安装istio

1.1.1 使用 Operator 部署 Istio

# wget https://github.com/istio/istio/releases/download/1.13.0/istio-1.13.0-linux-amd64.tar.gz

# tar xf istio-1.13.0-linux-amd64.tar.gz

# cd istio-1.13.0

# mv bin/istioctl /usr/local/bin/

# istioctl version

接下来安装 Istio 的 Operator，可以使用 istioctl 一键部署：

# istioctl operator init

Installing operator controller in namespace: istio-operator using image:

istio/operator:1.13.0

Operator controller will watch namespaces: istio-system

✔ Istio operator installed

✔ Installation complete

出现 Installation complete 后，查看 Pod 是否正常：

# kubectl get po -n istio-operator

NAME READY STATUS RESTARTS AGE

istio-operator-7f546b959b-cq4c9 1/1 Running 0 116s

之后通过定义 IstioOperator 资源，在 Kubernetes 中安装 Istio：

# cat istio-operator.yaml

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: example-istiocontrolplane
spec:
  profile: default
  components: # 自定义组件配置
    ingressGateways: # 自定义 ingressGateway 配置
       - name: istio-ingressgateway
         enabled: true # 开启 ingressGateway
         k8s: # 自定义 ingressGateway 的 Kubernetes 配置
           service: #将 Service 类型改成 NodePort
             type: NodePort
             ports:
             - port: 15020
               nodePort: 30520
               name: status-port
             - port: 80
               nodePort: 30080
               name: http2
               targetPort: 8080
             - port: 443
               nodePort: 30443
               name: https
               targetPort: 8443

安装 Istio：

# istioctl manifest apply -f istio-operator.yaml

This will install the Istio 1.13.0 default profile with ["Istio core"

"Istiod" "Ingress gateways"] components into the cluster. Proceed? (y/N) y

✔ Istio core installed

✔ Istiod installed

✔ Ingress gateways installed

✔ Installation complete

Thank you for installing Istio 1.11. Please take a few minutes to tell

us about your install/upgrade experience!

https://forms.gle/kWULBRjUv7hHci7T6

查看创建的 Service 和 Pod：

# kubectl get svc,po -n istio-system

NAME TYPE CLUSTER-IP EXTERNAL-IP

PORT(S) AGE

service/istio-ingressgateway NodePort 192.168.99.93 <none>

15020:30020/TCP,80:30080/TCP,443:30443/TCP 83s

service/istiod ClusterIP 192.168.117.146 <none>

15010/TCP,15012/TCP,443/TCP,15014/TCP 5m42s

NAME READY STATUS RESTARTS AGE

pod/istio-ingressgateway-5684974946-vmw6v 1/1 Running 0

6m4s

pod/istiod-7859559dd-gwp6p 1/1 Running 0 6m42s

 

1.1.2 配置自动注入

修改 APIServer 的配置文件，添加 MutatingAdmissionWebhook,ValidatingAdmissionWebhook

（如果 K8s 版本大于 1.16 默认已经开启）：

# vi /etc/kubernetes/manifests/kube-apiserver.yaml # 二进制安装方式需要找到

APIServer 的 Service 文件

- --enable-admission-plugins=

MutatingAdmissionWebhook,ValidatingAdmissionWebhook # 本示例省略了其它配置项，读

者需要追加这两项即可

接下来创建一个测试的 Namespace，并添加一个 istio-injection=enabled 的标签，之后在该

Namespace 下创建的 Pod 就会被自动注入 Istio 的 Proxy。

创建 Namespace 并添加 Label：

# kubectl create ns istio-test

# kubectl label namespace istio-test istio-injection=enabled

切换目录至 istio 的安装包，然后创建测试应用，此时创建的 Pod 会被自动注入一个 istio

proxy 的容器：

# kubectl apply -f samples/sleep/sleep.yaml -n istio-test

service/sleep created

deployment.extensions/sleep created

查看部署的容器：# kubectl get po -n istio-test

NAME READY STATUS RESTARTS AGE

sleep-86cf99dfd6-h2nzh 2/2 Running 0 92s

 

