03istio在k8s中部署与移除

1. Istio下载

官网https://istio.io/

https://github.com/istio/istio/releases/

~]# curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.6.0 sh -   
//国内网用GitHub下，下载指定的版本1.6.0
Downloading istio-1.6.0 from 
Istio has been successfully downloaded into the istio-1.6.0 folder on your system.

Next Steps:
See https://istio.io/docs/setup/kubernetes/install/ to add Istio to your Kubernetes cluster.

To configure the istioctl client tool for your workstation,
add the /root/istio-1.6.0/bin directory to your environment path variable with:
	 export PATH="$PATH:/root/istio-1.6.0/bin"

Begin the Istio pre-installation verification check by running:
	 istioctl verify-install

Need more information? Visit https://istio.io/docs/setup/kubernetes/install/

2. 进入到下载的istio目录

[root@master ~]# tar xf istio-1.6.2.tar
[root@master ~]# ls istio-1.6.2
bin              httpbin-proxy-cert.txt  manifest.yaml          nginx.example.com.key  README.md
certs.pem        istio.yaml              nginx.conf             proxy-cert-1.pem       samples
example.com.crt  LICENSE                 nginx.example.com.crt  proxy-cert-2.pem       td-installation.yaml
example.com.key  manifests               nginx.example.com.csr  proxy-cert-3.pem       tools

[root@master ~]# export PATH=$PATH:/root/istio-1.6.2/bin
[root@master ~]# istioctl version
no running Istio pods in "istio-system"
1.6.2

[root@master ~]# istioctl --help
Istio configuration command line utility for service operators to
debug and diagnose their Istio mesh.

Usage:
  istioctl [command]

Available Commands:
  analyze         Analyze Istio configuration and print validation messages
  authz           (authz is experimental. Use `istioctl experimental authz`)
  convert-ingress Convert Ingress configuration into Istio VirtualService configuration
  dashboard       Access to Istio web UIs
  deregister      De-registers a service instance
  experimental    Experimental commands that may be modified or deprecated
  help            Help about any command
  install         Applies an Istio manifest, installing or reconfiguring Istio on a cluster.
  kube-inject     Inject Envoy sidecar into Kubernetes pod resources
  manifest        Commands related to Istio manifests
  operator        Commands related to Istio operator controller.
  profile         Commands related to Istio configuration profiles
  proxy-config    Retrieve information about proxy configuration from Envoy [kube only]
  proxy-status    Retrieves the synchronization status of each Envoy in the mesh [kube only]
  register        Registers a service instance (e.g. VM) joining the mesh
  upgrade         Upgrade Istio control plane in-place
  validate        Validate Istio policy and rules (NOTE: validate is deprecated and will be removed in 1.6. Use 'istioctl analyze' to validate configuration.)
  verify-install  Verifies Istio Installation Status or performs pre-check for the cluster before Istio installation
  version         Prints out build version information

Flags:
      --context string          The name of the kubeconfig context to use
  -h, --help                    help for istioctl
  -i, --istioNamespace string   Istio system namespace (default "istio-system")
  -c, --kubeconfig string       Kubernetes configuration file
  -n, --namespace string        Config namespace

Additional help topics:
  istioctl options         Displays istioctl global options

Use "istioctl [command] --help" for more information about a command.

[root@master ~]# istioctl manifest   --help
The manifest subcommand generates, applies, diffs or migrates Istio manifests.
Usage:
  istioctl manifest [command]

Available Commands:
  apply       Applies an Istio manifest, installing or reconfiguring Istio on a cluster.
  diff        Compare manifests and generate diff
  generate    Generates an Istio install manifest
  migrate     Migrates a file containing Helm values or IstioControlPlane to IstioOperator format
  versions    List the versions of Istio recommended for use or supported for upgrade by this version of istioctl

Flags:
      --dry-run   Console/log output only, make no changes.
  -h, --help      help for manifest

Global Flags:
      --context string      The name of the kubeconfig context to use
  -c, --kubeconfig string   Kubernetes configuration file

Use "istioctl manifest [command] --help" for more information about a command.

2. Istio的部署

针对安装，在这里使用demo的配置文件。它被选择为具有一组用于测试的良好默认设置，但是还有用于生产或性能测试的其他配置文件。

[root@master ~]# istioctl profile list
Istio configuration profiles:
    minimal
    preview
    remote
    default
    demo      //学习时常用
    empty

[root@node1 ~]# cat /etc/docker/daemon.json 
{
  "registry-mirrors": ["https://n0dwemtq.mirror.aliyuncs.com"]
}
[root@node1 ~]# systemctl daemon-reload
[root@node1 ~]# systemctl restart docker
[root@node1 ~]# ls
grafana.tar  istio-1.6.2.tar  kiali.tar  pilot.1.62.tar  prometheus.tar  proxyv2.tar  tracing.tar
[root@node1 ~]# for i in `ls ` ;do docker load -i $i;done
//因为是单节点部署，我们先把需要的包上传一下（国内网不能直接拉取），再启动下面的命令

[root@master ~]# istioctl manifest apply --set profile=demo
Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.ps/best-practices/security/#configure-third-party-service-account-tokens for details.
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Addons installed
✔ Installation complete                 

成功安装后，Istio所有的组件将会被部署在 istio-system命名空间下

[root@master ~]# kubectl edit deployment prometheus -nistio-system
deployment.apps/prometheus edited
        image: docker.io/istio/proxyv2:1.6.2
        imagePullPolicy: IfNotPresent  //如果无法联网，及时修改这里的拉取策略。暂时未找到根源上的修改


