Extract platform prerequisites (#1834)

* Extract platform prerequisites

* Reorg

* Remove the inner pages from the menu

* Conform to the site directory structure

* Fix the link wording to match the title of the link and the uppercase

* Fix lint errors

* more lint errors
Andra Cismaru 2018-07-17 22:49:37 -07:00 committed by istio-bot
parent f3a5f3e078
commit 78b4c20adf
7 changed files with 335 additions and 317 deletions


@ -50,7 +50,7 @@ Common setup for all sinks:
1. Record the ID of the dataset. It will be needed to configure the Stackdriver handler. 1. Record the ID of the dataset. It will be needed to configure the Stackdriver handler.
It would be of the form `bigquery.googleapis.com/projects/[PROJECT_ID]/datasets/[DATASET_ID]` It would be of the form `bigquery.googleapis.com/projects/[PROJECT_ID]/datasets/[DATASET_ID]`
1. Give [sinks writer identity](https://cloud.google.com/logging/docs/api/tasks/exporting-logs#writing_to_the_destination): `cloud-logs@system.gserviceaccount.com` BigQuery Data Editor role in IAM. 1. Give [sinks writer identity](https://cloud.google.com/logging/docs/api/tasks/exporting-logs#writing_to_the_destination): `cloud-logs@system.gserviceaccount.com` BigQuery Data Editor role in IAM.
1. If using [Google Kubernetes Engine](/docs/setup/kubernetes/quick-start/#google-kubernetes-engine), make sure `bigquery` [Scope](https://cloud.google.com/sdk/gcloud/reference/container/clusters/create) is enabled on the cluster. 1. If using [Google Kubernetes Engine](/docs/setup/kubernetes/platform-setup/#google-kubernetes-engine), make sure `bigquery` [Scope](https://cloud.google.com/sdk/gcloud/reference/container/clusters/create) is enabled on the cluster.
#### Google Cloud Storage (GCS) #### Google Cloud Storage (GCS)
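Review bot: The retargeted Google Kubernetes Engine link in the last list item now lands on a section that says nothing about scopes: the GKE section of the new platform-setup page shows `gcloud container clusters create` with only `--cluster-version`, `--zone` and `--project`. A reader who follows the link and copies that command gets a cluster without the `bigquery` scope this step requires. Either state here that the scope has to be passed at cluster creation (`--scopes`), or add a sentence about optional scopes to the GKE section of the new page.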
@ -65,7 +65,7 @@ Common setup for all sinks:
1. Recode the ID of the topic. It will be needed to configure Stackdriver. 1. Recode the ID of the topic. It will be needed to configure Stackdriver.
It would be of the form `pubsub.googleapis.com/projects/[PROJECT_ID]/topics/[TOPIC_ID]` It would be of the form `pubsub.googleapis.com/projects/[PROJECT_ID]/topics/[TOPIC_ID]`
1. Give [sinks writer identity](https://cloud.google.com/logging/docs/api/tasks/exporting-logs#writing_to_the_destination): `cloud-logs@system.gserviceaccount.com` Pub/Sub Publisher role in IAM. 1. Give [sinks writer identity](https://cloud.google.com/logging/docs/api/tasks/exporting-logs#writing_to_the_destination): `cloud-logs@system.gserviceaccount.com` Pub/Sub Publisher role in IAM.
1. If using [Google Kubernetes Engine](/docs/setup/kubernetes/quick-start/#google-kubernetes-engine), make sure `pubsub` [Scope](https://cloud.google.com/sdk/gcloud/reference/container/clusters/create) is enabled on the cluster. 1. If using [Google Kubernetes Engine](/docs/setup/kubernetes/platform-setup/#google-kubernetes-engine), make sure `pubsub` [Scope](https://cloud.google.com/sdk/gcloud/reference/container/clusters/create) is enabled on the cluster.
### Setting up Stackdriver ### Setting up Stackdriver
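Review bot: The first context line of this hunk reads "Recode the ID of the topic"; since this list is being edited anyway, change it to "Record", which is the wording the BigQuery step uses. The retargeted link in the last item also points at a GKE section whose cluster-creation command does not enable the `pubsub` scope, so the sentence "make sure `pubsub` Scope is enabled" should say how, or the new page should.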


@ -21,7 +21,7 @@ You may test the service using the following command:
$ curl --request POST --header "content-type:application/json" --data '{"message":"hello world"}' "http://${EXTERNAL_IP}:80/echo?key=${ENDPOINTS_KEY}" $ curl --request POST --header "content-type:application/json" --data '{"message":"hello world"}' "http://${EXTERNAL_IP}:80/echo?key=${ENDPOINTS_KEY}"
{{< /text >}} {{< /text >}}
You need to install Istio with [instructions](/docs/setup/kubernetes/quick-start/#google-kubernetes-engine). You need to install Istio with [instructions](/docs/setup/kubernetes/platform-setup/#google-kubernetes-engine).
## HTTP Endpoints service ## HTTP Endpoints service
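Review bot: The changed line still reads "You need to install Istio with [instructions]", but its new target, platform-setup, only prepares the cluster (create it, fetch credentials, grant cluster-admin) and contains no Istio installation steps. Reword the sentence so the link text matches the target title, "Kubernetes platform setup", as the commit message says was done elsewhere, and add a second link to the page that actually carries the installation steps.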


@ -0,0 +1,43 @@
---
title: Download the Istio release
description: Instructions to download the Istio release.
weight: 10
keywords: [kubernetes]
---
## Download and prepare for the installation
Istio is installed in its own `istio-system` namespace and can manage
services from all other namespaces.
1. Go to the [Istio release](https://github.com/istio/istio/releases) page to
download the installation file corresponding to your OS. On a macOS or
Linux system, you can run the following command to download and
extract the latest release automatically:
{{< text bash >}}
$ curl -L https://git.io/getLatestIstio | sh -
{{< /text >}}
1. Move to the Istio package directory . For example, if the package is
istio-{{< istio_version >}}.0:
{{< text bash >}}
$ cd istio-{{< istio_version >}}.0
{{< /text >}}
The installation directory contains:
* Installation `.yaml` files for Kubernetes in `install/`
* Sample applications in `samples/`
* The `istioctl` client binary in the `bin/` directory. `istioctl` is
used when manually injecting Envoy as a sidecar proxy and for creating
routing rules and policies.
* The `istio.VERSION` configuration file
1. Add the `istioctl` client to your PATH environment variable, on a macOS or
Linux system:
{{< text bash >}}
$ export PATH=$PWD/bin:$PATH
{{< /text >}}
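Review bot: Step 1 pipes `curl -L https://git.io/getLatestIstio` straight into `sh`, so the reader executes whatever the shortened URL redirects to at that moment, with no pinned version and no integrity check. Lead with the manual download from the releases page that the same step already links, and present the one-liner as a convenience with the advice to save the script to a file and read it before running it. Smaller points in the same hunk: "Move to the Istio package directory ." has a stray space before the period, and the sentence "Istio is installed in its own `istio-system` namespace" describes installation rather than download, so it reads oddly as the opening of this page.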


@ -15,11 +15,9 @@ plane and the sidecars for the Istio data plane.
## Prerequisites ## Prerequisites
1. [Setup Istio in 1. [Download the Istio release](/docs/setup/kubernetes/download-release/).
Kubernetes](/docs/setup/kubernetes/quick-start/#platform-setup).
1. [Download](/docs/setup/kubernetes/quick-start/#download-and-prepare-for-the-installation) 1. [Kubernetes platform setup](/docs/setup/kubernetes/platform-setup/).
the latest Istio release.
1. [Install the Helm client](https://docs.helm.sh/using_helm/#installing-helm). 1. [Install the Helm client](https://docs.helm.sh/using_helm/#installing-helm).


@ -0,0 +1,283 @@
---
title: Kubernetes platform setup
description: Instructions to setup the Kubernetes cluster for Istio.
weight: 10
keywords: [kubernetes]
---
Follow these instructions to setup the Kubernetes cluster for Istio.
## Prerequisites
The following instructions require:
* Access to a Kubernetes **1.9 or newer** cluster with
[RBAC (Role-Based Access Control)](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
enabled.
* [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/) **1.9 or
newer** installed. Version **1.10** is recommended.
> If you installed Istio 0.2.x,
> [uninstall](https://archive.istio.io/v0.2/docs/setup/kubernetes/quick-start#uninstalling)
> it completely before installing the newer version. Remember to uninstall
> the Istio sidecar for all Istio enabled application pods too.
## Platform setup
This section describes the setup in different Kubernetes providers.
### Minikube
1. To run Istio locally, install the latest version of
[Minikube](https://kubernetes.io/docs/setup/minikube/), version **0.28.0 or
later**.
1. Select a
[VM driver](https://kubernetes.io/docs/setup/minikube/#quickstart)
and substitute `your_vm_driver_choice` below with the installed virtual
machine (VM) driver.
On Kubernetes **1.9**:
{{< text bash >}}
$ minikube start --memory=4096 --kubernetes-version=v1.9.4 \
--vm-driver=`your_vm_driver_choice`
{{< /text >}}
On Kubernetes **1.10**:
{{< text bash >}}
$ minikube start --memory=4096 --kubernetes-version=v1.10.0 \
--vm-driver=`your_vm_driver_choice`
{{< /text >}}
### Google Kubernetes Engine
1. Create a new cluster.
{{< text bash >}}
$ gcloud container clusters create <cluster-name> \
--cluster-version=1.10.5-gke.0 \
--zone <zone> \
--project <project-id>
{{< /text >}}
1. Retrieve your credentials for `kubectl`.
{{< text bash >}}
$ gcloud container clusters get-credentials <cluster-name> \
--zone <zone> \
--project <project-id>
{{< /text >}}
1. Grant cluster administrator (admin) permissions to the current user. To
create the necessary RBAC rules for Istio, the current user requires admin
permissions.
{{< text bash >}}
$ kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
--user=$(gcloud config get-value core/account)
{{< /text >}}
### IBM Cloud Kubernetes Service (IKS)
1. Create a new lite cluster.
{{< text bash >}}
$ bx cs cluster-create --name <cluster-name> --kube-version 1.9.7
{{< /text >}}
Alternatively, you can create a new paid cluster:
{{< text bash >}}
$ bx cs cluster-create --location location --machine-type u2c.2x4 \
--name <cluster-name> --kube-version 1.9.7
{{< /text >}}
1. Retrieve your credentials for `kubectl`. Replace `<cluster-name>` with the
name of the cluster you want to use:
{{< text bash >}}
$(bx cs cluster-config <cluster-name>|grep "export KUBECONFIG")
{{< /text >}}
### IBM Cloud Private
[Configure the kubectl CLI](https://www.ibm.com/support/knowledgecenter/SSBS6K_2.1.0/manage_cluster/cfc_cli.html)
to access the IBM Cloud Private Cluster.
### OpenShift Origin
By default, OpenShift doesn't allow containers running with user ID (UID) 0.
Enable containers running with UID 0 for Istio's service accounts:
{{< text bash >}}
$ oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid -z default -n istio-system
$ oc adm policy add-scc-to-user anyuid -z prometheus -n istio-system
$ oc adm policy add-scc-to-user anyuid \
-z istio-egressgateway-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-citadel-service-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid \
-z istio-ingressgateway-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid \
-z istio-cleanup-old-ca-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-mixer-post-install-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-mixer-service-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-pilot-service-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid \
-z istio-sidecar-injector-service-account -n istio-system
{{< /text >}}
The list above accounts for the default Istio service accounts. If you enabled
other Istio services, like _Grafana_ for example, you need to enable its
service account with a similar command.
A service account that runs application pods needs privileged security context
constraints as part of sidecar injection.
{{< text bash >}}
$ oc adm policy add-scc-to-user privileged -z default -n <target-namespace>
{{< /text >}}
> Check for `SELINUX` in this [discussion](https://github.com/istio/issues/issues/34)
> with respect to Istio in case you see issues bringing up the Envoy.
### AWS with Kops
When you install a new cluster with Kubernetes version 1.9, the prerequisite to
enable `admissionregistration.k8s.io/v1beta1` is covered.
Nevertheless, you must update the list of admission controllers.
1. Open the configuration file:
{{< text bash >}}
$ kops edit cluster $YOURCLUSTER
{{< /text >}}
1. Add the following in the configuration file:
{{< text yaml >}}
kubeAPIServer:
admissionControl:
- NamespaceLifecycle
- LimitRanger
- ServiceAccount
- PersistentVolumeLabel
- DefaultStorageClass
- DefaultTolerationSeconds
- MutatingAdmissionWebhook
- ValidatingAdmissionWebhook
- ResourceQuota
- NodeRestriction
- Priority
{{< /text >}}
1. Perform the update:
{{< text bash >}}
$ kops update cluster
$ kops update cluster --yes
{{< /text >}}
1. Launch the rolling update:
{{< text bash >}}
$ kops rolling-update cluster
$ kops rolling-update cluster --yes
{{< /text >}}
1. Validate the update with the `kubectl` client on the `kube-api` pod, you
should see new admission controller:
{{< text bash >}}
$ for i in `kubectl \
get pods -nkube-system | grep api | awk '{print $1}'` ; \
do kubectl describe pods -nkube-system \
$i | grep "/usr/local/bin/kube-apiserver" ; done
{{< /text >}}
1. Review the output:
{{< text plain >}}
[...]
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,
PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,
MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,
NodeRestriction,Priority
[...]
{{< /text >}}
### Azure
You must use `ACS-Engine` to deploy your cluster.
1. Follow the instructions to get and install the `acs-engine` binary with
[their instructions](https://github.com/Azure/acs-engine/blob/master/docs/acsengine.md#install).
1. Download Istio's `api model definition`:
{{< text bash >}}
$ wget https://raw.githubusercontent.com/Azure/acs-engine/master/examples/service-mesh/istio.json
{{< /text >}}
1. Deploy your cluster using the `istio.json` template. You can find references
to the parameters in the
[official docs](https://github.com/Azure/acs-engine/blob/master/docs/kubernetes/deploy.md#step-3-edit-your-cluster-definition).
| Parameter | Expected value |
|---------------------------------------|----------------------------|
| `subscription_id` | Azure Subscription Id |
| `dns_prefix` | Cluster DNS Prefix |
| `location` | Cluster Location |
{{< text bash >}}
$ acs-engine deploy --subscription-id <subscription_id> \
--dns-prefix <dns_prefix> --location <location> --auto-suffix \
--api-model istio.json
{{< /text >}}
> After a few minutes, you can find your cluster on your Azure subscription
> in a resource group called `<dns_prefix>-<id>`. Assuming `dns_prefix` has
> the value `myclustername`, a valid resource group with a unique cluster
> ID is `mycluster-5adfba82`. The `acs-engine` generates your `kubeconfig`
> file in the `_output` folder.
1. Use the `<dns_prefix>-<id>` cluster ID, to copy your `kubeconfig` to your
machine from the `_output` folder:
{{< text bash >}}
$ cp _output/<dns_prefix>-<id>/kubeconfig/kubeconfig.<location>.json \
~/.kube/config
{{< /text >}}
For example:
{{< text bash >}}
$ cp _output/mycluster-5adfba82/kubeconfig/kubeconfig.westus2.json \
~/.kube/config
{{< /text >}}
1. Check if the right Istio flags were deployed:
{{< text bash >}}
$ kubectl describe pod --namespace kube-system
$(kubectl get pods --namespace kube-system | grep api | cut -d ' ' -f 1) \
| grep admission-control
{{< /text >}}
1. Confirm the `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook`
flags are present:
{{< text plain >}}
--admission-control=...,MutatingAdmissionWebhook,...,
ValidatingAdmissionWebhook,...
{{< /text >}}
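Review bot: In the Azure step "Check if the right Istio flags were deployed", the line `$ kubectl describe pod --namespace kube-system` has no trailing `\`, so the `$(kubectl get pods ...)` on the next line runs as a separate command instead of supplying the pod name; add the line continuation. In the same section the note says `dns_prefix` has the value `myclustername` while the example resource group is `mycluster-5adfba82`; make the two agree. In the OpenShift section, `oc adm policy add-scc-to-user privileged -z default -n <target-namespace>` grants the privileged SCC to the namespace's `default` service account, which applies to every pod there that does not name its own service account; the text should say that explicitly and suggest a dedicated service account for injected workloads. The page also uses "setup" as a verb in the description and first sentence ("Instructions to setup"), which should be "set up".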


@ -1,5 +1,5 @@
--- ---
title: Istio Setup in Kubernetes title: Quick Start with Kubernetes
description: Instructions to setup the Istio service mesh in a Kubernetes cluster. description: Instructions to setup the Istio service mesh in a Kubernetes cluster.
weight: 10 weight: 10
keywords: [kubernetes] keywords: [kubernetes]
@ -10,315 +10,9 @@ cluster.
## Prerequisites ## Prerequisites
The following instructions require: 1. [Download the Istio release](/docs/setup/kubernetes/download-release/).
* Access to a Kubernetes **1.9 or newer** cluster with 1. [Kubernetes platform setup](/docs/setup/kubernetes/platform-setup/).
[RBAC (Role-Based Access Control)](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
enabled.
* [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/) **1.9 or
newer** installed. Version **1.10** is recommended.
> If you installed Istio 0.2.x,
> [uninstall](https://archive.istio.io/v0.2/docs/setup/kubernetes/quick-start#uninstalling)
> it completely before installing the newer version. Remember to uninstall
> the Istio sidecar for all Istio enabled application pods too.
## Platform setup
This section describes the setup in different platforms.
### Setup Minikube
1. To install Istio locally, install the latest version of
[Minikube](https://kubernetes.io/docs/setup/minikube/), version **0.28.0 or
later**.
1. Select a
[VM driver](https://kubernetes.io/docs/setup/minikube/#quickstart)
and substitute `your_vm_driver_choice` below with the installed virtual
machine (VM) driver.
On Kubernetes **1.9**:
{{< text bash >}}
$ minikube start --memory=4096 --kubernetes-version=v1.9.4 \
--vm-driver=`your_vm_driver_choice`
{{< /text >}}
On Kubernetes **1.10**:
{{< text bash >}}
$ minikube start --memory=4096 --kubernetes-version=v1.10.0 \
--vm-driver=`your_vm_driver_choice`
{{< /text >}}
### Google Kubernetes Engine
1. Create a new cluster.
{{< text bash >}}
$ gcloud container clusters create <cluster-name> \
--cluster-version=1.10.5-gke.0 \
--zone <zone> \
--project <project-id>
{{< /text >}}
1. Retrieve your credentials for `kubectl`.
{{< text bash >}}
$ gcloud container clusters get-credentials <cluster-name> \
--zone <zone> \
--project <project-id>
{{< /text >}}
1. Grant cluster administrator (admin) permissions to the current user. To
create the necessary RBAC rules for Istio, the current user requires admin
permissions.
{{< text bash >}}
$ kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
--user=$(gcloud config get-value core/account)
{{< /text >}}
### IBM Cloud Kubernetes Service (IKS)
1. Create a new lite cluster.
{{< text bash >}}
$ bx cs cluster-create --name <cluster-name> --kube-version 1.9.7
{{< /text >}}
Alternatively, you can create a new paid cluster:
{{< text bash >}}
$ bx cs cluster-create --location location --machine-type u2c.2x4 \
--name <cluster-name> --kube-version 1.9.7
{{< /text >}}
1. Retrieve your credentials for `kubectl`. Replace `<cluster-name>` with the
name of the cluster you want to use:
{{< text bash >}}
$(bx cs cluster-config <cluster-name>|grep "export KUBECONFIG")
{{< /text >}}
### IBM Cloud Private
[Configure the kubectl CLI](https://www.ibm.com/support/knowledgecenter/SSBS6K_2.1.0/manage_cluster/cfc_cli.html)
to access the IBM Cloud Private Cluster.
### OpenShift Origin
By default, OpenShift doesn't allow containers running with user ID (UID) 0.
Enable containers running with UID 0 for Istio's service accounts:
{{< text bash >}}
$ oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid -z default -n istio-system
$ oc adm policy add-scc-to-user anyuid -z prometheus -n istio-system
$ oc adm policy add-scc-to-user anyuid \
-z istio-egressgateway-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-citadel-service-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid \
-z istio-ingressgateway-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid \
-z istio-cleanup-old-ca-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-mixer-post-install-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-mixer-service-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-pilot-service-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid \
-z istio-sidecar-injector-service-account -n istio-system
{{< /text >}}
The list above accounts for the default Istio service accounts. If you enabled
other Istio services, like _Grafana_ for example, you need to enable its
service account with a similar command.
A service account that runs application pods needs privileged security context
constraints as part of sidecar injection.
{{< text bash >}}
$ oc adm policy add-scc-to-user privileged -z default -n <target-namespace>
{{< /text >}}
> Check for `SELINUX` in this [discussion](https://github.com/istio/issues/issues/34)
> with respect to Istio in case you see issues bringing up the Envoy.
### AWS with Kops
When you install a new cluster with Kubernetes version 1.9, the prerequisite to
enable `admissionregistration.k8s.io/v1beta1` is covered.
Nevertheless, you must update the list of admission controllers.
1. Open the configuration file:
{{< text bash >}}
$ kops edit cluster $YOURCLUSTER
{{< /text >}}
1. Add the following in the configuration file:
{{< text yaml >}}
kubeAPIServer:
admissionControl:
- NamespaceLifecycle
- LimitRanger
- ServiceAccount
- PersistentVolumeLabel
- DefaultStorageClass
- DefaultTolerationSeconds
- MutatingAdmissionWebhook
- ValidatingAdmissionWebhook
- ResourceQuota
- NodeRestriction
- Priority
{{< /text >}}
1. Perform the update:
{{< text bash >}}
$ kops update cluster
$ kops update cluster --yes
{{< /text >}}
1. Launch the rolling update:
{{< text bash >}}
$ kops rolling-update cluster
$ kops rolling-update cluster --yes
{{< /text >}}
1. Validate the update with the `kubectl` client on the `kube-api` pod, you
should see new admission controller:
{{< text bash >}}
$ for i in `kubectl \
get pods -nkube-system | grep api | awk '{print $1}'` ; \
do kubectl describe pods -nkube-system \
$i | grep "/usr/local/bin/kube-apiserver" ; done
{{< /text >}}
1. Review the output:
{{< text plain >}}
[...]
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,
PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,
MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,
NodeRestriction,Priority
[...]
{{< /text >}}
### Azure
You must use `ACS-Engine` to deploy your cluster.
1. Follow the instructions to get and install the `acs-engine` binary with
[their instructions](https://github.com/Azure/acs-engine/blob/master/docs/acsengine.md#install).
1. Download Istio's `api model definition`:
{{< text bash >}}
$ wget https://raw.githubusercontent.com/Azure/acs-engine/master/examples/service-mesh/istio.json
{{< /text >}}
1. Deploy your cluster using the `istio.json` template. You can find references
to the parameters in the
[official docs](https://github.com/Azure/acs-engine/blob/master/docs/kubernetes/deploy.md#step-3-edit-your-cluster-definition).
| Parameter | Expected value |
|---------------------------------------|----------------------------|
| `subscription_id` | Azure Subscription Id |
| `dns_prefix` | Cluster DNS Prefix |
| `location` | Cluster Location |
{{< text bash >}}
$ acs-engine deploy --subscription-id <subscription_id> \
--dns-prefix <dns_prefix> --location <location> --auto-suffix \
--api-model istio.json
{{< /text >}}
> After a few minutes, you can find your cluster on your Azure subscription
> in a resource group called `<dns_prefix>-<id>`. Assuming `dns_prefix` has
> the value `myclustername`, a valid resource group with a unique cluster
> ID is `mycluster-5adfba82`. The `acs-engine` generates your `kubeconfig`
> file in the `_output` folder.
1. Use the `<dns_prefix>-<id>` cluster ID, to copy your `kubeconfig` to your
machine from the `_output` folder:
{{< text bash >}}
$ cp _output/<dns_prefix>-<id>/kubeconfig/kubeconfig.<location>.json \
~/.kube/config
{{< /text >}}
For example:
{{< text bash >}}
$ cp _output/mycluster-5adfba82/kubeconfig/kubeconfig.westus2.json \
~/.kube/config
{{< /text >}}
1. Check if the right Istio flags were deployed:
{{< text bash >}}
$ kubectl describe pod --namespace kube-system
$(kubectl get pods --namespace kube-system | grep api | cut -d ' ' -f 1) \
| grep admission-control
{{< /text >}}
1. Confirm the `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook`
flags are present:
{{< text plain >}}
--admission-control=...,MutatingAdmissionWebhook,...,
ValidatingAdmissionWebhook,...
{{< /text >}}
## Download and prepare for the installation
Istio is installed in its own `istio-system` namespace and can manage
services from all other namespaces.
1. Go to the [Istio release](https://github.com/istio/istio/releases) page to
download the installation file corresponding to your OS. On a macOS or
Linux system, you can run the following command to download and
extract the latest release automatically:
{{< text bash >}}
$ curl -L https://git.io/getLatestIstio | sh -
{{< /text >}}
1. Move to the Istio package directory . For example, if the package is
istio-{{< istio_version >}}.0:
{{< text bash >}}
$ cd istio-{{< istio_version >}}.0
{{< /text >}}
The installation directory contains:
* Installation `.yaml` files for Kubernetes in `install/`
* Sample applications in `samples/`
* The `istioctl` client binary in the `bin/` directory. `istioctl` is
used when manually injecting Envoy as a sidecar proxy and for creating
routing rules and policies.
* The `istio.VERSION` configuration file
1. Add the `istioctl` client to your PATH environment variable, on a macOS or
Linux system:
{{< text bash >}}
$ export PATH=$PWD/bin:$PATH
{{< /text >}}
## Installation steps ## Installation steps
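Review bot: Removing the `## Platform setup`, `### Google Kubernetes Engine` and `## Download and prepare for the installation` headings from quick-start deletes the anchors `#platform-setup`, `#google-kubernetes-engine` and `#download-and-prepare-for-the-installation` that other pages link to. This commit updates the references visible in the other hunks, but any remaining link to `quick-start/#...` will now land at the top of the page without an error. Search the content tree for `quick-start/#` before merging. Note also that this is not a pure move: the removed heading was "### Setup Minikube" with "To install Istio locally", while the new page has "### Minikube" with "To run Istio locally", so inbound links to `#setup-minikube` need the new anchor name as well.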


@ -64,7 +64,7 @@ sleep 1 1 1 1 2h sleep,istio-pro
### Sidecar 的自动注入 ### Sidecar 的自动注入
使用 Kubernetes 的 [mutating webhook admission controller](https://kubernetes.io/docs/admin/admission-controllers),可以进行 Sidecar 的自动注入。Kubernetes 1.9 以后的版本才具备这一能力。使用这一功能之前首先要检查 kube-apiserver 的进程,是否具备 `admission-control` 参数,并且这个参数的值中需要包含 `MutatingAdmissionWebhook` 以及 `ValidatingAdmissionWebhook` 两项,并且按照正确的顺序加载,这样才能启用 `admissionregistration` API 使用 Kubernetes 的 [mutating webhook admission controller](https://kubernetes.io/docs/admin/admission-controllers/),可以进行 Sidecar 的自动注入。Kubernetes 1.9 以后的版本才具备这一能力。使用这一功能之前首先要检查 kube-apiserver 的进程,是否具备 `admission-control` 参数,并且这个参数的值中需要包含 `MutatingAdmissionWebhook` 以及 `ValidatingAdmissionWebhook` 两项,并且按照正确的顺序加载,这样才能启用 `admissionregistration` API
{{< text bash >}} {{< text bash >}}
$ kubectl api-versions | grep admissionregistration $ kubectl api-versions | grep admissionregistration