Experiences from running Istio in a K8s production environment
1 . Experiences from running Istio in a k8s production environment Line Moseng Johnny Horvi @linemoseng Norwegian Labour and Welfare Administration
2 .5,2 million
6 .nais.io github.com/nais
7 .CD
8 . logs metrics alerts events secrets cache app storage runtime deploy
11 .internal external gke dev dev dev prod prod prod on-prem public cloud
12 .internal external dev dev prod prod on-prem
13 .internal external DMZ internet
14 . Zone app app app app app app
15 . app app app app app app
17 .mTLS as a service Telemetry
19 .0.5
20 .0.8
21 .app
23 .app
24 .app
25 .
apiVersion: "nais.io/v1alpha1"
kind: "Application"
metadata:
  name: app
  labels:
    team: pension
spec:
  image: navikt/app:1
  port: 8080
  replicas: { min: 2, max: 4 }
  probes: { liveness: … }
  ingresses:
    - app.dev-gke.nais.io
  egresses:
    - svc-not-in-mesh.nav.local
  secrets: true
  accessPolicy:
    inbound:
      - name: consumer-a
26 . nais.yaml: the same Application manifest as above.
27 . [Diagram] kubectl apply -f nais.yaml, cluster, application; resources shown: deployment, virtualservice, autoscaler, service, serviceentry, networkpolicy, servicerole, servicerolebinding
28 . The same Application manifest, annotated with the labels Role and RoleBinding.
29 . The same Application manifest, shown beside the resources: deployment, virtualservice, autoscaler, service, serviceentry, networkpolicy, servicerole, servicerolebinding