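This example exposes Kiali outside the cluster
The steps below open Kiali to access from outside the cluster. Kiali is a visualization tool for the Istio service mesh; it provides a service topology graph, end-to-end tracing, metrics telemetry, configuration validation, health checks, and more.
List Istio's API resources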
[root@node1 istio-learn]# kubectl api-resources --api-group='networking.istio.io'
NAME SHORTNAMES APIVERSION NAMESPACED KIND
destinationrules dr networking.istio.io/v1beta1 true DestinationRule
envoyfilters networking.istio.io/v1alpha3 true EnvoyFilter
gateways gw networking.istio.io/v1beta1 true Gateway
proxyconfigs networking.istio.io/v1beta1 true ProxyConfig
serviceentries se networking.istio.io/v1beta1 true ServiceEntry
sidecars networking.istio.io/v1beta1 true Sidecar
virtualservices vs networking.istio.io/v1beta1 true VirtualService
workloadentries we networking.istio.io/v1beta1 true WorkloadEntry
workloadgroups wg networking.istio.io/v1beta1 true WorkloadGroup
[root@node1 istio-learn]#
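Check the labels on the ingress gateway installed in the cluster
Look at the labels of the pod istio-ingressgateway-7f58d78f47-pcwff. They are used in the YAML manifest so that this ingress gateway picks up the resources we define.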
[root@node1 ~]# kubectl get pods -n istio-system --show-labels
NAME READY STATUS RESTARTS AGE LABELS
grafana-b8bbdc84d-hvg27 1/1 Running 0 5h27m app.kubernetes.io/instance=grafana,app.kubernetes.io/name=grafana,app=grafana,pod-template-hash=b8bbdc84d,sidecar.istio.io/inject=false
istio-egressgateway-7b8b76f497-vvwgg 1/1 Running 2 (20h ago) 30h app=istio-egressgateway,chart=gateways,heritage=Tiller,install.operator.istio.io/owning-resource=unknown,istio.io/rev=default,istio=egressgateway,operator.istio.io/component=EgressGateways,pod-template-hash=7b8b76f497,release=istio,service.istio.io/canonical-name=istio-egressgateway,service.istio.io/canonical-revision=latest,sidecar.istio.io/inject=false
istio-ingressgateway-7f58d78f47-pcwff 1/1 Running 2 (20h ago) 30h app=istio-ingressgateway,chart=gateways,heritage=Tiller,install.operator.istio.io/owning-resource=unknown,istio.io/rev=default,istio=ingressgateway,operator.istio.io/component=IngressGateways,pod-template-hash=7f58d78f47,release=istio,service.istio.io/canonical-name=istio-ingressgateway,service.istio.io/canonical-revision=latest,sidecar.istio.io/inject=false
istiod-86b84db666-mtxbr 1/1 Running 2 (20h ago) 30h app=istiod,install.operator.istio.io/owning-resource=unknown,istio.io/rev=default,istio=pilot,operator.istio.io/component=Pilot,pod-template-hash=86b84db666,sidecar.istio.io/inject=false
jaeger-7d7d59b9d-nvzp9 1/1 Running 0 5h27m app=jaeger,pod-template-hash=7d7d59b9d,sidecar.istio.io/inject=false
kiali-58d8c9c978-c9dvr 1/1 Running 0 5h27m app.kubernetes.io/instance=kiali,app.kubernetes.io/managed-by=Helm,app.kubernetes.io/name=kiali,app.kubernetes.io/part-of=kiali,app.kubernetes.io/version=v1.72.0,app=kiali,helm.sh/chart=kiali-server-1.72.0,pod-template-hash=58d8c9c978,sidecar.istio.io/inject=false,version=v1.72.0
prometheus-db8b4588f-pd65j 2/2 Running 0 5h27m app=prometheus,chart=prometheus-19.6.1,component=server,heritage=Helm,pod-template-hash=db8b4588f,release=prometheus,sidecar.istio.io/inject=false
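Create the YAML file
# kialia-ingress.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: kiali-gateway
  namespace: istio-system # ensures the selector can select the gateway in this namespace
spec:
  selector:
    app: istio-ingressgateway # this selector matches pods carrying this label in the istio-system namespace
  servers:
  - port:
      number: 20001
      name: http-kiali # the name matters: http indicates the protocol of this socket, here layer-7 proxying; without this format traffic is passed straight through as layer-4 proxying
      protocol: HTTP
    hosts:
    - "kiali.myk8s.cn" # host name to match
Apply the YAML file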
[root@node1 istio-learn]# kubectl apply -f kialia-ingress.yaml
gateway.networking.istio.io/kiali-gateway created
Inspect the Gateway that was just created
Check its name
[root@node1 istio-learn]# kubectl get gateways -n istio-system
NAME AGE
kiali-gateway 15m
First get the name of the ingress gateway pod
[root@node1 istio-learn]# kubectl get pods -n istio-system -l app=istio-ingressgateway -o jsonpath={.items[0].metadata.name}
istio-ingressgateway-7f58d78f47-pcwff[root@node1 istio-learn]#
List the listeners
[root@node1 istio-learn]# istioctl proxy-config listener istio-ingressgateway-7f58d78f47-pcwff -n istio-system
ADDRESSES PORT MATCH DESTINATION
0.0.0.0 15021 ALL Inline Route: /healthz/ready*
0.0.0.0 15090 ALL Inline Route: /stats/prometheus*
0.0.0.0 20001 ALL Route: http.20001 # this listener has been newly created
List the routes
[root@node1 istio-learn]# istioctl proxy-config route istio-ingressgateway-7f58d78f47-pcwff -n istio-system
NAME VHOST NAME DOMAINS MATCH VIRTUAL SERVICE
http.20001 blackhole:20001 * /* 404 # this new entry appears; for an ingress gateway, route information is not generated automatically
backend * /healthz/ready*
backend * /stats/prometheus*
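Define the VirtualService
The VirtualService binds the Gateway created earlier to a service: requests the gateway receives from then on are handed to this VirtualService.
Define the YAML file
# kiali-virtualservice.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kiali-virtualservice
  namespace: istio-system
spec:
  hosts:
  - "kiali.myk8s.cn" # hosts matches the host header defined in the Gateway created earlier
  gateways:
  - kiali-gateway
  http: # routing
  - match: # route match conditions on Envoy
    - port: 20001 # if the request port is 20001
    route: # if the port is 20001, route to the destination below
    - destination:
        host: kiali # name of the destination cluster; the cluster name is the same as the service name; traffic does not pass through the service but goes directly to the pods behind it
        port:
          number: 20001
Apply the YAML file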
[root@node1 istio-learn]# kubectl apply -f kiali-virtualservice.yaml
virtualservice.networking.istio.io/kiali-virtualservice created
List the VirtualService that was created
[root@node1 istio-learn]# kubectl get virtualservices -n istio-system
NAME GATEWAYS HOSTS AGE
kiali-virtualservice ["kiali-gateway"] ["kiali.myk8s.cn"] 24m
With the VirtualService created, check the routes again to verify
[root@node1 istio-learn]# istioctl proxy-config routes istio-ingressgateway-7f58d78f47-pcwff -n istio-system
NAME VHOST NAME DOMAINS MATCH VIRTUAL SERVICE
http.20001 kiali.myk8s.cn:20001 kiali.myk8s.cn /* kiali-virtualservice.istio-system
backend * /healthz/ready*
backend * /stats/prometheus*
Change the external IP of istio-ingressgateway
[root@node1 istio-learn]# kubectl edit svc istio-ingressgateway -n istio-system
Make the following changes
Check the external IP of istio-ingressgateway again
[root@node1 istio-learn]# kubectl get service -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
grafana ClusterIP 10.96.234.93 <none> 3000/TCP 7h2m
istio-egressgateway ClusterIP 10.96.24.219 <none> 80/TCP,443/TCP 32h
istio-ingressgateway LoadBalancer 10.96.174.147 192.168.0.111,192.168.0.222 15021:31848/TCP,80:31657/TCP,20001:31775/TCP,443:30425/TCP,31400:31780/TCP,15443:30671/TCP 32h
istiod ClusterIP 10.96.49.69 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 32h
jaeger-collector ClusterIP 10.96.63.79 <none> 14268/TCP,14250/TCP,9411/TCP,4317/TCP,4318/TCP 7h2m
kiali ClusterIP 10.96.202.30 <none> 20001/TCP,9090/TCP 7h2m
loki-headless ClusterIP None <none> 3100/TCP 7h2m
prometheus ClusterIP 10.96.109.177 <none> 9090/TCP 7h2m
tracing ClusterIP 10.96.141.120 <none> 80/TCP,16685/TCP 7h2m
zipkin ClusterIP 10.96.225.164 <none> 9411/TCP 7h2m
Edit /etc/hosts
On the machine that needs to access the service, edit the hosts file and add the following line: 192.168.0.111 kiali.myk8s.cn
Access from a browser
Open kiali.myk8s.cn:20001 in a browser
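The Gateway above serves Kiali on port 20001 over plain HTTP to any client that can reach the external IP. As an added example (not part of the original article), the same Gateway with TLS terminated at the ingress gateway, plus a policy that rejects requests to port 20001 from outside an admin network. The secret name kiali-tls-credential, the policy name, the file name and the CIDR 192.168.0.0/24 are assumptions.

```yaml
# kiali-gateway-tls.yaml (added example; file name is hypothetical)
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: kiali-gateway            # same name, so kiali-virtualservice stays bound
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway
  servers:
  - port:
      number: 20001
      name: https-kiali
      protocol: HTTPS            # was HTTP in the article's manifest
    tls:
      mode: SIMPLE               # server-side TLS terminated at the gateway
      # Assumption: a kubernetes.io/tls secret with this name exists in
      # istio-system and its certificate covers kiali.myk8s.cn.
      credentialName: kiali-tls-credential
    hosts:
    - "kiali.myk8s.cn"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: kiali-ingress-allowlist  # hypothetical name
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  # DENY scoped to port 20001 leaves the gateway's other ports untouched.
  action: DENY
  rules:
  - from:
    - source:
        # Assumed admin network. ipBlocks matches the peer address the
        # gateway sees, so this only works if the client source IP is
        # preserved on the way to the gateway pod (no SNAT in front).
        notIpBlocks: ["192.168.0.0/24"]
    to:
    - operation:
        ports: ["20001"]
```

The VirtualService from the article needs no change, since it references the Gateway by name and matches on port 20001; the browser URL becomes https://kiali.myk8s.cn:20001.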