Experiences from running Istio in a k8s production environment

The Norwegian Labour and Welfare Administration has moved from its existing Kubernetes clusters to running production applications in the public cloud. On this journey we brought Istio into our open-source platform. In this presentation we discuss our experience of running Istio in a multi-cloud production environment that includes on-premises clusters and Google Kubernetes Engine. We focus on how we use Istio to control traffic between services, mutual TLS and Istio RBAC, and describe the challenges we met along the way and how we solved them.

1. Experiences from running Istio in a k8s production environment. Line Moseng, Johnny Horvi, @linemoseng, Norwegian Labour and Welfare Administration

2. 5,2 million


6. nais.io, github.com/nais

7. CD

8. Platform components: logs, metrics, alerts, events, secrets, cache, app, storage, runtime, deploy


11. [Diagram: three cluster types, internal, external and gke, each with a dev and a prod cluster; internal and external are on-prem, gke is in the public cloud]

12. [Diagram: internal and external clusters, each with dev and prod, all on-prem]

13. [Diagram: internal and external zones, DMZ, internet]

14. [Diagram: a zone containing several apps]

15. [Diagram: several apps]


17. mTLS as a service; Telemetry


19. 0.5

20. 0.8

21. app


23. app

24. app

25.
apiVersion: "nais.io/v1alpha1"
kind: "Application"
metadata:
  name: app
  labels:
    team: pension
spec:
  image: navikt/app:1
  port: 8080
  replicas: { min: 2, max: 4 }
  probes: { liveness: … }
  ingresses:
    - app.dev-gke.nais.io
  egresses:
    - svc-not-in-mesh.nav.local
  secrets: true
  accessPolicy:
    inbound:
      - name: consumer-a

26. nais.yaml (the same Application manifest as on slide 25)

27. [Diagram: kubectl apply -f nais.yaml; in the cluster the Application resource is turned into deployment, virtualservice, autoscaler, service, serviceentry, networkpolicy, servicerole, servicerolebinding]

28. (the same Application manifest as on slide 25, with an annotation overlay that did not survive extraction)

29. [Diagram: the Application manifest from slide 25 shown beside the resources generated from it: deployment, virtualservice, autoscaler, service, serviceentry, networkpolicy, servicerole, servicerolebinding]
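Slides 25 to 29 show an Application manifest whose `accessPolicy.inbound` list is turned into Istio `servicerole` and `servicerolebinding` objects. The following is an added illustration of that translation, not the nais operator's own code: it builds the Istio `rbac.istio.io/v1alpha1` ServiceRole and ServiceRoleBinding that allow only the listed callers, identified by the service-account identity mutual TLS puts in their client certificate. The namespace, the service-account naming, the restriction to GET/POST and the `allows` check are assumptions made here.

```python
# Constructed input: the Application manifest from slide 25 as a dict
# (namespace is assumed; the slide does not show one).
APPLICATION = {
    "apiVersion": "nais.io/v1alpha1",
    "kind": "Application",
    "metadata": {"name": "app", "namespace": "default",
                 "labels": {"team": "pension"}},
    "spec": {
        "image": "navikt/app:1",
        "port": 8080,
        "accessPolicy": {"inbound": [{"name": "consumer-a"}]},
    },
}


def istio_rbac_for(app: dict) -> list:
    """Return the Istio RBAC objects for one Application.

    With Istio RBAC enabled for the namespace, a service without a
    ServiceRoleBinding receives no traffic at all (deny by default), so an
    Application with no inbound callers gets only the ServiceRole.
    """
    name = app["metadata"]["name"]
    ns = app["metadata"].get("namespace", "default")
    inbound = app["spec"].get("accessPolicy", {}).get("inbound", [])
    role = {
        "apiVersion": "rbac.istio.io/v1alpha1",
        "kind": "ServiceRole",
        "metadata": {"name": name, "namespace": ns},
        # Assumption: only GET and POST are opened; the slide shows no methods.
        "spec": {"rules": [{"services": [f"{name}.{ns}.svc.cluster.local"],
                            "methods": ["GET", "POST"]}]},
    }
    if not inbound:
        return [role]
    binding = {
        "apiVersion": "rbac.istio.io/v1alpha1",
        "kind": "ServiceRoleBinding",
        "metadata": {"name": name, "namespace": ns},
        "spec": {
            # mTLS identity of each caller: its Kubernetes service account.
            "subjects": [{"user": f"cluster.local/ns/{c.get('namespace', ns)}"
                                  f"/sa/{c['name']}"} for c in inbound],
            "roleRef": {"kind": "ServiceRole", "name": name},
        },
    }
    return [role, binding]


def allows(binding: dict, principal: str) -> bool:
    """True if the mTLS principal is one of the binding's subjects."""
    return any(s.get("user") == principal for s in binding["spec"]["subjects"])
```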