Istio: Running the ingress gateway on every node

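Problem description

I am using an external TCP/UDP network load balancer (Fortigate), Kubernetes 1.20.6 and Istio 1.9.4. I have set externalTrafficPolicy: Local and need to run the ingress gateway on every node (as described in the Network Load Balancer tab). How do I do that?

This is my ingress gateway service: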

kind: Service
apiVersion: v1
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  uid: d1a86f50-ad14-415f-9c1e-d186fd72cb31
  resourceVersion: '1063961'
  creationTimestamp: '2021-04-28T19:25:37Z'
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: unknown
    install.operator.istio.io/owning-resource-namespace: istio-system
    istio: ingressgateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    operator.istio.io/managed: Reconcile
    operator.istio.io/version: 1.9.4
    release: istio
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app":"istio-ingressgateway","install.operator.istio.io/owning-resource":"unknown","install.operator.istio.io/owning-resource-namespace":"istio-system","istio":"ingressgateway","istio.io/rev":"default","operator.istio.io/component":"IngressGateways","operator.istio.io/managed":"Reconcile","operator.istio.io/version":"1.9.4","release":"istio"},"name":"istio-ingressgateway","namespace":"istio-system"},"spec":{"ports":[{"name":"status-port","port":15021,"protocol":"TCP","targetPort":15021},{"name":"http2","port":80,"protocol":"TCP","targetPort":8080},{"name":"https","port":443,"protocol":"TCP","targetPort":8443},{"name":"tcp-istiod","port":15012,"protocol":"TCP","targetPort":15012},{"name":"tls","port":15443,"protocol":"TCP","targetPort":15443}],"selector":{"app":"istio-ingressgateway","istio":"ingressgateway"},"type":"LoadBalancer"}}
  managedFields:
    - manager: istio-operator
      operation: Apply
      apiVersion: v1
      time: '2021-05-04T18:02:38Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            'f:kubectl.kubernetes.io/last-applied-configuration': {}
          'f:labels':
            'f:app': {}
            'f:install.operator.istio.io/owning-resource': {}
            'f:install.operator.istio.io/owning-resource-namespace': {}
            'f:istio': {}
            'f:istio.io/rev': {}
            'f:operator.istio.io/component': {}
            'f:operator.istio.io/managed': {}
            'f:operator.istio.io/version': {}
            'f:release': {}
        'f:spec':
          'f:ports':
            'k:{"port":80,"protocol":"TCP"}':
              .: {}
              'f:name': {}
              'f:port': {}
              'f:protocol': {}
              'f:targetPort': {}
            'k:{"port":443,"protocol":"TCP"}':
              .: {}
              'f:name': {}
              'f:port': {}
              'f:protocol': {}
              'f:targetPort': {}
            'k:{"port":15012,"protocol":"TCP"}':
              .: {}
              'f:name': {}
              'f:port': {}
              'f:protocol': {}
              'f:targetPort': {}
            'k:{"port":15021,"protocol":"TCP"}':
              .: {}
              'f:name': {}
              'f:port': {}
              'f:protocol': {}
              'f:targetPort': {}
            'k:{"port":15443,"protocol":"TCP"}':
              .: {}
              'f:name': {}
              'f:port': {}
              'f:protocol': {}
              'f:targetPort': {}
          'f:selector':
            'f:app': {}
            'f:istio': {}
          'f:type': {}
    - manager: kubectl-patch
      operation: Update
      apiVersion: v1
      time: '2021-05-04T18:01:23Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:spec':
          'f:externalIPs': {}
          'f:externalTrafficPolicy': {}
          'f:type': {}
  selfLink: /api/v1/namespaces/istio-system/services/istio-ingressgateway
spec:
  ports:
    - name: status-port
      protocol: TCP
      port: 15021
      targetPort: 15021
      nodePort: 30036
    - name: http2
      protocol: TCP
      port: 80
      targetPort: 8080
      nodePort: 32415
    - name: https
      protocol: TCP
      port: 443
      targetPort: 8443
      nodePort: 32418
    - name: tcp-istiod
      protocol: TCP
      port: 15012
      targetPort: 15012
      nodePort: 31529
    - name: tls
      protocol: TCP
      port: 15443
      targetPort: 15443
      nodePort: 30478
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  clusterIP: 10.103.72.212
  clusterIPs:
    - 10.103.72.212
  type: LoadBalancer
  externalIPs:
    - 10.43.34.38
    - 10.43.34.77
  sessionAffinity: None
  externalTrafficPolicy: Local
  healthCheckNodePort: 30788
status:
  loadBalancer: {}

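The firewall has these two addresses, 10.43.34.38 and 10.43.34.77, and relays requests to two K8S nodes on ports 32415 (http) and 32415 (https).

Tags: kubernetes, istio, istio-gateway

Solution

As brgsousa mentioned in the comments, the solution was to redeploy it as a DaemonSet.

This is the working yaml file: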

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    accessLogFile: /dev/stdout
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        overlays:
        - apiVersion: apps/v1
          kind: Deployment
          name: istio-ingressgateway
          patches:
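          # Turn the generated Deployment into a DaemonSet: one gateway pod per node.
          - path: kind
            value: DaemonSet
          # No value: removes spec.strategy, which a DaemonSet does not accept.
          - path: spec.strategy
          # DaemonSet counterpart of the rollout strategy.
          - path: spec.updateStrategy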
            value:
              rollingUpdate:
                maxUnavailable: 50%
              type: RollingUpdate
    egressGateways:
    - name: istio-egressgateway
      enabled: true
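
A check for the condition this question turns on, as an added example that is not part of the original question or answer: with externalTrafficPolicy: Local, a node that has no local ingress gateway pod cannot serve traffic relayed to its nodePort, so the script lists such nodes. The node names and pod placements are constructed sample data, and the function name nodes_without_gateway is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): list nodes with no Running
# ingress gateway pod. With externalTrafficPolicy: Local, traffic relayed to
# such a node's nodePort has no local endpoint to reach.
#
# On a live cluster the two inputs would come from:
#   kubectl get nodes --no-headers -o custom-columns=NAME:.metadata.name
#   kubectl -n istio-system get pods -l istio=ingressgateway --no-headers \
#     -o custom-columns=NODE:.spec.nodeName,PHASE:.status.phase

# nodes_without_gateway NODES PODS   (hypothetical helper name)
#   NODES: one node name per line
#   PODS:  one "<node> <phase>" pair per line
nodes_without_gateway() {
    printf '%s\n' "$1" | while IFS= read -r node; do
        [ -n "$node" ] || continue
        # awk exits 0 only if a Running gateway pod is bound to this node.
        if ! printf '%s\n' "$2" | awk -v n="$node" \
            '$1 == n && $2 == "Running" { found = 1 } END { exit !found }'
        then
            printf '%s\n' "$node"
        fi
    done
}

# Constructed sample data: three nodes, a Deployment-style placement that
# leaves one node empty and one pod still Pending.
SAMPLE_NODES='node-a
node-b
node-c'
SAMPLE_PODS='node-a Running
node-b Pending'

missing=$(nodes_without_gateway "$SAMPLE_NODES" "$SAMPLE_PODS")
if [ -n "$missing" ]; then
    printf 'nodes without a Running ingress gateway pod:\n%s\n' "$missing"
fi
```

After the DaemonSet overlay has rolled out, the same check on live kubectl output should print nothing for every node the firewall relays to.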
