Kubernetes/Istio

From Ever changing code
Revision as of 10:04, 29 September 2020

Architecture

  | app1  |                | app2  |
  | proxy |  <---------->  | proxy |   # Data Plane (all Envoy proxy sidecars)

  ----------------------------------------
  | |  pod  |        | pod |       | pod | |
  | |citadel|        |mixer|       |pilot| |
  |      C o n t r o l  P l a n e  A P I   |
  ----------------------------------------

Note: all the sidecar proxies together are called the Data Plane; everything else that Istio deploys is called the Control Plane.


Istio components group:

  • Istio-telemetry
  • Istio-pilot
  • Istio-tracing


Istio components

Envoy (L7 proxy)
  • Dynamic service discovery
  • Load balancing
  • TLS termination
  • Health checks
  • Staged rollouts
  • Fault injection

Pilot
  • Service discovery
  • Intelligent routing
  • Resiliency

Pilot tracks which pods are healthy and available and pushes that list, together with any other configuration updates, to the proxies.

Citadel
  • User authentication
  • Credential management
  • Certificate management
  • Traffic encryption

Pods: istio-citadel-*

It is the certificate store: Istio's built-in certificate authority, which issues the workload certificates the sidecars use for mutual TLS.

Mixer
  • Access control
  • Usage policies
  • Telemetry data (data scraping)

It is extended through many adapter modules/plugins. Pods: istio-policy-*, istio-telemetry-*

Galley
Validates, ingests, processes and distributes Istio configuration; it is the interface between the underlying platform API server (Kubernetes) and the rest of the control plane, so the other components do not read user configuration from the platform directly.


Noticeable changes
  • In Istio 1.6 the transition to Istiod was completed: the functionality of Citadel, the sidecar injector and Galley moved into the single istiod binary, which allowed the separate deployments for those three components to be removed.

Istio on minikube

# Minimum requirements are 8G and 4 CPUs
PROFILE=minikube-v1.17.6-istio
minikube start --memory=8192 --cpus=4 --kubernetes-version=v1.17.6 --profile $PROFILE
# or the same cluster on the KVM driver
minikube start --memory=8192 --cpus=4 --kubernetes-version=v1.17.6 --driver kvm --profile $PROFILE-kvm2

minikube tunnel --profile $PROFILE
minikube addons enable istio --profile $PROFILE # [1] error

Troubleshooting

[1] - no matches for kind "IstioOperator": the addon applies an IstioOperator custom resource, but nothing has installed the CRD that defines it yet. minikube ships the Istio operator as a separate addon, istio-provisioner, which has to be enabled first (minikube addons enable istio-provisioner --profile $PROFILE); alternatively install with istioctl as in the next section.
💣  enable failed: run callbacks: running callbacks: [sudo KUBECONFIG=/var/lib/minikube/kubeconfig /var/lib/minikube/binaries/v1.17.6/kubectl apply -f /etc/kubernetes/addons/istio-default-profile.yaml: Process exited with status 1
stdout:
namespace/istio-system unchanged

stderr:
error: unable to recognize "/etc/kubernetes/addons/istio-default-profile.yaml": no matches for kind "IstioOperator" in version "install.istio.io/v1alpha1"

Install istioctl

The download script fetches the release tarball from GitHub and unpacks it into the current directory. Keep ISTIO_VERSION pinned as below, and before trusting the binaries compare the tarball's sha256 with the checksum published on the GitHub release page rather than running whatever an unpinned curl | sh returns.

curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.6.8 sh -
cd istio-1.6.8/  # istio package directory
export PATH=$PWD/bin:$PATH
# or point at a fixed checkout location instead
export PATH=$PATH:/git3rd/istio-1.6.8/bin

# make sure you can connect to k8s cluster, then verify the install
istioctl verify-install
...
CustomResourceDefinition: templates.config.istio.io.default checked successfully
CustomResourceDefinition: istiooperators.install.istio.io.default checked successfully
Checked 25 custom resource definitions
Checked 1 Istio Deployments
Istio is installed successfully

$ istioctl version --remote
client version: 1.6.8
control plane version: 1.6.8
data plane version: 1.6.8 (21 proxies)

Uninstall Istio

Uninstall v1.6.8; errors about RBAC resources that do not exist can be ignored.

istioctl manifest generate --set profile=default | kubectl delete --ignore-not-found=true -f -
kubectl delete namespace istio-system

Uninstall v1.7.x

istioctl x uninstall --purge

Get info

# List profiles
istioctl profile list

# profile configuration
istioctl profile dump demo
istioctl profile dump --config-path components.pilot demo

# Differences in the profiles
istioctl profile diff default demo

Customize istio installation

Configure ingress-gateways

Gateways are a special type of component, since multiple ingress and egress gateways can be defined. In the IstioOperator API, gateways are defined as a list type. The default profile installs one ingress gateway, called istio-ingressgateway.

# Show default values of the ingressgateway
istioctl profile dump --config-path components.ingressGateways
istioctl profile dump --config-path values.gateways.istio-ingressgateway


Install Istio with the ingressgateway service exposed as an internal AWS load balancer (the gateway gets no public address):

istioctl install \
  --set profile=default \
  --set addonComponents.prometheus.enabled=false \
  --set addonComponents.grafana.enabled=false \
  --set addonComponents.kiali.enabled=false \
  --set addonComponents.tracing.enabled=false \
  --set components.ingressGateways[0].enabled="true" \
  --set components.ingressGateways[0].k8s.serviceAnnotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"=\"true\"
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Installation complete

# Older values.* form of the same annotation (older Kubernetes docs used the CIDR 0.0.0.0/0 rather than "true"):
# --set gateways.istio-ingressgateway.serviceAnnotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0\.0\.0\.0/0"
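The same installation expressed as an IstioOperator manifest instead of a chain of --set flags, as an added example that is not from the original page: every --set path above maps to a field under spec, which makes the install reviewable and diffable in version control. The metadata.name and the file name used in the comments are assumptions; the annotation value "true" is the one used in the command above.

```yaml
# Added example: IstioOperator equivalent of the istioctl install --set flags above.
# Apply with:  istioctl install -f istio-internal-lb.yaml   (file name is an assumption)
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio-internal-lb          # assumed name
spec:
  profile: default
  # Istio 1.6 still ships the addons through the operator; disabled here as in the --set form
  addonComponents:
    prometheus:
      enabled: false
    grafana:
      enabled: false
    kiali:
      enabled: false
    tracing:
      enabled: false
  components:
    ingressGateways:
    - name: istio-ingressgateway   # the single ingress gateway the default profile installs
      enabled: true
      k8s:
        serviceAnnotations:
          # keep the gateway off the public internet: the AWS cloud provider creates an internal ELB
          service.beta.kubernetes.io/aws-load-balancer-internal: "true"
```

Before installing, `istioctl manifest generate -f istio-internal-lb.yaml` renders the plain Kubernetes manifests, so you can confirm the annotation actually lands on the istio-ingressgateway Service (and that no addon Deployments are rendered) rather than discovering a public load balancer after the fact.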

istioctl version --remote
client version: 1.6.4
control plane version: 1.6.4
data plane version: 1.6.4 (1 proxies)

Ingress Gateways

# manually inject the sidecar into the httpbin manifest and deploy it to the "bin" namespace
kubectl -n bin apply -f <(istioctl kube-inject -f httpbin.yaml)

export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
# AWS load balancers publish a 'hostname' instead of an 'ip'
export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')

export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')

# The "tcp" port is not part of every profile's ingress gateway service, so this may be empty
export TCP_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="tcp")].port}')

# Verify
env | grep INGRESS

Add custom headers

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway
  http:
  - match:
    - uri:
        prefix: /headers
    route:
    - destination:
        host: httpbin
        port:
          number: 8000
      headers:
        response:          # added to the response sent back to the client
          add:
            key1: abc
        request:           # added to the request forwarded to httpbin
          add:
            key2: def
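The VirtualService above binds to httpbin-gateway, but the page does not define that Gateway. The following is an added example, not from the original page, of a Gateway that serves it over TLS and only for one host name, instead of the hosts "*" that a minimal Gateway usually carries. The namespace bin (where httpbin was deployed above), the host name httpbin.example.com and the secret name httpbin-credential are assumptions.

```yaml
# Added example: Gateway for the httpbin VirtualService above (not part of the original page).
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
  namespace: bin                   # same namespace as the VirtualService, so the bare name resolves
spec:
  selector:
    istio: ingressgateway          # the istio-ingressgateway pods installed above
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - httpbin.example.com          # assumed host name; "*" would accept any Host header
    tls:
      httpsRedirect: true          # plain HTTP is answered with a 301 to https
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      # kubernetes.io/tls secret with the server certificate and key. It must live in
      # istio-system, the namespace of the gateway pods, for the gateway to read it via SDS.
      credentialName: httpbin-credential
    hosts:
    - httpbin.example.com
```

Create the secret first (`kubectl -n istio-system create secret tls httpbin-credential --cert=httpbin.crt --key=httpbin.key`, file names assumed), apply the Gateway, then `curl -sI --cacert ca.crt --resolve "httpbin.example.com:$SECURE_INGRESS_PORT:<gateway IP>" "https://httpbin.example.com:$SECURE_INGRESS_PORT/headers"` should return 200 with the `key1: abc` header the VirtualService adds; on AWS, where INGRESS_HOST is a hostname, resolve it to an address before using --resolve. The VirtualService's own `hosts: "*"` can be narrowed to the same host name so that a second Gateway bound to it cannot widen what it matches.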

Resources

Training Istio v1.5
* [https://www.youtube.com/watch?v=z6WjVJ1XelY&feature=youtu.be What is Istio Service Mesh?]
* [https://www.youtube.com/watch?v=2FyhNONICkY Istio Hands on Demo Part 1]