我的书签
添加书签
移除书签Install Istio with an External Control Plane
This feature is currently considered alpha.
External control plane cluster and remote cluster
Requirements
This guide requires that you have two Kubernetes clusters with any of the supported Kubernetes versions: 1.17, 1.18, 1.19, 1.20.
The first cluster contains the external control plane installed in the namespace. An ingress gateway is also installed in the istio-system namespace to provide mesh sidecars access to the external control plane.
The second cluster is a remote cluster running the mesh workloads. Its Kubernetes API server also provides the configuration for the control plane (istiod) running in the external cluster.
The Kubernetes API server in the remote cluster must be accessible to the external control plane cluster. Many cloud providers make API servers publicly accessible via network load balancers (NLBs). If the API server is not directly accessible, you will have to modify the installation procedure to enable access. For example, the gateway used in the multi-network and primary-remote configurations could also be used to enable access to the API server.
The following environment variables will be used throughout to simplify the instructions:
Set the CTX_EXTERNAL_CLUSTER, CTX_REMOTE_CLUSTER, and REMOTE_CLUSTER_NAME now. You will set the others later.
Cluster configuration
Create the Istio install configuration for the ingress gateway that exposes the external control plane ports to other clusters:
$ cat <<EOF > controlplane-gateway.yamlapiVersion: install.istio.io/v1alpha1kind: IstioOperatormetadata:namespace: istio-systemspec:components:ingressGateways:- name: istio-ingressgatewayenabled: truek8s:service:ports:- port: 15021targetPort: 15021name: status-port- port: 15012targetPort: 15012name: tls-xds- port: 15017targetPort: 15017name: tls-webhookEOF
$ istioctl install -f controlplane-gateway.yaml --context="${CTX_EXTERNAL_CLUSTER}"
You may notice an istiod deployment created in the istio-system namespace. This is used only to configure the ingress gateway and is NOT the control plane used by remote clusters. This ingress gateway could, in fact, be configured to host multiple external control planes, in different namespaces on the cluster, even though in this example you will only deploy a single external istiod in the external-istiod namespace.
Configure your environment to expose the Istio ingress gateway service using a public hostname with TLS. Set the EXTERNAL_ISTIOD_ADDR environment variable to the hostname and SSL_SECRET_NAME environment variable to the secret that holds the TLS certs:
$ export EXTERNAL_ISTIOD_ADDR=<your external istiod host>$ export SSL_SECRET_NAME=<your external istiod secret>
Create the Istio Gateway, VirtualService, and DestinationRule configuration for the yet to be installed external control plane:
$ cat <<EOF > external-istiod-gw.yamlapiVersion: networking.istio.io/v1beta1kind: Gatewaymetadata:name: external-istiod-gwnamespace: external-istiodspec:selector:istio: ingressgatewayservers:- port:number: 15012protocol: httpsname: https-XDStls:mode: SIMPLEcredentialName: $SSL_SECRET_NAMEhosts:- $EXTERNAL_ISTIOD_ADDR- port:number: 15017protocol: httpsname: https-WEBHOOKtls:credentialName: $SSL_SECRET_NAME- $EXTERNAL_ISTIOD_ADDR---apiVersion: networking.istio.io/v1beta1kind: VirtualServicemetadata:name: external-istiod-vsnamespace: external-istiodspec:hosts:- $EXTERNAL_ISTIOD_ADDRgateways:- external-istiod-gwhttp:- match:- port: 15012route:- destination:host: istiod.external-istiod.svc.cluster.localport:number: 15012- match:- port: 15017route:- destination:host: istiod.external-istiod.svc.cluster.localport:number: 443---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: external-istiod-drnamespace: external-istiodspec:host: istiod.external-istiod.svc.cluster.localtrafficPolicy:portLevelSettings:- port:number: 15012tls:mode: SIMPLEconnectionPool:http:h2UpgradePolicy: UPGRADE- port:number: 443tls:mode: SIMPLEEOF
Create the external-istiod namespace and apply the configuration:
Create the remote Istio install configuration:
$ cat <<EOF > remote-config-cluster.yamlapiVersion: install.istio.io/v1alpha1kind: IstioOperatormetadata:namespace: external-istiodspec:profile: remotemeshConfig:rootNamespace: external-istioddefaultConfig:discoveryAddress: $EXTERNAL_ISTIOD_ADDR:15012proxyMetadata:XDS_ROOT_CA: /etc/ssl/certs/ca-certificates.crtCA_ROOT_CA: /etc/ssl/certs/ca-certificates.crtenabled: falseistiodRemote:enabled: truevalues:global:caAddress: $EXTERNAL_ISTIOD_ADDR:15012istioNamespace: external-istiodmeshID: mesh1multiCluster:clusterName: $REMOTE_CLUSTER_NAMEistiodRemote:injectionURL: https://$EXTERNAL_ISTIOD_ADDR:15017/injectbase:validationURL: https://$EXTERNAL_ISTIOD_ADDR:15017/validateEOF
Install the configuration on the remote cluster:
$ kubectl create namespace external-istiod --context="${CTX_REMOTE_CLUSTER}"$ istioctl manifest generate -f remote-config-cluster.yaml | kubectl apply --context="${CTX_REMOTE_CLUSTER}" -f -
NOTE: An ingress gateway, for accessing services in the remote cluster mesh, is included in the above installation. However it will not start working until you install the external control plane in the next section.
