
How external users access services inside an Istio cluster through the ingress gateway


1. Introduction

After Istio is installed, by default users outside the cluster cannot directly reach the management and monitoring services running inside the cluster, such as grafana.

There are two ways to expose in-cluster services. One is port-forward, which forwards traffic from a local port to a pod port so that the in-cluster service can be reached; the other is an Istio gateway, which exposes the in-cluster service to the outside network.

The second approach requires the cluster's default gateway service, ingressgateway, to be switched to NodePort mode so that it can act as the jump point through which external traffic is served.

2. Enabling NodePort mode for the ingressgateway

(1) Set the ingress gateway's service type

When installing Istio, the parameter --set gateways.istio-ingressgateway.type=NodePort sets the service type of the ingress gateway component.

-- Create istio with the grafana, kiali and tracing components installed, and set the ingress gateway type to NodePort
helm install istio.io/istio --name istio --namespace=istio-system --set gateways.istio-ingressgateway.type=NodePort --set grafana.enabled=true --set kiali.enabled=true --set tracing.enabled=true

If the parameter was not given when Istio was installed, it can be changed in either of the following ways:

helm upgrade istio istio.io/istio --set gateways.istio-ingressgateway.type=NodePort --set grafana.enabled=true --set kiali.enabled=true --set tracing.enabled=true 

kubectl patch service istio-ingressgateway -n istio-system -p '{"spec":{"type":"NodePort"}}'

(2) Verify the ingress gateway's service type

kubectl get svc -n istio-system
NAME                     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                                                                                                                      AGE
grafana                  ClusterIP   172.18.87.213    <none>        3000/TCP                                                                                                                                     3m45s
istio-citadel            ClusterIP   172.18.62.138    <none>        8060/TCP,15014/TCP                                                                                                                           4h56m
istio-galley             ClusterIP   172.18.108.232   <none>        443/TCP,15014/TCP,9901/TCP                                                                                                                   4h56m
-----------
istio-ingressgateway     NodePort    172.18.24.214    <none>        15020:31970/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:32365/TCP,15030:30818/TCP,15031:30828/TCP,15032:31036/TCP,15443:30309/TCP   4h56m
----------- istio-ingressgateway is now in NodePort mode
istio-pilot              ClusterIP   172.18.249.193   <none>        15010/TCP,15011/TCP,8080/TCP,15014/TCP                                                                                                       4h56m
istio-policy             ClusterIP   172.18.236.243   <none>        9091/TCP,15004/TCP,15014/TCP                                                                                                                 4h56m
istio-sidecar-injector   ClusterIP   172.18.41.244    <none>        443/TCP,15014/TCP                                                                                                                            4h56m
istio-telemetry          ClusterIP   172.18.199.225   <none>        9091/TCP,15004/TCP,15014/TCP,42422/TCP                                                                                                       4h56m
jaeger-agent             ClusterIP   None             <none>        5775/UDP,6831/UDP,6832/UDP                                                                                                                   3m45s
jaeger-collector         ClusterIP   172.18.252.169   <none>        14267/TCP,14268/TCP                                                                                                                          3m45s
jaeger-query             ClusterIP   172.18.112.84    <none>        16686/TCP                                                                                                                                    3m45s
kiali                    ClusterIP   172.18.27.228    <none>        20001/TCP                                                                                                                                    3m45s
prometheus               ClusterIP   172.18.67.104    <none>        9090/TCP                                                                                                                                     4h56m
tracing                  ClusterIP   172.18.118.65    <none>        80/TCP                                                                                                                                       3m45s
zipkin                   ClusterIP   172.18.105.196   <none>        9411/TCP                                                                                                                                     3m45s
[root@centos75 istio-ui]#

(3) Check the port mappings of the ingress-gateway acting as the edge proxy

[root@centos75 istio-ui]# kubectl describe svc istio-ingressgateway -n istio-system
Name:                     istio-ingressgateway
Namespace:                istio-system
Labels:                   app=istio-ingressgateway
                          chart=gateways
                          heritage=Tiller
                          istio=ingressgateway
                          release=istio
Annotations:              <none>
Selector:                 app=istio-ingressgateway,istio=ingressgateway,release=istio
Type:                     NodePort
IP:                       172.18.24.214
Port:                     status-port  15020/TCP
TargetPort:               15020/TCP
NodePort:                 status-port  31970/TCP
Endpoints:                192.168.148.92:15020
Port:                     http2  80/TCP
TargetPort:               80/TCP
NodePort:                 http2  31380/TCP
Endpoints:                192.168.148.92:80
Port:                     https  443/TCP
TargetPort:               443/TCP
NodePort:                 https  31390/TCP
Endpoints:                192.168.148.92:443
Port:                     tcp  31400/TCP
TargetPort:               31400/TCP
NodePort:                 tcp  31400/TCP
Endpoints:                192.168.148.92:31400
Port:                     https-kiali  15029/TCP
TargetPort:               15029/TCP
NodePort:                 https-kiali  32365/TCP
Endpoints:                192.168.148.92:15029
Port:                     https-prometheus  15030/TCP
TargetPort:               15030/TCP
NodePort:                 https-prometheus  30818/TCP
Endpoints:                192.168.148.92:15030
--------- https-grafana port 15031 is mapped to node port 30828; we need to bind port 15031 to grafana
Port:                     https-grafana  15031/TCP
TargetPort:               15031/TCP
NodePort:                 https-grafana  30828/TCP
Endpoints:                192.168.148.92:15031
--------- users outside the cluster reach the grafana service through port 30828 on the gateway node
Port:                     https-tracing  15032/TCP
TargetPort:               15032/TCP
NodePort:                 https-tracing  31036/TCP
Endpoints:                192.168.148.92:15032
Port:                     tls  15443/TCP
TargetPort:               15443/TCP
NodePort:                 tls  30309/TCP
Endpoints:                192.168.148.92:15443
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>
[root@centos75 istio-ui]#

As shown above, the ingressgateway was created with a set of pre-configured port mappings. Among them, the https-grafana port 15031 is mapped to node port 30828. Once we bind port 15031 to grafana, users outside the cluster can reach the grafana service through port 30828 on the node where the gateway runs.

4. Exposing in-cluster services through a gateway

The gateway and virtual service resources that need to be created for the service are as follows.

(1) Create the grafana gateway

The gateway's server port is 15031, which matches the ingressgateway NodePort 30828 shown above.

[root@centos75 istio-ui]# cat grafana-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: grafana-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15031
      name: http
      protocol: HTTP
    hosts:
    - "*"
[root@centos75 istio-ui]# kubectl apply -f grafana-gateway.yaml -n istio-system
gateway.networking.istio.io/grafana-gateway created
[root@centos75 istio-ui]#

(2) Create the grafana virtual service

Bind the virtual service to grafana-gateway so that traffic arriving from the gateway is routed to the internal grafana service on port 3000.

[root@centos75 istio-ui]# cat grafana-vs.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: grafana-vs
spec:
  hosts:
  - "*"
  gateways:
  - grafana-gateway
  http:
  - route:
    - destination:
        host: grafana
        port:
          number: 3000
[root@centos75 istio-ui]# kubectl apply -f grafana-vs.yaml -n istio-system
virtualservice.networking.istio.io/grafana-vs unchanged
[root@centos75 istio-ui]#

(3) Test connectivity to grafana

[root@centos75 istio-ui]# curl -I 
200 OK
content-type: text/html; charset=UTF-8
date: Sat, 14 Sep 2019 11:22:50 GMT
x-envoy-upstream-service-time: 1
server: istio-envoy
transfer-encoding: chunked
[root@centos75 istio-ui]#

The test succeeded.

5. Summary

This approach uses the Istio edge gateway to map internal services to the outside. It can draw on the traffic-management capabilities of the Istio gateway and is better suited to the task than port-forward.
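Reading the NodePort mapping (section 2) and the Gateway definition (section 4) by eye is error-prone, so here is an added example, not code from the article, that does both checks programmatically against the article's own values: it resolves the NodePort fronting a Gateway server port and flags exposure issues in the Gateway, namely a plaintext HTTP listener on a Service port named https-grafana and a wildcard "*" host. The SERVICE and GATEWAY objects are constructed samples in the shape of kubectl -o json output, built from the port numbers in this article rather than captured from a cluster.

```python
import json

# Constructed sample: the relevant subset of
#   kubectl get svc istio-ingressgateway -n istio-system -o json
# using the port numbers from this article (not captured from a real cluster).
SERVICE = json.loads("""
{"spec": {"type": "NodePort", "ports": [
  {"name": "http2",         "port": 80,    "nodePort": 31380, "protocol": "TCP"},
  {"name": "https",         "port": 443,   "nodePort": 31390, "protocol": "TCP"},
  {"name": "https-grafana", "port": 15031, "nodePort": 30828, "protocol": "TCP"},
  {"name": "https-tracing", "port": 15032, "nodePort": 31036, "protocol": "TCP"}
]}}
""")

# Constructed sample: the grafana-gateway Gateway from this article, in the
# shape that kubectl get gateway grafana-gateway -n istio-system -o json returns.
GATEWAY = json.loads("""
{"spec": {"selector": {"istio": "ingressgateway"}, "servers": [
  {"port": {"number": 15031, "name": "http", "protocol": "HTTP"}, "hosts": ["*"]}
]}}
""")


def node_port_for(service, port_number):
    """Return the NodePort that fronts the given Service port, or None if the
    Service is not of type NodePort or does not publish that port."""
    if service["spec"].get("type") != "NodePort":
        return None
    for p in service["spec"]["ports"]:
        if p["port"] == port_number:
            return p.get("nodePort")
    return None


def audit_gateway(gateway, service):
    """Return human-readable findings for each Gateway server: a port the
    ingressgateway Service does not publish (unreachable from outside), a
    plaintext HTTP/HTTP2 listener on a Service port whose name promises TLS,
    and a wildcard host that accepts any Host header."""
    findings = []
    for srv in gateway["spec"]["servers"]:
        num = srv["port"]["number"]
        proto = srv["port"]["protocol"].upper()
        node_port = node_port_for(service, num)
        if node_port is None:
            findings.append(f"port {num}: not published by the ingressgateway Service")
            continue
        svc_name = next(p["name"] for p in service["spec"]["ports"] if p["port"] == num)
        if proto in ("HTTP", "HTTP2") and svc_name.startswith("https-"):
            findings.append(f"port {num} -> NodePort {node_port}: plaintext {proto} on '{svc_name}'")
        if "*" in srv.get("hosts", []):
            findings.append(f"port {num}: hosts '*' accepts any Host header")
    return findings
```

Run against the article's configuration it reports two findings for port 15031, which is the cue to serve the port with a TLS-configured Gateway server and a concrete hostname instead of "*".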
