Istio

Prerequisite

See https://istio.io/docs/setup/kubernetes/quick-start.html

kops

If is important that you have a cluster in version 1.9 or higher.

Add the following part to you cluster configuration:

$ kops edit cluster <cluster-name>

kubeAPIServer:
    admissionControl:
    - NamespaceLifecycle
    - LimitRanger
    - ServiceAccount
    - PersistentVolumeLabel
    - DefaultStorageClass
    - DefaultTolerationSeconds
    - MutatingAdmissionWebhook
    - ValidatingAdmissionWebhook
    - ResourceQuota
    - NodeRestriction
    - Priority

Do not forget to update your cluster:

$ kops update cluster --yes
$ kops rolling-update cluster --yes

The api-server should now have the admission control parameters:

$ for i in `kubectl get pods -nkube-system | grep api | awk '{print $1}'` ; do  kubectl describe pods -nkube-system $i | grep "/usr/local/bin/kube-apiserver"  ; done

      mkfifo /tmp/pipe; (tee -a /var/log/kube-apiserver.log < /tmp/pipe & ) ; exec /usr/local/bin/kube-apiserver --address=127.0.0.1 --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction,Priority ...

Install

This will download and extract the latest in your current directory:

$ curl -L https://git.io/getLatestIstio | sh -
$ cd istio-0.6
$ export PATH=$PWD/bin:$PATH

Install in k8s:

$ kubectl apply -f install/kubernetes/istio.yaml

We are also install the mutating webhook admission controller.

$ ./install/kubernetes/webhook-create-signed-cert.sh \
    --service istio-sidecar-injector \
    --namespace istio-system \
    --secret sidecar-injector-certs

$ kubectl apply -f install/kubernetes/istio-sidecar-injector-configmap-release.yaml

$ cat install/kubernetes/istio-sidecar-injector.yaml | \
     ./install/kubernetes/webhook-patch-ca-bundle.sh > \
     install/kubernetes/istio-sidecar-injector-with-ca-bundle.yaml

$ kubectl apply -f install/kubernetes/istio-sidecar-injector-with-ca-bundle.yaml

With version 0.6 I had problems with the webhook-create-signed-cert.sh script. I removed the part in the script and saved theyaml output in the temporary file. The problem with the yaml content is that the api version and kind is missing and the secret name seems to be incorrect. So I've added 'apiVersion: v1' and 'kind: Secret' and renamed the secret to name: sidecar-injector-certs.

Now the istio namespace should have the following pods:

$ kubectl get pods -n istio-system
NAME                                      READY     STATUS        RESTARTS   AGE
istio-ca-59f6dcb7d9-fggjf                 1/1       Running       0          18m
istio-ingress-779649ff5b-qkgvf            1/1       Running       0          18m
istio-mixer-7f4fd7dff-j2lmw               3/3       Running       0          18m
istio-pilot-5f5f76ddc8-knmz5              2/2       Running       0          18m
istio-sidecar-injector-54578c9669-xz5gv   1/1       Running       0          25s

The Istio-Sidecar-injector will automatically inject Envoy containers into your application pods assuming running in namespaces labeled with istio-injection=enabled:

$ kubectl create namespace istio-demo
$ kubectl label namespace istio-demo istio-injection=enabled

Tasks

Deploy demo app

$ kubectl create -n istio-demo -f https://raw.githubusercontent.com/FuriKuri/demo/master/deploy.yaml

Egress traffic

cat <<EOF | istioctl create -f -
apiVersion: config.istio.io/v1alpha2
kind: RouteRule
metadata:
  namespace: istio-demo
  name: httpbin-timeout-rule
spec:
  destination:
    service: httpbin.org
  http_req_timeout:
    simple_timeout:
      timeout: 3s
EOF

$ http http://127.0.0.1:8001/api/v1/namespaces/istio-demo/services/http:client:80/proxy/http/httpbin.org/delay/0
HTTP/1.1 200 OK
Content-Length: 846
Content-Type: text/plain; charset=utf-8
Date: Sat, 31 Mar 2018 17:01:35 GMT
Server: envoy
X-Envoy-Decorator-Operation: default-route
X-Envoy-Upstream-Service-Time: 187

{
    "args": {},
    "data": "",
    "files": {},
    "form": {},
    "headers": {
        "Accept-Encoding": "gzip",
        "Connection": "close",
        "Host": "httpbin.org",
        "User-Agent": "Go-http-client/1.1",
        "X-B3-Sampled": "1",
        "X-B3-Spanid": "e6b2268a1a529fe4",
        "X-B3-Traceid": "e6b2268a1a529fe4",
        "X-Envoy-Decorator-Operation": "httpbin-timeout-rule",
        "X-Envoy-Expected-Rq-Timeout-Ms": "3000",
        "X-Istio-Attributes": "CkoKCnNvdXJjZS51aWQSPBI6a3ViZXJuZXRlczovL2NsaWVudC1kZXBsb3ltZW50LTU0NDc4YzhiOWMtOXZ2aDguaXN0aW8tZGVtbwpDCg1zb3VyY2UubGFiZWxzEjJKMAoNCgNhcHASBmNsaWVudAofChFwb2QtdGVtcGxhdGUtaGFzaBIKMTAwMzQ3NDY1NwofCglzb3VyY2UuaXASEjIQAAAAAAAAAAAAAP//ZGACBw==",
        "X-Ot-Span-Context": "e6b2268a1a529fe4;e6b2268a1a529fe4;0000000000000000"
    },
    "origin": "35.157.82.188",
    "url": "http://httpbin.org/delay/0"
}

$ http http://127.0.0.1:8001/api/v1/namespaces/istio-demo/services/http:client:80/proxy/http/httpbin.org/delay/4
HTTP/1.1 200 OK
Content-Length: 24
Content-Type: text/plain; charset=utf-8
Date: Sat, 31 Mar 2018 17:01:40 GMT
Server: envoy
X-Envoy-Decorator-Operation: default-route
X-Envoy-Upstream-Service-Time: 3003

upstream request timeout

Istio

Istio

Prerequisite

kops

Install

Tasks

Deploy demo app

Egress traffic

results matching ""

No results matching ""