[root@master ~]# kubectl edit svc istio-ingressgateway  -nistio-system
  type: NodePort

 //这里默认的的service.spec.type字段值为LoadBalancer，需改为NodePort才能正常分配IP

[root@master ~]# kubectl get all -n istio-system
NAME                                        READY   STATUS    RESTARTS   AGE
pod/grafana-54b54568fc-zjkbp                1/1     Running   0          3m53s
pod/istio-egressgateway-765f77ff94-szr6d    1/1     Running   0          3m54s
pod/istio-ingressgateway-85bcfb5c74-8jqjl   1/1     Running   0          3m54s
pod/istio-tracing-9dd6c4f7c-nwvvj           1/1     Running   0          3m53s
pod/istiod-d754b48bd-mcj69                  1/1     Running   0          3m58s
pod/kiali-d45468dc4-mgdq5                   1/1     Running   0          3m53s
pod/prometheus-756f8c9898-6sbd7             2/2     Running   0          3m53s

NAME                                TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                                                                      AGE
service/grafana                     ClusterIP      10.111.61.100    <none>        3000/TCP                                                                     3m53s
service/istio-egressgateway         ClusterIP      10.97.97.164     <none>        80/TCP,443/TCP,15443/TCP                                                     3m53s
service/istio-ingressgateway        ClusterIP      10.99.5.194      <none>     15020:31209/TCP,80:30256/TCP,443:30517/TCP,31400:30424/TCP,15443:32409/TCP   3m53s
service/istiod                      ClusterIP      10.99.5.194      <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP,53/UDP,853/TCP                         3m58s
service/jaeger-agent                ClusterIP      None             <none>        5775/UDP,6831/UDP,6832/UDP                                                   3m52s
service/jaeger-collector            ClusterIP      10.107.114.19    <none>        14267/TCP,14268/TCP,14250/TCP                                                3m52s
service/jaeger-collector-headless   ClusterIP      None             <none>        14250/TCP                                                                    3m52s
service/jaeger-query                ClusterIP      10.97.217.202    <none>        16686/TCP                                                                    3m52s
service/kiali                       ClusterIP      10.97.205.237    <none>        20001/TCP                                                                    3m52s
service/prometheus                  ClusterIP      10.96.167.68     <none>        9090/TCP                                                                     3m52s
service/tracing                     ClusterIP      10.100.204.35    <none>        80/TCP                                                                       3m52s
service/zipkin                      ClusterIP      10.111.217.190   <none>        9411/TCP                                                                     3m52s

NAME                                   READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/grafana                1/1     1            1           3m53s
deployment.apps/istio-egressgateway    1/1     1            1           3m54s
deployment.apps/istio-ingressgateway   1/1     1            1           3m54s
deployment.apps/istio-tracing          1/1     1            1           3m53s
deployment.apps/istiod                 1/1     1            1           3m58s
deployment.apps/kiali                  1/1     1            1           3m53s
deployment.apps/prometheus             1/1     1            1           3m53s

NAME                                              DESIRED   CURRENT   READY   AGE
replicaset.apps/grafana-54b54568fc                1         1         1       3m53s
replicaset.apps/istio-egressgateway-765f77ff94    1         1         1       3m54s
replicaset.apps/istio-ingressgateway-85bcfb5c74   1         1         1       3m54s
replicaset.apps/istio-tracing-9dd6c4f7c           1         1         1       3m53s
replicaset.apps/istiod-d754b48bd                  1         1         1       3m58s
replicaset.apps/kiali-d45468dc4                   1         1         1       3m53s
replicaset.apps/prometheus-756f8c9898             1         1         1       3m53s

添加名称空间的标签，当部署应用后，告诉istio去自动的注入Envoy sidecar代理。

[root@master ~]# kubectl label namespace default istio-injection=enabled
namespace/default labeled     //default命名空间将注入istio

[root@master ~]# kubectl describe namespace default
Name:         default
Labels:       istio-injection=enabled           //istio标签
Annotations:  <none>
Status:       Active

[root@node1 ~]# docker load -i nginx.tar.gz

[root@master ~]# cat pod-example.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-example
  labels:
    app: myapp
spec:
  containers:
  - name: myos
    image: nginx:latest
    imagePullPolicy: IfNotPresent
    stdin: true
    tty: true
  restartPolicy: Always

[root@master ~]# kubectl apply -f pod-example.yaml
pod/pod-example created
[root@master ~]# kubectl get pod
NAME          READY   STATUS    RESTARTS   AGE
pod-example   2/2     Running   2          11m

[root@master ~]# kubectl edit  pod pod-example
    image: docker.io/istio/proxyv2:1.6.2
    imagePullPolicy: IfNotPresent       

//因为istio-proxy的拉取策略是always，网络问题需要等很久，这里可以先修改configmap一下，完成部署
[root@master ~]# kubectl edit cm  istio-sidecar-injector -nistio-system
configmap/istio-sidecar-injector edited
...
  values: |-
        "hub": "docker.io/istio",
        "imagePullPolicy": "IfNotPresent",
  ...

移除

Istio uninstall将分层次删除在Istio -system名称空间下的RBAC权限和所有资源。忽略不存在的资源的错误是安全的，因为它们可能是分层删除的。

istioctl manifest generate --set profile=demo | kubectl delete -f -

istio-system的名称空间默认不会删除的，假如不再需要的话，执行如下命令进行删 除。

kubectl delete namespace istio-system