The control plane in the external cluster needs access to the remote cluster to discover services, endpoints, and pod attributes. Create a secret with credentials to access the remote cluster’s kube-apiserver and install it in the external cluster.
$ kubectl create sa istiod-service-account -n external-istiod --context="${CTX_EXTERNAL_CLUSTER}"$ istioctl x create-remote-secret \--context="${CTX_REMOTE_CLUSTER}" \--type=config \--namespace=external-istiod | \kubectl apply -f - --context="${CTX_EXTERNAL_CLUSTER}"
Create the Istio install configuration to create the control plane in the external-istiod namespace of the external cluster:
$ cat <<EOF > external-istiod.yamlapiVersion: install.istio.io/v1alpha1kind: IstioOperatormetadata:namespace: external-istiodspec:meshConfig:rootNamespace: external-istioddefaultConfig:discoveryAddress: $EXTERNAL_ISTIOD_ADDR:15012proxyMetadata:XDS_ROOT_CA: /etc/ssl/certs/ca-certificates.crtCA_ROOT_CA: /etc/ssl/certs/ca-certificates.crtcomponents:base:enabled: falseingressGateways:- name: istio-ingressgatewayenabled: falsevalues:global:caAddress: $EXTERNAL_ISTIOD_ADDR:15012istioNamespace: external-istiodoperatorManageWebhooks: truemeshID: mesh1multiCluster:clusterName: $REMOTE_CLUSTER_NAMEpilot:env:INJECTION_WEBHOOK_CONFIG_NAME: ""VALIDATION_WEBHOOK_CONFIG_NAME: ""EOF
Apply the Istio configuration on the external cluster:
$ kubectl get pod -l app=istio-ingressgateway -n external-istiod --context="${CTX_REMOTE_CLUSTER}"
Deploy the helloworld sample to the remote cluster. Wait a few seconds for the helloworld pods to be running with sidecars injected.
$ kubectl label namespace default istio-injection=enabled --context="${CTX_REMOTE_CLUSTER}"$ kubectl apply -f samples/helloworld/helloworld.yaml --context="${CTX_REMOTE_CLUSTER}"$ kubectl get pod -l app=helloworld --context="${CTX_REMOTE_CLUSTER}"
Expose the helloworld application on the ingress gateway:
$ kubectl apply -f samples/helloworld/helloworld-gateway.yaml --context="${CTX_REMOTE_CLUSTER}"
Follow to set GATEWAY_URL and then confirm you can access the application:
$ curl -s "http://${GATEWAY_URL}/hello" | grep -o "Hello"
Congratulations! You successfully installed an external control plane and used it to manage services running in a remote cluster!
See also
Deploy multiple Istio egress gateways independently to have fine-grained control of egress communication from the mesh.
Deploying Istio Control Planes Outside the Mesh
A new deployment model for Istio.
Istiod consolidates the Istio control plane components into a single binary.
Describes the telemetry and monitoring features provided by Istio.
