准备k8s集群
本文使用sealos工具部署了发文时最新的k8s集群(1master+3node),具体步骤详见官方说明:
https://sealos.run/docs/self-hosting/lifecycle-management/quick-start/deploy-kubernetes
本文部署的k8s版本是v1.29.1
下载istio介质
前往github官网下载:https://github.com/istio/istio/releases
本文使用的版本是 Istio 1.17.0
安装istio
- 解压安装包到/opt
tar zxf istioctl-1.17.0-linux-amd64.tar.gz
cp istio-1.17.0/bin/istioctl /usr/bin/- 安装istio
istioctl install --set profile=demo -y
This will install the Istio 1.17.0 "demo" profile (with components: Istio core, Istiod, Ingress gateways, and Egress gateways) into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Installation complete
Made this installation the default for injection and validation.关于不同profile的说明如下:
https://istio.io/latest/zh/docs/setup/additional-setup/config-profiles/
| 核心组件 | default | demo | minimal | remote | empty | preview | ambient |
|---|---|---|---|---|---|---|---|
| istio-egressgateway | ✔ | ||||||
| istio-ingressgateway | ✔ | ✔ | ✔ | ||||
| istiod | ✔ | ✔ | ✔ | ✔ | ✔ | ||
| CNI | ✔ | ||||||
| Ztunnel | ✔ |
有时候安装istio会失败,主要报错为istio-egressgateway或者istio-ingressgateway的istio-proxy容器起不来,看日志报错为
istio-proxy warn sds failed to warm certificate: failed to generate workload
……
Readiness probe failed: Get "http://10.233.113.10:15021/healthz/ready": dial tcp 10.233.113.10:15021: connect: connection refused
……
lookup istiod.istio-system.svc on 10.96.0.10:53: read udp 10.244.153.113:41187->10.96.0.10:53: i/o timeout"猜测为宿主机的dns没配好,解决办法:
- k8s所有节点/etc/resolve.conf里配置正确的dns
- 铲掉k8s集群,重新部署k8s,再装istio
注意,如果安装istio这里有问题,后面就没法正常使用istio的各项功能,所以这里必须安装成功。
- 装好以后验证istio的版本
istioctl version
client version: 1.17.0
control plane version: 1.17.0
data plane version: 1.17.0 (2 proxies)- 验证istio各个pod状态
kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
istio-egressgateway-687f4db598-b5llq 1/1 Running 0 12h
istio-ingressgateway-78f69bd5db-bxnvr 1/1 Running 0 12h
istiod-76d66d9876-w4wpv 1/1 Running 0 12h到此istio就安装成功了
