1. 准备环境
- k8s集群(1.18.5)
2. 安装配置
创建/tmp/istio目录,并下载istio包
mkdir -p /tmp/istio
cd /tmp/istio
curl -L https://istio.io/downloadIstio | sh -
会在当前目录(/tmp/istio)下生成如下目录:
[root@cs-master istio]# ls
istio-1.7.0
[root@cs-master istio]# cd istio-1.7.0/
[root@cs-master istio-1.7.0]# ls
bin LICENSE manifests manifest.yaml README.md samples tools
[root@cs-master istio-1.7.0]# ls bin/
istioctl
进入目录后,可看到istioctl执行程序,将该文件复制到执行目录(/bin/)或配置环境变量,保证可直接使用istioctl工具
[root@cs-master istio-1.7.0]# export PATH=$PATH:$PWD/bin
[root@cs-master istio-1.7.0]# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/tmp/istio/istio-1.7.0/bin
3. 部署istio组件
3.1 目录结构
[root@cs-master istio-1.7.0]# ls -l
drwxr-x---. 2 root root 22 9月 11 19:32 bin
-rw-r--r--. 1 root root 11348 9月 11 19:32 LICENSE
drwxr-xr-x. 6 root root 66 9月 11 19:32 manifests
-rw-r-----. 1 root root 815 9月 11 19:32 manifest.yaml
-rw-r--r--. 1 root root 5756 9月 11 19:32 README.md
drwxr-xr-x. 20 root root 4096 9月 11 19:32 samples
drwxr-x---. 3 root root 133 9月 11 19:32 tools
可以看到有4个目录(bin、manifests、samples、tools)及3个文件(LICENSE、README.md、manifest.yaml)
其中bin下是istioctl执行程序,manifests是istio相关的主要部署组件,manifest.yaml是当前istio版本(1.7.0)中manifests目录下各组件的配置和依赖描述,samples是一套istio应用样例,用来部署测试做功能校验的,tools是一些工具脚本
打开README.md发现,主要说了3个点,istio的功能介绍、项目git仓库、以及问题优化管理原则,并没有直接给出安装使用方法
In this README:
- [Introduction](#introduction)
- [Repositories](#repositories)
- [Issue management](#issue-management)
3.2 istioctl使用
[root@cs-master istio-1.7.0]# istioctl -h
Istio configuration command line utility for service operators to
debug and diagnose their Istio mesh.
Usage:
istioctl [command]
Available Commands:
analyze Analyze Istio configuration and print validation messages
authz (authz is experimental. Use `istioctl experimental authz`)
convert-ingress Convert Ingress configuration into Istio VirtualService configuration
dashboard Access to Istio web UIs
deregister De-registers a service instance
experimental Experimental commands that may be modified or deprecated
help Help about any command
install Applies an Istio manifest, installing or reconfiguring Istio on a cluster.
kube-inject Inject Envoy sidecar into Kubernetes pod resources
manifest Commands related to Istio manifests
operator Commands related to Istio operator controller.
profile Commands related to Istio configuration profiles
proxy-config Retrieve information about proxy configuration from Envoy [kube only]
proxy-status Retrieves the synchronization status of each Envoy in the mesh [kube only]
register Registers a service instance (e.g. VM) joining the mesh
upgrade Upgrade Istio control plane in-place
validate Validate Istio policy and rules (NOTE: validate is deprecated and will be removed in 1.6. Use 'istioctl analyze' to validate configuration.)
verify-install Verifies Istio Installation Status or performs pre-check for the cluster before Istio installation
version Prints out build version information
Flags:
--context string The name of the kubeconfig context to use
-h, --help help for istioctl
-i, --istioNamespace string Istio system namespace (default "istio-system")
-c, --kubeconfig string Kubernetes configuration file
-n, --namespace string Config namespace
Additional help topics:
istioctl options Displays istioctl global options
Use "istioctl [command] --help" for more information about a command.
