reconfiguring Istio on a cluster.
Flags:
--dry-run Console/log output only, make no changes.
-h, --help help for manifest
Global Flags:
--context string The name of the kubeconfig context to use
-c, --kubeconfig string Kubernetes configuration file
--vklog Level number for the log level verbosity. Like -v flag. ex: --vklog=9
Use "istioctl manifest [command] --help" for more information about a command.
Usage example
# istioctl manifest generate --set profile=demo | kubectl apply -f -
Installing Istio
Install command syntax
# istioctl install --help
The install command generates an Istio install manifest and applies it to a cluster.
Usage:
istioctl install [flags]
Aliases:
install, apply
Examples:
# Apply a default Istio installation
istioctl install
# Enable Tracing
istioctl install --set meshConfig.enableTracing=true
# Generate the demo profile and don't wait for confirmation
istioctl install --set profile=demo --skip-confirmation
# To override a setting that includes dots, escape them with a backslash (\). Your shell may require enclosing quotes.
istioctl install --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"
# For setting boolean-string option, it should be enclosed quotes and escaped with a backslash (\).
istioctl install --set meshConfig.defaultConfig.proxyMetadata.PROXY_XDS_VIA_AGENT=\"false\"
Flags:
--dry-run Console/log output only, make no changes.
-f, --filename strings Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order.
--force Proceed even with validation errors.
-h, --help help for install
-d, --manifests string Specify a path to a directory of charts and profiles
(e.g. ~/Downloads/istio-1.15.2/manifests)
or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.15.2/istio-1.15.2-linux-amd64.tar.gz).
--readiness-timeout duration Maximum time to wait for Istio resources in each component to be ready. (default 5m0s)
-r, --revision string Target control plane revision for the command.
-s, --set stringArray Override an IstioOperator value, e.g. to choose a profile
(--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio
settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.15/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
-y, --skip-confirmation The skipConfirmation determines whether the user is prompted for confirmation.
If set to true, the user is not prompted and a Yes response is assumed in all cases.
--verify Verify the Istio control plane after installation/in-place upgrade
Global Flags:
--context string The name of the kubeconfig context to use
-c, --kubeconfig string Kubernetes configuration file
--vklog Level number for the log level verbosity. Like -v flag. ex: --vklog=9
Pre-installation environment check
# istioctl x precheck
✔ No issues found when checking the cluster. Istio is safe to install or upgrade!
To get started, check out https://istio.io/latest/docs/setup/getting-started/
Running the installation
# istioctl install --set profile=demo -y
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Installation complete Making this installation the default for injection and validation.
Thank you for installing Istio 1.15. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/SWHFBmwJspusK1hv6
Enabling automatic sidecar injection
Label the namespaces that need it
# kubectl label namespace default istio-injection=enabled
namespace/default labeled
Verifying the deployment
pods
~# kubectl get pods -n istio-system -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
istio-egressgateway-fffc799cf-vt4b7 1/1 Running 0 59m 172.20.44.195 192.168.174.107 <none> <none>
istio-ingressgateway-7d68764b55-n2wk8 1/1 Running 0 59m 172.20.44.196 192.168.174.107 <none> <none>
istiod-5456fd558d-7l7xd 1/1 Running 0 59m 172.20.44.194 192.168.174.107 <none> <none>
svc
~# kubectl get svc -n istio-system -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
istio-egressgateway ClusterIP 10.100.86.184 <none> 80/TCP,443/TCP 58m app=istio-egressgateway,istio=egressgateway
istio-ingressgateway LoadBalancer 10.100.63.147 <pending> 15021:43732/TCP,80:55697/TCP,443:59179/TCP,31400:43335/TCP,15443:33703/TCP 58m app=istio-ingressgateway,istio=ingressgateway
istiod ClusterIP 10.100.50.155 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 59m app=istiod,istio=pilot
image
~# crictl image |grep istio
docker.io/istio/pilot 1.15.2 245047de26c06 73.9MB
docker.io/istio/proxyv2 1.15.2 25585bdfb0f7a 91.4MB
Deploying the add-ons
Listing the built-in add-ons
# ls -l samples/addons/
total 288
-rw-r--r-- 1 root root 5194 Oct 8 02:48 README.md
drwxr-xr-x 2 root root 4096 Oct 8 02:48 extras
-rw-r--r-- 1 root root 246979 Oct 8 02:48 grafana.yaml
-rw-r--r-- 1 root root 2533 Oct 8 02:48 jaeger.yaml
-rw-r--r-- 1 root root 11727 Oct 8 02:48 kiali.yaml
-rw-r--r-- 1 root root 14509 Oct 8 02:48 prometheus.yaml
Exposing the Kiali port
spec:
  type: NodePort
  ports:
  - name: http
    protocol: TCP
    port: 20001
    targetPort: 20001
    nodePort: 30001
  - name: http-metrics
    protocol: TCP
    port: 9090
  selector:
    app.kubernetes.io/name: kiali
    app.kubernetes.io/instance: kiali
Applying the add-on manifests
# kubectl apply -f samples/addons/
serviceaccount/grafana created
configmap/grafana created
service/grafana created
deployment.apps/grafana created
configmap/istio-grafana-dashboards created
configmap/istio-services-grafana-dashboards created
deployment.apps/jaeger created
service/tracing created
service/zipkin created
service/jaeger-collector created
serviceaccount/kiali created
configmap/kiali created
clusterrole.rbac.authorization.k8s.io/kiali-viewer created
clusterrole.rbac.authorization.k8s.io/kiali created
clusterrolebinding.rbac.authorization.k8s.io/kiali created
role.rbac.authorization.k8s.io/kiali-controlplane created
rolebinding.rbac.authorization.k8s.io/kiali-controlplane created
service/kiali created
deployment.apps/kiali created
serviceaccount/prometheus created
configmap/prometheus created
clusterrole.rbac.authorization.k8s.io/prometheus created
clusterrolebinding.rbac.authorization.k8s.io/prometheus created
service/prometheus created
deployment.apps/prometheus created
Verifying the deployment
# kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
grafana-56bdf8bf85-g2vgz 1/1 Running 0 118s
istio-egressgateway-fffc799cf-vt4b7 1/1 Running 0 66m
istio-ingressgateway-7d68764b55-n2wk8 1/1 Running 0 66m
istiod-5456fd558d-7l7xd 1/1 Running 0 67m
jaeger-c4fdf6674-tc9mn 1/1 Running 0 118s
kiali-5ff49b9f69-qlb2s 1/1 Running 0 117s
prometheus-85949fddb-4p4nr 2/2 Running 0 117s
# kubectl get svc -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
grafana ClusterIP 10.100.196.126 <none> 3000/TCP 2m30s
istio-egressgateway ClusterIP 10.100.86.184 <none> 80/TCP,443/TCP 86m
istio-ingressgateway LoadBalancer 10.100.63.147 <pending> 15021:43732/TCP,80:55697/TCP,443:59179/TCP,31400:43335/TCP,15443:33703/TCP 86m
istiod ClusterIP 10.100.50.155 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 87m
jaeger-collector ClusterIP 10.100.194.250 <none> 14268/TCP,14250/TCP,9411/TCP 2m29s
kiali NodePort 10.100.139.46 <none> 20001:30001/TCP,9090:36607/TCP 2m29s
prometheus ClusterIP 10.100.127.66 <none> 9090/TCP 2m28s
tracing ClusterIP 10.100.18.156 <none> 80/TCP,16685/TCP 2m29s
zipkin ClusterIP 10.100.155.241 <none> 9411/TCP 2m29s
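A NodePort or LoadBalancer Service is reachable on node addresses from outside the cluster, so it is worth listing what the install and the add-ons actually expose. The following added example (not part of the original post) filters a `kubectl get svc` table down to those Services and their node ports; the function names are hypothetical and the sample rows are abridged from the output above.

```shell
#!/bin/sh
# Added example: list Services in a `kubectl get svc` table that are exposed
# outside the cluster (NodePort / LoadBalancer) and the node ports they open.

# Constructed sample: rows abridged from the istio-system output shown above.
sample_svc_table() {
cat <<'EOF'
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
grafana ClusterIP 10.100.196.126 <none> 3000/TCP 2m30s
istio-ingressgateway LoadBalancer 10.100.63.147 <pending> 15021:43732/TCP,80:55697/TCP,443:59179/TCP 86m
kiali NodePort 10.100.139.46 <none> 20001:30001/TCP,9090:36607/TCP 2m29s
prometheus ClusterIP 10.100.127.66 <none> 9090/TCP 2m28s
EOF
}

# Reads a `kubectl get svc` table on stdin and prints one line per exposed
# Service: "name type nodePort[,nodePort...]".
exposed_services() {
  awk 'NR > 1 && ($2 == "NodePort" || $2 == "LoadBalancer") {
    n = split($5, ports, ",")
    out = ""
    for (i = 1; i <= n; i++) {
      # PORT(S) entries look like port:nodePort/PROTO; keep the nodePort part
      if (split(ports[i], p, "[:/]") == 3)
        out = out (out == "" ? "" : ",") p[2]
    }
    print $1, $2, out
  }'
}

# Live use (assumes kubectl access to the cluster):
#   kubectl get svc -n istio-system | exposed_services
sample_svc_table | exposed_services
```

On the sample rows this reports istio-ingressgateway and kiali; the ClusterIP Services are skipped because they are only reachable from inside the cluster.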
Accessing Kiali
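Uninstalling Istio
- Uninstall Istio with the istioctl command
  - Command: istioctl experimental uninstall
- Uninstall methods
  - Uninstall a specific control plane
    - Uninstall the control plane defined in a given file
      ~$ istioctl x uninstall -f <FILE>
    - Uninstall a given revision
      ~$ istioctl x uninstall --revision <NAME>
    - Generate the manifests from the options used at install time and delete them with kubectl
      ~$ istioctl manifest generate <your original installation options> | kubectl delete -f -
  - Remove every control plane deployed on the cluster
    ~$ istioctl x uninstall --purge
Note: the control plane's namespace is not deleted by default; once you are sure it is no longer needed, delete it yourself.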
References
https://istio.io/latest/zh/docs/setup/getting-started/
From: https://www.cnblogs.com/wangguishe/p/16775509.html