Prerequisites
- Minikube
- Docker
Reference
Install Docker Engine on CentOS
minikube start
Download Istio & configure istioctl
Download
Set the cluster resources
# minikube start --cpus 6 --memory 8192 --force
Reference
Getting Started
# mkdir istio-installation
# cd istio-installation/
Download the required installation package:
# wget https://github.com/istio/istio/releases/download/1.22.0/istio-1.22.0-linux-amd64.tar.gz
# tar -xzvf istio-1.22.0-linux-amd64.tar.gz
# ls
istio-1.22.0 istio-1.22.0-linux-amd64.tar.gz
configure istioctl
Add istioctl to PATH. This only takes effect in the current terminal session.
# pwd
/root/istio-installation/istio-1.22.0
# export PATH=$PWD/bin:$PATH
# istioctl
Istio configuration command line utility for service operators to
debug and diagnose their Istio mesh.
Usage:
istioctl [command]
Available Commands:
admin Manage control plane (istiod) configuration
analyze Analyze Istio configuration and print validation messages
authz (authz is experimental. Use `istioctl experimental authz`)
bug-report Cluster information and log capture support tool.
completion Generate the autocompletion script for the specified shell
create-remote-secret Create a secret with credentials to allow Istio to access remote Kubernetes apiservers
dashboard Access to Istio web UIs
experimental Experimental commands that may be modified or deprecated
help Help about any command
install Applies an Istio manifest, installing or reconfiguring Istio on a cluster.
kube-inject Inject Istio sidecar into Kubernetes pod resources
manifest Commands related to Istio manifests
operator Commands related to Istio operator controller.
profile Commands related to Istio configuration profiles
proxy-config Retrieve information about proxy configuration from Envoy [kube only]
proxy-status Retrieves the synchronization status of each Envoy in the mesh
remote-clusters Lists the remote clusters each istiod instance is connected to.
tag Command group used to interact with revision tags
uninstall Uninstall Istio from a cluster
upgrade Upgrade Istio control plane in-place
validate Validate Istio policy and rules files
verify-install Verifies Istio Installation Status
version Prints out build version information
Flags:
--context string Kubernetes configuration context
-h, --help help for istioctl
-i, --istioNamespace string Istio system namespace (default "istio-system")
-c, --kubeconfig string Kubernetes configuration file
-n, --namespace string Kubernetes namespace
--vklog Level number for the log level verbosity. Like -v flag. ex: --vklog=9
Additional help topics:
istioctl options Displays istioctl global options
Use "istioctl [command] --help" for more information about a command.
Install Istio in Minikube cluster
# kubectl get ns
NAME STATUS AGE
default Active 34m
kube-node-lease Active 34m
kube-public Active 34m
kube-system Active 34m
Install the Istio core components
# istioctl install
This will install the Istio 1.22.0 "default" profile (with components: Istio core, Istiod, and Ingress gateways) into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Installation complete Made this installation the default for injection and validation.
Reference
https://istio.io/latest/docs/ops/deployment/architecture/
# kubectl get ns
NAME STATUS AGE
default Active 6m46s
istio-system Active 109s
kube-node-lease Active 6m46s
kube-public Active 6m46s
kube-system Active 6m46s
# kubectl get pod -n istio-system
NAME READY STATUS RESTARTS AGE
istio-ingressgateway-5f4d4f89d6-8xxmq 1/1 Running 0 3m
istiod-56855645c8-2qmpx 1/1 Running 0 3m8s
Deploy a Microservices Application
https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/main/release/kubernetes-manifests.yaml
Create the resources from this .yaml file
# vi kubernetes-manifests.yaml
# kubectl apply -f kubernetes-manifests.yaml
deployment.apps/currencyservice created
service/currencyservice created
serviceaccount/currencyservice created
deployment.apps/loadgenerator created
serviceaccount/loadgenerator created
deployment.apps/productcatalogservice created
service/productcatalogservice created
serviceaccount/productcatalogservice created
deployment.apps/checkoutservice created
service/checkoutservice created
serviceaccount/checkoutservice created
deployment.apps/shippingservice created
service/shippingservice created
serviceaccount/shippingservice created
deployment.apps/cartservice created
service/cartservice created
serviceaccount/cartservice created
deployment.apps/redis-cart created
service/redis-cart created
deployment.apps/emailservice created
service/emailservice created
serviceaccount/emailservice created
deployment.apps/paymentservice created
service/paymentservice created
serviceaccount/paymentservice created
deployment.apps/frontend created
service/frontend created
service/frontend-external created
serviceaccount/frontend created
deployment.apps/recommendationservice created
service/recommendationservice created
serviceaccount/recommendationservice created
deployment.apps/adservice created
service/adservice created
serviceaccount/adservice created
Wait until all Pods are in the Running state
# kubectl get pod
NAME READY STATUS RESTARTS AGE
adservice-7fd58465b7-jr2ck 1/1 Running 0 3m17s
cartservice-6f4fc7c4c4-w9jkv 1/1 Running 0 3m18s
checkoutservice-694758bddf-nxnt6 1/1 Running 0 3m18s
currencyservice-75d6599b9-6f94l 1/1 Running 0 3m18s
emailservice-b964694b9-92qgn 1/1 Running 0 3m18s
frontend-b4467f874-ctfsr 1/1 Running 0 3m17s
loadgenerator-5fcbdb5cb9-mmwnx 1/1 Running 0 3m18s
paymentservice-7d969fdc57-szhm9 1/1 Running 0 3m18s
productcatalogservice-54cf845bc5-8mggl 1/1 Running 0 3m18s
recommendationservice-75b8b64bdc-trsbg 1/1 Running 0 3m17s
redis-cart-7ff8f4d6ff-gskxn 1/1 Running 0 3m18s
shippingservice-85ddd6cdbc-rl4c9 1/1 Running 0 3m18s
We now have the Istio core (istiod) installed and the microservices running as Pods. Each microservice has a single container inside its Pod.
Configure automatic Envoy Proxy Injection
All we need to do is label a namespace with istio-injection=enabled. How do we label a namespace?
# kubectl get ns default --show-labels
NAME STATUS AGE LABELS
default Active 25m kubernetes.io/metadata.name=default
# kubectl label ns default istio-injection=enabled
namespace/default labeled
# kubectl get ns default --show-labels
NAME STATUS AGE LABELS
default Active 27m istio-injection=enabled,kubernetes.io/metadata.name=default
Delete the resources created from the manifest file
# kubectl delete -f kubernetes-manifests.yaml
deployment.apps "currencyservice" deleted
service "currencyservice" deleted
serviceaccount "currencyservice" deleted
deployment.apps "loadgenerator" deleted
serviceaccount "loadgenerator" deleted
deployment.apps "productcatalogservice" deleted
service "productcatalogservice" deleted
serviceaccount "productcatalogservice" deleted
deployment.apps "checkoutservice" deleted
service "checkoutservice" deleted
serviceaccount "checkoutservice" deleted
deployment.apps "shippingservice" deleted
service "shippingservice" deleted
serviceaccount "shippingservice" deleted
deployment.apps "cartservice" deleted
service "cartservice" deleted
serviceaccount "cartservice" deleted
deployment.apps "redis-cart" deleted
service "redis-cart" deleted
deployment.apps "emailservice" deleted
service "emailservice" deleted
serviceaccount "emailservice" deleted
deployment.apps "paymentservice" deleted
service "paymentservice" deleted
serviceaccount "paymentservice" deleted
deployment.apps "frontend" deleted
service "frontend" deleted
service "frontend-external" deleted
serviceaccount "frontend" deleted
deployment.apps "recommendationservice" deleted
service "recommendationservice" deleted
serviceaccount "recommendationservice" deleted
deployment.apps "adservice" deleted
service "adservice" deleted
serviceaccount "adservice" deleted
# kubectl get pod
No resources found in default namespace.
Re-apply the manifest. Each Pod now has two containers.
# kubectl apply -f kubernetes-manifests.yaml
deployment.apps/currencyservice created
service/currencyservice created
serviceaccount/currencyservice created
deployment.apps/loadgenerator created
serviceaccount/loadgenerator created
deployment.apps/productcatalogservice created
service/productcatalogservice created
serviceaccount/productcatalogservice created
deployment.apps/checkoutservice created
service/checkoutservice created
serviceaccount/checkoutservice created
deployment.apps/shippingservice created
service/shippingservice created
serviceaccount/shippingservice created
deployment.apps/cartservice created
service/cartservice created
serviceaccount/cartservice created
deployment.apps/redis-cart created
service/redis-cart created
deployment.apps/emailservice created
service/emailservice created
serviceaccount/emailservice created
deployment.apps/paymentservice created
service/paymentservice created
serviceaccount/paymentservice created
deployment.apps/frontend created
service/frontend created
service/frontend-external created
serviceaccount/frontend created
deployment.apps/recommendationservice created
service/recommendationservice created
serviceaccount/recommendationservice created
deployment.apps/adservice created
service/adservice created
serviceaccount/adservice created
# kubectl get pod
NAME READY STATUS RESTARTS AGE
adservice-7fd58465b7-5dd8k 1/2 Running 0 30s
cartservice-6f4fc7c4c4-zchb2 2/2 Running 0 31s
checkoutservice-694758bddf-jnr8q 2/2 Running 0 31s
currencyservice-75d6599b9-v77qr 2/2 Running 0 31s
emailservice-b964694b9-4k5ck 2/2 Running 0 31s
frontend-b4467f874-ptlwl 2/2 Running 0 31s
loadgenerator-5fcbdb5cb9-m6hzt 2/2 Running 0 31s
paymentservice-7d969fdc57-l6xk2 2/2 Running 0 31s
productcatalogservice-54cf845bc5-9f78z 2/2 Running 0 31s
recommendationservice-75b8b64bdc-j22bn 2/2 Running 0 30s
redis-cart-7ff8f4d6ff-dvv46 2/2 Running 0 31s
shippingservice-85ddd6cdbc-xj9lg 2/2 Running 0 31s
Now inspect one of the Pods for Istio-related information. Istio has automatically injected the istio-proxy container into it.
# kubectl describe pod adservice-7fd58465b7-5dd8k | grep istio
security.istio.io/tlsMode=istio
service.istio.io/canonical-name=adservice
service.istio.io/canonical-revision=latest
Annotations: istio.io/rev: default
sidecar.istio.io/status:
{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-env...
istio-init:
Image: docker.io/istio/proxyv2:1.22.0
Image ID: docker-pullable://istio/proxyv2@sha256:5b1a4b45e1e5589f00dde00b724c16511f192e0174f7c3827d3d79f68e33c34b
istio-iptables
istio-proxy:
Image: docker.io/istio/proxyv2:1.22.0
Image ID: docker-pullable://istio/proxyv2@sha256:5b1a4b45e1e5589f00dde00b724c16511f192e0174f7c3827d3d79f68e33c34b
PILOT_CERT_PROVIDER: istiod
CA_ADDR: istiod.istio-system.svc:15012
/etc/istio/pod from istio-podinfo (rw)
/etc/istio/proxy from istio-envoy (rw)
/var/lib/istio/data from istio-data (rw)
/var/run/secrets/istio from istiod-ca-cert (rw)
/var/run/secrets/tokens from istio-token (rw)
istio-envoy:
istio-data:
istio-podinfo:
istio-token:
istiod-ca-cert:
Name: istio-ca-root-cert
Normal Pulled 3m34s kubelet Container image "docker.io/istio/proxyv2:1.22.0" already present on machine
Normal Created 3m34s kubelet Created container istio-init
Normal Started 3m34s kubelet Started container istio-init
Normal Pulled 3m34s kubelet Container image "docker.io/istio/proxyv2:1.22.0" already present on machine
Normal Created 3m34s kubelet Created container istio-proxy
Normal Started 3m34s kubelet Started container istio-proxy
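The namespace label only affects Pods created after it is set, which is why the manifest was deleted and re-applied above; a Pod that was never recreated keeps running without istio-proxy. The script below is an added example, not part of the original walkthrough: it lists Pods that have no istio-proxy container. It assumes the sidecar runs as a regular container named istio-proxy, as in the describe output above, and the Pod names in the sample are constructed.

```shell
#!/bin/sh
# Added example: report Pods that lack the istio-proxy sidecar.
# Input: one line per Pod, "<pod-name><TAB><space-separated container names>".
# On a live cluster this input can be produced with:
#   kubectl get pods -n default -o \
#     jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'

pods_missing_sidecar() {
    # Print the name of every Pod whose container list has no exact
    # "istio-proxy" entry. Exact match avoids false negatives from
    # look-alike names such as "istio-proxy-debug".
    awk -F '\t' '
        NF < 2 { next }    # skip blank or malformed lines
        {
            n = split($2, names, " ")
            found = 0
            for (i = 1; i <= n; i++) if (names[i] == "istio-proxy") found = 1
            if (!found) print $1
        }'
}

# Constructed sample (not captured from a cluster): two injected Pods,
# one Pod created before the label was applied, and one Pod whose
# container name merely resembles the sidecar name.
SAMPLE_PODS="$(printf '%s\t%s\n' \
    'frontend-aaaa' 'server istio-proxy' \
    'cartservice-bbbb' 'server' \
    'redis-cart-cccc' 'redis istio-proxy' \
    'legacy-job-dddd' 'istio-proxy-debug worker')"

missing="$(printf '%s\n' "$SAMPLE_PODS" | pods_missing_sidecar)"
if [ -n "$missing" ]; then
    echo "Pods outside the mesh (no istio-proxy container):"
    echo "$missing"
fi
```

Pipe the kubectl command from the header comment into pods_missing_sidecar to run the same check against the default namespace.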
Install Istio Addons for monitoring & data visualization
Reference
https://istio.io/latest/docs/ops/integrations/
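Istio proxy injection is now complete, but we cannot yet visualize what is happening in the microservices.
Istio collects metrics from the proxy containers, so you can obtain data about how the microservices are running (requests, metrics, and so on).
We will install some of these monitoring components into our cluster.
The installation directory istio-1.22.0/samples/addons contains several add-on component .yaml files that we can apply to visualize the microservices.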
# ls
extras jaeger.yaml loki.yaml README.md
grafana.yaml kiali.yaml prometheus.yaml
# pwd
istio-installation/istio-1.22.0/samples/addons
# kubectl apply -f ./
serviceaccount/grafana created
configmap/grafana created
service/grafana created
deployment.apps/grafana created
configmap/istio-grafana-dashboards created
configmap/istio-services-grafana-dashboards created
deployment.apps/jaeger created
service/tracing created
service/zipkin created
service/jaeger-collector created
serviceaccount/kiali created
configmap/kiali created
clusterrole.rbac.authorization.k8s.io/kiali-viewer created
clusterrole.rbac.authorization.k8s.io/kiali created
clusterrolebinding.rbac.authorization.k8s.io/kiali created
role.rbac.authorization.k8s.io/kiali-controlplane created
rolebinding.rbac.authorization.k8s.io/kiali-controlplane created
service/kiali created
deployment.apps/kiali created
serviceaccount/loki created
configmap/loki created
configmap/loki-runtime created
service/loki-memberlist created
service/loki-headless created
service/loki created
statefulset.apps/loki created
serviceaccount/prometheus created
configmap/prometheus created
clusterrole.rbac.authorization.k8s.io/prometheus created
clusterrolebinding.rbac.authorization.k8s.io/prometheus created
service/prometheus created
deployment.apps/prometheus created
View these Pods in the istio-system namespace
# kubectl get pod -n istio-system
NAME READY STATUS RESTARTS AGE
grafana-657df88ffd-l7fz9 1/1 Running 0 102s
istio-ingressgateway-5f4d4f89d6-8xxmq 1/1 Running 0 54m
istiod-56855645c8-2qmpx 1/1 Running 0 54m
jaeger-697d898d6-xlzlv 1/1 Running 0 102s
kiali-5899548ff7-4lnlq 1/1 Running 0 101s
loki-0 1/1 Running 0 101s
prometheus-777db476b6-kd6qw 2/2 Running 0 101s
View the related Services
# kubectl get svc -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
grafana ClusterIP 10.111.21.67 <none> 3000/TCP 5m53s
istio-ingressgateway LoadBalancer 10.111.143.91 <pending> 15021:30282/TCP,80:31916/TCP,443:31511/TCP 58m
istiod ClusterIP 10.107.220.208 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 58m
jaeger-collector ClusterIP 10.109.92.229 <none> 14268/TCP,14250/TCP,9411/TCP,4317/TCP,4318/TCP 5m53s
kiali ClusterIP 10.108.32.254 <none> 20001/TCP,9090/TCP 5m53s
loki ClusterIP 10.105.54.198 <none> 3100/TCP,9095/TCP 5m52s
loki-headless ClusterIP None <none> 3100/TCP 5m52s
loki-memberlist ClusterIP None <none> 7946/TCP 5m52s
prometheus ClusterIP 10.111.176.78 <none> 9090/TCP 5m52s
tracing ClusterIP 10.105.189.178 <none> 80/TCP,16685/TCP 5m53s
zipkin ClusterIP 10.109.79.221 <none> 9411/TCP 5m53s
Kiali provides data visualization and lets you configure service settings and communication. Use port forwarding to access the service.
# kubectl port-forward svc/kiali -n istio-system 20001
The Deployments and Services in your manifest file must carry the app label so that Istio can visualize them.