Istio
This quick guide will guide you on how to use Istio.
This quick guide will guide you on how to use Istio.
| Port | Protocol | Used by Description |
|---|---|---|
| 15000 | TCP | Envoy Envoy admin port (commands/diagnostics) |
| 15001 | TCP | Envoy Envoy Outbound |
| 15006 | TCP | Envoy Envoy Inbound |
| 15020 | HTTP | Envoy Istio agent Prometheus telemetry |
| 15021 | HTTP | Envoy Health checks |
| 15090 | HTTP | Envoy Envoy Prometheus telemetry |
| 15010 | GRPC | Istiod XDS and CA services (plaintext) |
| 15012 | GRPC | Istiod XDS and CA services (TLS) |
| 8080 | HTTP | Istiod Debug interface |
| 443 | HTTPS | Istiod Webhooks |
| 15014 | HTTP | Mixer, Istiod Control plane monitoring |
| 15443 | TLS | Ingress and Egress Gateways SNI |
| 9090 | HTTP | Prometheus Prometheus |
| 42422 | TCP | Mixer Telemetry - Prometheus |
| 15004 | HTTP | Mixer, Pilot Policy/Telemetry - mTLS |
| 9091 | HTTP | Mixer Policy/Telemetry |
Install
istioctl
1curl -L https://istio.io/downloadIstio | sh -# or visit https://istio.io/downloadIstio, execute the shell script which is download, or visit https://github.com/istio/istio/releases to download
2# Set evironment variable
3cd istio-1.19.3
4export PATH=$PWD/bin:$PATH
5# List setting template
6istioctl profile list
7istioctl install # default
8# Set istio (Optional)
9# k label namespace default istio-injection=enabled
10#kubectl label namespace default istio-injection=enabledUninstall
istioctl
1istioctl x uninstall --purge
2istioctl x uninstall <your original installation options>
3istioctl manifest generate <your original installation options> | kubectl delete -f -
4kubectl delete namespace istio-systemAdd-ons
kubectl
1kubectl apply -f samples/addons
2kubectl rollout status deployment/kiali -n istio-system
3kubectl apply -f samples/addons/prometheus.yaml #grafana, jaeger, kiali, loki, prometheus
4istioctl dashboard kiali
5kubectl delete -f samples/addons
6Optimize
istio-system
1kubectl edit cm istio-sidecar-injector -n istio-system
2# Change the requests as following json
3k delete po istiod-64d75d6b98-kg7x4 -n istio-systemistio yaml
1"resources": {
2 "limits": {
3 "cpu": "2000m",
4 "memory": "1024Mi"
5 },
6 "requests": {
7 "cpu": "100m", //need to change
8 "memory": "128Mi" // need to change
9 }
10},Idiom
istioctl
1istioctl profile list
2istioctl profile dump default
3istioctl profile diff default demo
4istioctl manifest generate > $HOME/generated-manifest.yaml
5istioctl verify-install -f $HOME/generated-manifest.yamlIssue
JWT Issue
1info JWT policy is first-party-jwt
2Missing JWT token, can't use in process SDS /var/run/secrets/kubernetes.io/serviceaccount/tokenstat /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
3Missing JWT, can't authenticate with control plane. Try using plain text (15010)deployment > template > spec (automountServiceAccountToken: true)
Upload File Issue
1kubectl describe pod kube-apiserver -n kube-system | grep 'service-cluster-ip-range'
2# --service-cluster-ip-range=10.96.0.0/12
3./istioctl profile list
4./istioctl install --set values.global.proxy.includeIPRanges="10.96.0.0/12"
5# 清除值
6#./istioctl install --set values.global.proxy.includeIPRanges=""