In K8s 1.24, when a ServiceAccount is created, a Secret is no longer created automatically. Extra steps need to be added for secret creation.
Closes-bug: 1997750
Signed-off-by: Litao Gao <litao.gao@windriver.com>
Change-Id: Iffa965717b35c55e129e21eca79bfbb1f6668f5d
Technology Preview - Istio Service Mesh Application
The Istio Service Mesh application Technology Preview is integrated as a system application.
Istio provides traffic management, observability and security as a Kubernetes service mesh. For more information, see https://istio.io/.
The application includes an istio-operator container that manages the life cycle of the Istio components.
The following Istio components are enabled when applying the Istio system application:
- Istio data plane - Envoy - Kubernetes sidecar proxy
- Istio control plane - Istiod - service discovery, configuration and certificate management
- Istio gateway - traffic management of ingress and egress L4-L7 traffic
- Istio-cni - Kubernetes CNI plugin that sets up the pod's traffic redirection to the sidecar, so that no privileged init container is needed in the application pod
The Kiali (https://kiali.io/) management console for Istio is also integrated in the Istio system application. It provides management functions and visualizations for service mesh operation. Metrics and tracing functionalities are not supported at this time.
You can install Istio and Kiali from the command line.
Locate the Istio tarball in /usr/local/share/applications/helm. For example:
/usr/local/share/applications/helm/istio-<version>.tgz
Upload the application.
~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/istio-<version>.tgz
Apply the application.
~(keystone_admin)]$ system application-apply istio
Monitor the application status.
~(keystone_admin)]$ watch -n 5 system application-list
OR
~(keystone_admin)]$ watch kubectl get pods -n istio-system
Set up the network attachment definition.
cat > istio-cni-nad.yaml <<EOF
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: istio-cni
EOF
kubectl apply -f istio-cni-nad.yaml
Network attachment definitions are managed by Multus. The NetworkAttachmentDefinition is required in the application namespace (the namespace the sidecar-injected pods run in) in order to invoke the istio-cni plugin, so run the kubectl apply above against that namespace (add -n <namespace> if it is not your current namespace).
Enable the sidecar for a particular namespace.
kubectl label namespace <namespace> istio-injection=enabled
When the istio-injection=enabled label is set on a namespace and the injection webhook is enabled, any new pods created in that namespace automatically have a sidecar added to them. Pods that already exist when the label is added are not modified; they must be recreated (for example with a rollout restart) to get the sidecar injected.
At this point you can deploy services in that namespace.
When the user application is deployed, the sidecar container istio-proxy is injected into the user application pod, as seen in the pod's events:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
...
Normal Created 10s kubelet Created container <user app>
Normal Started 10s kubelet Started container <user app>
...
Normal Created 9s kubelet Created container istio-proxy
Normal Started 8s kubelet Started container istio-proxy
The istio-proxy sidecar extracts telemetry from all ingress and egress traffic of the user application, which can be monitored and displayed in Kiali, and it mediates all ingress and egress traffic of the user application by enforcing policy decisions. A pod that runs without the sidecar is therefore outside the mesh's policy enforcement, so it is worth checking that injection actually happened.
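The installation steps above, followed by a check that the sidecar really was injected, as one added example. This script is not part of the original page or of the Istio project; it assumes the `system` and `kubectl` CLIs used on the page, a tarball matching /usr/local/share/applications/helm/istio-*.tgz (the glob stands in for <version>), and takes the application namespace as an argument. The verification step fails if any pod in the namespace has no istio-proxy container, since such a pod bypasses the mesh's mTLS and policy enforcement.

```sh
#!/bin/sh
# Added example (not from the original page): install the Istio system
# application, create the istio-cni NetworkAttachmentDefinition in the
# application namespace, enable sidecar injection, and verify that every
# pod in that namespace actually carries the istio-proxy sidecar.
# Assumes the `system` and `kubectl` CLIs from the page and a helm tarball
# matching /usr/local/share/applications/helm/istio-*.tgz.
set -eu

HELM_DIR=/usr/local/share/applications/helm   # tarball location from the page
ISTIO_NS=istio-system                          # control-plane namespace

# YAML for the NetworkAttachmentDefinition that Multus needs before the
# istio-cni plugin can be invoked in a namespace (same manifest as the page).
nad_manifest() {
  cat <<'EOF'
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: istio-cni
EOF
}

# Return 0 if the space-separated container-name list in $1 (as printed by
# kubectl ... -o jsonpath='{.spec.containers[*].name}') includes istio-proxy.
has_istio_proxy() {
  case " $1 " in
    *" istio-proxy "*) return 0 ;;
    *) return 1 ;;
  esac
}

install_istio() {
  tgz=$(ls "$HELM_DIR"/istio-*.tgz | head -n 1)   # resolves <version> at run time
  system application-upload "$tgz"
  system application-apply istio
  # Wait until the control plane (istiod, gateways, kiali) is actually Ready
  kubectl wait -n "$ISTIO_NS" --for=condition=Ready pod --all --timeout=600s
}

# Prepare an application namespace: the NAD goes into *that* namespace,
# then the namespace is labelled for injection.
enable_namespace() {
  ns=$1
  nad_manifest | kubectl apply -n "$ns" -f -
  kubectl label namespace "$ns" istio-injection=enabled --overwrite
  # Injection only happens when a pod is created: restart what already runs
  kubectl rollout restart deployment -n "$ns" 2>/dev/null || true
}

# Fail if any pod in the namespace runs without the sidecar.
verify_injection() {
  ns=$1
  rc=0
  for pod in $(kubectl get pods -n "$ns" -o jsonpath='{.items[*].metadata.name}'); do
    names=$(kubectl get pod -n "$ns" "$pod" -o jsonpath='{.spec.containers[*].name}')
    if has_istio_proxy "$names"; then
      echo "OK   $ns/$pod: $names"
    else
      echo "MISS $ns/$pod has no istio-proxy sidecar" >&2
      rc=1
    fi
  done
  return $rc
}

# Usage: sh istio-setup.sh run <application-namespace>
if [ "${1:-}" = run ]; then
  install_istio
  enable_namespace "${2:?application namespace required}"
  verify_injection "$2"
fi
```

Run it as `sh istio-setup.sh run <namespace>` from a shell that already has the keystone_admin credentials loaded. The `kubectl wait` replaces the page's `watch` loop with a bounded wait that fails after ten minutes instead of hanging, and `verify_injection` is worth re-running after every deployment, not only at install time.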
Use Kiali
After the Istio application has been installed, you can launch the Kiali management console in a browser.
Get the port of the Kiali service.
~(keystone_admin)]$ kubectl get svc -n istio-system kiali -o jsonpath='{.spec.ports[?(@.name=="http")].nodePort}'
Launch Kiali in a browser.
http://<oam-floating-ip>:<kiali_port>/kiali
Get the login token.
~(keystone_admin)]$ kubectl get secret -n istio-system $(kubectl get sa kiali -n istio-system -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 -d
On Kubernetes 1.24 and later, creating a ServiceAccount no longer creates a token Secret automatically, so .secrets[0].name is empty and this command returns nothing until a token Secret has been created for the kiali ServiceAccount.
Log in to Kiali.
Enter the token from the previous step and press Login. The token is a bearer credential for the kiali ServiceAccount, and the console is served over plain HTTP on the OAM address, so use it only from a trusted network.
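Obtaining the Kiali login token on Kubernetes 1.24 and later, as an added example that is not part of the original page or of the Kiali project. It assumes the kiali ServiceAccount and service in istio-system from the page; the Secret name kiali-token is this example's own choice. It first tries the TokenRequest API (`kubectl create token`, available since kubectl 1.24), which yields a token that expires, and only falls back to creating a long-lived token Secret, which is the approach the page's `.secrets[0].name` lookup expects.

```sh
#!/bin/sh
# Added example (not from the original page): get a Kiali login token on
# Kubernetes 1.24+, where a new ServiceAccount no longer gets a token Secret
# and the page's `.secrets[0].name` lookup therefore returns nothing.
# Assumes the kiali ServiceAccount in istio-system from the page.
set -eu

NS=istio-system
SA=kiali
SECRET=kiali-token   # hypothetical name for the manually created Secret

# Manifest for a long-lived token Secret bound to the ServiceAccount; the
# token controller fills in .data.token once the Secret exists.
token_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $SECRET
  namespace: $NS
  annotations:
    kubernetes.io/service-account.name: $SA
type: kubernetes.io/service-account-token
EOF
}

# Sanity check before pasting into the browser: a ServiceAccount token is a
# JWT, i.e. three non-empty segments separated by dots. Returns 0 if $1 fits.
looks_like_jwt() {
  printf '%s' "$1" | awk -F. 'NF == 3 && $1 != "" && $2 != "" && $3 != "" { ok = 1 } END { exit !ok }'
}

# Preferred: a short-lived token from the TokenRequest API. It expires after
# the requested duration instead of living forever in etcd.
short_lived_token() {
  kubectl -n "$NS" create token "$SA" --duration=1h
}

# Fallback matching the page's Secret-based flow: create the Secret, wait for
# the controller to populate it, then read and decode the token.
long_lived_token() {
  token_secret_manifest | kubectl apply -f -
  for _ in 1 2 3 4 5 6 7 8 9 10; do
    tok=$(kubectl -n "$NS" get secret "$SECRET" -o jsonpath='{.data.token}' | base64 -d)
    [ -n "$tok" ] && { printf '%s\n' "$tok"; return 0; }
    sleep 1
  done
  echo "token not populated for secret $NS/$SECRET" >&2
  return 1
}

# Build the console URL from the OAM floating IP ($1) and the NodePort.
kiali_url() {
  port=$(kubectl get svc -n "$NS" kiali -o jsonpath='{.spec.ports[?(@.name=="http")].nodePort}')
  printf 'http://%s:%s/kiali\n' "$1" "$port"
}

# Usage: sh kiali-token.sh run <oam-floating-ip>
if [ "${1:-}" = run ]; then
  kiali_url "${2:?oam floating ip required}"
  tok=$(short_lived_token 2>/dev/null || long_lived_token)
  looks_like_jwt "$tok" || { echo "unexpected token format" >&2; exit 1; }
  printf '%s\n' "$tok"
fi
```

If the fallback path is used, the Secret it creates is a permanent credential for the kiali ServiceAccount; delete it (`kubectl -n istio-system delete secret kiali-token`) when it is no longer needed rather than leaving it in the cluster.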
Remove Istio application
You can remove the Istio application.
Remove pods and their resources.
~(keystone_admin)]$ system application-remove istio
Delete the application.
~(keystone_admin)]$ system application-delete istio
Delete the Istio Network Attachment Definition from the namespace where it was created.
~(keystone_admin)]$ kubectl delete -f istio-cni-nad.yaml