Grafana, Prometheus, Kiali authentication with AzureAD and istio internal load balancer
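I am deploying istio in Azure Kubernetes Service (AKS) and I have the following question:
Is it possible to deploy istio using an internal load balancer? It looks like it is deployed in Azure with a public load balancer by default. What do I need to change to make it use an internal load balancer?
Answering the second question:
It is possible to add the AKS annotation for an internal load balancer, according to the AKS documentation: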
To create an internal load balancer, create a service manifest named internal-lb.yaml
with the service type LoadBalancer and the azure-load-balancer-internal
annotation as shown in the following example:
    apiVersion: v1
    kind: Service
    metadata:
      name: internal-app
      annotations:
        service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    spec:
      type: LoadBalancer
      ports:
      - port: 80
      selector:
        app: internal-app
So you can set this annotation by using helm with the following --set:
    helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set gateways.istio-ingressgateway.serviceAnnotations.'service\.beta\.kubernetes\.io/azure-load-balancer-internal'="true" > aks-istio.yaml
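As mentioned in the comments, you should stick to one question per post, as suggested here. So I suggest creating a second post with the other questions.
Hope it helps.
Update:
For istioctl you can do the following:
- Generate the manifest file for your istio deployment; for this example I used the demo profile.
    istioctl manifest generate --set profile=demo > istio.yaml
- Modify istio.yaml and search for the text type: LoadBalancer.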
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: istio-ingressgateway
      namespace: istio-system
      annotations:
      labels:
        app: istio-ingressgateway
        release: istio
        istio: ingressgateway
    spec:
      type: LoadBalancer
      selector:
        app: istio-ingressgateway
      ports:
Add the annotation for the internal load balancer like this:
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: istio-ingressgateway
      namespace: istio-system
      annotations:
        service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      labels:
        app: istio-ingressgateway
        release: istio
        istio: ingressgateway
    spec:
      type: LoadBalancer
      selector:
        app: istio-ingressgateway
      ports:
- After saving the changes, deploy the modified istio.yaml to your K8s cluster using:
    kubectl apply -f istio.yaml
After that you can verify that the annotation is present in the istio-ingressgateway service.
    $ kubectl get svc istio-ingressgateway -n istio-system -o yaml
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{"service.beta.kubernetes.io/azure-load-balancer-internal":"true"},"labels":{"app":"istio-ingressgateway","istio":"ingressgateway","release":"istio"},"name":"istio-ingressgateway","namespace":"istio-system"},"spec":{"ports":[{"name":"status-port","port":15020,"targetPort":15020},{"name":"http2","port":80,"targetPort":80},{"name":"https","port":443},{"name":"kiali","port":15029,"targetPort":15029},{"name":"prometheus","port":15030,"targetPort":15030},{"name":"grafana","port":15031,"targetPort":15031},{"name":"tracing","port":15032,"targetPort":15032},{"name":"tls","port":15443,"targetPort":15443}],"selector":{"app":"istio-ingressgateway"},"type":"LoadBalancer"}}
        service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      creationTimestamp: "2020-01-27T13:51:07Z"
Hope it helps.
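The verification step in the answer above, extended to every Service in the cluster, as an added example that is not part of the original post: it reads the JSON form of `kubectl get svc --all-namespaces -o json` and reports each LoadBalancer Service that lacks the internal annotation or was assigned an address outside private space. The function name, the sample Services and the RFC 1918 assumption about the VNet are illustrative.

```python
import ipaddress
import json

INTERNAL_LB = "service.beta.kubernetes.io/azure-load-balancer-internal"
# Assumption: the cluster's VNet uses RFC 1918 address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_services(service_list):
    """Return (namespace, name, problem) for every LoadBalancer Service that is not internal."""
    findings = []
    for svc in service_list.get("items", []):
        if svc.get("spec", {}).get("type") != "LoadBalancer":
            continue
        meta = svc.get("metadata", {})
        ident = (meta.get("namespace", "default"), meta.get("name", "?"))
        # Annotation values are strings; only the exact string "true" counts.
        if (meta.get("annotations") or {}).get(INTERNAL_LB) != "true":
            findings.append(ident + ("missing internal annotation",))
            continue
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        if not ingress:
            findings.append(ident + ("no address assigned yet",))
        for entry in ingress:
            ip = entry.get("ip")
            if ip and not any(ipaddress.ip_address(ip) in net for net in RFC1918):
                findings.append(ident + ("address outside RFC 1918: " + ip,))
    return findings

# Constructed sample in the shape of `kubectl get svc --all-namespaces -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "istio-system", "name": "istio-ingressgateway",
   "annotations": {"service.beta.kubernetes.io/azure-load-balancer-internal": "true"}},
  "spec": {"type": "LoadBalancer"},
  "status": {"loadBalancer": {"ingress": [{"ip": "10.240.0.25"}]}}},
 {"metadata": {"namespace": "demo", "name": "public-gw", "annotations": null},
  "spec": {"type": "LoadBalancer"},
  "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
 {"metadata": {"namespace": "demo", "name": "stale-gw",
   "annotations": {"service.beta.kubernetes.io/azure-load-balancer-internal": "true"}},
  "spec": {"type": "LoadBalancer"},
  "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.11"}]}}},
 {"metadata": {"namespace": "demo", "name": "backend"},
  "spec": {"type": "ClusterIP"}, "status": {"loadBalancer": {}}}
]}
""")

if __name__ == "__main__":
    for ns, name, problem in audit_services(SAMPLE):
        print(f"{ns}/{name}: {problem}")
```
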