istio installation
premise:
kubernetes 1.7.3 and above, and enable RBAC
kubernetes 1.9 and above, support automatic installation of sidecar injection
Environmental requirements:
1. Open serviceaccount
2. Network component
3. Have dns
Download the source package:
cd /usr/local/src/
wget https://github.com/istio/istio/releases/download/0.7.1/istio-0.7.1-linux.tar.gz
tar -zxf istio-0.7.1-linux.tar.gzInstall
cd istio-0.7.1
cp bin/istioctl /usr/local/sbin/
kubectl apply -f install/kubernetes/istio.yamlIf you want to start tls
kubectl apply -f install/kubernetes/istio-auth.yaml
View all projects in namespace istio-system
image name, which can be downloaded in advance
docker.io/istio/proxy:0.7.1
docker.io/istio/mixer:0.7.1
docker.io/istio/pilot:0.7.1
docker.io/istio/istio-ca:0.7.1Check if the installation is successful
kubectl get svc -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingress LoadBalancer 10.111.150.31 <pending> 80:31691/TCP,443:30512/TCP 4h
istio-mixer ClusterIP 10.100.150.25 <none> 9091/TCP,15004/TCP,9093/TCP,9094/TCP,9102/TCP,9125/UDP,42422/TCP 4h
istio-pilot ClusterIP 10.108.203.112 <none> 15003/TCP,15005/TCP,15007/TCP,15010/TCP,8080/TCP,9093/TCP,443/TCP 4hNote: EXTERNAL-IP is pending if the cluster does not support load banlance. NodePort or port forwarding can be set to achieve access
Check if the pod is normal
kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
istio-ca-5d495f8897-dvpg6 1/1 Running 0 4h
istio-ingress-5b5db76895-wqndc 1/1 Running 0 4h
istio-mixer-db9f8d47d-7gn9h 3/3 Running 0 4h
istio-pilot-84fcc8d4d7-lk9n2 2/2 Running 0 4hIf it is version 1.9, there is also pod: istio-sidecar-injector-
Deploy the application
Note: The application must be HTTP/1.1 or HTTP/2.0, because HTTP/1.0 is not supported
If it is version 1.9 and pod (istio-sidecar-injector) is enabled, you can use the kubectl create command directly
kubectl label namespace <namespace> istio-injection=enabled
kubectl create -n <namespace> -f <your-app>.yamlIf Istio-sidecar-injector is not installed, it must be added manuallykubectl create -f <(istioctl kube-inject -f <your-app>.yaml)
uninstall
1. Enable sidecar injector during installation
kubectl delete -f install/kubernetes/istio-sidecar-injector-with-ca-bundle.yaml
2. No TLS authentication:
kubectl delete -f install/kubernetes/istio.yaml
3. With TLS certification:
kubectl delete -f install/kubernetes/istio-auth.yaml
Example of use
Here is an example of helloworld directory location istio-0.7.1/samples/helloworld
Because the cluster version is 1.8 and there is no built-in injector, you need to manually change the yaml
istioctl kube-inject -f helloworld.yaml -o helloworld-istio.yaml
Using the new yaml file, deploy the servicekubectl create -f helloworld-istio.yaml
Get ingress url and port
export HELLOWORLD_URL=$(kubectl get po -l istio=ingress -o 'jsonpath={.items[0].status.hostIP}'):$(kubectl get svc istio-ingress -o 'jsonpath={.spec.ports[0].nodePort}')Check if the service is normalcurl http://$HELLOWORLD_URL/hello
Note: Because the cluster has no loadbalance, it can only be accessed with nodeport
get node ipkubectl get po -l istio=ingress -n istio-system -o 'jsonpath={.items[0].status.hostIP}'
get node portkubectl get svc istio-ingress -n istio-system -o 'jsonpath={.spec.ports[0].nodePort}'
Visit nowcurl http://$HELLOWORLD_URL/hello
The discovery rule is to poll each node
route-rule writing
1. Only v1 can be accessed, route-rule-all-v1.yaml
apiVersion: config.istio.io/v1alpha2
kind: RouteRule
metadata:
name: helloword-default
spec:
destination:
name: helloworld
route:
- labels:
version: v12. Only access v2, route-rule-all-v2.yaml
apiVersion: config.istio.io/v1alpha2
kind: RouteRule
metadata:
name: helloword-default
spec:
destination:
name: helloworld
route:
- labels:
version: v2istio command
delete ruleistioctl delete routerules helloword-default
View the rulesistioctl get routerules