From 78b4c20adfccdd38b6c6ab83d1f8b964fcdf9c74 Mon Sep 17 00:00:00 2001 From: Andra Cismaru Date: Tue, 17 Jul 2018 22:49:37 -0700 Subject: [PATCH] Extract platform prerequisites (#1834) * Extract platform prerequisites * Reorg * Remove the inner pages from the menu * Conform to the site directory structure * Fix the link wording to match the title of the link and the uppercase * Fix lint errors * more lint errors --- .../export-logs-through-stackdriver/index.md | 4 +- content/docs/examples/endpoints/index.md | 2 +- .../kubernetes/download-release/index.md | 43 +++ .../setup/kubernetes/helm-install/index.md | 6 +- .../setup/kubernetes/platform-setup/index.md | 283 ++++++++++++++++ .../setup/kubernetes/quick-start/index.md | 312 +----------------- .../kubernetes/sidecar-injection/index.md | 2 +- 7 files changed, 335 insertions(+), 317 deletions(-) create mode 100644 content/docs/setup/kubernetes/download-release/index.md create mode 100644 content/docs/setup/kubernetes/platform-setup/index.md diff --git a/content/blog/2018/export-logs-through-stackdriver/index.md b/content/blog/2018/export-logs-through-stackdriver/index.md index cc345b085d..b910279ca1 100644 --- a/content/blog/2018/export-logs-through-stackdriver/index.md +++ b/content/blog/2018/export-logs-through-stackdriver/index.md 
@@ -50,7 +50,7 @@ Common setup for all sinks: 1. Record the ID of the dataset. It will be needed to configure the Stackdriver handler. It would be of the form `bigquery.googleapis.com/projects/[PROJECT_ID]/datasets/[DATASET_ID]` 1. Give [sink’s writer identity](https://cloud.google.com/logging/docs/api/tasks/exporting-logs#writing_to_the_destination): `cloud-logs@system.gserviceaccount.com` BigQuery Data Editor role in IAM. -1. If using [Google Kubernetes Engine](/docs/setup/kubernetes/quick-start/#google-kubernetes-engine), make sure `bigquery` [Scope](https://cloud.google.com/sdk/gcloud/reference/container/clusters/create) is enabled on the cluster. +1. If using [Google Kubernetes Engine](/docs/setup/kubernetes/platform-setup/#google-kubernetes-engine), make sure `bigquery` [Scope](https://cloud.google.com/sdk/gcloud/reference/container/clusters/create) is enabled on the cluster. #### Google Cloud Storage (GCS) @@ -65,7 +65,7 @@ Common setup for all sinks: 1. Recode the ID of the topic. It will be needed to configure Stackdriver. It would be of the form `pubsub.googleapis.com/projects/[PROJECT_ID]/topics/[TOPIC_ID]` 1. Give [sink’s writer identity](https://cloud.google.com/logging/docs/api/tasks/exporting-logs#writing_to_the_destination): `cloud-logs@system.gserviceaccount.com` Pub/Sub Publisher role in IAM. -1. If using [Google Kubernetes Engine](/docs/setup/kubernetes/quick-start/#google-kubernetes-engine), make sure `pubsub` [Scope](https://cloud.google.com/sdk/gcloud/reference/container/clusters/create) is enabled on the cluster. +1. If using [Google Kubernetes Engine](/docs/setup/kubernetes/platform-setup/#google-kubernetes-engine), make sure `pubsub` [Scope](https://cloud.google.com/sdk/gcloud/reference/container/clusters/create) is enabled on the cluster. ### Setting up Stackdriver diff --git a/content/docs/examples/endpoints/index.md b/content/docs/examples/endpoints/index.md index a208e2576a..208dc08c71 100644 
--- a/content/docs/examples/endpoints/index.md +++ b/content/docs/examples/endpoints/index.md @@ -21,7 +21,7 @@ You may test the service using the following command: $ curl --request POST --header "content-type:application/json" --data '{"message":"hello world"}' "http://${EXTERNAL_IP}:80/echo?key=${ENDPOINTS_KEY}" {{< /text >}} -You need to install Istio with [instructions](/docs/setup/kubernetes/quick-start/#google-kubernetes-engine). +You need to install Istio with [instructions](/docs/setup/kubernetes/platform-setup/#google-kubernetes-engine). ## HTTP Endpoints service diff --git a/content/docs/setup/kubernetes/download-release/index.md b/content/docs/setup/kubernetes/download-release/index.md new file mode 100644 index 0000000000..3415a6d581 --- /dev/null +++ b/content/docs/setup/kubernetes/download-release/index.md 
@@ -0,0 +1,43 @@ +--- +title: Download the Istio release +description: Instructions to download the Istio release. +weight: 10 +keywords: [kubernetes] +--- + +## Download and prepare for the installation + +Istio is installed in its own `istio-system` namespace and can manage +services from all other namespaces. + +1. Go to the [Istio release](https://github.com/istio/istio/releases) page to + download the installation file corresponding to your OS. On a macOS or + Linux system, you can run the following command to download and + extract the latest release automatically: + + {{< text bash >}} + $ curl -L https://git.io/getLatestIstio | sh - + {{< /text >}} + +1. Move to the Istio package directory . For example, if the package is + istio-{{< istio_version >}}.0: + + {{< text bash >}} + $ cd istio-{{< istio_version >}}.0 + {{< /text >}} + + The installation directory contains: + + * Installation `.yaml` files for Kubernetes in `install/` + * Sample applications in `samples/` + * The `istioctl` client binary in the `bin/` directory. `istioctl` is + used when manually injecting Envoy as a sidecar proxy and for creating + routing rules and policies. + * The `istio.VERSION` configuration file + +1. Add the `istioctl` client to your PATH environment variable, on a macOS or + Linux system: + + {{< text bash >}} + $ export PATH=$PWD/bin:$PATH + {{< /text >}} diff --git a/content/docs/setup/kubernetes/helm-install/index.md b/content/docs/setup/kubernetes/helm-install/index.md index eb54bb0560..f37f1a879f 100644 --- a/content/docs/setup/kubernetes/helm-install/index.md +++ b/content/docs/setup/kubernetes/helm-install/index.md 
@@ -15,11 +15,9 @@ plane and the sidecars for the Istio data plane. ## Prerequisites -1. [Setup Istio in - Kubernetes](/docs/setup/kubernetes/quick-start/#platform-setup). +1. [Download the Istio release](/docs/setup/kubernetes/download-release/). -1. [Download](/docs/setup/kubernetes/quick-start/#download-and-prepare-for-the-installation) - the latest Istio release. +1. [Kubernetes platform setup](/docs/setup/kubernetes/platform-setup/). 1. [Install the Helm client](https://docs.helm.sh/using_helm/#installing-helm). diff --git a/content/docs/setup/kubernetes/platform-setup/index.md b/content/docs/setup/kubernetes/platform-setup/index.md new file mode 100644 index 0000000000..770647dd32 --- /dev/null +++ b/content/docs/setup/kubernetes/platform-setup/index.md 
@@ -0,0 +1,283 @@ +--- +title: Kubernetes platform setup +description: Instructions to setup the Kubernetes cluster for Istio. +weight: 10 +keywords: [kubernetes] +--- + +Follow these instructions to setup the Kubernetes cluster for Istio. + +## Prerequisites + +The following instructions require: + +* Access to a Kubernetes **1.9 or newer** cluster with + [RBAC (Role-Based Access Control)](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) + enabled. +* [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/) **1.9 or + newer** installed. Version **1.10** is recommended. + + > If you installed Istio 0.2.x, + > [uninstall](https://archive.istio.io/v0.2/docs/setup/kubernetes/quick-start#uninstalling) + > it completely before installing the newer version. Remember to uninstall + > the Istio sidecar for all Istio enabled application pods too. + +## Platform setup + +This section describes the setup in different Kubernetes providers. + +### Minikube + +1. To run Istio locally, install the latest version of + [Minikube](https://kubernetes.io/docs/setup/minikube/), version **0.28.0 or + later**. + +1. Select a + [VM driver](https://kubernetes.io/docs/setup/minikube/#quickstart) + and substitute `your_vm_driver_choice` below with the installed virtual + machine (VM) driver. + + On Kubernetes **1.9**: + + {{< text bash >}} + $ minikube start --memory=4096 --kubernetes-version=v1.9.4 \ + --vm-driver=`your_vm_driver_choice` + {{< /text >}} + + On Kubernetes **1.10**: + + {{< text bash >}} + $ minikube start --memory=4096 --kubernetes-version=v1.10.0 \ + --vm-driver=`your_vm_driver_choice` + {{< /text >}} + +### Google Kubernetes Engine + +1. Create a new cluster. + + {{< text bash >}} + $ gcloud container clusters create \ + --cluster-version=1.10.5-gke.0 \ + --zone \ + --project + {{< /text >}} + +1. Retrieve your credentials for `kubectl`. 
+ + {{< text bash >}} + $ gcloud container clusters get-credentials \ + --zone \ + --project + {{< /text >}} + +1. Grant cluster administrator (admin) permissions to the current user. To + create the necessary RBAC rules for Istio, the current user requires admin + permissions. + + {{< text bash >}} + $ kubectl create clusterrolebinding cluster-admin-binding \ + --clusterrole=cluster-admin \ + --user=$(gcloud config get-value core/account) + {{< /text >}} + +### IBM Cloud Kubernetes Service (IKS) + +1. Create a new lite cluster. + + {{< text bash >}} + $ bx cs cluster-create --name --kube-version 1.9.7 + {{< /text >}} + + Alternatively, you can create a new paid cluster: + + {{< text bash >}} + $ bx cs cluster-create --location location --machine-type u2c.2x4 \ + --name --kube-version 1.9.7 + {{< /text >}} + +1. Retrieve your credentials for `kubectl`. Replace `` with the + name of the cluster you want to use: + + {{< text bash >}} + $(bx cs cluster-config |grep "export KUBECONFIG") + {{< /text >}} + +### IBM Cloud Private + +[Configure the kubectl CLI](https://www.ibm.com/support/knowledgecenter/SSBS6K_2.1.0/manage_cluster/cfc_cli.html) +to access the IBM Cloud Private Cluster. + +### OpenShift Origin + +By default, OpenShift doesn't allow containers running with user ID (UID) 0. 
+ +Enable containers running with UID 0 for Istio's service accounts: + +{{< text bash >}} +$ oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account \ + -n istio-system +$ oc adm policy add-scc-to-user anyuid -z default -n istio-system +$ oc adm policy add-scc-to-user anyuid -z prometheus -n istio-system +$ oc adm policy add-scc-to-user anyuid \ + -z istio-egressgateway-service-account -n istio-system +$ oc adm policy add-scc-to-user anyuid -z istio-citadel-service-account \ + -n istio-system +$ oc adm policy add-scc-to-user anyuid \ + -z istio-ingressgateway-service-account -n istio-system +$ oc adm policy add-scc-to-user anyuid \ + -z istio-cleanup-old-ca-service-account -n istio-system +$ oc adm policy add-scc-to-user anyuid -z istio-mixer-post-install-account \ + -n istio-system +$ oc adm policy add-scc-to-user anyuid -z istio-mixer-service-account \ + -n istio-system +$ oc adm policy add-scc-to-user anyuid -z istio-pilot-service-account \ + -n istio-system +$ oc adm policy add-scc-to-user anyuid \ + -z istio-sidecar-injector-service-account -n istio-system +{{< /text >}} + +The list above accounts for the default Istio service accounts. If you enabled +other Istio services, like _Grafana_ for example, you need to enable its +service account with a similar command. + +A service account that runs application pods needs privileged security context +constraints as part of sidecar injection. + +{{< text bash >}} +$ oc adm policy add-scc-to-user privileged -z default -n +{{< /text >}} + +> Check for `SELINUX` in this [discussion](https://github.com/istio/issues/issues/34) +> with respect to Istio in case you see issues bringing up the Envoy. + +### AWS with Kops + +When you install a new cluster with Kubernetes version 1.9, the prerequisite to +enable `admissionregistration.k8s.io/v1beta1` is covered. + +Nevertheless, you must update the list of admission controllers. + +1. 
Open the configuration file: + + {{< text bash >}} + $ kops edit cluster $YOURCLUSTER + {{< /text >}} + +1. Add the following in the configuration file: + + {{< text yaml >}} + kubeAPIServer: + admissionControl: + - NamespaceLifecycle + - LimitRanger + - ServiceAccount + - PersistentVolumeLabel + - DefaultStorageClass + - DefaultTolerationSeconds + - MutatingAdmissionWebhook + - ValidatingAdmissionWebhook + - ResourceQuota + - NodeRestriction + - Priority + {{< /text >}} + +1. Perform the update: + + {{< text bash >}} + $ kops update cluster + $ kops update cluster --yes + {{< /text >}} + +1. Launch the rolling update: + + {{< text bash >}} + $ kops rolling-update cluster + $ kops rolling-update cluster --yes + {{< /text >}} + +1. Validate the update with the `kubectl` client on the `kube-api` pod, you + should see new admission controller: + + {{< text bash >}} + $ for i in `kubectl \ + get pods -nkube-system | grep api | awk '{print $1}'` ; \ + do kubectl describe pods -nkube-system \ + $i | grep "/usr/local/bin/kube-apiserver" ; done + {{< /text >}} + +1. Review the output: + + {{< text plain >}} + [...] + --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount, + PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds, + MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota, + NodeRestriction,Priority + [...] + {{< /text >}} + +### Azure + +You must use `ACS-Engine` to deploy your cluster. + +1. Follow the instructions to get and install the `acs-engine` binary with + [their instructions](https://github.com/Azure/acs-engine/blob/master/docs/acsengine.md#install). + +1. Download Istio's `api model definition`: + + {{< text bash >}} + $ wget https://raw.githubusercontent.com/Azure/acs-engine/master/examples/service-mesh/istio.json + {{< /text >}} + +1. Deploy your cluster using the `istio.json` template. 
You can find references + to the parameters in the + [official docs](https://github.com/Azure/acs-engine/blob/master/docs/kubernetes/deploy.md#step-3-edit-your-cluster-definition). + + | Parameter | Expected value | + |---------------------------------------|----------------------------| + | `subscription_id` | Azure Subscription Id | + | `dns_prefix` | Cluster DNS Prefix | + | `location` | Cluster Location | + + {{< text bash >}} + $ acs-engine deploy --subscription-id \ + --dns-prefix --location --auto-suffix \ + --api-model istio.json + {{< /text >}} + + > After a few minutes, you can find your cluster on your Azure subscription + > in a resource group called `-`. Assuming `dns_prefix` has + > the value `myclustername`, a valid resource group with a unique cluster + > ID is `mycluster-5adfba82`. The `acs-engine` generates your `kubeconfig` + > file in the `_output` folder. + +1. Use the `-` cluster ID, to copy your `kubeconfig` to your + machine from the `_output` folder: + + {{< text bash >}} + $ cp _output/-/kubeconfig/kubeconfig..json \ + ~/.kube/config + {{< /text >}} + + For example: + + {{< text bash >}} + $ cp _output/mycluster-5adfba82/kubeconfig/kubeconfig.westus2.json \ + ~/.kube/config + {{< /text >}} + +1. Check if the right Istio flags were deployed: + + {{< text bash >}} + $ kubectl describe pod --namespace kube-system + $(kubectl get pods --namespace kube-system | grep api | cut -d ' ' -f 1) \ + | grep admission-control + {{< /text >}} + +1. Confirm the `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` + flags are present: + + {{< text plain >}} + --admission-control=...,MutatingAdmissionWebhook,..., + ValidatingAdmissionWebhook,... + {{< /text >}} diff --git a/content/docs/setup/kubernetes/quick-start/index.md b/content/docs/setup/kubernetes/quick-start/index.md index d9dfd30ced..e64ce2acbd 100644 --- a/content/docs/setup/kubernetes/quick-start/index.md +++ b/content/docs/setup/kubernetes/quick-start/index.md 
@@ -1,5 +1,5 @@ --- -title: Istio Setup in Kubernetes +title: Quick Start with Kubernetes description: Instructions to setup the Istio service mesh in a Kubernetes cluster. weight: 10 keywords: [kubernetes] 
@@ -10,315 +10,9 @@ cluster. ## Prerequisites -The following instructions require: +1. [Download the Istio release](/docs/setup/kubernetes/download-release/). -* Access to a Kubernetes **1.9 or newer** cluster with - [RBAC (Role-Based Access Control)](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) - enabled. -* [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/) **1.9 or - newer** installed. Version **1.10** is recommended. - - > If you installed Istio 0.2.x, - > [uninstall](https://archive.istio.io/v0.2/docs/setup/kubernetes/quick-start#uninstalling) - > it completely before installing the newer version. Remember to uninstall - > the Istio sidecar for all Istio enabled application pods too. - -## Platform setup - -This section describes the setup in different platforms. - -### Setup Minikube - -1. To install Istio locally, install the latest version of - [Minikube](https://kubernetes.io/docs/setup/minikube/), version **0.28.0 or - later**. - -1. Select a - [VM driver](https://kubernetes.io/docs/setup/minikube/#quickstart) - and substitute `your_vm_driver_choice` below with the installed virtual - machine (VM) driver. - - On Kubernetes **1.9**: - - {{< text bash >}} - $ minikube start --memory=4096 --kubernetes-version=v1.9.4 \ - --vm-driver=`your_vm_driver_choice` - {{< /text >}} - - On Kubernetes **1.10**: - - {{< text bash >}} - $ minikube start --memory=4096 --kubernetes-version=v1.10.0 \ - --vm-driver=`your_vm_driver_choice` - {{< /text >}} - -### Google Kubernetes Engine - -1. Create a new cluster. - - {{< text bash >}} - $ gcloud container clusters create \ - --cluster-version=1.10.5-gke.0 \ - --zone \ - --project - {{< /text >}} - -1. Retrieve your credentials for `kubectl`. - - {{< text bash >}} - $ gcloud container clusters get-credentials \ - --zone \ - --project - {{< /text >}} - -1. Grant cluster administrator (admin) permissions to the current user. 
To - create the necessary RBAC rules for Istio, the current user requires admin - permissions. - - {{< text bash >}} - $ kubectl create clusterrolebinding cluster-admin-binding \ - --clusterrole=cluster-admin \ - --user=$(gcloud config get-value core/account) - {{< /text >}} - -### IBM Cloud Kubernetes Service (IKS) - -1. Create a new lite cluster. - - {{< text bash >}} - $ bx cs cluster-create --name --kube-version 1.9.7 - {{< /text >}} - - Alternatively, you can create a new paid cluster: - - {{< text bash >}} - $ bx cs cluster-create --location location --machine-type u2c.2x4 \ - --name --kube-version 1.9.7 - {{< /text >}} - -1. Retrieve your credentials for `kubectl`. Replace `` with the - name of the cluster you want to use: - - {{< text bash >}} - $(bx cs cluster-config |grep "export KUBECONFIG") - {{< /text >}} - -### IBM Cloud Private - -[Configure the kubectl CLI](https://www.ibm.com/support/knowledgecenter/SSBS6K_2.1.0/manage_cluster/cfc_cli.html) -to access the IBM Cloud Private Cluster. - -### OpenShift Origin - -By default, OpenShift doesn't allow containers running with user ID (UID) 0. 
- -Enable containers running with UID 0 for Istio's service accounts: - -{{< text bash >}} -$ oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account \ - -n istio-system -$ oc adm policy add-scc-to-user anyuid -z default -n istio-system -$ oc adm policy add-scc-to-user anyuid -z prometheus -n istio-system -$ oc adm policy add-scc-to-user anyuid \ - -z istio-egressgateway-service-account -n istio-system -$ oc adm policy add-scc-to-user anyuid -z istio-citadel-service-account \ - -n istio-system -$ oc adm policy add-scc-to-user anyuid \ - -z istio-ingressgateway-service-account -n istio-system -$ oc adm policy add-scc-to-user anyuid \ - -z istio-cleanup-old-ca-service-account -n istio-system -$ oc adm policy add-scc-to-user anyuid -z istio-mixer-post-install-account \ - -n istio-system -$ oc adm policy add-scc-to-user anyuid -z istio-mixer-service-account \ - -n istio-system -$ oc adm policy add-scc-to-user anyuid -z istio-pilot-service-account \ - -n istio-system -$ oc adm policy add-scc-to-user anyuid \ - -z istio-sidecar-injector-service-account -n istio-system -{{< /text >}} - -The list above accounts for the default Istio service accounts. If you enabled -other Istio services, like _Grafana_ for example, you need to enable its -service account with a similar command. - -A service account that runs application pods needs privileged security context -constraints as part of sidecar injection. - -{{< text bash >}} -$ oc adm policy add-scc-to-user privileged -z default -n -{{< /text >}} - -> Check for `SELINUX` in this [discussion](https://github.com/istio/issues/issues/34) -> with respect to Istio in case you see issues bringing up the Envoy. - -### AWS with Kops - -When you install a new cluster with Kubernetes version 1.9, the prerequisite to -enable `admissionregistration.k8s.io/v1beta1` is covered. - -Nevertheless, you must update the list of admission controllers. - -1. 
Open the configuration file: - - {{< text bash >}} - $ kops edit cluster $YOURCLUSTER - {{< /text >}} - -1. Add the following in the configuration file: - - {{< text yaml >}} - kubeAPIServer: - admissionControl: - - NamespaceLifecycle - - LimitRanger - - ServiceAccount - - PersistentVolumeLabel - - DefaultStorageClass - - DefaultTolerationSeconds - - MutatingAdmissionWebhook - - ValidatingAdmissionWebhook - - ResourceQuota - - NodeRestriction - - Priority - {{< /text >}} - -1. Perform the update: - - {{< text bash >}} - $ kops update cluster - $ kops update cluster --yes - {{< /text >}} - -1. Launch the rolling update: - - {{< text bash >}} - $ kops rolling-update cluster - $ kops rolling-update cluster --yes - {{< /text >}} - -1. Validate the update with the `kubectl` client on the `kube-api` pod, you - should see new admission controller: - - {{< text bash >}} - $ for i in `kubectl \ - get pods -nkube-system | grep api | awk '{print $1}'` ; \ - do kubectl describe pods -nkube-system \ - $i | grep "/usr/local/bin/kube-apiserver" ; done - {{< /text >}} - -1. Review the output: - - {{< text plain >}} - [...] - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount, - PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds, - MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota, - NodeRestriction,Priority - [...] - {{< /text >}} - -### Azure - -You must use `ACS-Engine` to deploy your cluster. - -1. Follow the instructions to get and install the `acs-engine` binary with - [their instructions](https://github.com/Azure/acs-engine/blob/master/docs/acsengine.md#install). - -1. Download Istio's `api model definition`: - - {{< text bash >}} - $ wget https://raw.githubusercontent.com/Azure/acs-engine/master/examples/service-mesh/istio.json - {{< /text >}} - -1. Deploy your cluster using the `istio.json` template. 
You can find references - to the parameters in the - [official docs](https://github.com/Azure/acs-engine/blob/master/docs/kubernetes/deploy.md#step-3-edit-your-cluster-definition). - - | Parameter | Expected value | - |---------------------------------------|----------------------------| - | `subscription_id` | Azure Subscription Id | - | `dns_prefix` | Cluster DNS Prefix | - | `location` | Cluster Location | - - {{< text bash >}} - $ acs-engine deploy --subscription-id \ - --dns-prefix --location --auto-suffix \ - --api-model istio.json - {{< /text >}} - - > After a few minutes, you can find your cluster on your Azure subscription - > in a resource group called `-`. Assuming `dns_prefix` has - > the value `myclustername`, a valid resource group with a unique cluster - > ID is `mycluster-5adfba82`. The `acs-engine` generates your `kubeconfig` - > file in the `_output` folder. - -1. Use the `-` cluster ID, to copy your `kubeconfig` to your - machine from the `_output` folder: - - {{< text bash >}} - $ cp _output/-/kubeconfig/kubeconfig..json \ - ~/.kube/config - {{< /text >}} - - For example: - - {{< text bash >}} - $ cp _output/mycluster-5adfba82/kubeconfig/kubeconfig.westus2.json \ - ~/.kube/config - {{< /text >}} - -1. Check if the right Istio flags were deployed: - - {{< text bash >}} - $ kubectl describe pod --namespace kube-system - $(kubectl get pods --namespace kube-system | grep api | cut -d ' ' -f 1) \ - | grep admission-control - {{< /text >}} - -1. Confirm the `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` - flags are present: - - {{< text plain >}} - --admission-control=...,MutatingAdmissionWebhook,..., - ValidatingAdmissionWebhook,... - {{< /text >}} - -## Download and prepare for the installation - -Istio is installed in its own `istio-system` namespace and can manage -services from all other namespaces. - -1. 
Go to the [Istio release](https://github.com/istio/istio/releases) page to - download the installation file corresponding to your OS. On a macOS or - Linux system, you can run the following command to download and - extract the latest release automatically: - - {{< text bash >}} - $ curl -L https://git.io/getLatestIstio | sh - - {{< /text >}} - -1. Move to the Istio package directory . For example, if the package is - istio-{{< istio_version >}}.0: - - {{< text bash >}} - $ cd istio-{{< istio_version >}}.0 - {{< /text >}} - - The installation directory contains: - - * Installation `.yaml` files for Kubernetes in `install/` - * Sample applications in `samples/` - * The `istioctl` client binary in the `bin/` directory. `istioctl` is - used when manually injecting Envoy as a sidecar proxy and for creating - routing rules and policies. - * The `istio.VERSION` configuration file - -1. Add the `istioctl` client to your PATH environment variable, on a macOS or - Linux system: - - {{< text bash >}} - $ export PATH=$PWD/bin:$PATH - {{< /text >}} +1. [Kubernetes platform setup](/docs/setup/kubernetes/platform-setup/). ## Installation steps diff --git a/content_zh/docs/setup/kubernetes/sidecar-injection/index.md b/content_zh/docs/setup/kubernetes/sidecar-injection/index.md index c1061eaad6..041870c83b 100644 --- a/content_zh/docs/setup/kubernetes/sidecar-injection/index.md +++ b/content_zh/docs/setup/kubernetes/sidecar-injection/index.md 
@@ -64,7 +64,7 @@ sleep 1 1 1 1 2h sleep,istio-pro ### Sidecar 的自动注入 -使用 Kubernetes 的 [mutating webhook admission controller](https://kubernetes.io/docs/admin/admission-controllers),可以进行 Sidecar 的自动注入。Kubernetes 1.9 以后的版本才具备这一能力。使用这一功能之前首先要检查 kube-apiserver 的进程,是否具备 `admission-control` 参数,并且这个参数的值中需要包含 `MutatingAdmissionWebhook` 以及 `ValidatingAdmissionWebhook` 两项,并且按照正确的顺序加载,这样才能启用 `admissionregistration` API: +使用 Kubernetes 的 [mutating webhook admission controller](https://kubernetes.io/docs/admin/admission-controllers/),可以进行 Sidecar 的自动注入。Kubernetes 1.9 以后的版本才具备这一能力。使用这一功能之前首先要检查 kube-apiserver 的进程,是否具备 `admission-control` 参数,并且这个参数的值中需要包含 `MutatingAdmissionWebhook` 以及 `ValidatingAdmissionWebhook` 两项,并且按照正确的顺序加载,这样才能启用 `admissionregistration` API: {{< text bash >}} $ kubectl api-versions | grep admissionregistration
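
Review bot: in content/docs/setup/kubernetes/download-release/index.md, step 1 runs `curl -L https://git.io/getLatestIstio | sh -`, which executes whatever the shortened URL resolves to with no chance to inspect or verify it. This page is now the single download entry point that both quick-start and helm-install link to, so consider making the release-page download the primary path, and for the one-liner have the reader save the script to a file and read it before running it, linking the script's canonical location rather than the `git.io` redirect. Minor: "Move to the Istio package directory ." has a stray space before the period.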
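
Review bot: in content/docs/setup/kubernetes/platform-setup/index.md, OpenShift Origin section, `oc adm policy add-scc-to-user privileged -z default -n` grants the privileged SCC to the namespace's `default` service account, so every pod running under that account may request a privileged context, not only the workloads that get a sidecar. Now that this text is a standalone page, state that scope explicitly and suggest a dedicated service account for injected workloads; the same concern applies to the `anyuid` grant to `-z default -n istio-system`. Separately, the Azure check command is broken as written: the line `$ kubectl describe pod --namespace kube-system` has no trailing `\`, so the `$(kubectl get pods ...)` line after it runs as its own command; add the continuation. The note in the same section also says `dns_prefix` is `myclustername` but shows the resource group as `mycluster-5adfba82`; make the two agree.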
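
Review bot: in content/docs/setup/kubernetes/quick-start/index.md (hunk `@@ -10,315 +10,9 @@`), deleting the `## Platform setup` and `## Download and prepare for the installation` sections removes the anchors `#platform-setup`, `#google-kubernetes-engine` and `#download-and-prepare-for-the-installation`, while this patch repoints only the references in the Stackdriver blog post, the endpoints example and helm-install. Search the rest of the tree for links to `quick-start/#...`, including content_zh, whose sidecar-injection page is touched here only for a trailing slash, and update them so readers do not land on a page that no longer carries the content. The Kubernetes 1.9, RBAC and `kubectl` version requirements also vanish from quick-start itself; a one-line mention beside the two prerequisite links would keep the page readable on its own.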