Kubernetes/Istio

From Ever changing code
Jump to navigation Jump to search

Architecture

. | app1  |                | app2  |
  | proxy |  <---------->  | proxy |    # Envoy proxy sidecars


| |  pod  |        | pod |       | pod | | 
| |citadel|        |mixer|       |pilot| |
|      C o n t r o l  P l a n e  A P I   |
 ----------------------------------------
TableHeadline
Envoy L7 proxy Pilot Citadel Mixer Galley
  • Dynamic service discovery
  • Load balancing
  • TLS termination
  • Health checks
  • Staged rollouts
  • Fault injection
  • Service discovery
  • Intelligent routing
  • Resiliency

Aware about pods health, what pods are available and sends to the proxy pods that are alive with any other configuration updates.

  • User authentication
  • Credential management
  • Certificate management
  • Traffic encryption

Pods

  • istio-citadel-*

It's certificate store.

  • handles Access control
  • Usage policies
  • Telemetry data (data scraping)

It has a lot of modules/plugins. Pods: istio-policy-* istio-telemetry-*

Interface for underlying Istio API gateway(aka server)

Istio on minikube

# Minimum requirements are 8G and 4 CPUs
PROFILE=minikube-v1.17.6-istio
minikube start --memory=8192 --cpus=4 --kubernetes-version=v1.17.6 --profile $PROFILE
minikube start --memory=8192 --cpus=4 --kubernetes-version=v1.17.6 --driver kvm --profile $PROFILE-kvm2

minikube tunnel --profile $PROFILE
minikube addons enable istio --profile $PROFILE # [1] error

Troubleshooting

[1] - no matches for kind "IstioOperator"
💣  enable failed: run callbacks: running callbacks: [sudo KUBECONFIG=/var/lib/minikube/kubeconfig /var/lib/minikube/binaries/v1.17.6/kubectl apply -f /etc/kubernetes/addons/istio-default-profile.yaml: Process exited with status 1
stdout:
namespace/istio-system unchanged

stderr:
error: unable to recognize "/etc/kubernetes/addons/istio-default-profile.yaml": no matches for kind "IstioOperator" in version "install.istio.io/v1alpha1"

Download istioctl

curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.6.4 sh -
cd istio-1.6.4/  # istio package directory
export PATH=$PWD/bin:$PATH

# make sure you can connect to k8s cluster, then verify the install
istioctl verify-install
...
CustomResourceDefinition: templates.config.istio.io.default checked successfully
CustomResourceDefinition: istiooperators.install.istio.io.default checked successfully
Checked 25 custom resource definitions
Checked 1 Istio Deployments
Istio is installed successfully

Ingress Gateways

# manually inject the sidecar
kubectl -n bin apply -f <(istioctl kube-inject -f httpbin.yaml)

export INGRESS_HOST=$(       kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(       kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
export TCP_INGRESS_PORT=$(   kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="tcp")].port}')

# Verify
env | grep INGRESS
Retrieved from ‘http://wiki.ciscolinux.co.uk/index.php?title=Kubernetes/Istio&oldid=5758