从istioctl帮助说明可以看出,istioctl有很多子命令,经过测试试用发现其中与部署相关的主要有3个(install、manifest、operator):
install Applies an Istio manifest, installing or reconfiguring Istio on a cluster.
manifest Commands related to Istio manifests
operator Commands related to Istio operator controller.
3.2.1 istioctl install 部署
- istioctl install 是默认部署,按manifests/profile/default.yaml配置部署对应的组件,如下:
[root@cs-master istio-1.7.0]# istioctl install
This will install the default Istio profile into the cluster. Proceed? (y/N) y
Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
✔ Istio core installed
✔ Istiod installed
✔ Addons installed
✔ Ingress gateways installed
✔ Installation complete
- 当然,你也可以使用-d参数指定某个目录部署,这里通过--set 指定manifests/profiles目录下的某一类配置安装,我们以demo为例
[root@cs-master istio-1.7.0]# ls manifests/profiles/
default.yaml demo.yaml empty.yaml minimal.yaml preview.yaml remote.yaml
[root@cs-master istio-1.7.0]# istioctl install --set profile=demo
Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete
3.2.2 istioctl manifest 部署
- istioctl manifest的使用帮助如下,其安装主要是通过install子命令来落地的,其安装执行参数和效果,与直接执行istioctl install是一样的
[root@cs-master istio-1.7.0]# istioctl manifest
The manifest subcommand generates, applies, diffs or migrates Istio manifests.
Usage:
istioctl manifest [command]
Available Commands:
diff Compare manifests and generate diff
generate Generates an Istio install manifest
install Applies an Istio manifest, installing or reconfiguring Istio on a cluster.
Flags:
--dry-run Console/log output only, make no changes.
-h, --help help for manifest
Global Flags:
--context string The name of the kubeconfig context to use
-c, --kubeconfig string Kubernetes configuration file
Use "istioctl manifest [command] --help" for more information about a command.
istioctl manifest install --help说明如下:
[root@cs-master istio-1.7.0]# istioctl manifest install --help
The install generates an Istio install manifest and applies it to a cluster.
Usage:
istioctl manifest install [flags]
Examples:
# Apply a default Istio installation
istioctl install
# Enable grafana dashboard
istioctl install --set values.grafana.enabled=true
# Generate the demo profile and don't wait for confirmation
istioctl install --set profile=demo --skip-confirmation
# To override a setting that includes dots, escape them with a backslash (\). Your shell may require enclosing quotes.
istioctl install --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"
Flags:
--charts string Deprecated, use --manifests instead.
-f, --filename strings Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order.
--force Proceed even with validation errors.
-h, --help help for install
-d, --manifests string Specify a path to a directory of charts and profiles
(e.g. ~/Downloads/istio-1.7.0/manifests)
or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.7.0/istio-1.7.0-linux-amd64.tar.gz).
--readiness-timeout duration Maximum time to wait for Istio resources in each component to be ready. (default 5m0s)
-r, --revision string Target control plane revision for the command.
-s, --set stringArray Override an IstioOperator value, e.g. to choose a profile
(--set profile=demo), enable or disable components (--set components.policy.enabled=true), or override Istio
settings (--set values.grafana.enabled=true). See documentation for more info:
https://istio.io/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
-y, --skip-confirmation skipConfirmation determines whether the user is prompted for confirmation.
If set to true, the user is not prompted and a Yes response is assumed in all cases.
Global Flags:
--context string The name of the kubeconfig context to use
--dry-run Console/log output only, make no changes.
-c, --kubeconfig string Kubernetes configuration file
具体执行结果如下:
[root@cs-master istio-1.7.0]# istioctl manifest install --set profile=demo
Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete
3.3 istioctl operator 部署
- istioctl operator安装相对简单,主要是安装istioctl的operator,通过init子命令执行,结果如下:
[root@cs-master istio-1.7.0]# istioctl operator init
Operator controller is already installed in istio-operator namespace, updating.