1.1.3 可视化工具 Kiali

Kiali 为 Istio 提供了可视化的界面，可以在 Kiali 上进行观测流量的走向、调用链，同时还可

以使用 Kiali 进行配置管理，给用户带来了很好的体验。

接下来在 Kubernetes 中安装 Kiali 工具，首先进入到 Istio 的安装包目录：

# kubectl create -f samples/addons/kiali.yaml

serviceaccount/kiali created

configmap/kiali created

clusterrole.rbac.authorization.k8s.io/kiali-viewer created

clusterrole.rbac.authorization.k8s.io/kiali created

clusterrolebinding.rbac.authorization.k8s.io/kiali created

role.rbac.authorization.k8s.io/kiali-controlplane created

rolebinding.rbac.authorization.k8s.io/kiali-controlplane created

service/kiali created

deployment.apps/kiali created

查看部署状态：

# kubectl get po,svc -n istio-system -l app=kiali

NAME READY STATUS RESTARTS AGE

pod/kiali-fd9f88575-zbphq 1/1 Running 0 9m39s

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)

AGE

service/kiali ClusterIP 192.168.55.181 <none>

20001/TCP,9090/TCP 8m40s

之后可以将 Service 类型改成 NodePort，或者配置 Ingress 即可访问 Kiali 服务：

除了 Kiali 之外，还需要一个链路追踪的工具，安装该工具可以在 Kiali 的 Workloads 页面，

查看某个服务的 Traces 信息。直接安装即可：

# kubectl create -f samples/addons/jaeger.yaml

deployment.apps/jaeger created

service/tracing created

service/zipkin created

service/jaeger-collector created

 

1.1.4 Prometheus 和 Grafana

Istio 默认暴露了很多监控指标，比如请求数量统计、请求持续时间以及 Service 和工作

负载的指标，这些指标可以使用 Prometheus 进行收集，Grafana 进行展示。

Istio 内置了 Prometheus 和 Grafana 的安装文件，直接安装即可（也可以使用外置的

Prometheus 和 Grafana）：

# kubectl create -f samples/addons/prometheus.yaml -f

samples/addons/grafana.yaml

serviceaccount/prometheus created

configmap/prometheus created

clusterrole.rbac.authorization.k8s.io/prometheus created

clusterrolebinding.rbac.authorization.k8s.io/prometheus created

service/prometheus created

deployment.apps/prometheus created

serviceaccount/grafana created

configmap/grafana created

service/grafana created

deployment.apps/grafana created

configmap/istio-grafana-dashboards createdconfigmap/istio-services-grafana-dashboards created

查看创建的 Pod 和 Service：

# kubectl get svc,pod -n istio-system

NAME TYPE CLUSTER-IP EXTERNAL-IP

PORT(S) AGE

service/grafana ClusterIP 192.168.58.97 <none>

3000/TCP 36m

service/istio-ingressgateway NodePort 192.168.99.93 <none>

15020:30020/TCP,80:30080/TCP,443:30443/TCP 42h

service/istiod ClusterIP 192.168.117.146 <none>

15010/TCP,15012/TCP,443/TCP,15014/TCP 42h

service/jaeger-collector ClusterIP 192.168.174.239 <none>

14268/TCP,14250/TCP,9411/TCP 36m

service/kiali NodePort 192.168.55.181 <none>

20001:31600/TCP,9090:31235/TCP 41m

service/knative-local-gateway ClusterIP 192.168.93.127 <none>

80/TCP 41h

service/prometheus ClusterIP 192.168.168.212 <none>

9090/TCP 36m

service/tracing ClusterIP 192.168.155.244 <none>

80/TCP,16685/TCP 36m

service/zipkin ClusterIP 192.168.114.253 <none>

9411/TCP 36m

NAME READY STATUS RESTARTS AGE

pod/grafana-68cc7d6d78-tpx74 1/1 Running 0 37m

pod/istio-ingressgateway-5684974946-vmw6v 1/1 Running 0 42h

pod/istiod-7859559dd-gwp6p 1/1 Running 0 42h

pod/jaeger-5d44bc5c5d-9wwj7 1/1 Running 0 37m

pod/kiali-fd9f88575-zbphq 1/1 Running 0 42m

pod/prometheus-77b49cb997-zkrm2 2/2 Running 0 37m

同样的方式，将 Grafana 的 Service 改成 NodePort 或者添加 Ingress，之后访问即可：