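Part 4: Deploying Istio on Kubernetes
Overview: the overall goal is to deploy GitLab and Jenkins on a k8s cluster so that, after code is committed locally to GitLab, a Jenkins pipeline automatically compiles and packages it into a Docker image, deploys it to k8s, and makes it reachable by clients through an external domain name. The documentation is split into several parts; the technologies involved include Docker installation, building the k8s cluster, deploying GitLab, deploying Jenkins, deploying SonarQube, GitLab and Jenkins integration, Jenkins and SonarQube integration, writing pipeline scripts, deploying Istio, the Istio service gateway, and so on…
This document follows Part 3: Deploying metric on Kubernetes
This document covers deploying Istio on Kubernetes. Istio is open-source software that combines a gateway, traffic control, security and observability. The principles behind Istio are not explained in depth here; interested readers can consult the official documentation: /
There are many ways to install Istio; here we use one that gives more control over the result.
Contents
- 1. Download and extract the Istio package
- 2. Generate the Istio installation file
- 3. Change the default Kubernetes nodePort range
- 4. Change the istio-ingressgateway Service
- 5. Install Istio
- 6. Verify the Istio installation
1. Download and extract the Istio package
# Log in to the master node k8s-master and download the archive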
wget .15.3/istio-1.15.3-linux-amd64.tar.gz
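Note: the download address for all versions on the official site is: , and the archive can also be downloaded in a browser.
If the external network is unreachable, you can download it here:
# Extract the Istio archive
Extraction command: tar -zxvf istio-1.15.3-linux-amd64.tar.gz
2. Generate the Istio installation file
# Enter the istio-1.15.3/bin directory and run: ./istioctl manifest generate > generated.yaml
Note: when the command finishes, a generated.yaml file is created in this directory. This file is the configuration file used to install Istio (the command generates the manifest for the default profile).
// Run on the master node k8s-master; this creates the generated.yaml file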
root@k8s-master:/opt/k8s/istio-1.15.3/bin# ./istioctl manifest generate > generated.yaml
root@k8s-master:/opt/k8s/istio-1.15.3/bin# ll
total 87720
drwxr-x--- 2 root root 4096 Jan 11 18:45 ./
drwxr-x--- 6 root root 4096 Oct 19 13:36 ../
-rw-r--r-- 1 root root 404913 Jan 11 18:45 generated.yaml
-rwxr-xr-x 1 root root 89411584 Oct 19 13:36 istioctl*
root@k8s-master:/opt/k8s/istio-1.15.3/bin#
3. Change the default Kubernetes nodePort range
Note: by default the Kubernetes nodePort range is 30000-32767. When a Service uses nodePort, or when we use the Istio gateway, and we want a mapping such as 80:80, we have to change the default nodePort range. The steps are as follows:
Edit the kube-apiserver.yaml file
# On the master node k8s-master, open the kube-apiserver.yaml file
vim /etc/kubernetes/manifests/kube-apiserver.yaml
# Add the line: - --service-node-port-range=80-32767
The allowed range is 1-65535; I mainly need port 80 here, so I chose 80-32767
After the change, the file looks like this:
    - --service-account-issuer=
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --service-node-port-range=80-32767
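Note:
- I am using Kubernetes version 1.22.12-00 here. After you edit kube-apiserver.yaml as above and save and exit, the kube-apiserver pod is updated automatically. kube-apiserver is unavailable during the update, so make this change with caution in a production environment
- If you do not change the default Kubernetes nodePort range, changing the Istio port mapping to 80 and 443 below will fail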
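The range 80-32767 chosen above also covers ports that node components listen on, which the default 30000-32767 range stays clear of. The following check is an added example, not part of the original article: `ports_in_range` is a hypothetical helper name and the `ss` output is a constructed sample of a kubeadm control-plane node.

```shell
# Added example: list listening TCP ports that fall inside a nodePort range.

# Read `ss -ltnH`-style lines on stdin, print the local ports inside RANGE ("lo-hi").
ports_in_range() {
    lo=${1%-*}; hi=${1#*-}
    awk -v lo="$lo" -v hi="$hi" '
        {
            addr = $4                  # "Local Address:Port" column
            sub(/.*:/, "", addr)       # keep what follows the last ":" (handles [::]:6443)
            if (addr ~ /^[0-9]+$/ && addr + 0 >= lo + 0 && addr + 0 <= hi + 0)
                seen[addr + 0] = 1
        }
        END { for (p in seen) print p }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample of `ss -ltnH` output (addresses and ports are illustrative).
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:2379 0.0.0.0:*
LISTEN 0 4096 192.168.1.10:2380 0.0.0.0:*
LISTEN 0 4096 *:6443 *:*
LISTEN 0 4096 *:10250 *:*
LISTEN 0 4096 127.0.0.1:10257 0.0.0.0:*
LISTEN 0 4096 [::]:10256 [::]:*
EOF
}

echo "default range 30000-32767: $(sample_listeners | ports_in_range 30000-32767)"
echo "widened range 80-32767:    $(sample_listeners | ports_in_range 80-32767)"
```

On a real node, pipe live data into the same function: `ss -ltnH | ports_in_range 80-32767`.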
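4. Change the istio-ingressgateway Service
# Open the generated.yaml file produced in the previous step
# Find the Service configuration section for istio-ingressgateway (in my generated.yaml it is at lines 9696-9729) and add the two lines "nodePort: 80" and "nodePort: 443". The ports mapped on the host are then no longer random but the ports 80 and 443 that we define.
The modified section of the file is as follows: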
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
    release: istio
    istio.io/rev: default
    install.operator.istio.io/owning-resource: unknown
    operator.istio.io/component: "IngressGateways"
spec:
  type: LoadBalancer
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  ports:
    - name: status-port
      port: 15021
      protocol: TCP
      targetPort: 15021
    - name: http2
      port: 80
      protocol: TCP
      targetPort: 8080
      nodePort: 80 # newly added
    - name: https
      port: 443
      protocol: TCP
      targetPort: 8443
      nodePort: 443 # newly added
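Because the pinned nodePorts only work once the API server range from step 3 is in place, a pre-flight check can compare the two before applying. This is an added example, not code from the original article; the function names are hypothetical and the inputs are constructed fragments of kube-apiserver.yaml and of the Service above.

```shell
# Added example: check that the nodePorts pinned in a manifest fit the
# API server's --service-node-port-range (constructed input, hypothetical names).

# Read kube-apiserver manifest text on stdin, print "lo-hi" (default if the flag is absent).
node_port_range() {
    r=$(sed -n 's/.*--service-node-port-range=\([0-9][0-9]*-[0-9][0-9]*\).*/\1/p' | head -n 1)
    echo "${r:-30000-32767}"
}

# Read a manifest on stdin, print the nodePort values that lie outside RANGE ("lo-hi").
out_of_range_nodeports() {
    lo=${1%-*}; hi=${1#*-}
    awk -v lo="$lo" -v hi="$hi" '
        /^[ \t]*(-[ \t]+)?nodePort:[ \t]*[0-9]+/ {
            n = $0; sub(/.*nodePort:[ \t]*/, "", n); n += 0
            if (n < lo + 0 || n > hi + 0) print n
        }' | tr '\n' ' ' | sed 's/ $//'
}

# Constructed fragment of the edited istio-ingressgateway Service.
sample_service() {
    cat <<'EOF'
  ports:
    - name: status-port
      port: 15021
      targetPort: 15021
    - name: http2
      port: 80
      targetPort: 8080
      nodePort: 80
    - name: https
      port: 443
      targetPort: 8443
      nodePort: 443
EOF
}

# Constructed kube-apiserver flag lines: without and with the range flag.
before=$(printf '    - --service-cluster-ip-range=10.96.0.0/12\n' | node_port_range)
after=$(printf '    - --service-node-port-range=80-32767\n' | node_port_range)
echo "range $before rejects: $(sample_service | out_of_range_nodeports "$before")"
echo "range $after rejects: $(sample_service | out_of_range_nodeports "$after")"
```

Against the real files, feed `/etc/kubernetes/manifests/kube-apiserver.yaml` to `node_port_range` and `generated.yaml` to `out_of_range_nodeports`.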
5. Install Istio
# Run kubectl apply -f generated.yaml to start the installation
// Run on the master node k8s-master
root@k8s-master:/opt/k8s/istio-1.15.3/bin# kubectl apply -f generated.yaml
customresourcedefinition.apiextensions.k8s.io/authorizationpolicies.security.istio.io created
customresourcedefinition.apiextensions.k8s.io/destinationrules.networking.istio.io created
customresourcedefinition.apiextensions.k8s.io/envoyfilters.networking.istio.io created
customresourcedefinition.apiextensions.k8s.io/gateways.networking.istio.io created
customresourcedefinition.apiextensions.k8s.io/istiooperators.install.istio.io created
customresourcedefinition.apiextensions.k8s.io/peerauthentications.security.istio.io created
customresourcedefinition.apiextensions.k8s.io/proxyconfigs.networking.istio.io created
customresourcedefinition.apiextensions.k8s.io/requestauthentications.security.istio.io created
customresourcedefinition.apiextensions.k8s.io/serviceentries.networking.istio.io created
customresourcedefinition.apiextensions.k8s.io/sidecars.networking.istio.io created
customresourcedefinition.apiextensions.k8s.io/telemetries.telemetry.istio.io created
customresourcedefinition.apiextensions.k8s.io/virtualservices.networking.istio.io created
customresourcedefinition.apiextensions.k8s.io/wasmplugins.extensions.istio.io created
customresourcedefinition.apiextensions.k8s.io/workloadentries.networking.istio.io created
customresourcedefinition.apiextensions.k8s.io/workloadgroups.networking.istio.io created
serviceaccount/istio-ingressgateway-service-account created
serviceaccount/istio-reader-service-account created
serviceaccount/istiod created
serviceaccount/istiod-service-account created
clusterrole.rbac.authorization.k8s.io/istio-reader-clusterrole-istio-system created
clusterrole.rbac.authorization.k8s.io/istio-reader-istio-system created
clusterrole.rbac.authorization.k8s.io/istiod-clusterrole-istio-system created
clusterrole.rbac.authorization.k8s.io/istiod-gateway-controller-istio-system created
clusterrole.rbac.authorization.k8s.io/istiod-istio-system created
clusterrolebinding.rbac.authorization.k8s.io/istio-reader-clusterrole-istio-system created
clusterrolebinding.rbac.authorization.k8s.io/istio-reader-istio-system created
clusterrolebinding.rbac.authorization.k8s.io/istiod-clusterrole-istio-system created
clusterrolebinding.rbac.authorization.k8s.io/istiod-gateway-controller-istio-system created
clusterrolebinding.rbac.authorization.k8s.io/istiod-istio-system created
validatingwebhookconfiguration.admissionregistration.k8s.io/istio-validator-istio-system created
configmap/istio created
configmap/istio-sidecar-injector created
mutatingwebhookconfiguration.admissionregistration.k8s.io/istio-sidecar-injector created
deployment.apps/istio-ingressgateway created
deployment.apps/istiod created
Warning: policy/v1beta1 PodDisruptionBudget is deprecated in v1.21+, unavailable in v1.25+; use policy/v1 PodDisruptionBudget
poddisruptionbudget.policy/istio-ingressgateway created
poddisruptionbudget.policy/istiod created
role.rbac.authorization.k8s.io/istio-ingressgateway-sds created
role.rbac.authorization.k8s.io/istiod created
role.rbac.authorization.k8s.io/istiod-istio-system created
rolebinding.rbac.authorization.k8s.io/istio-ingressgateway-sds created
rolebinding.rbac.authorization.k8s.io/istiod created
rolebinding.rbac.authorization.k8s.io/istiod-istio-system created
horizontalpodautoscaler.autoscaling/istio-ingressgateway created
horizontalpodautoscaler.autoscaling/istiod created
service/istio-ingressgateway created
service/istiod created
unable to recognize "generated.yaml": no matches for kind "EnvoyFilter" in version "networking.istio.io/v1alpha3"
unable to recognize "generated.yaml": no matches for kind "EnvoyFilter" in version "networking.istio.io/v1alpha3"
unable to recognize "generated.yaml": no matches for kind "EnvoyFilter" in version "networking.istio.io/v1alpha3"
unable to recognize "generated.yaml": no matches for kind "EnvoyFilter" in version "networking.istio.io/v1alpha3"
unable to recognize "generated.yaml": no matches for kind "EnvoyFilter" in version "networking.istio.io/v1alpha3"
unable to recognize "generated.yaml": no matches for kind "EnvoyFilter" in version "networking.istio.io/v1alpha3"
root@k8s-master:/opt/k8s/istio-1.15.3/bin#
Note: the last few lines above all contain the text 'unable to recognize "generated.yaml"'. Simply run kubectl apply -f generated.yaml once more; the cause is not yet clear
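One way to avoid the second run, as an added example that is not part of the original article: it assumes the errors arise because the EnvoyFilter CRD created by the same manifest is not yet served when the EnvoyFilter objects are submitted, so it applies the CRDs first and waits for them. The function and file names are hypothetical and the manifest is a constructed three-document sample.

```shell
# Added example (not the article's code): apply the CRDs first, wait until they
# are Established, then apply the rest. Helper and file names are hypothetical.

# Split a multi-document YAML stream on stdin into CRD documents and the rest.
split_crds() {   # usage: split_crds CRD_OUT REST_OUT < generated.yaml
    : > "$1"; : > "$2"
    awk -v crd="$1" -v rest="$2" '
        function emit_doc() {
            if (doc != "") printf "---\n%s", doc > (is_crd ? crd : rest)
            doc = ""; is_crd = 0
        }
        /^---[ \t]*$/ { emit_doc(); next }
        /^kind:[ \t]*CustomResourceDefinition[ \t]*$/ { is_crd = 1 }
        { doc = doc $0 "\n" }
        END { emit_doc() }'
}

# Top-level kinds in a file, space separated, in document order.
kinds_in() { sed -n 's/^kind: *//p' "$1" | tr '\n' ' ' | sed 's/ $//'; }

# Needs kubectl and a reachable cluster; the demo below does not call it.
install_two_phase() {   # usage: install_two_phase generated.yaml
    split_crds crds.yaml rest.yaml < "$1"
    kubectl apply -f crds.yaml
    kubectl wait --for condition=established --timeout=60s -f crds.yaml
    kubectl apply -f rest.yaml
}

# Constructed three-document sample standing in for generated.yaml.
sample_manifest() {
    cat <<'EOF'
kind: CustomResourceDefinition
metadata:
  name: envoyfilters.networking.istio.io
---
kind: Service
metadata:
  name: istiod
---
kind: EnvoyFilter
metadata:
  name: sample-filter
EOF
}

tmp=$(mktemp -d)
sample_manifest | split_crds "$tmp/crds.yaml" "$tmp/rest.yaml"
echo "phase 1: $(kinds_in "$tmp/crds.yaml") | phase 2: $(kinds_in "$tmp/rest.yaml")"
```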
6. Verify the Istio installation
// Run on the master node k8s-master
root@k8s-master:/opt/k8s# kubectl get pod -n istio-system
NAMESPACE NAME READY STATUS RESTARTS AGE
istio-system istio-ingressgateway-5c8bc9685-qln22 1/1 Running 0 53m
istio-system istiod-5dcbbcf9b4-dqtnb 1/1 Running 0 53m
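Here you can see that two pods were deployed: istiod (Istio's management pod) and istio-ingressgateway (the ingress gateway pod)
That is all for the installation for now. Later we will use the Istio gateway to configure access to different services; in the next part, when we install the dashboard (graphical interface), we will use Istio to proxy access to the dashboard
The next chapter covers deploying the dashboard: Part 5: Deploying the dashboard (graphical interface) on Kubernetes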