我的书签
添加书签
移除书签Setup a Kubernetes Cluster
This is work in progress. We will add its sections in pieces. Your feedback is welcome at discuss.istio.io.
In this module, you set up a Kubernetes cluster that has Istio installed and anamespace to use throughout the tutorial.
If you are in a workshop and the instructors provide a cluster for you,proceed to setting up your local computer.
Ensure you have access to a Kubernetes cluster.You can use the Google Kubernetes Engine or theIBM Cloud Kubernetes Service.
Connect to your cluster and create an environment variable to store the nameof a namespace that you will use when you run the tutorial commands.You can use any name, for example
tutorial.
$ export NAMESPACE=tutorial
- Create the namespace:
$ kubectl create namespace $NAMESPACE
If you are an instructor, you should allocate a separate namespace per eachparticipant. The tutorial supports work in multiple namespacessimultaneously by multiple participants.
Install Istio with strict mutual TLS enabled. TODO: add command or point to instructions.
Create a Kubernetes Ingress resource for these common Istio services usingthe
kubectlcommand shown. It is not necessary to be familiar with each ofthese services at this point in the tutorial.- Grafana
- Jaeger
- Prometheus
- KialiThe
kubectlcommand can accept an in-line configuration to create theIngress resources for each service:
$ kubectl apply -f - <<EOFapiVersion: extensions/v1beta1kind: Ingressmetadata:name: istio-systemnamespace: istio-systemspec:rules:- host: my-istio-dashboard.iohttp:paths:- path: /backend:serviceName: grafanaservicePort: 3000- host: my-istio-tracing.iohttp:paths:- path: /backend:serviceName: tracingservicePort: 80- host: my-istio-logs-database.iohttp:paths:- path: /backend:serviceName: prometheusservicePort: 9090- host: my-kiali.iohttp:paths:- path: /backend:serviceName: kialiservicePort: 20001EOF
- Create a role to provide read access to the
istio-systemnamespace. Thisrole is required to limit permissions of the participants in the stepsbelow.
$ kubectl apply -f - <<EOFkind: RoleapiVersion: rbac.authorization.k8s.io/v1beta1metadata:name: istio-system-accessnamespace: istio-systemrules:- apiGroups: ["", "extensions", "apps"]resources: ["*"]verbs: ["get", "list"]EOF
- Create a service account for each participant:
$ kubectl apply -f - <<EOFapiVersion: v1kind: ServiceAccountmetadata:name: ${NAMESPACE}-usernamespace: $NAMESPACEEOF
- Limit each participant’s permissions. During the tutorial, participants onlyneed to create resources in their namespace and to read resources from
istio-systemnamespace. It is a good practice, even if using your owncluster, to avoid interfering with other namespaces inyour cluster.
Create a role to allow read-write access to each participant’s namespace.Bind the participant’s service account to this role and to the role forreading resources from istio-system:
$ kubectl apply -f - <<EOFkind: RoleapiVersion: rbac.authorization.k8s.io/v1beta1metadata:name: ${NAMESPACE}-accessnamespace: $NAMESPACErules:- apiGroups: ["", "extensions", "apps", "networking.k8s.io", "networking.istio.io", "authentication.istio.io","rbac.istio.io", "config.istio.io"]resources: ["*"]verbs: ["*"]---kind: RoleBindingapiVersion: rbac.authorization.k8s.io/v1beta1metadata:name: ${NAMESPACE}-accessnamespace: $NAMESPACEsubjects:- kind: ServiceAccountname: ${NAMESPACE}-usernamespace: $NAMESPACEroleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: ${NAMESPACE}-access---kind: RoleBindingapiVersion: rbac.authorization.k8s.io/v1beta1metadata:name: ${NAMESPACE}-istio-system-accessnamespace: istio-systemsubjects:- kind: ServiceAccountname: ${NAMESPACE}-usernamespace: $NAMESPACEroleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: istio-system-accessEOF
- Each participant needs to use their own Kubernetes configuration file. This configuration file specifiesthe cluster details, the service account, the credentials and the namespace of the participant.The
kubectlcommand uses the configuration file to operate on the cluster.
Generate a Kubernetes configuration file for each participant:
$ cat <<EOF > ./${NAMESPACE}-user-config.yamlapiVersion: v1kind: Configpreferences: {}clusters:- cluster:certificate-authority-data: $(kubectl get secret $(kubectl get sa ${NAMESPACE}-user -n $NAMESPACE -o jsonpath={.secrets..name}) -n $NAMESPACE -o jsonpath='{.data.ca\.crt}')server: $(kubectl config view -o jsonpath="{.clusters[?(.name==\"$(kubectl config view -o jsonpath="{.contexts[?(.name==\"$(kubectl config current-context)\")].context.cluster}")\")].cluster.server}")name: ${NAMESPACE}-clusterusers:- name: ${NAMESPACE}-useruser:as-user-extra: {}client-key-data: $(kubectl get secret $(kubectl get sa ${NAMESPACE}-user -n $NAMESPACE -o jsonpath={.secrets..name}) -n $NAMESPACE -o jsonpath='{.data.ca\.crt}')token: $(kubectl get secret $(kubectl get sa ${NAMESPACE}-user -n $NAMESPACE -o jsonpath={.secrets..name}) -n $NAMESPACE -o jsonpath={.data.token} | base64 --decode)contexts:- context:cluster: ${NAMESPACE}-clusternamespace: ${NAMESPACE}user: ${NAMESPACE}-username: ${NAMESPACE}current-context: ${NAMESPACE}EOF
- If you are setting up the cluster for yourself, copy the
${NAMESPACE}-user-config.yamlfile mentioned in the previous steps to yourlocal computer, where${NAMESPACE}is the name of the namespace youprovided in the previous steps. For example,tutorial-user-config.yaml.You will need this file later in the tutorial.
If you are an instructor, send the generated configuration files to eachparticipant who should copy it to their local computer.
Congratulations, you configured your cluster for the tutorials!
You are ready to setup a local computer.
