问题描述
我打算使用以下配置在自己的AKS群集上安装Istion,这将安装什么组件?它会同时安装Ingress和Egress网关吗?
istioctl operator init
kubectl create ns istio-system
cat << EOF | kubectl apply -f -
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
Metadata:
namespace: istio-system
name: istio-control-plane
spec:
# Use the default profile as the base
# More details at: https://istio.io/docs/setup/additional-setup/config-profiles/
profile: default
# Enable the addons that we will want to use
addonComponents:
grafana:
enabled: true
prometheus:
enabled: true
tracing:
enabled: true
kiali:
enabled: true
values:
global:
# Ensure that the Istio pods are only scheduled to run on Linux nodes
defaultNodeselector:
beta.kubernetes.io/os: linux
kiali:
dashboard:
auth:
strategy: anonymous
EOF
解决方法
您问题中的istio操作员清单不会安装出口网关。它基于默认配置文件,根据istio文档,可以使用istioctl profile dump进行检查:
默认:根据
IstioOperatorAPI的默认设置启用组件。建议将此配置文件用于生产部署和multicluster mesh中的主群集。您可以通过运行命令istioctl profile dump显示默认设置。
要使用IstioOperator安装出口网关,请执行istio documentation中的以下步骤:
配置网关
网关是一种特殊的组件,因为可以定义多个入口和出口网关。在
IstioOperatorAPI中,网关被定义为列表类型。default配置文件将安装一个名为istio-ingressgateway的入口网关。您可以检查该网关的默认值:istioctl profile dump --config-path components.ingressGateways istioctl profile dump --config-path values.gateways.istio-ingressgateway这些命令显示了网关的
IstioOperator和Helm设置,它们一起用于定义生成的网关资源。可以像其他任何组件一样自定义内置网关。从1.7开始,叠加时必须始终指定网关名称。不指定任何名称将不再默认为
istio-ingressgateway或istio-egressgateway。可以通过添加新的列表条目来创建新的用户网关:
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: components: ingressGateways: - name: istio-ingressgateway enabled: true - namespace: user-ingressgateway-ns name: ilb-gateway enabled: true k8s: resources: requests: cpu: 200m serviceAnnotations: cloud.google.com/load-balancer-type: "internal" service: ports: - port: 8060 targetPort: 8060 name: tcp-citadel-grpc-tls - port: 5353 name: tcp-dns请注意,Helm值(
spec.values.gateways.istio-ingressgateway/egressgateway)由所有入口/出口网关共享。如果必须针对每个网关自定义这些选项,则建议使用单独的IstioOperator CR为用户网关生成清单,而与主要Istio安装不同:apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: profile: empty components: ingressGateways: - name: ilb-gateway namespace: user-ingressgateway-ns enabled: true # Copy settings from istio-ingressgateway as needed. values: gateways: istio-ingressgateway: debug: error
有关在AKS上安装istio的更多信息,请参见here。
,我已经使用以下配置来设置Ingress和Egress网关。
cat << EOF | kubectl apply -f -
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: istio-control-plane
spec:
# Use the default profile as the base
# More details at: https://istio.io/docs/setup/additional-setup/config-profiles/
profile: default
# Enable the addons that we will want to use
addonComponents:
grafana:
enabled: true
prometheus:
enabled: true
tracing:
enabled: true
kiali:
enabled: true
values:
global:
# Ensure that the Istio pods are only scheduled to run on Linux nodes
defaultNodeSelector:
beta.kubernetes.io/os: linux
kiali:
dashboard:
auth:
strategy: anonymous
components:
egressGateways:
- name: istio-egressgateway
enabled: true
EOF