Using operator Deployment image: docker.io/istio/operator:1.6.0
✔ Istio operator installed
✔ Installation complete
因istio operator已经通过istioctl manifest apply安装过了,所以提示installed
4. 安装校验
4.1 istio verify-install(校验方式一)
- 首先,通过istioctl manifest generate 命令生成安装清单的校验文件,istioctl manifest generate使用说明如下:
[root@cs-master istio-1.7.0]# istioctl manifest generate --help
The generate subcommand generates an Istio install manifest and outputs to the console by default.
Usage:
istioctl manifest generate [flags]
Examples:
# Generate a default Istio installation
istioctl manifest generate
# Enable grafana dashboard
istioctl manifest generate --set values.grafana.enabled=true
# Generate the demo profile
istioctl manifest generate --set profile=demo
# To override a setting that includes dots, escape them with a backslash (\). Your shell may require enclosing quotes.
istioctl manifest generate --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"
Flags:
--charts string Deprecated, use --manifests instead.
-f, --filename strings Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order.
--force Proceed even with validation errors.
-h, --help help for generate
-d, --manifests string Specify a path to a directory of charts and profiles
(e.g. ~/Downloads/istio-1.7.0/manifests)
or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.7.0/istio-1.7.0-linux-amd64.tar.gz).
-o, --output string Manifest output directory path.
-r, --revision string Target control plane revision for the command.
-s, --set stringArray Override an IstioOperator value, e.g. to choose a profile
(--set profile=demo), enable or disable components (--set components.policy.enabled=true), or override Istio
settings (--set values.grafana.enabled=true). See documentation for more info:
https://istio.io/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
Global Flags:
--context string The name of the kubeconfig context to use
--dry-run Console/log output only, make no changes.
-c, --kubeconfig string Kubernetes configuration file
通过istioctl manifest generate把按demo配置的部署,生成对应的安装校验清单,并保存在当前目录下的test.yaml文件中
[root@cs-master istio-1.7.0]# istioctl manifest generate --set profile=demo > test.yaml
然后通过istio verify-install校验,校验安装成功,详细如下:
[root@cs-master istio-1.7.0]# istioctl verify-install -f test.yaml
CustomResourceDefinition: adapters.config.istio.io.default checked successfully
CustomResourceDefinition: attributemanifests.config.istio.io.default checked successfully
CustomResourceDefinition: authorizationpolicies.security.istio.io.default checked successfully
CustomResourceDefinition: destinationrules.networking.istio.io.default checked successfully
CustomResourceDefinition: envoyfilters.networking.istio.io.default checked successfully
CustomResourceDefinition: gateways.networking.istio.io.default checked successfully
CustomResourceDefinition: handlers.config.istio.io.default checked successfully
CustomResourceDefinition: httpapispecbindings.config.istio.io.default checked successfully
CustomResourceDefinition: httpapispecs.config.istio.io.default checked successfully
CustomResourceDefinition: instances.config.istio.io.default checked successfully
CustomResourceDefinition: istiooperators.install.istio.io.default checked successfully
CustomResourceDefinition: peerauthentications.security.istio.io.default checked successfully
CustomResourceDefinition: quotaspecbindings.config.istio.io.default checked successfully
CustomResourceDefinition: quotaspecs.config.istio.io.default checked successfully
CustomResourceDefinition: requestauthentications.security.istio.io.default checked successfully
CustomResourceDefinition: rules.config.istio.io.default checked successfully
CustomResourceDefinition: serviceentries.networking.istio.io.default checked successfully
CustomResourceDefinition: sidecars.networking.istio.io.default checked successfully
CustomResourceDefinition: templates.config.istio.io.default checked successfully
CustomResourceDefinition: virtualservices.networking.istio.io.default checked successfully
CustomResourceDefinition: workloadentries.networking.istio.io.default checked successfully
ServiceAccount: istio-egressgateway-service-account.istio-system checked successfully
ServiceAccount: istio-ingressgateway-service-account.istio-system checked successfully
ServiceAccount: istio-reader-service-account.istio-system checked successfully
ServiceAccount: istiod-service-account.istio-system checked successfully
ClusterRole: istio-reader-istio-system.default checked successfully
ClusterRole: istiod-istio-system.default checked successfully
ClusterRoleBinding: istio-reader-istio-system.default checked successfully
ClusterRoleBinding: istiod-pilot-istio-system.default checked successfully
ValidatingWebhookConfiguration: istiod-istio-system.default checked successfully
EnvoyFilter: metadata-exchange-1.6.istio-system checked successfully
EnvoyFilter: metadata-exchange-1.7.istio-system checked successfully
EnvoyFilter: stats-filter-1.6.istio-system checked successfully
EnvoyFilter: stats-filter-1.7.istio-system checked successfully
EnvoyFilter: tcp-metadata-exchange-1.6.istio-system checked successfully
EnvoyFilter: tcp-metadata-exchange-1.7.istio-system checked successfully
EnvoyFilter: tcp-stats-filter-1.6.istio-system checked successfully
EnvoyFilter: tcp-stats-filter-1.7.istio-system checked successfully
ConfigMap: istio.istio-system checked successfully
ConfigMap: istio-sidecar-injector.istio-system checked successfully
MutatingWebhookConfiguration: istio-sidecar-injector.default checked successfully
Deployment: istio-egressgateway.istio-system checked successfully
Deployment: istio-ingressgateway.istio-system checked successfully
Deployment: istiod.istio-system checked successfully
PodDisruptionBudget: istio-egressgateway.istio-system checked successfully
PodDisruptionBudget: istio-ingressgateway.istio-system checked successfully
PodDisruptionBudget: istiod.istio-system checked successfully
Role: istio-egressgateway-sds.istio-system checked successfully
Role: istio-ingressgateway-sds.istio-system checked successfully
Role: istiod-istio-system.istio-system checked successfully
RoleBinding: istio-egressgateway-sds.istio-system checked successfully
RoleBinding: istio-ingressgateway-sds.istio-system checked successfully
RoleBinding: istiod-istio-system.istio-system checked successfully
Service: istio-egressgateway.istio-system checked successfully
Service: istio-ingressgateway.istio-system checked successfully
Service: istiod.istio-system checked successfully
Checked 21 custom resource definitions
Checked 2 Istio Deployments
Istio is installed successfully
4.2 查看资源状态(校验方式二)
- 查看istio的CRD
- 查看istio相关的CRD是否正常创建,通过命令可以查看到与istio相关的crd非常多,在demo模式下共有21个,详细如下:
[root@cs-master istio-1.7.0]# kubectl get crd|grep istio
adapters.config.istio.io 2020-09-16T12:03:47Z
attributemanifests.config.istio.io 2020-09-16T12:03:47Z
authorizationpolicies.security.istio.io 2020-09-16T12:03:47Z
destinationrules.networking.istio.io 2020-09-16T12:03:47Z
envoyfilters.networking.istio.io 2020-09-16T12:03:47Z
gateways.networking.istio.io 2020-09-16T12:03:47Z
handlers.config.istio.io 2020-09-16T12:03:47Z
httpapispecbindings.config.istio.io 2020-09-16T12:03:47Z
httpapispecs.config.istio.io 2020-09-16T12:03:47Z
instances.config.istio.io 2020-09-16T12:03:47Z
istiooperators.install.istio.io 2020-09-16T12:03:47Z
peerauthentications.security.istio.io 2020-09-16T12:03:47Z
quotaspecbindings.config.istio.io 2020-09-16T12:03:47Z
quotaspecs.config.istio.io 2020-09-16T12:03:47Z
requestauthentications.security.istio.io 2020-09-16T12:03:47Z
rules.config.istio.io 2020-09-16T12:03:47Z
