Install and use Istio in Azure Kubernetes Service (AKS)

Istio is an open-source service mesh that provides a key set of functionality across the microservices in a Kubernetes cluster. These features include traffic management, service identity and security, policy enforcement, and observability. For more information about Istio, see the official What is Istio? documentation.

This article shows you how to install Istio. The Istio istioctl client binary is installed onto your client machine, and the Istio components are installed into a Kubernetes cluster on AKS.

Note

The following instructions reference Istio version 1.4.0.

The Istio 1.4.x releases have been tested by the Istio team against Kubernetes versions 1.13, 1.14 and 1.15. You can find additional Istio versions at GitHub - Istio Releases, information about each release at Istio News, and the supported Kubernetes versions in the Istio General FAQ.

In this article, you learn how to:

  • Download and install the Istio istioctl client binary
  • Install Istio on AKS
  • Validate the Istio installation
  • Access the add-ons
  • Uninstall Istio from AKS

Before you begin

The steps detailed in this article assume that you've created an AKS cluster (Kubernetes 1.13 and above, with RBAC enabled) and have established a kubectl connection with the cluster. If you need help with any of these items, see the AKS quickstart.

Make sure that you have read the Istio Performance and Scalability documentation to understand the additional resource requirements for running Istio in your AKS cluster. The core and memory requirements vary with your specific workload. Choose an appropriate number of nodes and VM size for your setup.

This article separates the Istio installation guidance into several discrete steps. The end result is the same in structure as the official Istio installation guidance.

Download and install the Istio istioctl client binary (Linux)

In a bash-based shell on Linux or Windows Subsystem for Linux, use curl to download the Istio release and then extract it with tar as follows:

# Specify the Istio version that will be leveraged throughout these instructions
ISTIO_VERSION=1.4.0

curl -sL "https://github.com/istio/istio/releases/download/$ISTIO_VERSION/istio-$ISTIO_VERSION-linux.tar.gz" | tar xz

The istioctl client binary runs on your client machine and lets you interact with the Istio service mesh. Use the following commands to install the Istio istioctl client binary in a bash-based shell on Linux or Windows Subsystem for Linux. These commands copy the istioctl client binary to the standard user program location in your PATH.

cd istio-$ISTIO_VERSION
sudo cp ./bin/istioctl /usr/local/bin/istioctl
sudo chmod +x /usr/local/bin/istioctl

If you'd like command-line completion for the Istio istioctl client binary, set it up as follows:

# Generate the bash completion file and source it in your current shell
mkdir -p ~/completions && istioctl collateral --bash -o ~/completions
source ~/completions/istioctl.bash

# Source the bash completion file in your .bashrc so that the command-line completions
# are permanently available in your shell
echo "source ~/completions/istioctl.bash" >> ~/.bashrc

Download and install the Istio istioctl client binary (macOS)

In a bash-based shell on macOS, use curl to download the Istio release and then extract it with tar as follows:

# Specify the Istio version that will be leveraged throughout these instructions
ISTIO_VERSION=1.4.0

curl -sL "https://github.com/istio/istio/releases/download/$ISTIO_VERSION/istio-$ISTIO_VERSION-osx.tar.gz" | tar xz

The istioctl client binary runs on your client machine and lets you interact with the Istio service mesh. Use the following commands to install the Istio istioctl client binary in a bash-based shell on macOS. These commands copy the istioctl client binary to the standard user program location in your PATH.

cd istio-$ISTIO_VERSION
sudo cp ./bin/istioctl /usr/local/bin/istioctl
sudo chmod +x /usr/local/bin/istioctl

If you'd like command-line completion for the Istio istioctl client binary, set it up as follows:

# Generate the bash completion file and source it in your current shell
mkdir -p ~/completions && istioctl collateral --bash -o ~/completions
source ~/completions/istioctl.bash

# Source the bash completion file in your .bashrc so that the command-line completions
# are permanently available in your shell
echo "source ~/completions/istioctl.bash" >> ~/.bashrc

Download and install the Istio istioctl client binary (Windows)

In a PowerShell-based shell on Windows, use Invoke-WebRequest to download the Istio release and then extract it with Expand-Archive as follows:

# Specify the Istio version that will be leveraged throughout these instructions
$ISTIO_VERSION="1.4.0"

# Enforce TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = "tls12"
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -URI "https://github.com/istio/istio/releases/download/$ISTIO_VERSION/istio-$ISTIO_VERSION-win.zip" -OutFile "istio-$ISTIO_VERSION.zip"
Expand-Archive -Path "istio-$ISTIO_VERSION.zip" -DestinationPath .

The istioctl client binary runs on your client machine and lets you interact with the Istio service mesh. Use the following commands to install the Istio istioctl client binary in a PowerShell-based shell on Windows. These commands copy the istioctl client binary to an Istio folder and then make it available both immediately (in the current shell) and permanently (across shell restarts) via your PATH. You don't need elevated (Admin) privileges to run these commands, and you don't need to restart your shell.

# Copy istioctl.exe to C:\Istio
cd istio-$ISTIO_VERSION
New-Item -ItemType Directory -Force -Path "C:\Istio"
Copy-Item -Path .\bin\istioctl.exe -Destination "C:\Istio\"

# Add C:\Istio to PATH. 
# Make the new PATH permanently available for the current User
$USER_PATH = [environment]::GetEnvironmentVariable("PATH", "User") + ";C:\Istio\"
[environment]::SetEnvironmentVariable("PATH", $USER_PATH, "User")
# Make the new PATH immediately available in the current shell
$env:PATH += ";C:\Istio\"

Install the Istio components on AKS

We'll be installing Grafana and Kiali as part of our Istio installation. Grafana provides analytics and monitoring dashboards, and Kiali provides a service mesh observability dashboard. In our setup, each of these components requires credentials that must be provided as a Secret.

Before we can install the Istio components, we must create the secrets for both Grafana and Kiali. These secrets need to be installed into the istio-system namespace that Istio will use, so we need to create the namespace too. We use the --save-config option when creating the namespace via kubectl create so that the Istio installer can run kubectl apply on this object in the future.

kubectl create namespace istio-system --save-config

Add Grafana Secret (bash)

Replace the REPLACE_WITH_YOUR_SECURE_PASSWORD token with your password and run the following commands:

GRAFANA_USERNAME=$(echo -n "grafana" | base64)
GRAFANA_PASSPHRASE=$(echo -n "REPLACE_WITH_YOUR_SECURE_PASSWORD" | base64)

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: grafana
  namespace: istio-system
  labels:
    app: grafana
type: Opaque
data:
  username: $GRAFANA_USERNAME
  passphrase: $GRAFANA_PASSPHRASE
EOF

Add Kiali Secret (bash)

Replace the REPLACE_WITH_YOUR_SECURE_PASSWORD token with your password and run the following commands:

KIALI_USERNAME=$(echo -n "kiali" | base64)
KIALI_PASSPHRASE=$(echo -n "REPLACE_WITH_YOUR_SECURE_PASSWORD" | base64)

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: kiali
  namespace: istio-system
  labels:
    app: kiali
type: Opaque
data:
  username: $KIALI_USERNAME
  passphrase: $KIALI_PASSPHRASE
EOF
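The two secret blocks above put a literal password on the command line, where it lands in shell history, and hand-roll the base64 encoding with echo -n. The functions below are an added example, not code from the article or the Istio project: they generate a random passphrase from the kernel CSPRNG, render the same Secret manifest (data.username and data.passphrase, as the Istio 1.4 Grafana and Kiali charts expect) from a shell variable that is never passed as a command-line literal, and read the stored passphrase back to confirm what was applied. kubectl is only invoked in the apply and verify helpers; the rendering and encoding are plain shell and run offline.

```bash
#!/usr/bin/env bash
# Added example: create the Grafana/Kiali dashboard secrets without a literal
# password on the command line, and verify what was stored in the cluster.
set -eu

NAMESPACE="${NAMESPACE:-istio-system}"

# Base64 of a string with no trailing newline (printf is portable; echo -n is not).
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# 24 random bytes from the kernel CSPRNG, base64-encoded: 32 printable characters.
gen_passphrase() {
  head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# Render a Secret manifest of the shape the article uses.
# $1 = secret/app name (grafana or kiali), $2 = username, $3 = passphrase
render_dashboard_secret() {
  local name="$1" user="$2" pass="$3"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${NAMESPACE}
  labels:
    app: ${name}
type: Opaque
data:
  username: $(b64 "$user")
  passphrase: $(b64 "$pass")
EOF
}

# Apply a rendered manifest; the passphrase travels over stdin, not argv.
apply_dashboard_secret() {
  render_dashboard_secret "$1" "$2" "$3" | kubectl apply -f -
}

# Read the stored passphrase back and compare it with what we meant to store.
# (On older macOS, base64 -d is spelled base64 -D.)
verify_dashboard_secret() {
  local name="$1" expected="$2" stored
  stored="$(kubectl get secret "$name" -n "$NAMESPACE" -o jsonpath='{.data.passphrase}' | base64 -d)"
  [ "$stored" = "$expected" ]
}

# Usage (needs a cluster): generate, apply, verify, and print each passphrase once
# so it can be filed in a password manager. Run with DASHBOARD_SECRETS=1.
if [ "${DASHBOARD_SECRETS:-0}" = "1" ]; then
  for app in grafana kiali; do
    pass="$(gen_passphrase)"
    apply_dashboard_secret "$app" "$app" "$pass"
    verify_dashboard_secret "$app" "$pass"
    printf '%s passphrase: %s\n' "$app" "$pass"
  done
fi
```

Run with `DASHBOARD_SECRETS=1 bash dashboard-secrets.sh`. Note that a Kubernetes Secret is base64-encoded, not encrypted: anyone with read access to secrets in istio-system can recover the passphrase, so treat RBAC on that namespace as the real control.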


Add Grafana Secret (PowerShell)

Replace the REPLACE_WITH_YOUR_SECURE_PASSWORD token with your password and run the following commands:

$GRAFANA_USERNAME=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("grafana"))
$GRAFANA_PASSPHRASE=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("REPLACE_WITH_YOUR_SECURE_PASSWORD"))

"apiVersion: v1
kind: Secret
metadata:
  name: grafana
  namespace: istio-system
  labels:
    app: grafana
type: Opaque
data:
  username: $GRAFANA_USERNAME
  passphrase: $GRAFANA_PASSPHRASE" | kubectl apply -f -

Add Kiali Secret (PowerShell)

Replace the REPLACE_WITH_YOUR_SECURE_PASSWORD token with your password and run the following commands:

$KIALI_USERNAME=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("kiali"))
$KIALI_PASSPHRASE=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("REPLACE_WITH_YOUR_SECURE_PASSWORD"))

"apiVersion: v1
kind: Secret
metadata:
  name: kiali
  namespace: istio-system
  labels:
    app: kiali
type: Opaque
data:
  username: $KIALI_USERNAME
  passphrase: $KIALI_PASSPHRASE" | kubectl apply -f -

Install Istio components

Now that we've created the Grafana and Kiali secrets in our AKS cluster, it's time to install the Istio components.

The Helm installation approach for Istio will be deprecated in the future. The new installation approach for Istio uses the istioctl client binary, the Istio configuration profiles, and the new Istio control plane spec and API. This new approach is what we'll use to install Istio.

Note

Istio currently must be scheduled to run on Linux nodes. If you have Windows Server nodes in your cluster, you must ensure that the Istio pods are only scheduled to run on Linux nodes. We'll use node selectors to make sure pods are scheduled to the correct nodes.

Caution

The SDS (secret discovery service) and Istio CNI features are currently in Alpha, so think carefully before enabling them.

Note that the Service Account Token Volume Projection Kubernetes feature (a requirement for SDS) is now enabled for all Kubernetes 1.13 and higher versions on AKS.

Create a file called istio.aks.yaml with the following content. This file holds the Istio control plane spec details for configuring Istio.

apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  # Use the default profile as the base
  # More details at: https://istio.io/docs/setup/additional-setup/config-profiles/
  profile: default
  values:
    global:
      # Ensure that the Istio pods are only scheduled to run on Linux nodes
      defaultNodeSelector:
        beta.kubernetes.io/os: linux
      # Enable mutual TLS for the control plane
      controlPlaneSecurityEnabled: true
      mtls:
        # Set to true to require mutual TLS for all service-to-service traffic.
        # Left false here, so the default profile installs a PERMISSIVE mesh policy:
        # sidecars accept plaintext as well as mTLS. Enable it only once every
        # workload in the mesh has a sidecar.
        enabled: false
    grafana:
      # Enable Grafana deployment for analytics and monitoring dashboards
      enabled: true
      security:
        # Enable authentication for Grafana
        enabled: true
    kiali:
      # Enable the Kiali deployment for a service mesh observability dashboard
      enabled: true
    tracing:
      # Enable the Jaeger deployment for tracing
      enabled: true

Install Istio using the istioctl manifest apply command and the istio.aks.yaml Istio control plane spec file above, as follows:

istioctl manifest apply -f istio.aks.yaml --logtostderr --set installPackagePath=./install/kubernetes/operator/charts

The installer deploys a number of CRDs and then manages dependencies to install all of the relevant objects defined for this configuration of Istio. You should see something like the following output snippet.

Applying manifests for these components:
- Tracing
- EgressGateway
- NodeAgent
- Grafana
- Policy
- Citadel
- CertManager
- IngressGateway
- Injector
- Prometheus
- PrometheusOperator
- Kiali
- Telemetry
- Galley
- Cni
- Pilot
- Base
- CoreDNS
NodeAgent is waiting on a prerequisite...
Telemetry is waiting on a prerequisite...
Galley is waiting on a prerequisite...
Cni is waiting on a prerequisite...
Grafana is waiting on a prerequisite...
Policy is waiting on a prerequisite...
Citadel is waiting on a prerequisite...
EgressGateway is waiting on a prerequisite...
Tracing is waiting on a prerequisite...
Kiali is waiting on a prerequisite...
PrometheusOperator is waiting on a prerequisite...
IngressGateway is waiting on a prerequisite...
Prometheus is waiting on a prerequisite...
CertManager is waiting on a prerequisite...
Injector is waiting on a prerequisite...
Pilot is waiting on a prerequisite...
Applying manifest for component Base
Waiting for CRDs to be applied.
CRDs applied.
Finished applying manifest for component Base
Prerequisite for Tracing has completed, proceeding with install.
Prerequisite for Injector has completed, proceeding with install.
Prerequisite for Telemetry has completed, proceeding with install.
Prerequisite for Policy has completed, proceeding with install.
Prerequisite for PrometheusOperator has completed, proceeding with install.
Prerequisite for NodeAgent has completed, proceeding with install.
Prerequisite for IngressGateway has completed, proceeding with install.
Prerequisite for Kiali has completed, proceeding with install.
Prerequisite for EgressGateway has completed, proceeding with install.
Prerequisite for Galley has completed, proceeding with install.
Prerequisite for Grafana has completed, proceeding with install.
Prerequisite for Cni has completed, proceeding with install.
Prerequisite for Citadel has completed, proceeding with install.
Applying manifest for component Tracing
Prerequisite for Prometheus has completed, proceeding with install.
Prerequisite for Pilot has completed, proceeding with install.
Prerequisite for CertManager has completed, proceeding with install.
Applying manifest for component Kiali
Applying manifest for component Prometheus
Applying manifest for component IngressGateway
Applying manifest for component Policy
Applying manifest for component Telemetry
Applying manifest for component Citadel
Applying manifest for component Galley
Applying manifest for component Pilot
Applying manifest for component Injector
Applying manifest for component Grafana
Finished applying manifest for component Kiali
Finished applying manifest for component Tracing
Finished applying manifest for component Prometheus
Finished applying manifest for component Citadel
Finished applying manifest for component Policy
Finished applying manifest for component IngressGateway
Finished applying manifest for component Injector
Finished applying manifest for component Galley
Finished applying manifest for component Pilot
Finished applying manifest for component Grafana
Finished applying manifest for component Telemetry

Component IngressGateway installed successfully:
================================================

serviceaccount/istio-ingressgateway-service-account created
deployment.apps/istio-ingressgateway created
gateway.networking.istio.io/ingressgateway created
sidecar.networking.istio.io/default created
poddisruptionbudget.policy/ingressgateway created
horizontalpodautoscaler.autoscaling/istio-ingressgateway created
service/istio-ingressgateway created

...

At this point, you've deployed Istio to your AKS cluster. To ensure that the deployment of Istio succeeded, move on to the next section to validate the Istio installation.

Validate the Istio installation

First confirm that the expected services have been created. Use the kubectl get svc command to view the running services. Query the istio-system namespace, where the Istio and add-on components were installed:

kubectl get svc --namespace istio-system --output wide

The following example output shows the services that should now be running:

  • istio-* services
  • jaeger-*, tracing, and zipkin add-on tracing services
  • prometheus add-on metrics service
  • grafana add-on analytics and monitoring dashboard service
  • kiali add-on service mesh dashboard service

If the istio-ingressgateway shows an external IP of <pending>, wait a few minutes until an IP address has been assigned by Azure networking.

NAME                     TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                                                                                                                      AGE   SELECTOR
grafana                  ClusterIP      10.0.116.147   <none>           3000/TCP                                                                                                                     92s   app=grafana
istio-citadel            ClusterIP      10.0.248.152   <none>           8060/TCP,15014/TCP                                                                                                           94s   app=citadel
istio-galley             ClusterIP      10.0.50.100    <none>           443/TCP,15014/TCP,9901/TCP,15019/TCP                                                                                         93s   istio=galley
istio-ingressgateway     LoadBalancer   10.0.36.213    20.188.221.111   15020:30369/TCP,80:31368/TCP,443:30045/TCP,15029:32011/TCP,15030:31212/TCP,15031:32411/TCP,15032:30009/TCP,15443:30010/TCP   93s   app=istio-ingressgateway
istio-pilot              ClusterIP      10.0.23.222    <none>           15010/TCP,15011/TCP,8080/TCP,15014/TCP                                                                                       93s   istio=pilot
istio-policy             ClusterIP      10.0.59.250    <none>           9091/TCP,15004/TCP,15014/TCP                                                                                                 93s   istio-mixer-type=policy,istio=mixer
istio-sidecar-injector   ClusterIP      10.0.123.219   <none>           443/TCP                                                                                                                      93s   istio=sidecar-injector
istio-telemetry          ClusterIP      10.0.216.9     <none>           9091/TCP,15004/TCP,15014/TCP,42422/TCP                                                                                       89s   istio-mixer-type=telemetry,istio=mixer
jaeger-agent             ClusterIP      None           <none>           5775/UDP,6831/UDP,6832/UDP                                                                                                   96s   app=jaeger
jaeger-collector         ClusterIP      10.0.221.24    <none>           14267/TCP,14268/TCP,14250/TCP                                                                                                95s   app=jaeger
jaeger-query             ClusterIP      10.0.46.154    <none>           16686/TCP                                                                                                                    95s   app=jaeger
kiali                    ClusterIP      10.0.174.97    <none>           20001/TCP                                                                                                                    94s   app=kiali
prometheus               ClusterIP      10.0.245.226   <none>           9090/TCP                                                                                                                     94s   app=prometheus
tracing                  ClusterIP      10.0.249.95    <none>           9411/TCP                                                                                                                     95s   app=jaeger
zipkin                   ClusterIP      10.0.154.89    <none>           9411/TCP                                                                                                                     94s   app=jaeger

Next, confirm that the required pods have been created. Use the kubectl get pods command, and again query the istio-system namespace:

kubectl get pods --namespace istio-system

The following example output shows the pods that are running:

  • the istio-* pods
  • the prometheus-* add-on metrics pod
  • the grafana-* add-on analytics and monitoring dashboard pod
  • the kiali add-on service mesh dashboard pod

NAME                                          READY   STATUS    RESTARTS   AGE
grafana-6bc97ff99-k9sk4                       1/1     Running   0          92s
istio-citadel-6b5c754454-tb8nf                1/1     Running   0          94s
istio-galley-7d6d78d7c5-zshsd                 2/2     Running   0          94s
istio-ingressgateway-85869c5cc7-x5d76         1/1     Running   0          95s
istio-pilot-787d6995b5-n5vrj                  2/2     Running   0          94s
istio-policy-6cf4fbc8dc-sdsg5                 2/2     Running   2          94s
istio-sidecar-injector-5d5b978668-wrz2s       1/1     Running   0          94s
istio-telemetry-5498db684-6kdnw               2/2     Running   1          94s
istio-tracing-78548677bc-74tx6                1/1     Running   0          96s
kiali-59b7fd7f68-92zrh                        1/1     Running   0          95s
prometheus-7c7cf9dbd6-rjxcv                   1/1     Running   0          94s

All of the pods should show a status of Running. If your pods don't have these statuses, wait a minute or two until they do. If any pods report an issue, use the kubectl describe pod command to review their output and status.
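With the control plane healthy, the one setting in istio.aks.yaml worth revisiting is mtls.enabled: false, which leaves the mesh in PERMISSIVE mode so sidecars accept plaintext. The script below is an added example targeting the Istio 1.4 authentication API; it is not part of the article or the Istio project. It lists the pods in the given namespaces that carry no istio-proxy sidecar (those would be cut off by STRICT mode), refuses to proceed if any are found, and otherwise applies a mesh-wide STRICT MeshPolicy plus the matching DestinationRule so that clients originate mTLS. The namespace names passed on the command line are placeholders.

```bash
#!/usr/bin/env bash
# Added example: move the mesh from PERMISSIVE to STRICT mutual TLS, but only after
# confirming every workload in the listed namespaces carries a sidecar.
set -eu

# Read "pod<TAB>container names" lines from stdin and print the pods that have no
# istio-proxy container. In STRICT mode those pods could no longer be reached.
pods_without_sidecar() {
  awk -F '\t' '{
    found = 0
    n = split($2, c, " ")
    for (i = 1; i <= n; i++) if (c[i] == "istio-proxy") found = 1
    if (!found) print $1
  }'
}

# Emit "pod<TAB>container names" for every pod in a namespace.
pods_with_containers() {
  kubectl get pods -n "$1" -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'
}

# Mesh-wide authentication policy: sidecars accept only mTLS connections.
render_mesh_policy() {
  cat <<'EOF'
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default
spec:
  peers:
  - mtls:
      mode: STRICT
EOF
}

# Matching client-side rule: sidecars originate mTLS to every in-mesh host.
render_default_destination_rule() {
  cat <<'EOF'
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: istio-system
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
EOF
}

# Refuse to enable STRICT if any pod in the given namespaces lacks a sidecar.
enable_strict_mtls() {
  local ns missing
  for ns in "$@"; do
    missing="$(pods_with_containers "$ns" | pods_without_sidecar)"
    if [ -n "$missing" ]; then
      printf 'namespace %s has pods without a sidecar; not enabling STRICT:\n%s\n' "$ns" "$missing" >&2
      return 1
    fi
  done
  render_mesh_policy | kubectl apply -f -
  render_default_destination_rule | kubectl apply -f -
}

# Usage (needs a cluster): ENABLE_STRICT_MTLS=1 bash strict-mtls.sh default payments
if [ "${ENABLE_STRICT_MTLS:-0}" = "1" ]; then
  enable_strict_mtls "$@"
  # Per-host view of server policy versus client rule for one pod in the first
  # namespace; every in-mesh row should show STATUS OK with mTLS on both sides.
  pod="$(kubectl get pod -n "$1" -o jsonpath='{.items[0].metadata.name}')"
  istioctl authn tls-check "${pod}.$1"
fi
```

Only namespaces listed on the command line are checked, so pass every namespace that participates in the mesh; istio-system itself is covered by controlPlaneSecurityEnabled in the spec above.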

Accessing the add-ons

A number of add-ons that provide additional functionality were installed by Istio in the setup above. The web applications for the add-ons are not exposed publicly via an external IP address; they are ClusterIP services, as the kubectl get svc output above shows.

To access the add-on user interfaces, use the istioctl dashboard command. This command uses kubectl port-forward and a random local port to create a connection between your client machine and the relevant pod in your AKS cluster, tunnelled through the Kubernetes API server with your existing kubectl credentials. It then automatically opens the add-on web application in your default browser.

We added an additional layer of security for Grafana and Kiali by specifying credentials for them earlier in this article.

Grafana

The analytics and monitoring dashboards for Istio are provided by Grafana. Remember to use the credentials you created via the Grafana secret earlier when prompted. Open the Grafana dashboard as follows:

istioctl dashboard grafana

Prometheus

Metrics for Istio are provided by Prometheus. Open the Prometheus dashboard as follows:

istioctl dashboard prometheus

Jaeger

Tracing within Istio is provided by Jaeger. Open the Jaeger dashboard as follows:

istioctl dashboard jaeger

Kiali

A service mesh observability dashboard is provided by Kiali. Remember to use the credentials you created via the Kiali secret earlier when prompted. Open the Kiali dashboard as follows:

istioctl dashboard kiali

Envoy

A simple interface to the Envoy proxies is available. It provides configuration information and metrics for the Envoy proxy running in a specified pod. Open the Envoy interface as follows:

istioctl dashboard envoy <pod-name>.<namespace>

Uninstall Istio from AKS

Warning

Deleting Istio from a running system may result in traffic-related issues between your services. Ensure that you have made provisions for your system to still operate correctly without Istio before proceeding.

Remove Istio components and namespace

To remove Istio from your AKS cluster, use the istioctl manifest generate command with the istio.aks.yaml Istio control plane spec file. This writes the deployed manifests to the istio-components-aks directory, which we then pass to kubectl delete to remove all the installed components and the istio-system namespace.

istioctl manifest generate -f istio.aks.yaml -o istio-components-aks --logtostderr --set installPackagePath=./install/kubernetes/operator/charts 

kubectl delete -f istio-components-aks -R

Remove Istio CRDs and Secrets

The above commands delete all the Istio components and the namespace, but the secrets Istio generated in other namespaces (the istio.<service-account> key and certificate secrets created by Citadel) remain.

To delete the secrets in a bash shell, run the following command:

kubectl get secret --all-namespaces -o json | jq '.items[].metadata | ["kubectl delete secret -n", .namespace, .name] | join(" ")' -r | fgrep "istio." | xargs -t0 bash -c


To delete the CRDs in PowerShell, run the following command:

kubectl get crds -o name | Select-String -Pattern 'istio.io' |% { kubectl delete $_ }

To delete the secrets in PowerShell, run the following command:

(kubectl get secret --all-namespaces -o json | ConvertFrom-Json).items.metadata |% { if ($_.name -match "istio.") { "Deleting {0}.{1}" -f $_.namespace, $_.name; kubectl delete secret -n $_.namespace $_.name } }
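The bash one-liner above matches any secret whose name merely contains the substring "istio." and feeds generated command strings to bash -c. The script below is an added example, not from the article or the Istio project: it lists secrets as namespace/name pairs, anchors the match to the istio. prefix Citadel uses for its per-service-account secrets, does the same for the Istio CRD API groups, and prints what it would remove unless explicitly told to delete. The filter functions read from stdin, so they run offline against constructed input; the kubectl calls only run with ISTIO_CLEANUP=1.

```bash
#!/usr/bin/env bash
# Added example: remove the secrets and CRDs left behind after
# "kubectl delete -f istio-components-aks -R", dry run by default.
set -eu

# Filter "namespace<TAB>name" lines from stdin, keeping only secrets whose name
# starts with "istio." (Citadel's naming for per-service-account key/cert secrets).
select_istio_secrets() {
  awk -F '\t' '$2 ~ /^istio\./ {print $1 "\t" $2}'
}

# Filter resource names from stdin, keeping only CRDs in Istio API groups
# (networking.istio.io, authentication.istio.io, install.istio.io, ...).
select_istio_crds() {
  grep -E '\.istio\.io$' || true
}

# List all secrets in the cluster as "namespace<TAB>name", one per line.
list_secrets() {
  kubectl get secret --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\n"}{end}'
}

# Delete (or, by default, only print) the leftover Istio secrets.
cleanup_istio_secrets() {
  local apply="${1:-dry-run}" ns name
  list_secrets | select_istio_secrets | while IFS="$(printf '\t')" read -r ns name; do
    if [ "$apply" = "delete" ]; then
      kubectl delete secret -n "$ns" "$name"
    else
      printf 'would delete secret %s/%s\n' "$ns" "$name"
    fi
  done
}

# Delete (or print) the Istio CRDs. Deleting a CRD also deletes every custom
# resource of that kind cluster-wide, which is why this is not the default.
cleanup_istio_crds() {
  local apply="${1:-dry-run}" crd
  kubectl get crds -o name | select_istio_crds | while read -r crd; do
    if [ "$apply" = "delete" ]; then
      kubectl delete "$crd"
    else
      printf 'would delete %s\n' "$crd"
    fi
  done
}

# Usage: ISTIO_CLEANUP=1 bash istio-cleanup.sh          # dry run
#        ISTIO_CLEANUP=1 bash istio-cleanup.sh delete   # actually delete
if [ "${ISTIO_CLEANUP:-0}" = "1" ]; then
  cleanup_istio_secrets "${1:-dry-run}"
  cleanup_istio_crds "${1:-dry-run}"
fi
```

Review the dry-run output before passing delete: a secret in another namespace that happens to start with istio. but belongs to something else would otherwise go with the rest.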

Next steps

The following documentation describes how you can use Istio to provide intelligent routing to roll out a canary release:

To explore more installation and configuration options for Istio, see the following official Istio guidance:

You can also follow additional scenarios using the following sample applications:

To learn how to monitor your AKS application using Application Insights and Istio, see the following Azure Monitor documentation: