Move each platform setup into its own file (#1948)

Andra Cismaru 2018-07-25 06:30:26 -07:00 committed by Martin Taillefer
parent d67ba5729f
commit 938eb8b40d
20 changed files with 348 additions and 633 deletions


@ -126,6 +126,7 @@ OP_QUERY
OpenID_Connect
OpenSSL
OpenShift
openshift
Ostrowski
PaaS
Papertrail


@ -50,7 +50,7 @@ Common setup for all sinks:
1. Record the ID of the dataset. It will be needed to configure the Stackdriver handler.
It would be of the form `bigquery.googleapis.com/projects/[PROJECT_ID]/datasets/[DATASET_ID]`
1. Give [sinks writer identity](https://cloud.google.com/logging/docs/api/tasks/exporting-logs#writing_to_the_destination): `cloud-logs@system.gserviceaccount.com` BigQuery Data Editor role in IAM.
1. If using [Google Kubernetes Engine](/docs/setup/kubernetes/platform-setup/#google-kubernetes-engine), make sure `bigquery` [Scope](https://cloud.google.com/sdk/gcloud/reference/container/clusters/create) is enabled on the cluster.
1. If using [Google Kubernetes Engine](/docs/setup/kubernetes/gke/), make sure `bigquery` [Scope](https://cloud.google.com/sdk/gcloud/reference/container/clusters/create) is enabled on the cluster.
#### Google Cloud Storage (GCS)
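Review bot: The retargeted link on the `bigquery` scope step sends GKE users to `/docs/setup/kubernetes/gke/`, but if that path is the GKE platform-setup page added in this commit, its `gcloud container clusters create` command passes no `--scopes` flag, so the reader lands on a page that does not show how to enable the scope. Either add the scope to that page's create command or rely on the existing `gcloud` reference link for this step.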
@ -65,7 +65,7 @@ Common setup for all sinks:
1. Recode the ID of the topic. It will be needed to configure Stackdriver.
It would be of the form `pubsub.googleapis.com/projects/[PROJECT_ID]/topics/[TOPIC_ID]`
1. Give [sinks writer identity](https://cloud.google.com/logging/docs/api/tasks/exporting-logs#writing_to_the_destination): `cloud-logs@system.gserviceaccount.com` Pub/Sub Publisher role in IAM.
1. If using [Google Kubernetes Engine](/docs/setup/kubernetes/platform-setup/#google-kubernetes-engine), make sure `pubsub` [Scope](https://cloud.google.com/sdk/gcloud/reference/container/clusters/create) is enabled on the cluster.
1. If using [Google Kubernetes Engine](/docs/setup/kubernetes/gke/), make sure `pubsub` [Scope](https://cloud.google.com/sdk/gcloud/reference/container/clusters/create) is enabled on the cluster.
### Setting up Stackdriver
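Review bot: The first context line of this list still reads "Recode the ID of the topic", where the BigQuery list says "Record the ID of the dataset"; since the hunk already touches this list, fix the typo in the same change. The retargeted GKE link on the `pubsub` scope step also needs a check that the target page actually shows how to enable the scope.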


@ -21,7 +21,7 @@ You may test the service using the following command:
$ curl --request POST --header "content-type:application/json" --data '{"message":"hello world"}' "http://${EXTERNAL_IP}:80/echo?key=${ENDPOINTS_KEY}"
{{< /text >}}
You need to install Istio with [instructions](/docs/setup/kubernetes/platform-setup/#google-kubernetes-engine).
To install Istio for GKE, follow our [Quick Start with Google Kubernetes Engine](/docs/setup/kubernetes/gke).
## HTTP Endpoints service
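Review bot: The new sentence labels `/docs/setup/kubernetes/gke` as "Quick Start with Google Kubernetes Engine", while the Helm page in this commit lists the same path under "Kubernetes platform setup"; confirm which page owns that URL and make the link text match it. The link also drops the trailing slash that the other `/docs/setup/kubernetes/gke/` references in this commit use.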


@ -1,7 +1,7 @@
---
title: Installation with Ansible
description: Install Istio with the included Ansible playbook.
weight: 40
weight: 4
keywords: [kubernetes,ansible]
---


@ -0,0 +1,72 @@
---
title: Platform setup for Amazon Web Services
description: Instructions to setup the AWS with Kops cluster for Istio.
weight: 14
keywords: [aws]
---
To setup the AWS with Kops cluster for Istio, follow these instructions:
When you install a new cluster with Kubernetes version 1.9, the prerequisite to
enable `admissionregistration.k8s.io/v1beta1` is covered.
Nevertheless, you must update the list of admission controllers.
1. Open the configuration file:
{{< text bash >}}
$ kops edit cluster $YOURCLUSTER
{{< /text >}}
1. Add the following in the configuration file:
{{< text yaml >}}
kubeAPIServer:
admissionControl:
- NamespaceLifecycle
- LimitRanger
- ServiceAccount
- PersistentVolumeLabel
- DefaultStorageClass
- DefaultTolerationSeconds
- MutatingAdmissionWebhook
- ValidatingAdmissionWebhook
- ResourceQuota
- NodeRestriction
- Priority
{{< /text >}}
1. Perform the update:
{{< text bash >}}
$ kops update cluster
$ kops update cluster --yes
{{< /text >}}
1. Launch the rolling update:
{{< text bash >}}
$ kops rolling-update cluster
$ kops rolling-update cluster --yes
{{< /text >}}
1. Validate the update with the `kubectl` client on the `kube-api` pod, you
should see new admission controller:
{{< text bash >}}
$ for i in `kubectl \
get pods -nkube-system | grep api | awk '{print $1}'` ; \
do kubectl describe pods -nkube-system \
$i | grep "/usr/local/bin/kube-apiserver" ; done
{{< /text >}}
1. Review the output:
{{< text plain >}}
[...]
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,
PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,
MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,
NodeRestriction,Priority
[...]
{{< /text >}}
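Review bot: Step 2 says to "Add the following", but `kubeAPIServer.admissionControl` sets the complete admission controller list (the expected `--admission-control=` output in the last step is exactly this list), so a cluster that already enables a controller missing from it, for example `PodSecurityPolicy`, would lose that controller on the rolling update. Say that the block replaces the current value and that existing entries must be merged in. Steps 3 and 4 also call `kops update cluster` and `kops rolling-update cluster` without the `$YOURCLUSTER` argument used in step 1, and the validation loop's `grep api` matches any `kube-system` pod with "api" in its name.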


@ -0,0 +1,98 @@
---
title: Platform setup for Azure
description: Instructions to setup the Azure cluster for Istio.
weight: 15
keywords: [azure]
---
To setup the Azure cluster for Istio, follow these instructions:
You can deploy a Kubernetes cluster to Azure via [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/) or [ACS-Engine](https://github.com/azure/acs-engine) which fully supports Istio.
## Instructions for AKS
You can create an AKS cluster via [the az cli](https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough) or [the Azure portal](https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal).
For the `az` cli option, complete `az login` authentication OR use cloud shell, then run the following commands below.
1. Determine the desired region name which supports AKS
{{< text bash >}}
$ az provider list --query "[?namespace=='Microsoft.ContainerService'].resourceTypes[] | [?resourceType=='managedClusters'].locations[]" -o tsv
{{< /text >}}
1. Verify the supported Kubernetes versions for the desired region
Replace `my location` using the desired region value from the above step, and then execute:
{{< text bash >}}
$ az aks get-versions --location "my location" --query "orchestrators[].orchestratorVersion"
{{< /text >}}
Ensure `1.10.5` is listed or choose a different value greater than or equal to `1.9.6`.
1. Create the resource group and deploy the AKS cluster
Replace `myResourceGroup` and `myAKSCluster` with desired names, `my location` using the value from step 1, `1.10.5` if not supported in the region, and then execute:
{{< text bash >}}
$ az group create --name myResourceGroup --location "my location"
$ az aks create --resource-group myResourceGroup --name myAKSCluster --node-count 3 --kubernetes-version 1.10.5 --generate-ssh-keys
{{< /text >}}
1. Get the AKS `kubeconfig` credentials
Replace `myResourceGroup` and `myAKSCluster` with the names from the previous step and execute:
{{< text bash >}}
$ az aks get-credentials --resource-group myResourceGroup --name myAKSCluster
{{< /text >}}
## Instructions for ACS-Engine
1. [Follow the instructions](https://github.com/Azure/acs-engine/blob/master/docs/acsengine.md#install) to get and install the `acs-engine` binary.
1. Download the `acs-engine` API model definition that supports deploying Istio:
{{< text bash >}}
$ wget https://raw.githubusercontent.com/Azure/acs-engine/master/examples/service-mesh/istio.json
{{< /text >}}
Note: It is possible to use other api model definitions which will work with Istio. The MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission control flags and RBAC are enabled by default on 1.9 or later clusters. See [acs-engine api model default values](https://github.com/Azure/acs-engine/blob/master/docs/clusterdefinition.md) for further information.
1. Deploy your cluster using the `istio.json` template. You can find references
to the parameters in the
[official docs](https://github.com/Azure/acs-engine/blob/master/docs/kubernetes/deploy.md#step-3-edit-your-cluster-definition).
| Parameter | Expected value |
|---------------------------------------|----------------------------|
| `subscription_id` | Azure Subscription Id |
| `dns_prefix` | Cluster DNS Prefix |
| `location` | Cluster Location |
{{< text bash >}}
$ acs-engine deploy --subscription-id <subscription_id> \
--dns-prefix <dns_prefix> --location <location> --auto-suffix \
--api-model istio.json
{{< /text >}}
> After a few minutes, you can find your cluster on your Azure subscription
> in a resource group called `<dns_prefix>-<id>`. Assuming `dns_prefix` has
> the value `myclustername`, a valid resource group with a unique cluster
> ID is `mycluster-5adfba82`. The `acs-engine` generates your `kubeconfig`
> file in the `_output` folder.
1. Use the `<dns_prefix>-<id>` cluster ID, to copy your `kubeconfig` to your
machine from the `_output` folder:
{{< text bash >}}
$ cp _output/<dns_prefix>-<id>/kubeconfig/kubeconfig.<location>.json \
~/.kube/config
{{< /text >}}
For example:
{{< text bash >}}
$ cp _output/mycluster-5adfba82/kubeconfig/kubeconfig.westus2.json \
~/.kube/config
{{< /text >}}
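Review bot: The `wget` in the ACS-Engine section fetches `istio.json` from the `master` branch, so the cluster definition a reader deploys can change without this page changing; point the URL at a tagged release or a commit instead. In the blockquote after the deploy command, the example says `dns_prefix` is `myclustername` but the resulting resource group is `mycluster-5adfba82`; make the two agree. The final `cp ... ~/.kube/config` overwrites any kubeconfig the reader already has, which deserves a sentence or a `KUBECONFIG`-based alternative.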


@ -1,7 +1,7 @@
---
title: Download the Istio release
description: Instructions to download the Istio release.
weight: 10
weight: 9
keywords: [kubernetes]
---


@ -0,0 +1,36 @@
---
title: Platform setup for Google Kubernetes Engine
description: Instructions to setup the Google Kubernetes Engine cluster for Istio.
weight: 11
keywords: [kubernetes,gke,google]
---
To setup the Google Kubernetes Engine cluster for Istio, follow these instructions:
1. Create a new cluster.
{{< text bash >}}
$ gcloud container clusters create <cluster-name> \
--cluster-version=1.10.5-gke.0 \
--zone <zone> \
--project <project-id>
{{< /text >}}
1. Retrieve your credentials for `kubectl`.
{{< text bash >}}
$ gcloud container clusters get-credentials <cluster-name> \
--zone <zone> \
--project <project-id>
{{< /text >}}
1. Grant cluster administrator (admin) permissions to the current user. To
create the necessary RBAC rules for Istio, the current user requires admin
permissions.
{{< text bash >}}
$ kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
--user=$(gcloud config get-value core/account)
{{< /text >}}
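Review bot: Step 3 binds the current user to `cluster-admin` through `kubectl create clusterrolebinding cluster-admin-binding`, and the page gives no indication of how long the binding should stay; since the stated reason is only "to create the necessary RBAC rules for Istio", say whether it can be deleted after the install. The `--user=$(gcloud config get-value core/account)` substitution uses whichever account is currently active in `gcloud`, so tell the reader to check that value before running the command.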


@ -1,7 +1,7 @@
---
title: Installation with Helm
description: Install Istio with the included Helm chart.
weight: 30
weight: 3
keywords: [kubernetes,helm]
aliases:
- /docs/setup/kubernetes/helm.html
@ -17,7 +17,13 @@ plane and the sidecars for the Istio data plane.
1. [Download the Istio release](/docs/setup/kubernetes/download-release/).
1. [Kubernetes platform setup](/docs/setup/kubernetes/platform-setup/).
1. Kubernetes platform setup
* [Minikube](/docs/setup/kubernetes/minikube/)
* [Google Container Engine (GKE)](/docs/setup/kubernetes/gke/)
* [IBM Cloud Kubernetes Service (IKS)](/docs/setup/kubernetes/ibm/)
* [Openshift Origin](/docs/setup/kubernetes/openshift/)
* [Amazon Web Services (AWS) with Kops](/docs/setup/kubernetes/aws/)
* [Azure](/docs/setup/kubernetes/azure/)
1. [Install the Helm client](https://docs.helm.sh/using_helm/#installing-helm).
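Review bot: The new sub-list labels the GKE entry "Google Container Engine (GKE)" and the OpenShift entry "Openshift Origin", while the page bodies in this commit write "Google Kubernetes Engine" and "OpenShift"; use the same product names here. Inlining the six platform links also means every page that carries this prerequisite must be edited when a platform is added, so consider keeping one index page to link to.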


@ -0,0 +1,35 @@
---
title: Platform setup for IBM Cloud Kubernetes Service
description: Instructions to setup the IBM Cloud Kubernetes Service (IKS) cluster for Istio.
weight: 12
keywords: [ibm,iks]
---
To setup the IBM Cloud Kubernetes Service (IKS) cluster for Istio, follow these instructions:
## IBM Cloud Kubernetes Service (IKS)
1. Create a new lite cluster.
{{< text bash >}}
$ bx cs cluster-create --name <cluster-name> --kube-version 1.9.7
{{< /text >}}
Alternatively, you can create a new paid cluster:
{{< text bash >}}
$ bx cs cluster-create --location location --machine-type u2c.2x4 \
--name <cluster-name> --kube-version 1.9.7
{{< /text >}}
1. Retrieve your credentials for `kubectl`. Replace `<cluster-name>` with the
name of the cluster you want to use:
{{< text bash >}}
$(bx cs cluster-config <cluster-name>|grep "export KUBECONFIG")
{{< /text >}}
## IBM Cloud Private
[Configure the kubectl CLI](https://www.ibm.com/support/knowledgecenter/SSBS6K_2.1.0/manage_cluster/cfc_cli.html)
to access the IBM Cloud Private Cluster.
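Review bot: The front matter title and description name only IBM Cloud Kubernetes Service, but the file also carries an "IBM Cloud Private" section; widen the title or move that section to its own page. In the paid-cluster command, `--location location` uses a bare word where the rest of the page uses `<cluster-name>` style placeholders, and the credentials step starts with `$(bx cs cluster-config ...` with no `$ ` prompt, unlike the other commands on the page.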


@ -1,7 +1,7 @@
---
title: Mesh Expansion
description: Instructions for integrating VMs and bare metal hosts into an Istio mesh deployed on Kubernetes.
weight: 60
weight: 5
keywords: [kubernetes,vms]
---


@ -0,0 +1,29 @@
---
title: Platform setup for Minikube
description: Instructions to setup Minikube for use with Istio
weight: 10
keywords: [kubernetes,minikube]
---
To setup the Kubernetes cluster for Istio with Minikube, follow these instructions:
1. To run Istio locally, install the latest version of
[Minikube](https://kubernetes.io/docs/setup/minikube/), version **0.28.0 or
later**.
1. Select a
[VM driver](https://kubernetes.io/docs/setup/minikube/#quickstart)
and substitute `your_vm_driver_choice` below with the installed virtual
machine (VM) driver.
On Kubernetes **1.9**:
{{< text bash >}}
$ minikube start --memory=4096 --kubernetes-version=v1.9.4 --vm-driver=`your_vm_driver_choice`
{{< /text >}}
On Kubernetes **1.10**:
{{< text bash >}}
$ minikube start --memory=4096 --kubernetes-version=v1.10.0 --vm-driver=`your_vm_driver_choice`
{{< /text >}}
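Review bot: Both `minikube start` lines put the placeholder after `--vm-driver=` inside backticks within a `bash` block, where backticks mean command substitution; a reader who replaces only the name and keeps the backticks has the shell try to run the driver name as a command. Use a `<your_vm_driver_choice>` style placeholder, as the GKE and IBM pages do for their values, and update the sentence in step 2 to match.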


@ -1,7 +1,7 @@
---
title: Istio Multicluster
description: Install Istio with multicluster support.
weight: 65
weight: 6
keywords: [kubernetes,multicluster]
---


@ -0,0 +1,41 @@
---
title: Platform setup for Openshift
description: Instructions to setup the Openshift cluster for Istio.
weight: 13
keywords: [openshift]
---
To setup the Openshift cluster for Istio, follow these instructions:
By default, OpenShift doesn't allow containers running with user ID 0.
Enable containers running with UID 0 for Istio's service accounts:
{{< text bash >}}
$ oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z default -n istio-system
$ oc adm policy add-scc-to-user anyuid -z prometheus -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-egressgateway-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-citadel-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-ingressgateway-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-cleanup-old-ca-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-mixer-post-install-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-mixer-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-pilot-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-sidecar-injector-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-galley-service-account -n istio-system
{{< /text >}}
The list above accounts for the default Istio service accounts. If you enabled
other Istio services, like _Grafana_ for example, you need to enable its
service account with a similar command.
A service account that runs application pods needs privileged security context
constraints as part of sidecar injection.
{{< text bash >}}
$ oc adm policy add-scc-to-user privileged -z default -n <target-namespace>
{{< /text >}}
> Check for `SELINUX` in this [discussion](https://github.com/istio/issues/issues/34)
> with respect to Istio in case you see issues bringing up the Envoy.
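Review bot: The last command grants the `privileged` SCC to the `default` service account of the target namespace, which is the account every pod there runs as unless it names another one, and the text does not say which part of sidecar injection needs it. State the reason and recommend a dedicated service account for injected workloads, or at least spell out how wide the grant is; the same applies to `anyuid` on `default` in `istio-system`. The title and description also write "Openshift" while the body writes "OpenShift".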


@ -1,283 +0,0 @@
---
title: Kubernetes platform setup
description: Instructions to setup the Kubernetes cluster for Istio.
weight: 10
keywords: [kubernetes]
---
Follow these instructions to setup the Kubernetes cluster for Istio.
## Prerequisites
The following instructions require:
* Access to a Kubernetes **1.9 or newer** cluster with
[RBAC (Role-Based Access Control)](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
enabled.
* [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/) **1.9 or
newer** installed. Version **1.10** is recommended.
> If you installed Istio 0.2.x,
> [uninstall](https://archive.istio.io/v0.2/docs/setup/kubernetes/quick-start#uninstalling)
> it completely before installing the newer version. Remember to uninstall
> the Istio sidecar for all Istio enabled application pods too.
## Platform setup
This section describes the setup in different Kubernetes providers.
### Minikube
1. To run Istio locally, install the latest version of
[Minikube](https://kubernetes.io/docs/setup/minikube/), version **0.28.0 or
later**.
1. Select a
[VM driver](https://kubernetes.io/docs/setup/minikube/#quickstart)
and substitute `your_vm_driver_choice` below with the installed virtual
machine (VM) driver.
On Kubernetes **1.9**:
{{< text bash >}}
$ minikube start --memory=4096 --kubernetes-version=v1.9.4 \
--vm-driver=`your_vm_driver_choice`
{{< /text >}}
On Kubernetes **1.10**:
{{< text bash >}}
$ minikube start --memory=4096 --kubernetes-version=v1.10.0 \
--vm-driver=`your_vm_driver_choice`
{{< /text >}}
### Google Kubernetes Engine
1. Create a new cluster.
{{< text bash >}}
$ gcloud container clusters create <cluster-name> \
--cluster-version=1.10.5-gke.0 \
--zone <zone> \
--project <project-id>
{{< /text >}}
1. Retrieve your credentials for `kubectl`.
{{< text bash >}}
$ gcloud container clusters get-credentials <cluster-name> \
--zone <zone> \
--project <project-id>
{{< /text >}}
1. Grant cluster administrator (admin) permissions to the current user. To
create the necessary RBAC rules for Istio, the current user requires admin
permissions.
{{< text bash >}}
$ kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
--user=$(gcloud config get-value core/account)
{{< /text >}}
### IBM Cloud Kubernetes Service (IKS)
1. Create a new lite cluster.
{{< text bash >}}
$ bx cs cluster-create --name <cluster-name> --kube-version 1.9.7
{{< /text >}}
Alternatively, you can create a new paid cluster:
{{< text bash >}}
$ bx cs cluster-create --location location --machine-type u2c.2x4 \
--name <cluster-name> --kube-version 1.9.7
{{< /text >}}
1. Retrieve your credentials for `kubectl`. Replace `<cluster-name>` with the
name of the cluster you want to use:
{{< text bash >}}
$(bx cs cluster-config <cluster-name>|grep "export KUBECONFIG")
{{< /text >}}
### IBM Cloud Private
[Configure the kubectl CLI](https://www.ibm.com/support/knowledgecenter/SSBS6K_2.1.0/manage_cluster/cfc_cli.html)
to access the IBM Cloud Private Cluster.
### OpenShift Origin
By default, OpenShift doesn't allow containers running with user ID (UID) 0.
Enable containers running with UID 0 for Istio's service accounts:
{{< text bash >}}
$ oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid -z default -n istio-system
$ oc adm policy add-scc-to-user anyuid -z prometheus -n istio-system
$ oc adm policy add-scc-to-user anyuid \
-z istio-egressgateway-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-citadel-service-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid \
-z istio-ingressgateway-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid \
-z istio-cleanup-old-ca-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-mixer-post-install-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-mixer-service-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-pilot-service-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid \
-z istio-sidecar-injector-service-account -n istio-system
{{< /text >}}
The list above accounts for the default Istio service accounts. If you enabled
other Istio services, like _Grafana_ for example, you need to enable its
service account with a similar command.
A service account that runs application pods needs privileged security context
constraints as part of sidecar injection.
{{< text bash >}}
$ oc adm policy add-scc-to-user privileged -z default -n <target-namespace>
{{< /text >}}
> Check for `SELINUX` in this [discussion](https://github.com/istio/issues/issues/34)
> with respect to Istio in case you see issues bringing up the Envoy.
### AWS with Kops
When you install a new cluster with Kubernetes version 1.9, the prerequisite to
enable `admissionregistration.k8s.io/v1beta1` is covered.
Nevertheless, you must update the list of admission controllers.
1. Open the configuration file:
{{< text bash >}}
$ kops edit cluster $YOURCLUSTER
{{< /text >}}
1. Add the following in the configuration file:
{{< text yaml >}}
kubeAPIServer:
admissionControl:
- NamespaceLifecycle
- LimitRanger
- ServiceAccount
- PersistentVolumeLabel
- DefaultStorageClass
- DefaultTolerationSeconds
- MutatingAdmissionWebhook
- ValidatingAdmissionWebhook
- ResourceQuota
- NodeRestriction
- Priority
{{< /text >}}
1. Perform the update:
{{< text bash >}}
$ kops update cluster
$ kops update cluster --yes
{{< /text >}}
1. Launch the rolling update:
{{< text bash >}}
$ kops rolling-update cluster
$ kops rolling-update cluster --yes
{{< /text >}}
1. Validate the update with the `kubectl` client on the `kube-api` pod, you
should see new admission controller:
{{< text bash >}}
$ for i in `kubectl \
get pods -nkube-system | grep api | awk '{print $1}'` ; \
do kubectl describe pods -nkube-system \
$i | grep "/usr/local/bin/kube-apiserver" ; done
{{< /text >}}
1. Review the output:
{{< text plain >}}
[...]
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,
PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,
MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,
NodeRestriction,Priority
[...]
{{< /text >}}
### Azure
You must use `ACS-Engine` to deploy your cluster.
1. Follow the instructions to get and install the `acs-engine` binary with
[their instructions](https://github.com/Azure/acs-engine/blob/master/docs/acsengine.md#install).
1. Download Istio's `api model definition`:
{{< text bash >}}
$ wget https://raw.githubusercontent.com/Azure/acs-engine/master/examples/service-mesh/istio.json
{{< /text >}}
1. Deploy your cluster using the `istio.json` template. You can find references
to the parameters in the
[official docs](https://github.com/Azure/acs-engine/blob/master/docs/kubernetes/deploy.md#step-3-edit-your-cluster-definition).
| Parameter | Expected value |
|---------------------------------------|----------------------------|
| `subscription_id` | Azure Subscription Id |
| `dns_prefix` | Cluster DNS Prefix |
| `location` | Cluster Location |
{{< text bash >}}
$ acs-engine deploy --subscription-id <subscription_id> \
--dns-prefix <dns_prefix> --location <location> --auto-suffix \
--api-model istio.json
{{< /text >}}
> After a few minutes, you can find your cluster on your Azure subscription
> in a resource group called `<dns_prefix>-<id>`. Assuming `dns_prefix` has
> the value `myclustername`, a valid resource group with a unique cluster
> ID is `mycluster-5adfba82`. The `acs-engine` generates your `kubeconfig`
> file in the `_output` folder.
1. Use the `<dns_prefix>-<id>` cluster ID, to copy your `kubeconfig` to your
machine from the `_output` folder:
{{< text bash >}}
$ cp _output/<dns_prefix>-<id>/kubeconfig/kubeconfig.<location>.json \
~/.kube/config
{{< /text >}}
For example:
{{< text bash >}}
$ cp _output/mycluster-5adfba82/kubeconfig/kubeconfig.westus2.json \
~/.kube/config
{{< /text >}}
1. Check if the right Istio flags were deployed:
{{< text bash >}}
$ kubectl describe pod --namespace kube-system
$(kubectl get pods --namespace kube-system | grep api | cut -d ' ' -f 1) \
| grep admission-control
{{< /text >}}
1. Confirm the `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook`
flags are present:
{{< text plain >}}
--admission-control=...,MutatingAdmissionWebhook,...,
ValidatingAdmissionWebhook,...
{{< /text >}}
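Review bot: Deleting this page removes the `/docs/setup/kubernetes/platform-setup/` URL and its `#google-kubernetes-engine` style anchors, and none of the new per-platform files shown in this commit carries an `aliases:` entry like the one in the Helm page's front matter, so existing links to the old URL will break. Add an alias on one of the new pages or keep a stub that links to them. Azure steps 5 and 6 here, which check the API server for `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook`, are not carried into the new Azure page; confirm that dropping the verification is intended.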


@ -1,8 +1,8 @@
---
title: Quick Start with Google Kubernetes Engine
description: Quick Start instructions to setup the Istio service using Google Kubernetes Engine (GKE)
weight: 11
keywords: [kubernetes,gke]
weight: 2
keywords: [kubernetes,gke,google]
---
Quick Start instructions to install and run Istio in [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) (GKE) using [Google Cloud Deployment Manager](https://cloud.google.com/deployment-manager/).


@ -1,350 +1,24 @@
---
title: Quick Start with Kubernetes
description: Instructions to setup the Istio service mesh in a Kubernetes cluster.
weight: 10
weight: 1
keywords: [kubernetes]
---
Follow these instructions to install and configure Istio in a Kubernetes
cluster.
To install and configure Istio in a Kubernetes
cluster, follow these instructions:
## Prerequisites
1. [Download the Istio release](/docs/setup/kubernetes/download-release/).
1. [Kubernetes platform setup](/docs/setup/kubernetes/platform-setup/).
* Access to a Kubernetes **1.9 or newer** cluster with
[RBAC (Role-Based Access Control)](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
enabled.
* [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/) **1.9 or
newer** installed. Version **1.10** is recommended.
> If you installed Istio 0.2.x,
> [uninstall](https://archive.istio.io/v0.2/docs/setup/kubernetes/quick-start#uninstalling)
> it completely before installing the newer version. Remember to uninstall
> the Istio sidecar for all Istio enabled application pods too.
### Setup Minikube
1. To install Istio locally, install the latest version of
[Minikube](https://kubernetes.io/docs/setup/minikube/), version **0.28.0 or
later**.
1. Select a
[VM driver](https://kubernetes.io/docs/tasks/tools/install-minikube/#install-a-hypervisor)
and substitute `your_vm_driver_choice` below with the installed virtual
machine (VM) driver.
On Kubernetes **1.9**:
{{< text bash >}}
$ minikube start --memory=4096 --kubernetes-version=v1.9.4 \
--vm-driver=`your_vm_driver_choice`
{{< /text >}}
On Kubernetes **1.10**:
{{< text bash >}}
$ minikube start --memory=4096 --kubernetes-version=v1.10.0 \
--vm-driver=`your_vm_driver_choice`
{{< /text >}}
### Google Kubernetes Engine
1. Create a new cluster.
{{< text bash >}}
$ gcloud container clusters create <cluster-name> \
--cluster-version=1.10.5-gke.0 \
--zone <zone> \
--project <project-id>
{{< /text >}}
1. Retrieve your credentials for `kubectl`.
{{< text bash >}}
$ gcloud container clusters get-credentials <cluster-name> \
--zone <zone> \
--project <project-id>
{{< /text >}}
1. Grant cluster administrator (admin) permissions to the current user. To
create the necessary RBAC rules for Istio, the current user requires admin
permissions.
{{< text bash >}}
$ kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
--user=$(gcloud config get-value core/account)
{{< /text >}}
### IBM Cloud Kubernetes Service (IKS)
1. Create a new lite cluster.
{{< text bash >}}
$ bx cs cluster-create --name <cluster-name> --kube-version 1.9.7
{{< /text >}}
Alternatively, you can create a new paid cluster:
{{< text bash >}}
$ bx cs cluster-create --location location --machine-type u2c.2x4 \
--name <cluster-name> --kube-version 1.9.7
{{< /text >}}
1. Retrieve your credentials for `kubectl`. Replace `<cluster-name>` with the
name of the cluster you want to use:
{{< text bash >}}
$(bx cs cluster-config <cluster-name>|grep "export KUBECONFIG")
{{< /text >}}
### IBM Cloud Private
[Configure the kubectl CLI](https://www.ibm.com/support/knowledgecenter/SSBS6K_2.1.0/manage_cluster/cfc_cli.html)
to access the IBM Cloud Private Cluster.
### OpenShift Origin
By default, OpenShift doesn't allow containers running with user ID (UID) 0.
Enable containers running with UID 0 for Istio's service accounts:
{{< text bash >}}
$ oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid -z default -n istio-system
$ oc adm policy add-scc-to-user anyuid -z prometheus -n istio-system
$ oc adm policy add-scc-to-user anyuid \
-z istio-egressgateway-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-citadel-service-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid \
-z istio-ingressgateway-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid \
-z istio-cleanup-old-ca-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-mixer-post-install-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-mixer-service-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-pilot-service-account \
-n istio-system
$ oc adm policy add-scc-to-user anyuid \
-z istio-sidecar-injector-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z istio-galley-service-account \
-n istio-system
{{< /text >}}
The list above accounts for the default Istio service accounts. If you enabled
other Istio services, like _Grafana_ for example, you need to enable its
service account with a similar command.
A service account that runs application pods needs privileged security context
constraints as part of sidecar injection.
{{< text bash >}}
$ oc adm policy add-scc-to-user privileged -z default -n <target-namespace>
{{< /text >}}
> Check for `SELINUX` in this [discussion](https://github.com/istio/issues/issues/34)
> with respect to Istio in case you see issues bringing up the Envoy.
### AWS with Kops
When you install a new cluster with Kubernetes version 1.9, the prerequisite to
enable `admissionregistration.k8s.io/v1beta1` is covered.
Nevertheless, you must update the list of admission controllers.
1. Open the configuration file:
{{< text bash >}}
$ kops edit cluster $YOURCLUSTER
{{< /text >}}
1. Add the following in the configuration file:
{{< text yaml >}}
kubeAPIServer:
admissionControl:
- NamespaceLifecycle
- LimitRanger
- ServiceAccount
- PersistentVolumeLabel
- DefaultStorageClass
- DefaultTolerationSeconds
- MutatingAdmissionWebhook
- ValidatingAdmissionWebhook
- ResourceQuota
- NodeRestriction
- Priority
{{< /text >}}
1. Perform the update:
{{< text bash >}}
$ kops update cluster
$ kops update cluster --yes
{{< /text >}}
1. Launch the rolling update:
{{< text bash >}}
$ kops rolling-update cluster
$ kops rolling-update cluster --yes
{{< /text >}}
1. Validate the update with the `kubectl` client on the `kube-api` pod, you
should see new admission controller:
{{< text bash >}}
$ for i in `kubectl \
get pods -nkube-system | grep api | awk '{print $1}'` ; \
do kubectl describe pods -nkube-system \
$i | grep "/usr/local/bin/kube-apiserver" ; done
{{< /text >}}
1. Review the output:
{{< text plain >}}
[...]
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,
PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,
MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,
NodeRestriction,Priority
[...]
{{< /text >}}
### Azure
You can deploy a Kubernetes cluster to Azure via [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/) or [ACS-Engine](https://github.com/azure/acs-engine) which fully supports Istio.
#### Instructions for AKS
You can create an AKS cluster via [the az cli](https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough) or [the Azure portal](https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal).
For the `az` cli option, complete `az login` authentication OR use cloud shell, then run the following commands below.
1. Determine the desired region name which supports AKS
{{< text bash >}}
$ az provider list --query "[?namespace=='Microsoft.ContainerService'].resourceTypes[] | [?resourceType=='managedClusters'].locations[]" -o tsv
{{< /text >}}
1. Verify the supported Kubernetes versions for the desired region
Replace `my location` using the desired region value from the above step, and then execute:
{{< text bash >}}
$ az aks get-versions --location "my location" --query "orchestrators[].orchestratorVersion"
{{< /text >}}
Ensure `1.10.5` is listed or choose a different value greater than or equal to `1.9.6`.
1. Create the resource group and deploy the AKS cluster
Replace `myResourceGroup` and `myAKSCluster` with desired names, `my location` using the value from step 1, `1.10.5` if not supported in the region, and then execute:
{{< text bash >}}
$ az group create --name myResourceGroup --location "my location"
$ az aks create --resource-group myResourceGroup --name myAKSCluster --node-count 3 --kubernetes-version 1.10.5 --generate-ssh-keys
{{< /text >}}
1. Get the AKS `kubeconfig` credentials
Replace `myResourceGroup` and `myAKSCluster` with the names from the previous step and execute:
{{< text bash >}}
$ az aks get-credentials --resource-group myResourceGroup --name myAKSCluster
{{< /text >}}
#### Instructions for ACS-Engine
1. [Follow the instructions](https://github.com/Azure/acs-engine/blob/master/docs/acsengine.md#install) to get and install the `acs-engine` binary.
1. Download the `acs-engine` API model definition that supports deploying Istio:
{{< text bash >}}
$ wget https://raw.githubusercontent.com/Azure/acs-engine/master/examples/service-mesh/istio.json
{{< /text >}}
Note: It is possible to use other api model definitions which will work with Istio. The MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission control flags and RBAC are enabled by default on 1.9 or later clusters. See [acs-engine api model default values](https://github.com/Azure/acs-engine/blob/master/docs/clusterdefinition.md) for further information.
1. Deploy your cluster using the `istio.json` template. You can find references
to the parameters in the
[official docs](https://github.com/Azure/acs-engine/blob/master/docs/kubernetes/deploy.md#step-3-edit-your-cluster-definition).
| Parameter | Expected value |
|---------------------------------------|----------------------------|
| `subscription_id` | Azure Subscription Id |
| `dns_prefix` | Cluster DNS Prefix |
| `location` | Cluster Location |
{{< text bash >}}
$ acs-engine deploy --subscription-id <subscription_id> \
--dns-prefix <dns_prefix> --location <location> --auto-suffix \
--api-model istio.json
{{< /text >}}
> After a few minutes, you can find your cluster on your Azure subscription
> in a resource group called `<dns_prefix>-<id>`. Assuming `dns_prefix` has
> the value `myclustername`, a valid resource group with a unique cluster
> ID is `mycluster-5adfba82`. The `acs-engine` generates your `kubeconfig`
> file in the `_output` folder.
1. Use the `<dns_prefix>-<id>` cluster ID, to copy your `kubeconfig` to your
machine from the `_output` folder:
{{< text bash >}}
$ cp _output/<dns_prefix>-<id>/kubeconfig/kubeconfig.<location>.json \
~/.kube/config
{{< /text >}}
For example:
{{< text bash >}}
$ cp _output/mycluster-5adfba82/kubeconfig/kubeconfig.westus2.json \
~/.kube/config
{{< /text >}}
## Download and prepare for the installation
Istio is installed in its own `istio-system` namespace and can manage
services from all other namespaces.
1. Go to the [Istio release](https://github.com/istio/istio/releases) page to
download the installation file corresponding to your OS. On a macOS or
Linux system, you can run the following command to download and
extract the latest release automatically:
{{< text bash >}}
$ curl -L https://git.io/getLatestIstio | sh -
{{< /text >}}
1. Move to the Istio package directory . For example, if the package is
istio-{{< istio_version >}}.0:
{{< text bash >}}
$ cd istio-{{< istio_version >}}.0
{{< /text >}}
The installation directory contains:
* Installation `.yaml` files for Kubernetes in `install/`
* Sample applications in `samples/`
* The `istioctl` client binary in the `bin/` directory. `istioctl` is
used when manually injecting Envoy as a sidecar proxy and for creating
routing rules and policies.
* The `istio.VERSION` configuration file
1. Add the `istioctl` client to your PATH environment variable, on a macOS or
Linux system:
{{< text bash >}}
$ export PATH=$PWD/bin:$PATH
{{< /text >}}
1. Kubernetes platform setup
* [Minikube](/docs/setup/kubernetes/minikube/)
* [Google Container Engine (GKE)](/docs/setup/kubernetes/gke/)
* [IBM Cloud Kubernetes Service (IKS)](/docs/setup/kubernetes/ibm/)
* [Openshift Origin](/docs/setup/kubernetes/openshift/)
* [Amazon Web Services (AWS) with Kops](/docs/setup/kubernetes/aws/)
* [Azure](/docs/setup/kubernetes/azure/)
## Installation steps
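Review bot: The labels in the "Kubernetes platform setup" list at the end of this hunk are inconsistent with the rest of the commit: the GKE entry reads "Google Container Engine (GKE)" while the links updated in the Stackdriver page call the same target "Google Kubernetes Engine", and "Openshift Origin" does not match the "OpenShift" casing already in the spelling list. Suggest `[Google Kubernetes Engine (GKE)](/docs/setup/kubernetes/gke/)` and `[OpenShift Origin](/docs/setup/kubernetes/openshift/)`. The item text "1. Kubernetes platform setup" also has no verb, unlike the neighbouring steps ("Go to", "Move to", "Add"), so a wording such as "Set up your Kubernetes platform:" would read as a step rather than a heading.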

View File

@ -1,7 +1,7 @@
---
title: Installing the Istio sidecar
description: Instructions for installing the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI.
weight: 50
weight: 3
keywords: [kubernetes,sidecar,sidecar-injection]
aliases:
- /docs/setup/kubernetes/automatic-sidecar-inject.html

View File

@ -1,7 +1,7 @@
---
title: Upgrading Istio
description: Demonstrates how to upgrade the Istio control plane and data plane independently.
weight: 70
weight: 7
keywords: [kubernetes,upgrading]
---

View File

@ -14,7 +14,13 @@ aliases:
## 先决条件
1. [下载 Istio 的发布版本](/docs/setup/kubernetes/download-release/)。
1. [在 Kubernetes 中安装 Istio](/docs/setup/kubernetes/platform-setup/)
1. [在 Kubernetes 中安装 Istio]
* [Minikube](/docs/setup/kubernetes/minikube/)
* [Google Container Engine (GKE)](/docs/setup/kubernetes/gke/)
* [IBM Cloud Kubernetes Service (IKS)](/docs/setup/kubernetes/ibm/)
* [Openshift Origin](/docs/setup/kubernetes/openshift/)
* [Amazon Web Services (AWS) with Kops](/docs/setup/kubernetes/aws/)
* [Azure](/docs/setup/kubernetes/azure/)
## 安装步骤
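Review bot: The replacement line `1. [在 Kubernetes 中安装 Istio]` keeps the square brackets but drops the link target, so it will render with literal brackets instead of as plain step text; remove the brackets and end the line with a colon so it introduces the platform list. The six list entries under it are left in English on this translated page and carry over the "Google Container Engine (GKE)" and "Openshift Origin" labels, so any naming fix made in the English list should be mirrored here.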