Install and use Istio in Azure Kubernetes Service (AKS)

Istio is an open-source service mesh that provides a key set of functionality across the microservices in a Kubernetes cluster. These features include traffic management, service identity and security, policy enforcement, and observability. For more information about Istio, see the official What is Istio? documentation.

This article shows you how to install Istio. The Istio istioctl client binary is installed onto your client machine, and the Istio components are installed into a Kubernetes cluster on AKS.

Note

The following instructions reference Istio version 1.7.3.

The Istio 1.7.x releases have been tested by the Istio team against Kubernetes version 1.16+. You can find additional Istio versions at GitHub - Istio Releases, information about each of the releases at Istio News, and supported Kubernetes versions at the Istio General FAQ.

In this article, you learn how to:

  • Download and install the Istio istioctl client binary
  • Install Istio on AKS
  • Validate the Istio installation
  • Access the add-ons
  • Uninstall Istio from AKS

Before you begin

The steps detailed in this article assume that you've created an AKS cluster (Kubernetes 1.16 and above, with Kubernetes RBAC enabled) and have established a kubectl connection with the cluster. If you need help with any of these items, see the AKS quickstart.

Make sure that you have read the Istio Performance and Scalability documentation to understand the additional resource requirements for running Istio in your AKS cluster. The core and memory requirements will vary based on your specific workload. Choose an appropriate number of nodes and VM size to cater for your setup.

This article separates the Istio installation guidance into several discrete steps. The end result is the same in structure as the official Istio installation guidance.

Download and install the Istio istioctl client binary (Linux or Windows Subsystem for Linux)

In a bash-based shell on Linux or Windows Subsystem for Linux, use curl to download the Istio release and then extract it with tar as follows:

# Specify the Istio version that will be leveraged throughout these instructions
ISTIO_VERSION=1.7.3

curl -sL "https://github.com/istio/istio/releases/download/$ISTIO_VERSION/istioctl-$ISTIO_VERSION-linux-amd64.tar.gz" | tar xz

The istioctl client binary runs on your client machine and allows you to install and manage Istio in your AKS cluster. Use the following commands to install the Istio istioctl client binary in a bash-based shell on Linux or Windows Subsystem for Linux. These commands copy the istioctl client binary to the standard user program location in your PATH.

sudo mv ./istioctl /usr/local/bin/istioctl
sudo chmod +x /usr/local/bin/istioctl

If you'd like command-line completion for the Istio istioctl client binary, set it up as follows:

# Generate the bash completion file and source it in your current shell
mkdir -p ~/completions && istioctl collateral --bash -o ~/completions
source ~/completions/istioctl.bash

# Source the bash completion file in your .bashrc so that the command-line completions
# are permanently available in your shell
echo "source ~/completions/istioctl.bash" >> ~/.bashrc
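The download step above pipes an unverified archive from curl straight into tar, so a tampered or truncated download would be extracted and installed without any check. The script below is an added example (it is not part of the original page or of Istio's own tooling): it downloads the archive and its checksum file, verifies the SHA-256 before extracting, and refuses a mismatch. It assumes that Istio publishes a file named `<archive>.sha256` beside each release asset, containing the hash optionally followed by the file name; confirm that name on the release page before relying on the URL.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: download istioctl and verify
# its SHA-256 before extracting.
# Assumption: a "<archive>.sha256" file is published beside each release asset.

ISTIO_VERSION="${ISTIO_VERSION:-1.7.3}"
ISTIO_ARCHIVE="istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz"
ISTIO_BASE_URL="https://github.com/istio/istio/releases/download/${ISTIO_VERSION}"

# sha256_of <file>: print the lowercase hex SHA-256 of <file>.
# Uses sha256sum on Linux and falls back to shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print tolower($1)}'
    else
        shasum -a 256 "$1" | awk '{print tolower($1)}'
    fi
}

# verify_sha256 <file> <sumfile>
# Returns 0 when the SHA-256 of <file> equals the hash in <sumfile>.
# Accepts both "hash" and "hash  filename" (sha256sum -c) formats.
# Returns 2 when the sum file does not contain a 64-hex-digit hash, so an
# empty or garbled checksum file can never "match" an empty string.
verify_sha256() {
    file="$1"; sumfile="$2"
    expected=$(awk 'NR == 1 {print tolower($1)}' "$sumfile")
    case "$expected" in
        *[!0-9a-f]*|"") return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256_of "$file")
    [ "$expected" = "$actual" ]
}

# fetch_and_verify_istioctl: download archive and checksum, verify, extract.
# Only extracts when the checksum matches; deletes the archive otherwise.
fetch_and_verify_istioctl() {
    curl -fsSLo "$ISTIO_ARCHIVE" "${ISTIO_BASE_URL}/${ISTIO_ARCHIVE}"
    curl -fsSLo "${ISTIO_ARCHIVE}.sha256" "${ISTIO_BASE_URL}/${ISTIO_ARCHIVE}.sha256"
    if verify_sha256 "$ISTIO_ARCHIVE" "${ISTIO_ARCHIVE}.sha256"; then
        echo "checksum OK: $ISTIO_ARCHIVE"
        tar xzf "$ISTIO_ARCHIVE"
    else
        echo "checksum MISMATCH for $ISTIO_ARCHIVE; not extracting" >&2
        rm -f "$ISTIO_ARCHIVE"
        return 1
    fi
}

# Only touch the network when explicitly asked: ./verify-istioctl.sh download
if [ "${1:-}" = "download" ]; then
    fetch_and_verify_istioctl
fi
```

After a successful run, continue with the `sudo mv` and `chmod` steps above. The same `verify_sha256` function works for any other release asset, such as the full `istio-<version>-linux-amd64.tar.gz` bundle.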

Download and install the Istio istioctl client binary (macOS)

In a bash-based shell on macOS, use curl to download the Istio release and then extract it with tar as follows:

# Specify the Istio version that will be leveraged throughout these instructions
ISTIO_VERSION=1.7.3

curl -sL "https://github.com/istio/istio/releases/download/$ISTIO_VERSION/istioctl-$ISTIO_VERSION-osx.tar.gz" | tar xz

The istioctl client binary runs on your client machine and allows you to install and manage Istio in your AKS cluster. Use the following commands to install the Istio istioctl client binary in a bash-based shell on macOS. These commands copy the istioctl client binary to the standard user program location in your PATH.

sudo mv ./istioctl /usr/local/bin/istioctl
sudo chmod +x /usr/local/bin/istioctl

If you'd like command-line completion for the Istio istioctl client binary, set it up as follows:

# Generate the bash completion file and source it in your current shell
mkdir -p ~/completions && istioctl collateral --bash -o ~/completions
source ~/completions/istioctl.bash

# Source the bash completion file in your .bashrc so that the command-line completions
# are permanently available in your shell
echo "source ~/completions/istioctl.bash" >> ~/.bashrc

Download and install the Istio istioctl client binary (Windows)

In a PowerShell-based shell on Windows, use Invoke-WebRequest to download the Istio release and then extract it with Expand-Archive as follows:

# Specify the Istio version that will be leveraged throughout these instructions
$ISTIO_VERSION="1.7.3"

[Net.ServicePointManager]::SecurityProtocol = "tls12"
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -URI "https://github.com/istio/istio/releases/download/$ISTIO_VERSION/istioctl-$ISTIO_VERSION-win.zip" -OutFile "istioctl-$ISTIO_VERSION.zip"
Expand-Archive -Path "istioctl-$ISTIO_VERSION.zip" -DestinationPath .

The istioctl client binary runs on your client machine and allows you to install and manage Istio in your AKS cluster. Use the following commands to install the Istio istioctl client binary in a PowerShell-based shell on Windows. These commands copy the istioctl client binary to an Istio folder and then make it available via your PATH both immediately (in the current shell) and permanently (across shell restarts). You don't need elevated (Admin) privileges to run these commands, and you don't need to restart your shell.

# Copy istioctl.exe to C:\Istio
New-Item -ItemType Directory -Force -Path "C:\Istio"
Move-Item -Path .\istioctl.exe -Destination "C:\Istio\"

# Add C:\Istio to PATH. 
# Make the new PATH permanently available for the current User
$USER_PATH = [environment]::GetEnvironmentVariable("PATH", "User") + ";C:\Istio\"
[environment]::SetEnvironmentVariable("PATH", $USER_PATH, "User")
# Make the new PATH immediately available in the current shell
$env:PATH += ";C:\Istio\"

Install the Istio Operator on AKS

Istio provides an Operator to manage installation and updates to the Istio components within your AKS cluster. We'll install the Istio Operator using the istioctl client binary.

istioctl operator init

You should see something like the following output to confirm that the Istio Operator has been installed.

Using operator Deployment image: dockerhub.azk8s.cn/istio/operator:1.7.3
✔ Istio operator installed
✔ Installation complete

The Istio Operator is installed into the istio-operator namespace. Query the namespace.

kubectl get all -n istio-operator

You should see the following components deployed.

NAME                                  READY   STATUS    RESTARTS   AGE
pod/istio-operator-6d7958b7bf-wxgdc   1/1     Running   0          2m43s

NAME                     TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE
service/istio-operator   ClusterIP   10.0.8.57    <none>        8383/TCP   2m43s

NAME                             READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/istio-operator   1/1     1            1           2m43s

NAME                                        DESIRED   CURRENT   READY   AGE
replicaset.apps/istio-operator-6d7958b7bf   1         1         1       2m43s

You can learn more about the Operator pattern and how it can help automate complex tasks via kubernetes.io.

Install Istio components

Now that we've successfully installed the Istio Operator in our AKS cluster, it's time to install the Istio components.

We will use the default Istio configuration profile as the base for the Istio Operator spec.

You can run the following istioctl command to view the configuration for the default Istio configuration profile.

istioctl profile dump default

Note

Istio currently must be scheduled to run on Linux nodes. If you have Windows Server nodes in your cluster, you must ensure that the Istio pods are only scheduled to run on Linux nodes. We'll use node selectors to make sure pods are scheduled to the correct nodes.

Caution

The Istio CNI features are currently in Alpha, so think carefully before enabling them.

Create a file called istio.aks.yaml with the following content. This file will hold the Istio Operator spec for configuring Istio.

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio-control-plane
spec:
  # Use the default profile as the base
  # More details at: https://istio.io/docs/setup/additional-setup/config-profiles/
  profile: default
  # Enable the addons that we will want to use
  addonComponents:
    grafana:
      enabled: true
    prometheus:
      enabled: true
    tracing:
      enabled: true
    kiali:
      enabled: true
  values:
    global:
      # Ensure that the Istio pods are only scheduled to run on Linux nodes
      defaultNodeSelector:
        beta.kubernetes.io/os: linux
    kiali:
      dashboard:
        auth:
          strategy: anonymous

Create the istio-system namespace and deploy the Istio Operator spec to that namespace. The Istio Operator watches for the Istio Operator spec and uses it to install and configure Istio in your AKS cluster.

kubectl create ns istio-system

kubectl apply -f istio.aks.yaml

At this point, you've deployed Istio to your AKS cluster. To ensure that the deployment succeeded, move on to the next section to validate the Istio installation.

Validate the Istio installation

Query the istio-system namespace, where the Istio and add-on components were installed by the Istio Operator:

kubectl get all -n istio-system

You should see the following components:

  • istio* - the Istio components
  • jaeger-*, tracing, and zipkin - tracing add-on
  • prometheus - metrics add-on
  • grafana - analytics and monitoring dashboard add-on
  • kiali - service mesh dashboard add-on

NAME                                        READY   STATUS    RESTARTS   AGE
pod/grafana-7cf9794c74-mpfbp                1/1     Running   0          5m53s
pod/istio-ingressgateway-86b5dbdcb9-ndrp5   1/1     Running   0          5m57s
pod/istio-tracing-c98f4b8fc-zqklg           1/1     Running   0          82s
pod/istiod-6965c56995-4ph9h                 1/1     Running   0          6m15s
pod/kiali-7b44985d68-p87zh                  1/1     Running   0          81s
pod/prometheus-6868989549-5ghzz             1/1     Running   0          81s

NAME                                TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)                                                      AGE
service/grafana                     ClusterIP      10.0.226.39    <none>         3000/TCP                                                     5m54s
service/istio-ingressgateway        LoadBalancer   10.0.143.56    20.53.72.254   15021:32166/TCP,80:31684/TCP,443:31302/TCP,15443:30863/TCP   5m57s
service/istiod                      ClusterIP      10.0.211.228   <none>         15010/TCP,15012/TCP,443/TCP,15014/TCP,853/TCP                6m16s
service/jaeger-agent                ClusterIP      None           <none>         5775/UDP,6831/UDP,6832/UDP                                   82s
service/jaeger-collector            ClusterIP      10.0.7.62      <none>         14267/TCP,14268/TCP,14250/TCP                                82s
service/jaeger-collector-headless   ClusterIP      None           <none>         14250/TCP                                                    82s
service/jaeger-query                ClusterIP      10.0.52.172    <none>         16686/TCP                                                    82s
service/kiali                       ClusterIP      10.0.71.179    <none>         20001/TCP                                                    82s
service/prometheus                  ClusterIP      10.0.171.151   <none>         9090/TCP                                                     82s
service/tracing                     ClusterIP      10.0.195.137   <none>         80/TCP                                                       82s
service/zipkin                      ClusterIP      10.0.136.111   <none>         9411/TCP                                                     82s

NAME                                   READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/grafana                1/1     1            1           5m54s
deployment.apps/istio-ingressgateway   1/1     1            1           5m58s
deployment.apps/istio-tracing          1/1     1            1           83s
deployment.apps/istiod                 1/1     1            1           6m16s
deployment.apps/kiali                  1/1     1            1           83s
deployment.apps/prometheus             1/1     1            1           82s

NAME                                              DESIRED   CURRENT   READY   AGE
replicaset.apps/grafana-7cf9794c74                1         1         1       5m54s
replicaset.apps/istio-ingressgateway-86b5dbdcb9   1         1         1       5m58s
replicaset.apps/istio-tracing-c98f4b8fc           1         1         1       83s
replicaset.apps/istiod-6965c56995                 1         1         1       6m16s
replicaset.apps/kiali-7b44985d68                  1         1         1       82s
replicaset.apps/prometheus-6868989549             1         1         1       82s

NAME                                                       REFERENCE                         TARGETS   MINPODS   MAXPODS   REPLICAS   AGE
horizontalpodautoscaler.autoscaling/istio-ingressgateway   Deployment/istio-ingressgateway   7%/80%    1         5         1          5m57s
horizontalpodautoscaler.autoscaling/istiod                 Deployment/istiod                 1%/80%    1         5         1          6m16s

You can also gain additional insight into the installation by watching the logs of the Istio Operator.

kubectl logs -n istio-operator -l name=istio-operator -f

If istio-ingressgateway shows an external IP of <pending>, wait a few minutes until an IP address has been assigned by Azure networking.

All of the pods should show a status of Running and a READY count of n/n. If your pods don't have these statuses, wait a minute or two until they do. If any pods report an issue, use the kubectl describe pod command to review their output and status.
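The two checks the text describes, every pod Running and fully Ready, and the ingress gateway holding a real external IP rather than `<pending>`, are easy to script so they can run in CI or a post-install hook instead of being eyeballed. The script below is an added example, not code from the original page or from Istio: it parses `kubectl get pods` and `kubectl get svc` tables. The sample tables embedded in it are constructed for the example, modelled on the listing above, with one pod deliberately left in ContainerCreating and the gateway IP left pending to show the failure path; `validate_live` runs the same checks against your real cluster and assumes kubectl is on PATH and pointed at it.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: validate the istio-system
# namespace from kubectl table output.

# Constructed sample output (modelled on the page's listing); one pod is
# deliberately not ready and the gateway IP is still pending.
SAMPLE_PODS='NAME                                    READY   STATUS              RESTARTS   AGE
grafana-7cf9794c74-mpfbp                1/1     Running             0          5m53s
istio-ingressgateway-86b5dbdcb9-ndrp5   1/1     Running             0          5m57s
istiod-6965c56995-4ph9h                 1/1     Running             0          6m15s
kiali-7b44985d68-p87zh                  0/1     ContainerCreating   0          81s
prometheus-6868989549-5ghzz             1/1     Running             0          81s'

SAMPLE_SVC_PENDING='NAME                   TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                        AGE
istio-ingressgateway   LoadBalancer   10.0.143.56    <pending>     15021:32166/TCP,80:31684/TCP   5m57s
istiod                 ClusterIP      10.0.211.228   <none>        15010/TCP,15012/TCP            6m16s'

# not_ready_pods <pods-table>: print the name of every pod whose STATUS is not
# Running or whose READY column is not n/n (header line skipped).
not_ready_pods() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        split($2, r, "/")
        if ($3 != "Running" || r[1] != r[2]) print $1
    }'
}

# ingress_external_ip <svc-table>: print the EXTERNAL-IP of istio-ingressgateway,
# or nothing when it is still <pending>/<none> or the service is absent.
ingress_external_ip() {
    printf '%s\n' "$1" | awk '$1 == "istio-ingressgateway" && $4 !~ /^</ { print $4 }'
}

# validate_istio_tables <pods-table> <svc-table>: return 0 only when every pod
# is ready and the gateway has an external IP; otherwise print what is wrong.
validate_istio_tables() {
    bad=$(not_ready_pods "$1")
    ip=$(ingress_external_ip "$2")
    rc=0
    if [ -n "$bad" ]; then
        echo "pods not ready:"
        echo "$bad" | sed 's/^/  /'
        rc=1
    fi
    if [ -z "$ip" ]; then
        echo "istio-ingressgateway has no external IP yet"
        rc=1
    else
        echo "istio-ingressgateway external IP: $ip"
    fi
    return $rc
}

# validate_live: run the same checks against the real cluster (needs kubectl).
validate_live() {
    validate_istio_tables "$(kubectl get pods -n istio-system)" \
                          "$(kubectl get svc -n istio-system)"
}

# Run against the cluster only when asked: ./validate-istio.sh live
if [ "${1:-}" = "live" ]; then
    validate_live
fi
```

To wait for a slow rollout, loop on `validate_live` with a sleep and a bounded retry count; for pods it reports, follow up with `kubectl describe pod -n istio-system <pod>` as the text suggests.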

Accessing the add-ons

A number of add-ons were installed by the Istio Operator that provide additional functionality. The web applications for the add-ons are not exposed publicly via an external IP address; their services are of type ClusterIP, as the listing above shows.

To access the add-on user interfaces, use the istioctl dashboard command. This command uses kubectl port-forward and a random local port to connect your client machine to the relevant pod in your AKS cluster; the traffic is tunnelled through your authenticated kubectl session to the API server, so nothing needs to be exposed on the cluster's network. It then automatically opens the add-on web application in your default browser.

Grafana

The analytics and monitoring dashboards for Istio are provided by Grafana. Open the Grafana dashboard securely as follows:

istioctl dashboard grafana

Prometheus

Metrics for Istio are provided by Prometheus. Open the Prometheus dashboard securely as follows:

istioctl dashboard prometheus

Jaeger

Tracing within Istio is provided by Jaeger. Open the Jaeger dashboard securely as follows:

istioctl dashboard jaeger

Kiali

A service mesh observability dashboard is provided by Kiali. The Istio Operator spec above sets Kiali's auth strategy to anonymous, so you are not prompted for credentials. That also means anyone who can reach the kiali ClusterIP service from inside the cluster (any pod, unless a NetworkPolicy restricts it) gets the full dashboard without authenticating; keep it reachable only through istioctl dashboard (port-forward) and do not expose it through a Gateway or Ingress with this setting. Open the Kiali dashboard securely as follows:

istioctl dashboard kiali

Envoy

A simple interface to the Envoy proxies is available. It provides configuration information and metrics for the Envoy proxy running in a specified pod. Open the Envoy interface securely as follows:

istioctl dashboard envoy <pod-name>.<namespace>

Uninstall Istio from AKS

Warning

Deleting Istio from a running system may result in traffic-related issues between your services. Ensure that you have made provisions for your system to still operate correctly without Istio before proceeding.

Remove Istio

To remove Istio from your AKS cluster, delete the IstioOperator resource named istio-control-plane that we added earlier. The Istio Operator will recognize that the Istio Operator spec has been removed and then delete all the associated Istio components.

kubectl delete istiooperator istio-control-plane -n istio-system

You can run the following to check whether all the Istio components have been deleted; wait until it reports no resources before removing the Operator in the next step.

kubectl get all -n istio-system

Remove Istio Operator

Once Istio has been successfully uninstalled, you can also remove the Istio Operator.

istioctl operator remove

And then finally, remove the istio-system and istio-operator namespaces.

kubectl delete ns istio-system
kubectl delete ns istio-operator
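The order above matters: if `istioctl operator remove` runs while the Operator is still tearing down the components, the remaining Istio resources are orphaned in istio-system with nothing left to finalize them. The script below is an added example (not from the original page or from Istio) that performs the same four steps but blocks between the first two until `kubectl get all -n istio-system` reports nothing, with a timeout so a stuck deletion is reported rather than waited on forever. It assumes kubectl and istioctl are on PATH and pointed at the AKS cluster, and that an empty namespace yields no stdout lines from `kubectl get all --no-headers` (kubectl prints its "No resources found" message to stderr).

```shell
#!/usr/bin/env bash
# Added example, not from the original page: ordered Istio uninstall that
# waits for the Operator to finish before the Operator itself is removed.

# resource_count <namespace>: number of resources "kubectl get all" still lists.
# awk's END block prints 0 on empty input, so this never fails under set -e.
resource_count() {
    kubectl get all -n "$1" --no-headers 2>/dev/null | awk 'END { print NR }'
}

# wait_for_empty <namespace> <timeout-seconds> [poll-seconds]
# Returns 0 once the namespace lists no resources, 1 on timeout.
wait_for_empty() {
    ns="$1"; timeout="$2"; poll="${3:-5}"
    waited=0
    while [ "$(resource_count "$ns")" -ne 0 ]; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "timed out after ${timeout}s; $(resource_count "$ns") resource(s) remain in $ns" >&2
            return 1
        fi
        sleep "$poll"
        waited=$((waited + poll))
    done
    return 0
}

# uninstall_istio: the page's four steps, gated on the namespace draining.
uninstall_istio() {
    kubectl delete istiooperator istio-control-plane -n istio-system
    # Give the Operator up to five minutes to remove the Istio components.
    wait_for_empty istio-system 300 || {
        echo "istio-system did not drain; inspect it before removing the Operator" >&2
        return 1
    }
    istioctl operator remove
    kubectl delete ns istio-system
    kubectl delete ns istio-operator
}

# Only act on the cluster when explicitly asked: ./uninstall-istio.sh uninstall
if [ "${1:-}" = "uninstall" ]; then
    uninstall_istio
fi
```

If `wait_for_empty` times out, `kubectl get all -n istio-system` and the Operator logs (`kubectl logs -n istio-operator -l name=istio-operator`) show what is still being finalized; resolve that before running `istioctl operator remove`.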

Next steps

To explore more installation and configuration options for Istio, see the following official Istio guidance:

You can also follow additional scenarios using the following sample applications: