Kubernetes istio istioctl
ghdrako edited this page Aug 17, 2022 · 24 revisions
curl -L https://istio.io/downloadIstio | sh -
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.13.0 sh -
cd istio-1.13.0
./bin/istioctl version
# add istioctl to PATH
istioctl x precheck
istioctl install --set profile=demo
istioctl install --set profile=default
istioctl install --set profile=demo -y
kubectl get pod -n istio-system
istioctl verify-install
istioctl profile dump default # show settings
istioctl install --set addonComponents.kiali.enabled=true \
  --set components.telemetry.enabled=true \
  --set components.citadel.enabled=true \
  --set values.global.proxy.privileged=true \
  --set addonComponents.tracing.enabled=true \
  --set values.pilot.traceSampling=100.0 \
  --set values.global.proxy.tracer=datadog
When changing any config, make sure to pass all the previous flags along with the new ones. Any previously enabled variable that is left out reverts to its default value. One way to avoid this is to store the dump in a file and apply it with istioctl, or to use the Helm charts for Istio.
kubectl apply -f ./samples/addons
kubectl get pod -n istio-system
istioctl kube-inject -f services/catalog/kubernetes/catalog.yaml
The istioctl kube-inject command takes a Kubernetes resource file and enriches it with the sidecar deployment of the Istio service proxy and a few additional components. The YAML now includes a few extra containers as part of the deployment.
- args:
  - proxy
  - sidecar
  - --domain
  - $(POD_NAMESPACE).svc.cluster.local
  - --serviceCluster
  - catalog.$(POD_NAMESPACE)
  - --proxyLogLevel=warning
  - --proxyComponentLogLevel=misc:error
  - --trust-domain=cluster.local
  - --concurrency
  - "2"
  env:
  - name: JWT_POLICY
    value: first-party-jwt
  - name: PILOT_CERT_PROVIDER
    value: istiod
  - name: CA_ADDR
    value: istiod.istio-system.svc:15012
  - name: POD_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name
  ...
  image: docker.io/istio/proxyv2:1.13.0
  imagePullPolicy: Always
  name: istio-proxy
To enable automatic sidecar injection, we have to add a label at the namespace level.
kubectl label namespace dsl-test istio-injection=enabled
kubectl label namespace istioinaction istio-injection=enabled
For services that do not require a sidecar, we need to add the following annotation to the deployment template:
# Pod Annotations
podAnnotations:
  sidecar.istio.io/inject: "false"
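Added example (not part of the original page): an audit that uses the `istio-injection=enabled` namespace label, the `sidecar.istio.io/inject: "false"` annotation and the `istio-proxy` container name shown above to list pods running without a sidecar, and pods whose proxy is privileged (the effect of `values.global.proxy.privileged=true`). The pod and namespace objects are constructed sample data; the check assumes the proxy appears in `spec.containers` as in the 1.13 output above and does not consider revision-based injection labels.

```python
# Constructed sample data, shaped like `kubectl get ns -o json` and
# `kubectl get pods -A -o json` (only the fields the audit reads).
NAMESPACES = {"items": [
    {"metadata": {"name": "istioinaction", "labels": {"istio-injection": "enabled"}}},
    {"metadata": {"name": "dsl-test", "labels": {"istio-injection": "enabled"}}},
    {"metadata": {"name": "default"}},
]}

def pod(ns, name, containers, annotations=None):
    """Build a minimal pod object for the sample (hypothetical helper)."""
    return {"metadata": {"namespace": ns, "name": name, "annotations": annotations or {}},
            "spec": {"containers": containers}}

APP = {"name": "app"}
PODS = {"items": [
    pod("istioinaction", "catalog-1", [APP, {"name": "istio-proxy"}]),
    pod("istioinaction", "webapp-1",
        [APP, {"name": "istio-proxy", "securityContext": {"privileged": True}}]),
    pod("dsl-test", "batch-1", [APP], {"sidecar.istio.io/inject": "false"}),
    pod("dsl-test", "old-1", [APP]),
    pod("default", "legacy-1", [APP]),
]}

def audit(namespaces, pods):
    """Return (pod, finding) pairs for pods outside the mesh or with a privileged proxy."""
    enabled = {ns["metadata"]["name"] for ns in namespaces["items"]
               if ns["metadata"].get("labels", {}).get("istio-injection") == "enabled"}
    findings = []
    for p in pods["items"]:
        meta = p["metadata"]
        ref = f'{meta["namespace"]}/{meta["name"]}'
        proxy = next((c for c in p["spec"]["containers"] if c["name"] == "istio-proxy"), None)
        if proxy is None:
            if meta["namespace"] not in enabled:
                why = "namespace not labelled istio-injection=enabled"
            elif (meta.get("annotations") or {}).get("sidecar.istio.io/inject") == "false":
                why = "opted out with sidecar.istio.io/inject=false"
            else:
                why = "namespace is labelled; pod was not injected at creation"
            findings.append((ref, "no sidecar: " + why))
        elif (proxy.get("securityContext") or {}).get("privileged"):
            findings.append((ref, "istio-proxy container is privileged"))
    return findings

if __name__ == "__main__":
    for ref, finding in audit(NAMESPACES, PODS):
        print(f"{ref}: {finding}")
```

To run it against a cluster, replace the two sample objects with the parsed JSON output of the two kubectl commands named in the first comment.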
$ istioctl proxy-status # overview of your mesh
Test