Installing Istio

Published: 2023-06-29 14:37:27  Author: zwli
1.1.1 Deploying Istio with the Operator
# wget https://github.com/istio/istio/releases/download/1.13.0/istio-1.13.0-linux-amd64.tar.gz
# tar xf istio-1.13.0-linux-amd64.tar.gz
# cd istio-1.13.0
# mv bin/istioctl /usr/local/bin/
# istioctl version
Next, install the Istio Operator. It can be deployed in one step with istioctl:
# istioctl operator init
Installing operator controller in namespace: istio-operator using image: istio/operator:1.13.0
Operator controller will watch namespaces: istio-system
✔ Istio operator installed
✔ Installation complete
Once "Installation complete" appears, check that the Pod is running normally:
# kubectl get po -n istio-operator
NAME                              READY   STATUS    RESTARTS   AGE
istio-operator-7f546b959b-cq4c9   1/1     Running   0          116s
Then install Istio into Kubernetes by defining an IstioOperator resource:
# cat istio-operator.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: example-istiocontrolplane
spec:
  profile: default
  components: # custom component configuration
    ingressGateways: # custom ingressGateway configuration
       - name: istio-ingressgateway
         enabled: true # enable the ingressGateway
         k8s: # custom Kubernetes configuration for the ingressGateway
           service: # change the Service type to NodePort
             type: NodePort
             ports:
             - port: 15020
               nodePort: 30520
               name: status-port
             - port: 80
               nodePort: 30080
               name: http2
               targetPort: 8080
             - port: 443
               nodePort: 30443
               name: https
               targetPort: 8443
Install Istio:
# istioctl manifest apply -f istio-operator.yaml
This will install the Istio 1.13.0 default profile with ["Istio core" "Istiod" "Ingress gateways"] components into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Installation complete
Thank you for installing Istio 1.11. Please take a few minutes to tell us about your install/upgrade experience!
https://forms.gle/kWULBRjUv7hHci7T6
View the Services and Pods that were created:
# kubectl get svc,po -n istio-system
NAME                           TYPE        CLUSTER-IP        EXTERNAL-IP   PORT(S)                                      AGE
service/istio-ingressgateway   NodePort    192.168.99.93     <none>        15020:30020/TCP,80:30080/TCP,443:30443/TCP   83s
service/istiod                 ClusterIP   192.168.117.146   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP        5m42s

NAME                                        READY   STATUS    RESTARTS   AGE
pod/istio-ingressgateway-5684974946-vmw6v   1/1     Running   0          6m4s
pod/istiod-7859559dd-gwp6p                  1/1     Running   0          6m42s
 
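1.1.2 Configuring automatic injection
Edit the APIServer configuration file and add MutatingAdmissionWebhook,ValidatingAdmissionWebhook (already enabled by default if the K8s version is greater than 1.16):
# vi /etc/kubernetes/manifests/kube-apiserver.yaml # for a binary installation, locate the APIServer's Service file instead
- --enable-admission-plugins=MutatingAdmissionWebhook,ValidatingAdmissionWebhook # other configuration items are omitted in this example; readers only need to append these two
Next, create a test Namespace and add the label istio-injection=enabled to it. Pods created in that Namespace afterwards are automatically injected with the Istio Proxy.
Create the Namespace and add the Label:
# kubectl create ns istio-test
# kubectl label namespace istio-test istio-injection=enabled
Change to the directory of the Istio installation package, then create the test application. The Pod created here is automatically injected with an istio proxy container: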
# kubectl apply -f samples/sleep/sleep.yaml -n istio-test
service/sleep created
deployment.extensions/sleep created
View the deployed containers:
# kubectl get po -n istio-test
NAME                     READY   STATUS    RESTARTS   AGE
sleep-86cf99dfd6-h2nzh   2/2     Running   0          92s
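The 2/2 READY count only suggests that a second container exists. The check below is an added example, not part of the original post: it lists Pods in a labelled Namespace that run without the sidecar, for instance Pods created before the label was applied. The function names and sample Pods are constructed, and it assumes the sidecar is a regular container named istio-proxy, as in Istio 1.13.

```shell
#!/bin/sh
# Added example (not from the original post): find Pods in an
# injection-enabled Namespace that have no istio-proxy sidecar.

# Hypothetical helper: prints "<pod-name><TAB><container names>" per Pod.
list_pod_containers() {
    kubectl get pods -n "$1" -o \
        jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'
}

# Reads those lines on stdin and prints the names of Pods that have no
# container called exactly "istio-proxy" (a prefix match is not enough).
find_uninjected() {
    awk -F '\t' '
        $1 != "" {
            n = split($2, names, " ")
            found = 0
            for (i = 1; i <= n; i++)
                if (names[i] == "istio-proxy") found = 1
            if (!found) print $1
        }'
}

# Constructed sample input: one injected Pod, one Pod that predates the
# Namespace label, and one whose container name merely resembles the sidecar.
sample_pods() {
    printf 'sleep-86cf99dfd6-h2nzh\tsleep istio-proxy\n'
    printf 'legacy-job-5c9d7\tworker\n'
    printf 'proxy-lookalike-7d4f\tapp istio-proxy-exporter\n'
}

# Live use against the cluster: list_pod_containers istio-test | find_uninjected
sample_pods | find_uninjected
```

Pods reported here bypass the mesh until they are recreated, because injection happens only when a Pod is created.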
 
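1.1.3 Visualization tool Kiali
Kiali provides a visual interface for Istio. In Kiali you can observe traffic flow and call chains, and you can also use Kiali for configuration management, which gives users a very good experience.
Next, install Kiali in Kubernetes. First change into the Istio installation package directory: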
# kubectl create -f samples/addons/kiali.yaml
serviceaccount/kiali created
configmap/kiali created
clusterrole.rbac.authorization.k8s.io/kiali-viewer created
clusterrole.rbac.authorization.k8s.io/kiali created
clusterrolebinding.rbac.authorization.k8s.io/kiali created
role.rbac.authorization.k8s.io/kiali-controlplane created
rolebinding.rbac.authorization.k8s.io/kiali-controlplane created
service/kiali created
deployment.apps/kiali created
Check the deployment status:
# kubectl get po,svc -n istio-system -l app=kiali
NAME                        READY   STATUS    RESTARTS   AGE
pod/kiali-fd9f88575-zbphq   1/1     Running   0          9m39s

NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)              AGE
service/kiali   ClusterIP   192.168.55.181   <none>        20001/TCP,9090/TCP   8m40s
Afterwards, change the Service type to NodePort or configure an Ingress to access the Kiali service:

Besides Kiali, a distributed tracing tool is also needed. Once it is installed, the Traces of a given service can be viewed on Kiali's Workloads page. Install it directly:
# kubectl create -f samples/addons/jaeger.yaml
deployment.apps/jaeger created
service/tracing created
service/zipkin created
service/jaeger-collector created
 
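1.1.4 Prometheus and Grafana
Istio exposes many monitoring metrics by default, such as request counts, request durations, and Service and workload metrics. These metrics can be collected with Prometheus and displayed with Grafana.
Istio ships installation files for Prometheus and Grafana, which can be installed directly (an external Prometheus and Grafana can also be used):
# kubectl create -f samples/addons/prometheus.yaml -f samples/addons/grafana.yaml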
serviceaccount/prometheus created
configmap/prometheus created
clusterrole.rbac.authorization.k8s.io/prometheus created
clusterrolebinding.rbac.authorization.k8s.io/prometheus created
service/prometheus created
deployment.apps/prometheus created
serviceaccount/grafana created
configmap/grafana created
service/grafana created
deployment.apps/grafana created
configmap/istio-grafana-dashboards created
configmap/istio-services-grafana-dashboards created
View the Pods and Services that were created:
# kubectl get svc,pod -n istio-system
NAME                            TYPE        CLUSTER-IP        EXTERNAL-IP   PORT(S)                                      AGE
service/grafana                 ClusterIP   192.168.58.97     <none>        3000/TCP                                     36m
service/istio-ingressgateway    NodePort    192.168.99.93     <none>        15020:30020/TCP,80:30080/TCP,443:30443/TCP   42h
service/istiod                  ClusterIP   192.168.117.146   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP        42h
service/jaeger-collector        ClusterIP   192.168.174.239   <none>        14268/TCP,14250/TCP,9411/TCP                 36m
service/kiali                   NodePort    192.168.55.181    <none>        20001:31600/TCP,9090:31235/TCP               41m
service/knative-local-gateway   ClusterIP   192.168.93.127    <none>        80/TCP                                       41h
service/prometheus              ClusterIP   192.168.168.212   <none>        9090/TCP                                     36m
service/tracing                 ClusterIP   192.168.155.244   <none>        80/TCP,16685/TCP                             36m
service/zipkin                  ClusterIP   192.168.114.253   <none>        9411/TCP                                     36m

NAME                                        READY   STATUS    RESTARTS   AGE
pod/grafana-68cc7d6d78-tpx74                1/1     Running   0          37m
pod/istio-ingressgateway-5684974946-vmw6v   1/1     Running   0          42h
pod/istiod-7859559dd-gwp6p                  1/1     Running   0          42h
pod/jaeger-5d44bc5c5d-9wwj7                 1/1     Running   0          37m
pod/kiali-fd9f88575-zbphq                   1/1     Running   0          42m
pod/prometheus-77b49cb997-zkrm2             2/2     Running   0          37m
In the same way, change the Grafana Service to NodePort or add an Ingress, after which it can be accessed:
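Changing the Kiali and Grafana Services to NodePort publishes them on every node's address, and Istio's documentation describes the sample addon deployments as intended for demonstration and not tuned for security. The audit below is an added example, not part of the original post: it reads the `kubectl get svc` table and reports which addon Services have a node port. The function names are constructed and the sample rows are copied from the listing above.

```shell
#!/bin/sh
# Added example (not from the original post): report istio-system Services
# that are reachable on a node port, from `kubectl get svc` table output.

# Reads the default `kubectl get svc` table on stdin and prints
# "<service> <port> <nodePort>" for every NodePort/LoadBalancer mapping.
exposed_node_ports() {
    awk '
        $2 == "NodePort" || $2 == "LoadBalancer" {
            name = $1
            sub(/^service\//, "", name)   # prefix shown by `get svc,pod`
            n = split($5, maps, ",")
            for (i = 1; i <= n; i++) {
                m = maps[i]
                sub(/\/.*$/, "", m)       # drop the "/TCP" suffix
                if (split(m, p, ":") == 2) print name, p[1], p[2]
            }
        }'
}

# Keeps only the observability addons installed from samples/addons, which
# are usually meant for operators rather than for arbitrary network clients.
addon_exposure() {
    exposed_node_ports |
        awk '$1 ~ /^(kiali|grafana|prometheus|tracing|zipkin|jaeger-collector)$/'
}

# Sample rows copied from the listing on this page.
sample_services() {
    cat <<'EOF'
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/grafana ClusterIP 192.168.58.97 <none> 3000/TCP 36m
service/istio-ingressgateway NodePort 192.168.99.93 <none> 15020:30020/TCP,80:30080/TCP,443:30443/TCP 42h
service/kiali NodePort 192.168.55.181 <none> 20001:31600/TCP,9090:31235/TCP 41m
service/prometheus ClusterIP 192.168.168.212 <none> 9090/TCP 36m
EOF
}

# Live use: kubectl get svc -n istio-system | addon_exposure
sample_services | addon_exposure
```

Each reported line is a dashboard port that should sit behind an authenticated Ingress or be limited by firewall rules to operator addresses.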