K8s 生产环境中运行 Istio 得到的经验
分享
点赞
4
收藏
0
下载 0
-
快召唤伙伴们来围观吧
-
微博
QQ
QQ空间
贴吧
-
文档嵌入链接
- 复制
-
-
微信扫一扫分享
-
已成功复制到剪贴板
挪威福利管理局已经从现有的Kubernestes集群转变为在公共云中运行生产应用程序。在这次旅程中,我们将Istio带入了我们的开源平台。
在本演示中,我们将讨论我们在多云生产环境中运行Istio的经验,这些环境包括内部集群和Google Kubernetes Engine。我们将关注如何使用Istio来控制服务之间的流量,相互TLS,Istio RBAC,描述我们在路上遇到的挑战以及我们如何解决它们。
展开查看详情
1 . Experiences from running Istio
in a k8s production environment
Line Moseng Johnny Horvi
@linemoseng
Norwegian Labour and Welfare Administration
�
6 .nais.io
github.com/nais
�
8 . logs metrics alerts events
secrets cache
app
storage runtime deploy
�
11 .internal external gke
dev dev dev
prod prod prod
on-prem public cloud
�
12 .internal external
dev dev
prod prod
on-prem
�
13 .internal external DMZ internet
�
14 . Zone
app
app app
app app
app
�
15 . app
app
app app
app
app
�
17 .mTLS as a service
Telemetry
�
25 . apiVersion: "nais.io/v1alpha1"
kind: "Application"
metadata:
name: app
labels:
team: pension
app spec:
image: navikt/app:1
port: 8080
replicas: { min: 2, max: 4 }
probes: { liveness: … }
ingresses:
- app.dev-gke.nais.io
egresses:
- svc-not-in-mesh.nav.local
secrets: true
accessPolicy:
inbound:
- name: consumer-a
�
26 . apiVersion: "nais.io/v1alpha1"
kind: "Application"
metadata:
name: app
labels:
team: pension
app spec:
image: navikt/app:1
m l
port: 8080
. ya
is
replicas: { min: 2, max: 4 }
a
probes: { liveness: … }
n
ingresses:
- app.dev-gke.nais.io
egresses:
- svc-not-in-mesh.nav.local
secrets: true
accessPolicy:
inbound:
- name: consumer-a
�
27 . deployment
cluster
virtualservice
autoscaler
service
application serviceentry
kubectl apply
-f nais.yaml
networkpolicy
servicerole
servicerolebinding
�
28 .apiVersion: "nais.io/v1alpha1"
kind: "Application"
metadata:
name: app
labels:
team: pension
spec:
image: navikt/app:1
port: 8080
replicas: { min: 2, max: 4 }
Ro
probes: { liveness: … }
ing
ingresses:
le
ind
- app.dev-gke.nais.io
egresses:
leB
- svc-not-in-mesh.nav.local
secrets: true
Ro
accessPolicy:
inbound:
- name: consumer-a
�
29 .apiVersion: "nais.io/v1alpha1" deployment
kind: "Application"
metadata:
name: app virtualservice
labels:
team: pension
spec:
autoscaler
image: navikt/app:1
port: 8080 service
replicas: { min: 2, max: 4 }
probes: { liveness: … }
ingresses:
serviceentry
- app.dev-gke.nais.io
egresses: networkpolicy
- svc-not-in-mesh.nav.local
secrets: true
accessPolicy:
servicerole
inbound:
- name: consumer-a servicerolebinding
�
热门城市
