2020.04.24
1. Overview
- Environments: Google Compute Engine, CentOS 7.7, Kubernetes 1.15
- Istio 1.5 has been tested with these Kubernetes releases: 1.14, 1.15, 1.16.
- The Helm installation approach will be deprecated in the future.
- Reference sites
https://istio.io/docs/setup/getting-started/
https://istio.io/docs/setup/install/istioctl/
#1 - Microservices and service mesh (https://bcho.tistory.com/1293?category=731548)
#2 - Envoy proxy (https://bcho.tistory.com/1295?category=731548)
#3 - Introduction to Istio (https://bcho.tistory.com/1296?category=731548)
#4 - Istio installation and the BookInfo example (https://bcho.tistory.com/1297?category=731548)
#5 - Istio Traffic management (https://bcho.tistory.com/1367)
Istio Traffic management https://istio.io/docs/ops/best-practices/traffic-management/#split-virtual-services
2. Istio setup
- Install
$ curl -L https://istio.io/downloadIstio | sh -
…
Istio has been successfully downloaded into the istio-1.5.1 folder on your system.
$ echo "export PATH=\$PATH:/home/ysjeon71_kubeflow3/istio-1.5.1/bin" >> ~/.bash_profile
$ istioctl verify-install
…
Install Pre-Check passed! The cluster is ready for Istio installation.
$
$ istioctl manifest apply --set profile=demo
Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT.
See https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
✔ Finished applying manifest for component Base.
✔ Finished applying manifest for component Pilot.
✔ Finished applying manifest for component EgressGateways.
✔ Finished applying manifest for component IngressGateways.
✔ Finished applying manifest for component AddonComponents.
✔ Installation complete
$
- Inject Envoy Sidecar proxies
Add a namespace label to instruct Istio to automatically inject Envoy sidecar proxies when you deploy your application later:
$ kubectl label namespace default istio-injection=enabled
namespace/default labeled
$ kubectl label namespace default istio-injection=disabled --overwrite
$
- Uninstall
$ istioctl manifest generate --set profile=demo | kubectl delete -f -
3. Test
- Deploy the sample application
$ k apply -f istio-1.5.1/samples/bookinfo/platform/kube/bookinfo.yaml
…
$ k get svc | egrep -v "^kubernetes"
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
details ClusterIP 10.103.90.234 <none> 9080/TCP 2m31s
productpage ClusterIP 10.96.4.46 <none> 9080/TCP 2m30s
ratings ClusterIP 10.100.230.0 <none> 9080/TCP 2m30s
reviews ClusterIP 10.99.40.14 <none> 9080/TCP 2m30s
$ k get pod
NAME READY STATUS RESTARTS AGE
details-v1-74f858558f-dlgdf 2/2 Running 0 2m3s
productpage-v1-76589d9fdc-rcwl9 2/2 Running 0 2m3s
ratings-v1-7855f5bcb9-bqbv2 2/2 Running 0 2m2s
reviews-v1-64bc5454b9-kpblv 2/2 Running 0 2m3s
reviews-v2-76c64d4bdf-dqt2v 2/2 Running 0 2m3s
reviews-v3-5545c7c78f-79dm5 2/2 Running 0 2m3s
$ kubectl exec -it $(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}') -c ratings -- curl productpage:9080/productpage | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
$
- Open the application to outside traffic
$ cat istio-1.5.1/samples/bookinfo/networking/bookinfo-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    …
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080
$ k apply -f istio-1.5.1/samples/bookinfo/networking/bookinfo-gateway.yaml
- Determining the ingress IP and ports
If the EXTERNAL-IP value is set, your environment has an external load balancer that you can use for the ingress gateway.
If the EXTERNAL-IP value is <none> (or perpetually <pending>), your environment does not provide an external load balancer for the ingress gateway.
$ kubectl edit svc istio-ingressgateway -n istio-system
:%s/type: LoadBalancer/type: NodePort/
$ kubectl get svc istio-ingressgateway -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway NodePort 10.106.99.75 <none> 15020:30546/TCP,80:32549/TCP,443:30773/TCP,... 107m
$
- When the service type is NodePort
$ export INGRESS_HOST=<workerNodeAddress>
$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
$ echo INGRESS_PORT=$INGRESS_PORT, SECURE_INGRESS_PORT=$SECURE_INGRESS_PORT
INGRESS_PORT=32549, SECURE_INGRESS_PORT=30773
$
- When the service type is LoadBalancer
$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
$ gcloud compute firewall-rules create allow-gateway-http --allow tcp:$INGRESS_PORT
$ gcloud compute firewall-rules create allow-gateway-https --allow tcp:$SECURE_INGRESS_PORT
$ curl http://35.231.144.242:32549/productpage
…
$
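The two cases above (NodePort vs. LoadBalancer) as one function, added here as an example that is not part of the original post. It parses a constructed Service object shaped like `kubectl get svc istio-ingressgateway -n istio-system -o json` (values copied from the output above), mirrors the page's jsonpath selections, returns no host while the load balancer is still <pending>, and emits the gcloud firewall commands with --source-ranges and an assumed --target-tags value, because gcloud defaults --source-ranges to 0.0.0.0/0 when it is omitted as in the commands above. Handling a hostname instead of an ip in the load balancer status goes beyond what the page shows.

```python
import json

# Constructed sample: the istio-ingressgateway Service after it was edited to NodePort,
# with the port numbers shown in the page's `kubectl get svc` output.
NODEPORT_SVC = json.loads("""
{"spec": {"type": "NodePort",
          "ports": [{"name": "status-port", "port": 15020, "nodePort": 30546},
                    {"name": "http2", "port": 80, "nodePort": 32549},
                    {"name": "https", "port": 443, "nodePort": 30773}]},
 "status": {"loadBalancer": {}}}
""")

def _port(svc, name):
    """Same selection as the page's jsonpath `.spec.ports[?(@.name=="<name>")]`."""
    for p in svc["spec"]["ports"]:
        if p["name"] == name:
            return p
    raise KeyError(f"no port named {name!r} on istio-ingressgateway")

def ingress_endpoint(svc, worker_node_address=None):
    """Return (INGRESS_HOST, INGRESS_PORT, SECURE_INGRESS_PORT).
    NodePort: host is the worker node address the operator supplies, ports are nodePorts.
    LoadBalancer: host is .status.loadBalancer.ingress[0], ports are the service ports;
    host is None while the load balancer is still <pending> (no ingress entry yet)."""
    kind = svc["spec"]["type"]
    http, https = _port(svc, "http2"), _port(svc, "https")
    if kind == "NodePort":
        if not worker_node_address:
            raise ValueError("NodePort service needs <workerNodeAddress> for INGRESS_HOST")
        return worker_node_address, http["nodePort"], https["nodePort"]
    if kind == "LoadBalancer":
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        # Beyond the page: some clouds publish a hostname instead of an ip.
        host = (ingress[0].get("ip") or ingress[0].get("hostname")) if ingress else None
        return host, http["port"], https["port"]
    raise ValueError(f"unsupported service type {kind}")

def firewall_rule_cmds(http_port, https_port, source_ranges, target_tag="istio-node"):
    """The page's two gcloud commands, restricted to the given source CIDRs and to
    instances carrying target_tag (an assumed tag name, not from the page)."""
    tmpl = ("gcloud compute firewall-rules create {name} --allow tcp:{port} "
            "--source-ranges {src} --target-tags {tag}")
    src = ",".join(source_ranges)
    return [tmpl.format(name="allow-gateway-http", port=http_port, src=src, tag=target_tag),
            tmpl.format(name="allow-gateway-https", port=https_port, src=src, tag=target_tag)]
```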
4. Add-on tool setup
a. kiali: a tool that visualizes the relationships between services
$ kubectl port-forward service/kiali 20001:20001 -n istio-system --address 0.0.0.0 &
$ gcloud compute firewall-rules create allow-gateway-kiali --allow tcp:20001
- http://35.231.144.242:20001/
Username: admin, Password: admin
b. jaeger-query: monitors the response time of each span in an individual distributed transaction
$ kubectl -n istio-system port-forward service/jaeger-query 16686:16686 --address 0.0.0.0 &
$ gcloud compute firewall-rules create allow-gateway-jaeger --allow tcp:16686
- http://35.231.144.242:16686/
c. grafana: detailed monitoring of service metrics
$ kubectl -n istio-system port-forward service/grafana 3000:3000 --address 0.0.0.0 &
$ gcloud compute firewall-rules create allow-gateway-grafana --allow tcp:3000
d. prometheus
$ kubectl -n istio-system port-forward service/prometheus 9090:9090 --address 0.0.0.0 &
$ gcloud compute firewall-rules create allow-gateway-prometheus --allow tcp:9090