Installing Istio in a Calico environment


Installing Istio on flannel or OVS is fairly simple: with flannel, just follow the installation on the official website; with OVS, you need to set the netid of istio-system to 0.

Steps to install Istio in a Calico environment (Helm install; this example uses istio-1.3.2)

Use Helm 2.x for the Istio installation; 3.x does not work.

Create the Istio CRDs

# this line is optional
helm repo add istio.io https://storage.googleapis.com/istio-release/releases/1.3.2/charts/

kubectl create namespace istio-system
oc adm policy add-scc-to-group anyuid system:serviceaccounts -n istio-system

helm template install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl apply -f -
kubectl -n istio-system wait --for=condition=complete job --all

Install the Istio components

curl -L https://istio.io/downloadIstio | sh -
cd istio-1.3.2
helm template install/kubernetes/helm/istio \
--name istio --namespace istio-system \
--values install/kubernetes/helm/istio/values-istio-demo.yaml \
--set global.proxy.privileged=true | kubectl apply -f -
# patch kiali's permissions to enable service observation
oc patch clusterrole kiali -p '[{"op":"add", "path":"/rules/-", "value":{"apiGroups":["apps.openshift.io"], "resources":["deploymentconfigs"],"verbs": ["get", "list", "watch"]}}]' --type json
oc patch clusterrole kiali -p '[{"op":"add", "path":"/rules/-", "value":{"apiGroups":["project.openshift.io"], "resources":["projects"],"verbs": ["get"]}}]' --type json
oc patch clusterrole kiali -p '[{"op":"add", "path":"/rules/-", "value":{"apiGroups":["route.openshift.io"], "resources":["routes"],"verbs": ["get"]}}]' --type json

Enable Istio automatic injection

Apply the patch in the /etc/origin/master directory on the master nodes.
Create a master-config.patch file:

admissionConfig:
  pluginConfig:
    MutatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kubeConfigFile: /dev/null
        kind: WebhookAdmission
    ValidatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kubeConfigFile: /dev/null
        kind: WebhookAdmission

The patch script is as follows; it must be run on every master node.

cp -p master-config.yaml master-config.yaml.prepatch
oc ex config patch master-config.yaml.prepatch -p "$(cat master-config.patch)" > master-config.yaml
master-restart api
master-restart controllers

Enable automatic injection for the application namespace

# this example uses the book namespace
oc adm policy add-scc-to-group privileged system:serviceaccounts -n book
oc adm policy add-scc-to-group anyuid system:serviceaccounts -n book

kubectl label ns book istio-injection=enabled

Now restart the pods in book; the istio proxy will be injected automatically.

Prevent the deploy components from being injected when using OpenShift

Edit the istio-sidecar-injector ConfigMap and change the neverInjectSelector field.

neverInjectSelector:
  - matchExpressions:
    - {key: openshift.io/build.name, operator: Exists}
  - matchExpressions:
    - {key: openshift.io/deployer-pod-for.name, operator: Exists}
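The namespace label (istio-injection=enabled) and the neverInjectSelector entries above are two different gates, and it is easy to misjudge which pods end up with a sidecar. The following Python is an added example, not code from the Istio project: it re-implements the order of checks the Istio 1.3 injector applies (webhook namespaceSelector, hostNetwork and ignored namespaces, the sidecar.istio.io/inject annotation, neverInjectSelector, alwaysInjectSelector, then the policy) so you can predict the outcome for a given pod offline. The selector entries are the two from this post, constructed here as dicts; the policy and ignored-namespace values are assumptions matching Istio's defaults.

```python
"""Simulate the Istio 1.3 sidecar-injection decision for a pod (added example)."""

# Constructed: the neverInjectSelector entries from the ConfigMap in this post.
NEVER_INJECT_SELECTOR = [
    {"matchExpressions": [{"key": "openshift.io/build.name", "operator": "Exists"}]},
    {"matchExpressions": [{"key": "openshift.io/deployer-pod-for.name", "operator": "Exists"}]},
]

INJECT_ANNOTATION = "sidecar.istio.io/inject"
# Assumption: Istio's default list of namespaces the injector always skips.
IGNORED_NAMESPACES = {"kube-system", "kube-public"}


def selector_is_empty(selector):
    """An empty LabelSelector would match every pod; the injector ignores such entries."""
    return not selector.get("matchLabels") and not selector.get("matchExpressions")


def selector_matches(selector, labels):
    """Evaluate a Kubernetes LabelSelector (matchLabels + matchExpressions) against pod labels."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values = expr.get("values", [])
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
    return True


def injection_required(namespace, namespace_labels, pod_labels, pod_annotations,
                       host_network=False, policy="enabled",
                       never_inject=NEVER_INJECT_SELECTOR, always_inject=()):
    """Return True if the sidecar would be injected into the described pod."""
    # Gate 1: the MutatingWebhookConfiguration's namespaceSelector. Pods in
    # namespaces without istio-injection=enabled never reach the injector.
    if namespace_labels.get("istio-injection") != "enabled":
        return False
    # Gate 2: hard exclusions inside the injector itself.
    if host_network or namespace in IGNORED_NAMESPACES:
        return False
    # Gate 3: an explicit per-pod annotation wins over every selector.
    value = pod_annotations.get(INJECT_ANNOTATION, "").lower()
    if value in ("y", "yes", "true", "on"):
        return True
    if value != "":
        return False  # any other explicit value (e.g. "false") opts out
    # Gate 4: neverInjectSelector is consulted first, then alwaysInjectSelector.
    for sel in never_inject:
        if not selector_is_empty(sel) and selector_matches(sel, pod_labels):
            return False
    for sel in always_inject:
        if not selector_is_empty(sel) and selector_matches(sel, pod_labels):
            return True
    # Gate 5: nothing explicit matched; fall back to the ConfigMap's policy.
    return policy == "enabled"


if __name__ == "__main__":
    ns = {"istio-injection": "enabled"}
    print("app pod:", injection_required("book", ns, {"app": "reviews"}, {}))
    print("deployer pod:", injection_required(
        "book", ns, {"openshift.io/deployer-pod-for.name": "reviews-1"}, {}))
```

The deployer and build pods are excluded only because no annotation is set on them; an explicit sidecar.istio.io/inject annotation on a pod still overrides the selector, which is the behaviour to keep in mind when auditing which workloads in a namespace actually run through the mesh.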

Using Spring Cloud Kubernetes

When using this component, the corresponding namespace needs to be authorized; this example uses book.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: book
  name: namespace-reader
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["configmaps", "pods", "services", "endpoints", "secrets"]
    verbs: ["get", "list", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: namespace-reader-binding
  namespace: book
subjects:
  - kind: ServiceAccount
    name: default
    apiGroup: ""
roleRef:
  kind: Role
  name: namespace-reader
  apiGroup: ""
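The kiali ClusterRole patches in the component-install section and the namespace-reader Role here both come down to RBAC rules, and it is worth being able to answer "what exactly does this grant?" before applying them. The following Python is an added example, not code from Istio, Kiali or Spring Cloud Kubernetes: it evaluates whether a Role or ClusterRole permits a (group, resource, verb) triple, applies the `add` to `/rules/-` JSON-patch operation that the `oc patch --type json` commands use, and audits a role for wildcards and secret read access. The namespace-reader Role is the one from this post as a dict; the stub kiali ClusterRole and its existing rule are constructed. One point the audit surfaces: the RoleBinding targets the `default` ServiceAccount, so every pod in `book` that does not set its own serviceAccountName can read the namespace's secrets; a dedicated ServiceAccount for the Spring Cloud Kubernetes application narrows that.

```python
"""Evaluate Kubernetes RBAC rules and the JSON-patch 'add' op used above (added example)."""
import copy

# Constructed: the namespace-reader Role from this post, as a dict.
NAMESPACE_READER = {
    "kind": "Role",
    "metadata": {"namespace": "book", "name": "namespace-reader"},
    "rules": [{
        "apiGroups": ["", "extensions", "apps"],
        "resources": ["configmaps", "pods", "services", "endpoints", "secrets"],
        "verbs": ["get", "list", "watch"],
    }],
}

# Constructed: a minimal stand-in for the kiali ClusterRole (not Kiali's real rules)
# and one of the three patch operations from the install section.
KIALI_CLUSTERROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "kiali"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}],
}
KIALI_ROUTES_PATCH = [{
    "op": "add", "path": "/rules/-",
    "value": {"apiGroups": ["route.openshift.io"], "resources": ["routes"], "verbs": ["get"]},
}]


def _matches(wanted, allowed):
    """RBAC list matching: '*' in a rule's list matches any value."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb):
    """True if one PolicyRule grants the verb on the resource in the API group."""
    return (_matches(api_group, rule.get("apiGroups", []))
            and _matches(resource, rule.get("resources", []))
            and _matches(verb, rule.get("verbs", [])))


def role_allows(role, api_group, resource, verb):
    """True if any rule of the Role/ClusterRole grants the request (rules are additive)."""
    return any(rule_allows(r, api_group, resource, verb) for r in role.get("rules", []))


def apply_json_patch(doc, ops):
    """Apply RFC 6902 'add' ops targeting /rules/- (append) or /rules/<n> (insert).

    Only the subset needed for the oc patch commands above is implemented;
    anything else raises so a typo in the patch cannot silently do nothing.
    """
    out = copy.deepcopy(doc)
    for op in ops:
        if op.get("op") != "add" or not op.get("path", "").startswith("/rules/"):
            raise ValueError("unsupported patch op: %r" % (op,))
        index = op["path"][len("/rules/"):]
        rules = out.setdefault("rules", [])
        if index == "-":
            rules.append(op["value"])
        else:
            rules.insert(int(index), op["value"])
    return out


def audit_role(role):
    """Least-privilege audit: flag wildcard grants and any rule that lets secrets be read."""
    findings = []
    for rule in role.get("rules", []):
        if any("*" in rule.get(k, []) for k in ("apiGroups", "resources", "verbs")):
            findings.append("wildcard grant: %r" % (rule,))
        if any(rule_allows(rule, "", "secrets", v) for v in ("get", "list", "watch")):
            findings.append("secrets readable via rule: %r" % (rule,))
    return findings


if __name__ == "__main__":
    patched = apply_json_patch(KIALI_CLUSTERROLE, KIALI_ROUTES_PATCH)
    print("kiali can get routes after patch:",
          role_allows(patched, "route.openshift.io", "routes", "get"))
    for finding in audit_role(NAMESPACE_READER):
        print("namespace-reader:", finding)
```

Running the audit against the Role from this post reports the secrets grant; if the application only needs configmaps and pods for discovery and config reload, dropping `secrets` from the resources list removes that finding without affecting the rest of the Role.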