serviceentries.networking.istio.io 2020-09-16T12:03:47Z
sidecars.networking.istio.io 2020-09-16T12:03:47Z
templates.config.istio.io 2020-09-16T12:03:47Z
virtualservices.networking.istio.io 2020-09-16T12:03:47Z
workloadentries.networking.istio.io 2020-09-16T12:03:47Z
[root@cs-master istio-1.7.0]# kubectl get crd|grep istio|wc -l
21
- 查看operator状态
- 查看istio operator是否正常运行,istio operator是运行在另外一个命名空间(istio-operator )下的,具体如下:
[root@cs-master istio-1.7.0]# kubectl get all -n istio-operator
NAME READY STATUS RESTARTS AGE
pod/istio-operator-76f79b96dd-hbfcx 1/1 Running 0 39m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/istio-operator ClusterIP 10.255.39.148 8383/TCP 39m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/istio-operator 1/1 1 1 39m
NAME DESIRED CURRENT READY AGE
replicaset.apps/istio-operator-76f79b96dd 1 1 1 39m
其中pod和service都正常
- 查看istio operator维护配置情况
- 通过执行kubectl get IstioOperator -n istio-system -o yaml,查看对应status,可以看到istio-operator维护的各个组件运行情况,均为HEALTHY状态
status:
componentStatus:
Base:
status: HEALTHY
EgressGateways:
status: HEALTHY
IngressGateways:
status: HEALTHY
Pilot:
status: HEALTHY
status: HEALTHY
- 查看命名空间istio-system的所有资源状态
- 可以看到3个pod(istio-egressgateway、istio-ingressgateway、istiod即pilot),以及对应的3个service,均是正常,如下:
[root@cs-master istio-1.7.0]# kubectl get all -n istio-system
NAME READY STATUS RESTARTS AGE
pod/istio-egressgateway-695f5944d8-jjbmn 1/1 Running 0 21m
pod/istio-ingressgateway-5c697d4cd7-2qvlf 1/1 Running 0 21m
pod/istiod-77544cd464-mkhhz 1/1 Running 0 10m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/istio-egressgateway ClusterIP 10.255.34.2 80/TCP,443/TCP,15443/TCP 21m
service/istio-ingressgateway LoadBalancer 10.255.38.109 15021:31437/TCP,80:31135/TCP,443:31445/TCP,31400:30539/TCP,15443:31470/TCP 22m
service/istiod ClusterIP 10.255.32.201 15010/TCP,15012/TCP,443/TCP,15014/TCP,853/TCP 22m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/istio-egressgateway 1/1 1 1 21m
deployment.apps/istio-ingressgateway 1/1 1 1 22m
deployment.apps/istiod 1/1 1 1 22m
这是根据/manifests/profiles/demo.yaml配置下指定的component部署的deployment(istio-egressgateway、istio-ingressgateway、istiod即pilot),部分内容截取如下:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
meshConfig:
accessLogFile: /dev/stdout
components:
egressGateways:
- name: istio-egressgateway
enabled: true
k8s:
resources:
requests:
cpu: 10m
memory: 40Mi
ingressGateways:
- name: istio-ingressgateway
enabled: true
k8s:
resources:
requests:
cpu: 10m
memory: 40Mi
service:
ports:
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
# Note that AWS ELB will by default perform health checks on the first port
# on this list. Setting this to the health check port will ensure that health
# checks always work. https://github.com/istio/istio/issues/12503
- port: 15021
targetPort: 15021
name: status-port
- port: 80
targetPort: 8080
name: http2
- port: 443
targetPort: 8443
name: https
- port: 31400
targetPort: 31400
name: tcp
# This is the port where sni routing happens
- port: 15443
targetPort: 15443
name: tls
pilot:
k8s:
env:
- name: PILOT_TRACE_SAMPLING
value: "100"
resources:
requests:
cpu: 10m
memory: 100Mi
若是按默认安装,则使用/manifests/profiles/default.yaml,会通过component指定部署更多deployment(istio-egressgateway、istiod即pilot),当然你也可以通过istioctl install --set component.telemetry.enabled=true来配置/manifests/profiles/default.yaml,然后通过istioctl install安装telemetry,具体我就不演示了
5. 卸载istio
- 通过istioctl manifest generate生成对应的安装清单,然后删除,命令:istioctl manifest generate
| kubectl delete -f -
详细demo如下:
[root@cs-master istio-1.7.0]# istioctl manifest generate --set profile=demo |kubectl delete -f -
