Istio 1.6.3 发布了。Istio 是一个由谷歌、IBM 与 Lyft 共同开发的开源项目,旨在提供一种统一化的微服务连接、安全保障、管理与监控方式。具体来说,Istio 是一个开源服务网格平台,它确保微服务在处理故障时以指定的方式相互连接。
更新内容
- 修复了监视资源被删除后,操作员无法重新创建的问题
- 修复了Istio因消息崩溃的问题:
proto.Message is *client.QuotaSpecBinding, not *client.QuotaSpecBinding - 添加了对 k8s.v1.cni.cncf.io/networks 注释的支持
- 更新了
SidecarInjectionSpec以从.Values.global读取imagePullSecret - 更新了水平分割以跳过解析主机名的网关
- 修复了
istioctl experimental metrics,仅将错误响应代码标记为 erros - 更新了
istioctl analyze以对输出格式进行排序 - 更新了网关以使用
proxyMetadata - 更新了 Prometheus Sidecar 以使用
proxyMetadata - 启用 gateway.runAsRoot 时从 PodSecurityContext 中删除了无效的配置
升级更新
从已有版本升级,运行:
istioctl upgrade -h
The upgrade command checks for upgrade version eligibility and, if eligible, upgrades the Istio control plane components in-place. Warning: traffic may be disrupted during upgrade. Please ensure PodDisruptionBudgets are defined to maintain service continuity.
Usage:
istioctl upgrade [flags]
Flags:
--dry-run Console/log output only, make no changes.
-f, --filename strings Path to file containing IstioOperator custom resource
--force Apply the upgrade without eligibility checks
-h, --help help for upgrade
--logtostderr Send logs to stderr.
-s, --set stringArray Override an IstioOperator value, e.g. to choose a profile
(--set profile=demo), enable or disable components (--set components.policy.enabled=true), or override Istio
settings (--set values.grafana.enabled=true). See documentation for more info:
https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControlPlaneSpec
-y, --skip-confirmation If skip-confirmation is set, skips the prompting confirmation for value changes in this upgrade
--verbose Verbose output.
-u, --versionsURI string URI for operator versions to Istio versions map
-w, --wait Wait, if set will wait until all Pods, Services, and minimum number of Pods of a Deployment are in a ready state before the command exits. It will wait for a maximum duration of 10m0s
Global Flags:
--context string The name of the kubeconfig context to use
-i, --istioNamespace string Istio system namespace (default "istio-system")
-c, --kubeconfig string Kubernetes configuration file
--log_output_level string Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default "default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn")
-n, --namespace string Config namespace
强制升级,运行:
istioctl upgrade --force
- ⚠️注意:目前不支持跨版本升级,需要逐级进行升级。详情参见:
快速安装
下载:
$ curl -L https://istio.io/downloadIstio | sh -
$ cd istio-1.6.3
# Add to ~/.profile or .bash...
$ export PATH=$PWD/bin:$PATH
安装:
$ istioctl install --set profile=demo
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Addons installed
✔ Installation complete
# Enable auto-injection
$ kubectl label namespace default istio-injection=enabled
namespace/default labeled
部署示范程序:
$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
检查运行状态:
$ kubectl exec -it $(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}') -c ratings -- curl productpage:9080/productpage | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
发布服务到外部访问:
$ kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created
确定Igress的 IP和端口:
$ kubectl get svc istio-ingressgateway -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 172.21.109.129 130.211.10.121 80:31380/TCP,443:31390/TCP,31400:31400/TCP 17h
设置环境:
$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
$ echo $GATEWAY_URL
192.168.99.100:32194
访问示范服务:
$ echo http://$GATEWAY_URL/productpage
Web可视化面板,包括:
Available Commands:
controlz Open ControlZ web UI
envoy Open Envoy admin web UI
grafana Open Grafana web UI
jaeger Open Jaeger web UI
kiali Open Kiali web UI
prometheus Open Prometheus web UI
zipkin Open Zipkin web UI
Flags:
--address string Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default "localhost")
-h, --help help for dashboard
-p, --port int
- 可以通过--address和-p参数指定面板服务的地址和端口。
打开Kiali 面板,账号和密码都是 admin 。
istioctl dashboard kiali --address 192.168.199.173
道浏览器输入:http://192.168.199.173:42063/kiali/ (注意将提示的localhost改为实际IP地址),显示界面如下:
来源:oschina
链接:https://my.oschina.net/u/2306127/blog/4320421