From 897fbbcbda46e21f514ce9cecbb1131d4f0b5838 Mon Sep 17 00:00:00 2001
From: Bill Pratt
Date: Thu, 3 May 2018 14:14:41 -0400
Subject: [PATCH] Refine Istio example (#2819)
---
 examples/service-mesh/README.md | 90 +++++++++++++++++++++++---------
 examples/service-mesh/istio.json | 3 +-
 2 files changed, 67 insertions(+), 26 deletions(-)
diff --git a/examples/service-mesh/README.md b/examples/service-mesh/README.md
index 939384411..ec226ce31 100644
--- a/examples/service-mesh/README.md
+++ b/examples/service-mesh/README.md
@@ -1,25 +1,67 @@ -# Kubernetes - Service Mesh - -There are numerous implementations of a service mesh which integrate with kubernetes such as Istio, [Linkerd](http://linkerd.io), and [Conduit](https://conduit.io/). [This is one blog post](https://medium.com/microservices-in-practice/service-mesh-for-microservices-2953109a3c9a) which explains some fundamentals behind what it is and why to use it. - -Some service mesh implementations **may** benefit from or require additional [customizations to the kubernetes cluster itself](https://github.com/Azure/acs-engine/blob/master/docs/clusterdefinition.md). - -## Istio - -The `istio.json` file in this directory enables the kubernetes API server options to support automatic sidecar injection using [Isitio](https://istio.io/). If automatic sidecar injection isn't enabled, then all services must then manually inject the sidecar configuration into every deployment, every time. - -The main changes this configuration makes is adding these flags to the apiserver `Initializers,MutatingAdmissionWebhook,ValidatingAdmissionWebhook` and starting using the `runtime-config` with `admissionregistration.k8s.io/v1alpha1`. - -> Note: The default acs-engine apiserver options `AlwaysPullImages` and `SecurityContextDeny` were removed from this configuration in order to have the Istio book info examples work without any errors. Consider enabling these for a production cluster. - - -### Post installation - -Once the template has been successfully deployed, then Istio can be installed via either: - -1. Manual - follow the website [Installation steps](https://istio.io/docs/setup/kubernetes/quick-start.html#installation-steps). -1. Helm Chart - is maintained in the Istio repository itself (no longer hub.kubeapps.com). [See these instructions on the Istio website](https://istio.io/docs/setup/kubernetes/helm.html). - -> Note: So far it seems the manual steps are more well maintained and up-to-date than the helm chart. 
- +# Kubernetes - Service Mesh + +There are numerous implementations of a service mesh which integrate with kubernetes such as Istio, [Linkerd](http://linkerd.io), and [Conduit](https://conduit.io/). [This is one blog post](https://medium.com/microservices-in-practice/service-mesh-for-microservices-2953109a3c9a) which explains some fundamentals behind what it is and why to use it. + +Some service mesh implementations **may** benefit from or require additional [customizations to the kubernetes cluster itself](https://github.com/Azure/acs-engine/blob/master/docs/clusterdefinition.md). + +## Istio + +The `istio.json` file in this directory enables the kubernetes API server options to support automatic sidecar injection using [Isitio](https://istio.io/). If automatic sidecar injection isn't enabled, then all services must then manually inject the sidecar configuration into every deployment, every time. + +The main changes this configuration makes is adding these flags to the apiserver `MutatingAdmissionWebhook,ValidatingAdmissionWebhook`. + +### Installation + +#### Create Azure Resources + +1. Create Resource Group + + ``` + az group create --name "" --location "eastus" + ``` + +2. Create Service Principal + + ``` + az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions//resourceGroups/" + ``` + +#### Update istio.json + +3. Ensure `orchestratorRelease` is 1.9+. +4. Update `--admission-control` to include `MutatingAdmissionWebhook,ValidatingAdmissionWebhook` + + **Note**: admission-controls need to be entered in the order defined on the kubernetes [docs](https://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use). + + Your updates should look like this. 
+ ``` + "orchestratorProfile": { + "orchestratorType": "Kubernetes", + "orchestratorRelease": "1.9", + "kubernetesConfig": { + "apiServerConfig": { + "--admission-control": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,DenyEscalatingExec,AlwaysPullImages,ValidatingAdmissionWebhook,ResourceQuota", + } + } + } + ``` + +4. Add Service Principal ID and Secret + ``` + "servicePrincipalProfile": { + "clientId": "", + "secret": "" + } + ``` + + +### Post installation + +Once the template has been successfully deployed, then Istio can be installed via either: + +1. Manual - follow the website [Installation steps](https://istio.io/docs/setup/kubernetes/quick-start.html#installation-steps). +1. Helm Chart - is maintained in the Istio repository itself (no longer hub.kubeapps.com). [See these instructions on the Istio website](https://istio.io/docs/setup/kubernetes/helm.html). + +> Note: So far it seems the manual steps are more well maintained and up-to-date than the helm chart. + After Istio has been installed, consider [walking through the various Tasks](https://istio.io/docs/tasks/) which use the Book info example application. \ No newline at end of file diff --git a/examples/service-mesh/istio.json b/examples/service-mesh/istio.json index 612061bf9..90f5b13fd 100644 --- a/examples/service-mesh/istio.json +++ b/examples/service-mesh/istio.json 
@@ -6,8 +6,7 @@
 "orchestratorRelease": "1.9",
 "kubernetesConfig": {
 "apiServerConfig": {
- "--admission-control": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DenyEscalatingExec,Initializers,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota",
- "--runtime-config": "admissionregistration.k8s.io/v1alpha1"
+ "--admission-control": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,DenyEscalatingExec,AlwaysPullImages"
 }
 }
 },
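Review bot: `ResourceQuota` is no longer the last plugin in the new `--admission-control` value, because `DenyEscalatingExec` and `AlwaysPullImages` now follow it; the Kubernetes admission-controller guidance that the README in this commit links to recommends running `ResourceQuota` last, so that quota is not charged for a request a later plugin rejects. The README itself says the order matters on this release, so I would move it to the end: `"--admission-control": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,DenyEscalatingExec,AlwaysPullImages,ResourceQuota"`. The README example added in the same commit shows a different value again (it repeats `ValidatingAdmissionWebhook,ResourceQuota` and ends in a trailing comma, which is not valid JSON), so the two should be made to agree. The commit also deletes the README note that `SecurityContextDeny` is left out relative to the acs-engine defaults; that plugin is still absent from this list, and the caveat is worth keeping for anyone who treats the example as a production baseline. The `orchestratorProfile` object opens above the hunk.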