customresourcedefinition.apiextensions.k8s.io "adapters.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "attributemanifests.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "authorizationpolicies.security.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "destinationrules.networking.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "envoyfilters.networking.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "gateways.networking.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "handlers.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "httpapispecbindings.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "httpapispecs.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "instances.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "istiooperators.install.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "peerauthentications.security.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "quotaspecbindings.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "quotaspecs.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "requestauthentications.security.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "rules.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "serviceentries.networking.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "sidecars.networking.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "templates.config.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "virtualservices.networking.istio.io" deleted
customresourcedefinition.apiextensions.k8s.io "workloadentries.networking.istio.io" deleted
serviceaccount "istio-egressgateway-service-account" deleted
serviceaccount "istio-ingressgateway-service-account" deleted
serviceaccount "istio-reader-service-account" deleted
serviceaccount "istiod-service-account" deleted
clusterrole.rbac.authorization.k8s.io "istio-reader-istio-system" deleted
clusterrole.rbac.authorization.k8s.io "istiod-istio-system" deleted
clusterrolebinding.rbac.authorization.k8s.io "istio-reader-istio-system" deleted
clusterrolebinding.rbac.authorization.k8s.io "istiod-pilot-istio-system" deleted
validatingwebhookconfiguration.admissionregistration.k8s.io "istiod-istio-system" deleted
configmap "istio" deleted
configmap "istio-sidecar-injector" deleted
mutatingwebhookconfiguration.admissionregistration.k8s.io "istio-sidecar-injector" deleted
deployment.apps "istio-egressgateway" deleted
deployment.apps "istio-ingressgateway" deleted
deployment.apps "istiod" deleted
poddisruptionbudget.policy "istio-egressgateway" deleted
poddisruptionbudget.policy "istio-ingressgateway" deleted
poddisruptionbudget.policy "istiod" deleted
role.rbac.authorization.k8s.io "istio-egressgateway-sds" deleted
role.rbac.authorization.k8s.io "istio-ingressgateway-sds" deleted
role.rbac.authorization.k8s.io "istiod-istio-system" deleted
rolebinding.rbac.authorization.k8s.io "istio-egressgateway-sds" deleted
rolebinding.rbac.authorization.k8s.io "istio-ingressgateway-sds" deleted
rolebinding.rbac.authorization.k8s.io "istiod-istio-system" deleted
service "istio-egressgateway" deleted
service "istio-ingressgateway" deleted
service "istiod" deleted
把资源清理干净后,删除命名空间istio-system
[root@cs-master istio-1.7.0]# kubectl get all -n istio-system
No resources found in istio-system namespace.
[root@cs-master istio-1.7.0]# kubectl delete ns istio-system
namespace "istio-system" deleted
6. 总结
-
- 安装包下载及配置
-
- istio环境部署,通过istioctl install 和istioctl manifest install都可以做到istio组件无差别部署
-
- istio部署组件校验,通过几类方式istioctl install 或istioctl manifest install
-
- 校验:istioctl verify-install,以及人工查看各类组件是否正常运行,关键查看命名空间istio-system下IstioOperator内的status是否全为HEALTHY状态
-
- 卸载,通过istioctl manifest generate生成清单删除卸载
引用
- istioctl install/manifest区别讨论:https://stackoverflow.com/questions/62261984/what-is-the-difference-between-istioctl-manifest-apply-and-istioctl-install](https://stackoverflow.com/questions/62261984/what-is-the-difference-between-istioctl-manifest-apply-and-istioctl-install)
- istioctl 项目仓库:https://github.com/istio/istio
- istio